Supporting Strategies Blog

Be Sure to Guard Against a New Online Threat Called PRMitM
At Supporting Strategies, we take great care to protect ourselves and our clients from online hackers. We're committed to training our staff in the latest security protocols and online practices.

Along those lines, we often issue staff bulletins warning of new threats from hackers. For the benefit of readers of this blog, we've decided to publicly share information from one of these recent bulletins. Please read on to learn about a dangerous new online hazard.

Beware of PRMitM
We all have online accounts that require personal information for password-recovery purposes, such as "mother's maiden name." Hackers have devised a way to steal that information to hijack your account. It's called PRMitM, for "Password Reset Man-in-the-Middle."

With PRMitM, hackers trick you into giving them your password-recovery secret answers, which enables them to reset your passwords and gain access to those accounts. They do this in a variety of ways, primarily by emailing offers for a website that appears to provide coupons, free services or software, or some other freebie that can only be downloaded by creating a new user name and password for that website. An online "PDF-to-Excel" file converter service is one example.

The registration process for these phony websites usually includes a list of typical password-recovery questions, such as the name of the high school you went to, make and model of your first car, name of the street that you grew up on, etc. But because these are many of the same security questions you've already answered for other online accounts, you inadvertently give hackers the information they need to reset your password and gain access to banking websites and other legitimate websites.

An Alternate Version
A second trick hackers use involves the same bait but a different hook. Once you respond to the email and try to log on to the phony website, you get a message saying that you'll soon receive a text message with a security code that you'll need to enter (into the phony website) to complete the registration.

What's really happening is that the hacker is trying to log in to another system with your user ID — again, this might be your online bank account — which prompts that account to text you a security code. So the text message you receive isn't from the phony website; it's actually from your bank. If you pass that security code on to the hacker by typing it into the phony website's registration form, you give the hacker access to your online bank account.

How You Can Fight Back
Our key takeaways from these scenarios (and rules to live by in the virtual world):

  1. Do not download free services/software/etc. until you thoroughly vet them for legitimacy and necessity.
  2. Password-security questions may soon become a thing of the past. Until then, provide unique answers for each site's password-recovery questions. If you're asked to name your first car, for example, instead of simply using "Honda Civic," make up something random and different from the answer you used on any other website that asks you the same question. Keep your security information recorded in a safe location for future reference.
  3. Whenever you receive a security passcode via text message (for two-factor authentication, or TFA), be sure that you're expecting it and that it's from the website you're actually trying to log in to. (Warning sign: Most sites don't include the company name in the body of a text message.)

The bottom line: Hackers are smart. You have to be smarter.

Mark Wald


Mark Wald, Managing Director, Supporting Strategies | Santa Monica, LA, and Ventura County, provides bookkeeping and controller services to growing businesses.
