SA cyber crime crisis

Skilled criminals from anywhere in the world can crack ‘clever’ passwords with brute force smart-guessing algorithms ‒ and South Africa is in the top 10, as targets and culprits.

Skilled criminals from anywhere in the world can crack ‘clever’ passwords with brute force smart-guessing algorithms ‒ and South Africa is in the top 10, as targets and culprits.

Published Jun 23, 2024


Durban — Your “clever, secure” password can probably be cracked in less than a minute by tech-savvy hackers anywhere in the world using “brute force” and other methods to decrypt sensitive data.

Cybercrime is reaching crisis levels with cyberattacks on major South African companies, state institutions and individuals and the number of IT breaches increasing and expected to rise further.

Cyber expert Professor Manoj Maharaj from the University of KwaZulu-Natal said the number of attacks was far greater than the public was aware of and a major education drive was needed to bolster online security in the country.

“Your security must be like an onion with multiple layers, not like an egg. An egg is hard and crusty on the outside and soft and squishy on the inside – break through the shell and everything else is available.”

This week, global cybersecurity and digital privacy company Kaspersky said it had analysed 193 million English passwords and 45% of those – 87 million – could be guessed by scammers within a minute.

Maharaj said people went for driving or shooting lessons before they acquired a driving or firearm licence, but the internet was just as dangerous, yet cybersecurity was not discussed.

“We understand the concepts, that these things are dangerous, and people need training, and some kind of skills development to show some competence. What we do with the internet is the opposite; we give people access to the internet, thinking it’s harmless because we don’t really understand it, but it is a very dangerous thing.”

Transnet, Eskom, the Companies and Intellectual Property Commission of South Africa, International Trade Administration Commission of South Africa, Standard Bank and the Office of the Chief Justice are just some of institutions that have been compromised by hackers over the past few years.

In its 2024 Financial Stability Review, the South African Reserve Bank noted that a successful cyberattack with systemic consequences remained an ever-present risk to financial stability.

Maharaj said South Africa ranked in the top 10 countries for cybersecurity breaches and as a source of attacks.

People, he said, were the weakest link. Often those without any online knowledge were given devices and just shown what buttons to press to execute a function. While hackers could attack employees with weak security passwords, it was not to get to them personally but to gain access to a company’s network through them.

“We’re rolling out broadband, we’re rolling out the internet, we’re doing all kinds of things because there’s a political imperative to do that. But we’re not rolling out training and education at the same time. You go to the UK, for example, you see billboards and posters everywhere talking about internet safety.

“We don’t see that in South Africa. I don’t see these posters warning people about the dangers of the internet. So we’re allowing people free access to this without the guardrails.”

Maharaj said while companies might have top-notch cybersecurity in place, the same level of security is not applied when employees work from home.

“You might have a laptop or a PC at the office which is secured under your company policies, but does your company insist on the same security of your home systems? Can I drive past your home, log in to your router because your router is not secure, hack your password, get in there and load some malware?”

According to Kaspersky, last year there were more than 32 million attempts to attack users with “password stealers”, which showed the importance of digital hygiene, in which electronic devices were regularly cleaned and updated, as well as timely password policies.

Kaspersky said its study revealed that most passwords tested could easily be compromised by using “brute force”, or smart guessing algorithms.

Only 23% (44 million) passwords were resistant and it would take up to a year to compromise them. The rest fell quickly: 45% (87 million) in less than 1 minute; 8% (15 million) from 1 hour to 1 day; 6% (12 million) from 1 day to 1 month and 4% (8 million) from 1 month to 1 year.

Kaspersky said 57% of the passwords they examined contained a word from the dictionary which significantly reduced its strength. Some of the most used names were “ahmed”, “nguyen”, “kumar”, “kevin” and “daniel”.

Popular words in passwords were “forever”, “love”, “google”, “hacker” and “gamer”. Standard passwords included “password”, “qwerty12345”, “admin”, “12345” and “team”. The analysis showed only 19% of all passwords contained signs of a strong combination – a non-dictionary word, lower case and upper case letters, numbers and symbols. However, it revealed that 39% of such passwords could also be guessed using smart algorithms in less than an hour.

Kaspersky digital footprint intelligence head Yuliya Novikova said: “Unconsciously, human beings create ‘human’ passwords – containing the words from dictionaries in their native languages, featuring names and numbers. Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms.

“Given that, the most dependable solution is to generate a completely random password using modern and reliable password managers.”

In its 2022 Vulnerability Thermometer, cybersecurity company Surfshark noted that internationally South Africa was among the top 10 countries for cybercrime density, coming in at number five.

This year the Reserve Bank said the financial sector had to ward off cyberattacks daily.

“A successful attack on critical financial infrastructure has the potential to disrupt the payment, clearing and settlement system, with potentially far-reaching consequences. Ransomware attacks threatened critical infrastructures and enterprises during 2023, with 78% of South African organisations reporting a ransomware attack between January and March 2023, up from 51% in 2022.”

Its Financial Stability Review said that cyberattacks were borderless and could take place from anywhere. It also warned of an increase in state-sponsored cyberattacks.

“State-sponsored attacks are potentially more harmful because they may be politically motivated and intended to disrupt financial systems rather than being aimed at financial gain,” the report said.

Maharaj said internet users made themselves more vulnerable by reusing passwords, weak passwords and using personal information to generate passwords.

“Users often think they are unique in selecting ‘clever’ passwords like P@$$w0rd or $ecr@7 or similar. Hackers know all of this and check for simple substitutions of common words first,” he said.

He said a strong passphrase – a string of words to get into your device – coupled with strong passwords to protect your various accounts was important for online safety.

“Mybluefishhasgreenlegs is a very strong ‘password’ which you are unlikely to forget and is almost impossible to crack in normal hacking attempts.”

Maharaj also cautioned against the use of free wi-fi in public spaces, even if you’ve satisfied all the requirements for a strong password on your computer.

“There’s absolutely no security, because I could be right next to you with my computer, logged into the same AP access portal, and I could be stealing your information,” he said.

Independent on Saturday