Last week, we heard of a cyber attack that compromised customer data in over 400 cases, affecting people with customer accounts on two operator websites: buses.gg in Guernsey and Liberty Bus in Jersey. Whilst this attack didn’t involve any of our customers or systems, any security attack can bring concern to the industry.

Website users with accounts were urged to change their passwords on the site immediately. Due to the nature of the breach, these users would also need to change the password on any other platform where it was used. For a lot of users, this is a problematic task dependent mostly on guesswork.

This particular attack did not involve a direct hack into customer records. Instead, the attackers set up a copycat login page where customers would type their details directly into the cyber-criminals’ hands.

According to the Guernsey Press,

“The attack involved the creation of a duplicate login to the top-up site where users were asked to fill in their email address or pass number and their password, meaning email addresses, puffinpass or AvanchiCard numbers and account passwords were taken.”

Dave Hulbert, Engineering Director at Passenger, said, “This may have happened due to a weakness in the website’s software or an attacker getting hold of login details from someone with access to manage the website. Attacks like these are only prevented by combining vigilant management of software systems with security training for staff with access to public-facing systems.”

Due to the unfortunate reality that cyber attacks can happen at any time to any platform, it’s down to the user to ensure their data is as safe as it can be. To help, we’ve compiled our top 5 ways to stay secure, which everyone should be following.

5 top tips from the Passenger team

 

  1. Use a Password Manager

Password managers are a great way to add in an extra measure of security. You can generate strong unique passwords for each site, safely stored in the manager.

You’ll need to make sure the master password is strong, but it’s the only one you’ll need to remember. This means that even if an individual site gets broken into, an attacker won’t be able to access any of your other logins. There are a few to choose from, including KeePass, 1Password and LessPass.

Passwords are like underwear:

  1. you shouldn’t leave them lying around;
  2. you should change them often; and
  3. it’s best if you don’t share them with your friends.

 

  2. Bookmark frequently used websites

Many attacks only work because people click to dangerous sites from emails. If you bookmark a website in your browser (click the star near the website address), then you can use the bookmark next time to make sure you’re on the official site. Password managers help too, as they’ll check you’re on the right site. You can read more about this in 1Password’s explanation of phishing.

 

  3. Use Multi-Factor Authentication (MFA) where possible

Email providers like Gmail and Outlook and many other services offer MFA, which means you need more than just a password to log in. This means your password could be compromised and the attacker still couldn’t gain access. This list of sites that offer MFA is a good place to start.

 

  4. Look out for warnings

Browsers will let you know if a site is “Not secure” or if there’s a “certificate error”. Take heed of these messages and don’t click “Nevermind” or “Meh”. This is even more important when on public Wi-Fi. If you’re technical, make sure the site is served over HTTPS.

Make sure you let your PC/phone do software updates too. Clicking “not now” may give an attacker enough time to take advantage of a vulnerability.

 

  5. Ask for help

If you’re not sure, then it’s better to ask for help than risk doing something that could lead to compromised data. You can chat to your IT department or even get in touch with our lovely folk at the Passenger Help Desk. There are also a lot of companies, including banks and service providers, that have dedicated security and scam departments who are happy to verify emails, phone calls and websites – just make sure you’re the one contacting them!