
Shockingly simple ways your passwords can get stolen

Here are 5 deceptive techniques fraudsters use to easily access your sensitive information.


Here are a few facts that might startle you: 18% of all the goods being traded on the dark web are online accounts, email logins, and passwords. The number of stolen credentials has risen close to 30% since 2017, and 81% of all hacking-related breaches are due to weak or compromised credentials. Those are some pretty scary stats.

However, since the majority of breaches (74%) are attributed to human error, the solution lies not in more advanced technology but in our hands. Here are some of the shockingly common ways hackers steal our passwords and how we can protect ourselves against them.

Brute forcing - trying every digital key in the lock 

The average person has over 100 passwords and every password is like a key. Managing this large collection of keys tempts many of us to take shortcuts, like setting passwords that are easy to remember or, dare we say, recycling passwords across different sites. But here’s where it gets tricky.

The brute-force hacking method, a favorite among hackers for its simplicity and effectiveness, is the digital equivalent of trying every key until one unlocks the door. A brute force technique that’s particularly popular is called credential stuffing. Hackers use this technique when they get their hands on a bunch of previously leaked username and password combos. They then let an automated system loose, trying these credentials across a range of websites. Essentially, it’s a numbers game, and with an estimated 193 billion attempts globally in just one year, the odds are uncomfortably in the cyber criminals’ favor.

The takeaway: In the world of password security, variety is more than just the spice of life—it's the fortress wall guarding your digital domain. Ditch the "one key fits all" approach and consider investing in a password manager. In the end, the best defense against a brute force attack is a set of strong, unique passwords.
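For readers who run a login service, credential stuffing leaves a recognizable trace: one source working through many different usernames with very few successes. The sketch below is an added example, not part of the original article; the log format, field order, and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, assumed format: "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:03 203.0.113.7 carol FAIL
2024-05-01T10:00:04 203.0.113.7 dave OK
2024-05-01T10:00:05 203.0.113.7 erin FAIL
2024-05-01T10:00:06 203.0.113.7 frank FAIL
2024-05-01T10:01:10 198.51.100.20 grace FAIL
2024-05-01T10:01:25 198.51.100.20 grace FAIL
2024-05-01T10:01:40 198.51.100.20 grace OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def flag_stuffing(log, min_users=5, max_success_ratio=0.25):
    """Flag sources that try many distinct usernames and mostly fail.

    Returns {source_ip: [usernames that logged in successfully]} so the
    accounts that matched a leaked password can be forced to reset it.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    hits = defaultdict(set)
    for _ts, ip, user, result in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            hits[ip].add(user)
    flagged = {}
    for ip, seen in users.items():
        ratio = len(hits[ip]) / attempts[ip]
        if len(seen) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = sorted(hits[ip])
    return flagged

if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))
```

The second source, a single user mistyping a password twice, is not flagged; the one successful login inside the flagged run is the account whose reused password was in the leaked list.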

Phishing attacks prey on human nature—our innate tendency to trust and our occasional lapse in judgment under pressure. They come in many shapes and sizes, but a popular phishing approach is to impersonate a target’s trusted contacts such as friends, family, or familiar companies. However, beneath a well-crafted, authentic-seeming email sent from a loved one or colleague lurks malicious intent: a link or attachment poised to unleash malware or direct you to a counterfeit website where your personal information is stolen.

But the deceit doesn't end with emails and texts. Enter "vishing," the voice-based twin of phishing. Vishing is a form of scam in which fraudsters use phone calls to trick individuals into giving out personal information, such as bank account details, passwords, or social security numbers. Unlike traditional phishing, which typically occurs via email, vishing attackers use the telephone to create a sense of urgency or authority, often pretending to be from a reputable company, government agency, or technical support team.

Awareness and a healthy dose of skepticism are powerful tools in identifying the red flags of a phishing or vishing scam. Look out for unexpected requests for information, check the sender's email address carefully, and remember: if it sounds too urgent or too good to be true, it probably is.


Shoulder surfing, the over-the-shoulder password heist

Think all hacks require complex algorithms and tech? Think again. Shoulder surfing, in its simplest form, is the act of spying over someone's shoulder to gain access to sensitive information, particularly passwords or other secure data. It can happen anywhere, from peering over someone's shoulder in a crowded coffee shop to watching as they enter a PIN at an ATM. 

However, shoulder surfing has evolved; it’s no longer just about physical proximity. Cybercriminals can also employ digital tools, like cameras or screen recording software, to capture sensitive information remotely. Despite its low-tech nature, shoulder surfing remains an effective and straightforward method for obtaining unauthorized access to personal or confidential information, highlighting the need for vigilance even in seemingly secure environments.

Dismissing shoulder surfing as outdated would be a mistake. Just because it doesn't require a high-tech setup doesn't make it any less of a threat. So, next time you're typing away in public, remember: prying eyes might just be watching, and not all hackers need a computer to steal your password.

Mask attacks, a hacker’s masquerade

In a mask attack, attackers gain partial knowledge of your password through data breaches or cybersecurity incidents. While these hacks may not give the hacker the full password, they can offer enough clues for them to start with. Instead of trying every possible combination of characters (as in a brute-force attack), they apply a "mask" that fits the known elements. For example, if a hacker knows the password starts with "The" and it’s eight characters long, they will only try combinations that fit this pattern. This significantly reduces the number of attempts the hacker needs to guess the correct password. 

The upside (for you, not the hacker) is that if your password is the digital equivalent of a high-security lock—long, complex, and unpredictable—even a sneak peek won’t give them the full picture. So, build your password from a long mix of numbers, letters, and symbols, arranged in a pattern only you understand.

In the darkest shadows of the internet you'll find a hacking approach that sounds remarkably harmless but is anything but: the rainbow table. Rainbow tables are like cheat sheets used by hackers to crack passwords. When you create a password on an app or website, it’s then usually converted into a scrambled, unrecognizable format using a hash function–a process known as "hashing". 

In essence, a rainbow table is a list of precalculated hash values for countless potential passwords. Hackers use rainbow tables to match the scrambled password (the hash) with its original form in their table, making it much easier to guess the correct password without having to go through the time-consuming process of trial and error.

There's a silver lining, though. Your password's complexity and uniqueness can still lock hackers out. The practice of "salting"—sprinkling random data into your password before hashing it—transforms it into a riddle too convoluted for even the most comprehensive rainbow table to crack.
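To see why salting works, compare how a service might store the same password with and without it. This is an added example, not code from the original article: the function names are hypothetical, the precomputed table is a simple hash-to-password dictionary (the "list" form the article describes), and PBKDF2 with 600,000 iterations is an assumed choice of slow hash.

```python
import hashlib
import hmac
import os

# Constructed sample: the common passwords the article lists, hashed in advance.
COMMON = ["123456", "qwerty", "password", "iloveyou", "hunter2"]

def fast_unsalted(password: str) -> str:
    """Weak scheme: one unsalted SHA-256, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

# Precomputed hash -> password table, built once and reusable against any
# database that stores unsalted SHA-256 hashes.
PRECOMPUTED = {fast_unsalted(p): p for p in COMMON}

def table_lookup(stored_hex: str):
    """Return the password if the stored hash is in the table, else None."""
    return PRECOMPUTED.get(stored_hex)

def hash_password(password: str, salt: bytes = None, iterations: int = 600_000):
    """Hardened scheme: random per-user salt plus a slow hash (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)  # stored next to the hash; it is not secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Unsalted: the stored value is found in the table immediately.
    print("unsalted lookup:", table_lookup(fast_unsalted("hunter2")))
    # Salted: two users with the same password get different stored values,
    # and neither appears in the precomputed table.
    salt_a, hash_a = hash_password("hunter2")
    salt_b, hash_b = hash_password("hunter2")
    print("same stored value:", hash_a == hash_b)
    print("salted lookup:", table_lookup(hash_a.hex()))
    print("login still works:", verify_password("hunter2", salt_a, hash_a))
```

The salt makes a table built in advance useless, because every stored value would need its own table. It does not make a weak password strong, which is why the advice about complexity and uniqueness still applies.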

The sneaky simplicity of a dictionary attack

Misleading by name, this method doesn't rummage through Webster's latest; instead, it operates with a hacker's "dictionary"—i.e., a compact arsenal of the internet's favorite passwords. Think: "123456", "qwerty", "password", "iloveyou", and the internet-infamous "hunter2".

But there's a twist in this tale, a method known as "spidering." When a hacker sets their sights on a particular company or organization, they don't just throw common passwords at the wall to see what sticks. They craft a web of words specific to the target—think corporate lingo, industry jargon, or anything publicly associated with the company. This isn't done with a dusty old thesaurus but with a digital spider, akin to the bots search engines deploy to index vast expanses of the internet.

The appeal of dictionary attacks, especially with a spidering strategy, is their potential to unlock accounts of individuals perched high up in an organization's hierarchy. However, this method isn't foolproof. When creating your password, avoid anything that a dictionary attack could predict—personal information, simple sequences, or anything remotely guessable. Instead, opt for a chaotic mix of characters, numbers, and symbols, unique to each account. This way, your digital keys remain yours alone, safeguarded against the simplicity of the dictionary attack's deceptive cunning.


Your money at N26

At N26, we take security seriously. All N26 Mastercards are protected with 3D Secure technology, and if you spot any suspicious activity on your account, you can immediately lock your card right from the app. Plus, instant notifications on all account activity give you visibility and peace of mind. Visit our accounts page to find the one that’s right for you.

By N26
