“If someone else can run arbitrary code on your computer, it’s not YOUR computer any more.”
— Rich Kulawiec

Unauthorized access

Gaining unauthorized access to any account or service is considered illegal in all parts of the world.

Unauthorized access is when someone gains access to a website, program, server, service, or other system using someone else’s account or other methods. For example, if someone kept guessing a password or username for an account that was not theirs until they gained access, it is considered unauthorized access.

The term ‘unauthorized access’ describes the act of directly — or indirectly — accessing information online without authorization.

This can be any kind of information found online, such as:

  • social media accounts
  • websites
  • bank accounts
  • emails
  • business networks and systems.

Unauthorized access is often done with the intention of getting data for personal gain, or causing loss to another person.

It’s when someone:

  • is no longer permitted to access systems or information, but does so anyway
  • gets access to a system fraudulently, for example by guessing a password
  • gains access to a system by brute force — by using automated software to guess things like:
    • usernames
    • passwords
    • PINs, and
    • login details.
  • uses social engineering to get access to something they shouldn’t have. Social engineering is when an attacker:
    • gains someone’s trust and tricks them into giving them access or information they shouldn’t have
    • researches a person or company and gets enough information to be able to either guess their passwords or get them to reset to something the attacker chooses.

How to prevent unauthorized access

Here’s what you can do to reduce the likelihood of anyone getting unauthorized access to your computer system or network.

  • Be aware of social engineering. Don’t give out any personal information unless you know exactly who’s asking for it and why they want it. If you’re not sure, ask.
  • Choose unique passwords for your online accounts — don’t use the same password for every account you have. Consider using a password manager like KeePass to manage them.
  • Turn on multifactor authentication for your online accounts.
  • Always update your operating system and your apps when new versions are available. You can set this up to happen automatically with Windows and a lot of other applications like Office.
  • Install antivirus and anti-ransomware software on your computer if you don’t already have it, and update it regularly.
  • Scan for viruses regularly and clean up any infections straight away.
  • Make sure that the answers to your account recovery questions aren’t easy to guess. Your answers don’t need to be factual, just something that you can remember.
  • Be cautious when connecting your computer to unsecured networks like free WiFi or internet cafés.

If you have your own business, there are a few extra things you can consider.

  • Limit your employees’ access to the systems and processes they need to do their job and no more. This is known as the principle of least privilege.
  • Only give remote access to people within the business who need it. Put some controls around who can and can’t have it.
  • Monitor your business network and systems for any unexpected login attempts.
  • Keep an inventory of the devices on your network and make sure they’re secure.
  • Don’t use generic passwords and logins — have a unique login for every user and update your passwords regularly. 
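The brute-force pattern described above, many automated guesses at usernames and passwords from one source, is exactly what monitoring for unexpected login attempts is meant to catch. As an added example (not part of this page's guidance), the Python below runs that check over a few constructed sshd-style log lines; the log format, the failure threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH/syslog style; not real data.
SAMPLE_LOG = """\
Mar  3 09:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  3 09:00:02 host sshd[101]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Mar  3 09:00:03 host sshd[101]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 09:00:04 host sshd[101]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar  3 09:00:05 host sshd[101]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar  3 09:00:06 host sshd[101]: Accepted password for root from 203.0.113.7 port 40006 ssh2
Mar  3 09:05:00 host sshd[102]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar  3 09:05:30 host sshd[102]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2
"""

# Assumed line layout: "<Mon> <day> <time> <host> sshd[<pid>]: <Failed|Accepted> <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line, year=2024):
    """Return (timestamp, result, user, source) or None. Syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed logins inside one window, and note
    whether a successful login from that source followed the failures."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, start in enumerate(fails):           # slide the window over each failure
            in_window = [e for e in fails[i:] if e[0] - start[0] <= window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1][0]
                success = any(e[1] == "Accepted" and e[0] > last_fail for e in evs)
                alerts[src] = {"failures": len(in_window),
                               "users": sorted({e[2] for e in in_window}),
                               "success_after": success}
                break
    return alerts
```

A source that is flagged with `success_after` set is the case to act on first: the guessing worked, so treat that account as accessed without authorization.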

If someone’s had unauthorized access to your system or network

Here’s what to do if your system or network has been accessed without your authorization.

  • Change the password for anything that was accessed without your permission.
  • Contact the service provider for your online accounts — like your bank or your email provider. Let them know what’s happened and ask what they can do to help.
  • Make sure you back up your files regularly. This includes the files on your computers, phones, and any other devices you have. You can:
    • do an ‘offline’ or ‘cold’ backup. Back up the data to an external hard drive and then remove the hard drive from your device
    • do a cloud backup to Dropbox or a similar online hosting service.
Visit CERT NZ for more information. 
Visit ACSC for more information.