Mittens Rules The Milky Way, and other simple ways for clubs to improve cyber security

Michael Connelly and Courtney Frederiksen

We’ve all seen that suspicious email. Perhaps it’s from someone you know, but it’s a little strange that there’s only an attachment called ‘You have to see this’. Download the file, and lo and behold – virus. Perhaps it looked like it was from your bank or an online file sharing service like Dropbox, with a link that directed you to input your personal details – do so, and whoops, you’ve fallen for the lure and been phished. Phishing is a way that criminals steal confidential information by sending fraudulent messages.

With so much of our communication and information stored online, everyone needs to take cyber security seriously. While government and businesses heed this message, we have seen an unfortunate rise in breaches of online security for sports clubs recently. Perhaps this is because incoming committee members don’t think that the secretary’s email address is worth hacking. Maybe it’s just laziness. Or it could be as simple as thinking, because I don’t want to have to remember another password, I’ll just leave it the way the last secretary had it set up.

This has resulted in real costs for clubs. In some cases, these costs are directly financial, like the football clubs who were scammed out of hundreds of thousands of dollars recently. This came in the form of an email scam where committee email addresses were hacked (thanks to poor password security) and committee members innocently provided sensitive information, like bank passwords, to fellow committee members via email, unwittingly giving thieves on the other side of the planet an easy, untraceable way to get in and steal their money.

But sometimes the cost is reputational. If I receive an email from someone I trust, say the operations manager at a regional association, and opening a link in their email compromises my online data and identity, I will most likely blame the operations manager, not the anonymous fraudster. These sorts of scams can lead to long-lasting reputation damage to innocent associations, who simply didn’t understand the need for strong and active password management.

If your sports club email addresses were compromised, think of the potential information hackers could get their hands on. Perhaps you sent an email to another committee member with the club website’s login details. Now the hacker has access to the backend of the site where you take payments from members.

Hackers can beat your passwords by using a method called ‘brute force’. They google your name and search on social media to find information about you, like your cat’s name, or where you celebrated your anniversary. They input key dates, names and phrases into specifically designed software which runs millions of iterations while inserting numbers and special characters. Unfortunately, this means that a password like Mittens1506!* can now be cracked in seconds.

Once a password is known, hackers can then run the same software against all of the different accounts you may have online, swapping in random letters and numbers, which makes M1tt0ns#2019 just as easy to crack.

Passwords are out, passphrases are in!

Instead of using a password, it is now recommended that we use a passphrase. A passphrase is a longer sequence of words or text. The longer the passphrase and the less obvious the string of words, the longer it takes brute force software to find it. For example[1]:

[Figure: brute force graph]

And MittensRulesTheMilkyWay is a whole lot more fun to type!
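To put some numbers behind the two sections above, here is a small calculator we have added for this article (it is not from the Cloudflare page cited, and nothing here cracks anything). It models the attack the text describes: a handful of words gleaned from social media, each tried with the usual letter-for-digit substitutions, a number or date, and a symbol or two on the end. It then compares that with a passphrase made of words picked independently from a 7,776-word list. The guessing rate, the substitution table and the number of tails tried are assumptions chosen to be plausible, not measurements; a memorable sentence like MittensRulesTheMilkyWay sits somewhere between the two models, since its words are not random.

```python
"""Added example: how many guesses a 'pet name + date + symbol' password survives
compared with a passphrase of randomly chosen words. All rates and rule sets are assumed."""
import itertools

# Letter-for-digit/symbol substitutions a cracking rule set would try (assumed set).
LEET = {"a": "@4", "e": "30", "i": "1!", "o": "0", "s": "$5", "t": "7"}

GUESSES_PER_SECOND = 1e10   # assumed offline guessing rate against a leaked password database
DICEWARE_WORDS = 7776       # size of a standard 7776-word passphrase list
SYMBOLS = 33                # printable ASCII punctuation characters


def leet_variants(word: str) -> set[str]:
    """Every spelling of `word` reachable through the LEET substitutions.

    The original letter is always kept as one option, so the plain word is included
    and 'Mittens' yields 'M1tt0ns' among its 108 spellings.
    """
    options = [(ch,) + tuple(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(combo) for combo in itertools.product(*options)}


def targeted_search_space(personal_words, casings: int = 3) -> int:
    """Guesses to exhaust 'personal word + number + up to two symbols'.

    Each word is tried as typed, Capitalised and UPPERCASE (casings=3) in every
    substitution spelling, followed by nothing / any 4-digit number / a ddmmyy date,
    and then zero, one or two trailing symbols.
    """
    number_tails = 1 + 10_000 + 366 * 100
    symbol_tails = 1 + SYMBOLS + SYMBOLS ** 2
    base = sum(len(leet_variants(w)) for w in personal_words) * casings
    return base * number_tails * symbol_tails


def passphrase_search_space(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> int:
    """Guesses to exhaust every passphrase of `word_count` independently chosen words."""
    return dictionary_size ** word_count


def seconds_to_crack(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: the whole space has to be searched."""
    return guesses / rate


def human_duration(seconds: float) -> str:
    """Round a duration to the largest convenient unit for a non-technical reader."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed sample: what a quick look at a committee member's social media might turn up.
    personal = ["Mittens", "Bluey", "Carlton", "Noosa"]
    print("Personal words + numbers + symbols:",
          human_duration(seconds_to_crack(targeted_search_space(personal))))
    for n in range(3, 7):
        print(f"{n}-word random passphrase:",
              human_duration(seconds_to_crack(passphrase_search_space(n))))
```

Run it and the contrast is stark: the whole "Mittens" family, substitutions and dates included, is under 20 billion guesses, a few seconds at the assumed rate, while four random words already run to days and six to longer than anyone on the committee will be alive.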

Here are some tips to protect your club’s information online[2]:

Be vigilant

  • 92% of malware comes via email[3]

  • Spelling and grammar mistakes can indicate a false email

  • Hover over a link (or right click and select Copy Link Address) to confirm the link address before clicking anything
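The hover check works because an email link has two parts: the words you see and the address it really goes to, and a scammer controls both. The script below is an added example for this article (not from the Stay Smart Online page cited) that does the same comparison automatically over the HTML of a message: it pulls out every link, and where the visible text looks like a web address it checks that the domain shown matches the domain the link actually points to. The sample email, the example domains and the handful of warning signs it looks for are constructed for illustration.

```python
"""Added example: flag email links whose visible text disagrees with their real address."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a web address, e.g. "https://www.dropbox.com/s/abc" or "mybank.com.au".
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> in an email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Keep the last two labels: 'www.dropbox.com' -> 'dropbox.com'.

    Simplified on purpose; a real tool would consult the public suffix list so that
    'example.com.au' is handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_link(href: str, text: str) -> str:
    """Return 'ok' or a one-line reason the link deserves a second look."""
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme not in ("http", "https"):
        return f"unusual link type '{target.scheme}'"
    if not host:
        return "link has no web address"
    if BARE_IP.match(host):
        return "link goes to a bare IP address"
    match = URL_LIKE.match(text)
    if match:
        shown = match.group(1).lower()
        if registrable_domain(shown) != registrable_domain(host):
            return f"text says {shown} but link goes to {host}"
    return "ok"


def audit_email(html: str):
    """Run check_link over every link in the message; returns (href, text, verdict) tuples."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed sample message: the first link reads like Dropbox but points elsewhere.
SAMPLE_EMAIL = """
<p>A file was shared with you.</p>
<a href="http://dropbox.com.secure-login.example/view">https://www.dropbox.com/s/abc</a>
<a href="https://www.dropbox.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:60} <- '{text}' -> {href}")
```

The first link is the classic trick: the real site's name is buried inside a much longer hostname, so a glance at the visible text is reassuring while the browser would actually go to `secure-login.example`. Plain "Help centre" text can never be checked this way, which is exactly why hovering, or copying the link address, before clicking is the habit to build.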

Confirm authentication

  • If you’re suspicious about an email you have received, confirm with the sender of the email before opening a file or link

  • Neither your bank nor any other large organisation would ever send you a link asking you to enter your personal information

Protect your passwords

  • Don’t share your passwords with anyone, and don’t keep a written list of passwords in your top drawer!

  • Have unique passwords, especially for important accounts, like email, banking, and other accounts that hold your financial data

  • Change to a passphrase instead of a password

  • Use password management software, like that available in web browsers, and keep your software up to date

Don’t let your club fall victim to dodgy online scams. You and your volunteers have striven to build your reputation and your online brand. And you have worked too hard to earn the money that you have in the bank to risk losing it to thieves, scammers and hackers, who have realised that clubs can be ‘easy pickings’.


[1] https://www.cloudflare.com/learning/bots/brute-force-attack/

[2] https://www.staysmartonline.gov.au/protect-yourself/recover-when-things-go-wrong/phishing

[3] 2018 Data Breach Investigation Report, Verizon