Stolen Credentials – How Hackers Breach Secure Organizations

passwordphoto4678491

 

Hackers have sophisticated skills and many tools at their disposal. The Internet can be a dangerous place and many casual computer and Internet users become the hacker’s unwitting accomplices.

Most people, private individuals or business professionals alike, are not good stewards of their credentials. They do not use a secure method for storing passwords and Logon IDs.
This article exposes the facts of how the uninformed Internet traveler is making it easier for the hacker and putting everyone’s personal information at risk.

The Free & Easy Truth About Passwords

Funny Story – A Password Calamity on Live TV

Individuals and businesses are far too casual about their credential management. A classic, and certainly embarrassing example of this occurred during a live broadcast with a French Television reporter. Ironically, the broadcast was about a hacking incident that happened on a different French program. The interview discussing the prior hack was conducted in front of a staffer’s desk—which was smothered in sticky notes and index cards with account usernames and passwords written on them. They were posted in view of anyone walking by, and now, the entire TV audience as well!

You can read the entire story, including the image of scene behind the reporter, here.

Password Mal-Practice

It’s a lucky thing for many people think that password management is not thought to be as critical as healthcare management. If it was, the malpractice insurance and law suits would be colossal.
Most people have not figured out a secure and accessible means for storing their credentials. This means they try to remember them or just keep them written down somewhere convenient. Sticky notes on the computer monitor is a popular tool. Memories can be weak, so many people have just a few simple passwords they reuse frequently. That practice makes their security as weak as their memories. Even people who use more sophisticated passwords tend to reuse only 3-5 passwords across all web services they may access.

According to blogger Tom Le Bras on Dashlane, the average user has at least 90 online accounts. It is no wonder that memories fail.

The KISS Principle Backfires!

When it comes to passwords, concepts like “Keep It Simple Stupid” and “Less Is More” are counter-productive and dangerous. The following graphic from an article on Entrepreneur.com, shows the 5 most commonly used passwords in 2014.

Common_Passwords

The following graphic from the same article on Entrepreneur.com, provides an interesting illustration of password reuse behaviors.

KISS

Frustration is the True Mother of Invention

So how do people attempt to store manage and recall their passwords? The following infographic from Password Boss, illustrates the wide-spread futility of self-devised solutions.

Manage_Passwords

Breaching Secure Organizations – With Their Own Keys

Everyone understands that credentials are for granting account access to users. What is somewhat less understood, is that authentication processes cannot distinguish between the legitimate user and an attacker using legitimate credentials. That is the fundamental flaw in the current online security. Given the wide-spread mismanagement of user credentials, it is not difficult for hackers to pose at legitimate users.
Attacks start with malware and phishing exploits perpetrated on thousands of ordinary Internet users. Because users’ credentials are so poorly secured, attackers are able to compile large numbers of online account credentials that are shared on the dark web. Attackers will try every compromised password against multiple services. In other words there is a domino effect – one key will open multiple doors. The following graphic from Entrepreneur.com, illustrates the domino effect of reused passwords.

Domino_Effect

With password reuse being such a prevalent practice, attackers are able to use large numbers compromised credentials against multiple services. The services are breached even though they are otherwise perfectly secure. The attack success rate using compromised credentials is estimated to be between 15% and 40%.
According to Password Boss, “Data Breach Fatigue” is a real human reaction to the constant bad news and contributes to apathy about password habits.

Stolen Credentials – How Hackers Breach Secure Organizations - image change_password on https://www.vericlouds.com

The end result of this apathy is that compromised passwords provide continued value to hackers for years after they are first acquired. Reading about this apathetic response makes one think of the old saying – “All that’s required for evil to triumph is for good men to do nothing”.

Breaches in the News

Comcast – Announced that 200,000 of its customers will have to reset their login information after a suspected security breach, although the company denies it was hacked. A post on the dark web claimed to sell a package of 590,000 Comcast user emails and passwords for $1,000. According to CSO Online article, it’s likely the login information became available when customers accidentally installed malware, or were exposed to phishing or previous major data breaches. Read the entire story, with video here.

Alibaba – According to an article on Reuters.com, hackers in China attempted to access over 20 million active accounts on Alibaba Group Holding Ltd’s, Taobao e-commerce website. The hackers used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts.

FitBit – According to an article carried on CNBC and first reported by BuzzFeedNews, multiple online FitBit accounts were penetrated by hackers who changed email addresses and usernames. They also tried to swindle Fitbit out of replacement items under a user’s warranty. The hackers gained access to Fitbit users’ GPS history, “which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep”. Read the entire story with video here.

Conclusions

  • Many companies are vulnerable when a sophisticated attacker uses stolen credentials from other services and applies them against the target company.
  • Such attacks have a high success rate because authentication processes are not able to distinguish between the legitimate user and an attacker using legitimate credentials.
  • The account security of your company is no better than the lowest level of security protecting other online accounts visited by your users.

What if hackers could not leverage valid user credentials? What if all compromised credentials and accounts were known and unusable? VeriClouds can make this a reality.

ABOUT VERICLOUDS

VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.

Spread the word. Share this post!

We Accept Only Business Email Addresses – No Free or ISP Email Addresses

Please enter a business email address to obtain proper delivery of the product. If you do not have a business email address or experience any issues during the registration process, please send an email to support@vericlouds.com