Major Credential Breaches Place Account Security At Risk
Imagine a traditional office environment scenario in which a different person turns up for work one day, claiming to be you. They may look and sound completely different, but the fact that they know your name and place of work is enough – for them at least – to claim that this is sufficient proof of their identity.
Unless it’s part of an elaborate prank of course, the individual in question would be asked to leave and the authorities likely notified – that is, if they had the nerve to try such a scam to begin with.
The chances of some variation of this happening in the real world are, of course, why we have photo cards on our passports, driving licenses and other documents that may be required to prove who we are – even in scenarios in which the party carrying out the inspection doesn’t know the individual to begin with. Your face and associated biometrics are your identity.
Things are hazier in the online world. While tools like facial recognition and fingerprint sensors are commonplace in some arenas, when it comes to logging into services like online banking or remote access workplaces, identity is typically proven with usernames and passwords: information that, in theory, is known only by the rightful user.
But what happens if a bad actor gets hold of this information? Potentially quite a lot, actually – which is why it poses such a security threat, possibly allowing attackers to pose as individuals for a variety of malicious use-cases. It’s a reminder of just why account takeover prevention tools are so necessary.
Attacks go from bad to worse
The threat of stolen credentials continues to go from bad to worse. According to one recent report, the Office of the Attorney General (OAG) for New York state concluded that 1.1 million online accounts had been compromised as part of credential stuffing attacks – in which attackers use stolen login credentials to try and access other services where the username and password may have been reused.
(For instance, a person who uses Password123 as the password for both their Amazon account and their PayPal account.)
In total, there are reportedly upward of 15 billion stolen credentials circulating online – roughly twice the global population, since many users will have multiple sets of credentials to their name.
There are various reasons why account takeover attacks may be continuing to happen. One is that, despite warnings, many customers continue to reuse credentials – sometimes even failing to change login details when they hear about a data breach that could affect them.
The fact that more of our lives are now lived online – for everything from filing taxes to remote work via the Remote Desktop Protocol (RDP) – also opens up more potential credentials to steal, more ways to steal them, and more opportunities to cause damage in the event that they are stolen. The adoption of Software-as-a-Service (SaaS) solutions has exposed critical services to the public internet, making it easier not just for attackers to steal credentials, but also to test out their compromised credentials on other services and websites.
One other crucial factor is the rise of automation tools such as bots, which can be used both for brute-force cracking of passwords and for carrying out the kind of time-consuming trial and error needed for credential stuffing attacks. This has made possible, at scale, an approach to account takeover that would once have been unfeasible for attackers.
All they have to do is to get hold of credentials and then let a bot do the hard work of trying to crack individual accounts!
Defending yourself against attacks
Fortunately, while there may be multiple reasons these attacks continue to happen, there are also multiple ways that users can defend themselves. For starters, users should ensure that they do not reuse passwords across multiple platforms – or, to be extra safe, even variations of the same password. They should also frequently change their passwords, especially if they hear that there has been a data breach on one of the platforms that they use.
Organizations and users should additionally make use of multi-factor authentication measures. This ensures that, even if an attacker is able to get hold of a password or username, they will be unable to use it without having access to an additional factor – such as the user’s smartphone. That adds an extra layer of protection that can prove invaluable.
It’s also important to make use of tools designed to safeguard against account takeovers. For example, advanced bot protection tools can help protect mobile applications, APIs and websites from automated attacks such as those seen in credential stuffing – without this affecting the flow of legitimate, business-critical traffic.
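The credential stuffing pattern described above – one automated source cycling through many different usernames, most of which fail – is also what a defender can look for in authentication logs. The following is an added example, not code from the original article or from any particular bot-protection product; it assumes a simple constructed log format of `timestamp source_ip username SUCCESS|FAIL` and flags source addresses that try many distinct usernames with a high failure rate inside a sliding time window, while leaving a legitimate user who mistypes their password a couple of times alone.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example (not from the original article). Assumes a constructed
log format: "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one stuffing source (203.0.113.7) cycling through many
# distinct usernames with mostly failures, one legitimate user (198.51.100.22)
# mistyping a password twice, and an ordinary successful login. All addresses
# are from documentation ranges.
SAMPLE_LOG = """\
2024-01-15T09:00:01 203.0.113.7 alice FAIL
2024-01-15T09:00:02 203.0.113.7 bob FAIL
2024-01-15T09:00:02 203.0.113.7 carol FAIL
2024-01-15T09:00:03 203.0.113.7 dave SUCCESS
2024-01-15T09:00:03 203.0.113.7 erin FAIL
2024-01-15T09:00:04 203.0.113.7 frank FAIL
2024-01-15T09:00:04 203.0.113.7 grace FAIL
2024-01-15T09:00:05 203.0.113.7 heidi FAIL
2024-01-15T09:00:05 203.0.113.7 ivan FAIL
2024-01-15T09:00:06 203.0.113.7 judy FAIL
2024-01-15T09:01:10 198.51.100.22 alice FAIL
2024-01-15T09:01:25 198.51.100.22 alice FAIL
2024-01-15T09:01:40 198.51.100.22 alice SUCCESS
2024-01-15T09:05:00 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=8, min_fail_rate=0.8):
    """Return {ip: summary} for sources whose behaviour matches credential stuffing.

    Heuristic: within some sliding window of length `window`, one source IP
    tries at least `min_users` distinct usernames and at least `min_fail_rate`
    of its attempts fail. For a flagged IP the summary describes the qualifying
    window with the most distinct usernames. Thresholds are illustrative.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            fail_rate = fails / len(span)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "fail_rate": round(fail_rate, 2),
                    # Accounts where a reused password actually worked: these
                    # are the ones to force-reset and notify.
                    "succeeded_users": sorted(u for _, u, ok in span if ok),
                }
                if best is None or summary["distinct_users"] > best["distinct_users"]:
                    best = summary
        if best is not None:
            flagged[ip] = best
    return flagged


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"{ip}: {info}")
```

The key design choice is to key on distinct usernames per source rather than on failures per account: a stuffing bot spreads its attempts across many accounts, so per-account lockout thresholds never trip, whereas the legitimate user in the sample generates failures against a single account and is not flagged. The `succeeded_users` field matters more than the alert itself, since those are the accounts where a password reused from another breach has already been confirmed to work.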
By employing measures such as this, users and organizations alike can be confident that they are keeping themselves – and those who rely on them – safe in the face of potentially devastating cyber attacks. There can be few better investments they can make.