Chances are, at least some of your passwords are already in the wrong hands
By: David Greenham, CISSP, CISM, CISA, SCF, QSA, Sr. Manager, Richter
So you receive a poorly-crafted email, full of spelling and grammatical mistakes, claiming to be from someone who has installed malicious software and taken control of your PC. They’re demanding a ransom in Bitcoin or they will send compromising photos to all of your contacts. You laugh at the absurdity of it, but notice that they actually tell you the password that was exposed, and it looks familiar, or maybe it hits a little too close to home. It makes you think, “Where did I use that password?”, or maybe even “How many places do I use that password?” …sound familiar?
First of all, you are not alone; there are hundreds of millions of user credentials that are being bought, sold and disclosed on the Dark Web. In fact, scarcely a week goes by without a news story about a data breach involving consumer information.
In addition to data breaches wherein databases full of user IDs and passwords are exposed, there are many other ways in which cyber criminals are stealing credentials from unsuspecting users. Criminals send out phishing emails, for example, that are made to closely resemble the branding of an online service, in an attempt to trick the user into following a link to a fake website that asks the user to log in. What the website is actually doing is storing the user’s current user ID and password in a database for the attacker to then use or sell. It’s a tactic used frequently, as recipients often don’t recognize that the email or the website is suspicious (or realize it too late).
There are a number of reasons why cyber-criminals could be after your credentials, including:
- Theft and fraud – Accounts that are associated with real money or assets can be hijacked and are very enticing to criminals. If there is a credit card attached to the victim’s account, fraudulent purchases can be made. Cyber-criminals frequently purchase products that they can monetize, such as gift cards.
- Identity theft – Accounts with access to customer, citizen or employee Personally Identifiable Information (PII), such as tax, healthcare or other government agencies, or company HR databases can be accessed and PII can be stolen, which can then be used to commit fraud. Examples include opening bank accounts for nefarious purposes, and/or taking out mortgages, loans or credit cards in the victim’s name.
- Account takeover (ATO) attacks – When an attacker has control over the victim’s email or social networking account, they can perform a number of damaging actions including sending malicious software or spam to everyone in the victim’s contact list, gleaning information about the victim that could reveal answers to their “secret questions” (for online banking as an example), or soliciting funds from people in the victim’s social circles. This type of attack is also common in the corporate world, and is often referred to as the “CEO Scam”. When an executive falls victim to email account takeover, the attacker will pose as the executive, and ask for funds to be transferred to a vendor or other entity of their choosing. In situations like this, since the email or social networking account is the victim’s actual valid account, Account Takeover attacks can be very difficult for recipients to detect.
- Data theft – Typical motives of committing data theft include monetary gain, corporate or nation-state espionage, extortion, and causing embarrassment or reputational damage to the individual or company.
- Denial of service – Once an attacker gains access to an account, they can change the password so that the legitimate user cannot access the account. This could be disastrous if the account is used to configure a company’s IT infrastructure, such as a cloud environment. The attacker can also cause havoc by turning off virtual servers or destroying data.
The problem isn’t necessarily that a person’s credentials on some obscure online website have been compromised; the issue is when that person uses those credentials (the same user ID and password combination) for multiple online services – possibly even online banking sites or to access their corporate network! It’s been reported that the average person is required to remember passwords to an average of 22 online services in today’s world, so it is no wonder that many people use the same log-in information just to make their lives easier. But in the end, is making yourself less secure really worth making your life “easier”?
So, fear not. There are tools available to make password management easier, while at the same time enabling you to use unique and very complex passwords. These tools are generally referred to as “password vaults” or “password safes”. Using a password safe means that you do not need to remember the passwords to all of your online accounts. You just need to remember the master password to the safe. From there, simply copy and paste the credentials directly from the safe into the username and password fields of most services subscribed to, without even needing to see the passwords.
Some examples of password management tools are:
- Keeper Password Manager & Digital Vault
- Password Boss
- True Key by Intel Security
It is important to keep in mind that you still need to remember the master password to access the vault, and you still need to ensure that you are entering credentials into the legitimate site and not a bogus site designed to steal credentials. For extra protection of your online accounts, consider using multi-factor authentication (MFA) solutions. These solutions provide an additional layer of authentication: in addition to “something you know”, such as a username and password, they also require an additional factor, such as “something you have” (for example, certificates, hardware tokens, smart cards, etc.), or “something you are” (for example, thumbprint, face scan, retina scan, etc.). These days, many online services offer multi-factor authentication as an option. Some companies use their own proprietary authentication software tools, while others use widely-adopted third-party authenticators. Some solutions generate a code that changes every minute, which needs to be entered in addition to the username and password; others send a text message to the user’s smartphone that includes a code that needs to be entered.
Examples of multi-factor authentication solutions include:
- RSA SecurID
- Google Authenticator
- Microsoft Authenticator
- Duo Security
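To make the "code that changes every minute" concrete, here is an added sketch (not from the original article or any vendor's product) of the open TOTP standard, RFC 6238, together with the server-side check that accepts a little clock drift and refuses a code that was already used. The 60-second step, the 6-digit length and the sample secret are assumptions chosen to match the description above; individual products may use other parameters or proprietary algorithms.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: matches the "changes every minute" description
DIGITS = 6         # assumption: common code length


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 code: HMAC-SHA1 over the number of time steps since the epoch."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_counter: int, step: int = STEP_SECONDS, drift: int = 1):
    """Return the matching time step, or None if the code must be rejected.

    Accepts +/- `drift` steps of clock skew. Any step at or before
    `last_used_counter` is refused, so a code captured by a phishing page
    cannot be replayed after the real user has logged in with it.
    """
    current = unix_time // step
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used_counter:
            continue  # already consumed: treat as a replay
        expected = totp(secret, counter * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter  # caller stores this as the new last_used_counter
    return None


if __name__ == "__main__":
    # Constructed sample secret (the RFC 4226 test key), not a real credential.
    shared_secret = b"12345678901234567890"
    code = totp(shared_secret, 65)
    print("code at t=65s:", code)
    print("first use:", verify(shared_secret, code, 65, last_used_counter=-1))
    print("replay:", verify(shared_secret, code, 70, last_used_counter=1))
    print("stale code 4 minutes later:", verify(shared_secret, code, 305, 1))
```

A stolen password alone fails this check because the attacker also needs the shared secret held by the token or authenticator app, which is why the second factor limits the damage from reused or leaked passwords.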
How Richter can help:
- Monitoring for leaked credentials or Dark Web chatter about you or your organization
- Security Awareness Training
- Phishing simulations
- Vendor selection and proof-of-concept of multi-factor authentication or other Identity and Access Management (IAM) solutions
 GCHQ’s Password Guidance: Simplifying Your Approach