An announcement made in September by Yahoo put the organisation among the biggest data breaches in history, with at least 500 million accounts compromised.
Yahoo is not alone. Earlier this year, 427 million stolen MySpace passwords were posted for sale on the dark web, and the database was posted by the same cybercriminal who, just one week prior, had been selling the data of more than 164 million LinkedIn users.
While the methods of infiltration differ, the common factors are that the attackers used stolen, valid credentials to gain access, and that consumers had their access credentials exposed and sold on the dark web.
According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved the use of weak, default or stolen credentials.
If organisations don’t take action to safeguard their resources and data, they too are leaving themselves at risk. Businesses need to take notice of what has been happening to other organisations and act quickly to minimise the risk of being the next victim.
These data breaches took months to uncover – none have been simple ‘hit and run’ incidents. They have been break-ins with intent. The bad actors took time to filter through the sites and access a variety of consumer data and information.
In some ways we can see a knock-on impact. Once a credential set has been compromised in an attack, hackers either manually test it across a number of sites or employ bots to do so. This exploits the fact that users often reuse the same logins across multiple accounts.
Once inside, the attacker elevates their level of access and begins using legitimate or newly created credentials to move from one system to another as a form of reconnaissance, working towards their goal of stealing the most valuable data.
The number of passwords users are required to remember is only growing as consumers increasingly utilise online services. And to keep life simple, users are adopting the same login credentials across multiple sites.
Research released in September this year showed that around 90% of consumers understand there are risks in password reuse – and yet alarmingly, 60% continue to do it anyway.
Moreover, passwords are often basic in their make-up and therefore extremely vulnerable. In early September, news broke of a cyber-criminal attack on the ‘Russian Yahoo’, Rambler.ru.
A shocking finding in the breach was not just the volume of accounts compromised, but the fact that the most common passwords included terms such as “asdasd”, “123456” and “000000”.
Lessons from the leaks
For too long organisations have relied on usernames and passwords as the sole form of access control, and that is no longer adequate to protect confidential information or personal data.
These attacks should serve as a hefty reminder to businesses that they need to continuously innovate in their approach to authentication, taking themselves far beyond traditional username and password and even vanilla two-factor approaches.
The cumbersome early days of multi-factor authentication cast a shadow on the technology, but times have changed and options are now more robust, whilst being less invasive.
Smart organisations are already moving to stronger methods of user authentication, including adaptive access control techniques as a way of safeguarding credentials.
It is imperative that more organisations follow this lead and implement adaptive access in a way that, in addition to checking the credentials, performs pre-authentication checks (the geo-location of the login attempt, the type of web browser being used, and the IP address the user is logging in from) and risk analysis as part of the authentication process.
An example could be requiring something a user knows (credentials), something a user has (a recognised or registered device), and something the user is (a biometric). This helps render stolen credentials completely worthless across the breached site and maintains a simple user experience.
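As an added illustration of the adaptive flow described in the two preceding paragraphs, and of the credential-stuffing pattern mentioned earlier (one source testing stolen credentials across many accounts), here is a small risk-scoring authenticator. It is example code written for this article, not SecureAuth's product or code; the user profiles, IP denylist, point values and thresholds are all constructed assumptions, and the geo-location and browser fields are assumed to have been derived from the source IP and User-Agent before the attempt reaches this component.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, not real records: what the organisation already knows
# about each user's habitual devices, countries and browsers.
KNOWN_PROFILES = {
    "alice": {"devices": {"dev-a1"}, "countries": {"GB"}, "browsers": {"Firefox"}},
}
# Constructed denylist standing in for a threat-intelligence feed of bad source IPs.
BLOCKED_IPS = {"203.0.113.66"}

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginAttempt:
    username: str
    password_ok: bool          # result of the ordinary credential check
    ip: str
    country: str               # from geo-location of the source IP (assumed done upstream)
    browser: str               # family parsed from the User-Agent header (assumed upstream)
    device_id: Optional[str]   # identifier of a registered device, if one is presented
    mfa_ok: bool = False       # possession + biometric factors already verified
    ts: float = 0.0            # seconds; only relative values matter here


class AdaptiveAuthenticator:
    """Combines pre-authentication context checks with a risk score."""

    def __init__(self, window_s: float = 300, stuffing_threshold: int = 5):
        self.window_s = window_s
        self.stuffing_threshold = stuffing_threshold
        # source IP -> recent (timestamp, username) pairs for failed logins
        self._failures = defaultdict(deque)

    def _record_failure(self, attempt: LoginAttempt) -> None:
        q = self._failures[attempt.ip]
        q.append((attempt.ts, attempt.username))
        while q and attempt.ts - q[0][0] > self.window_s:
            q.popleft()

    def _distinct_failed_users(self, attempt: LoginAttempt) -> int:
        q = self._failures[attempt.ip]
        return len({u for t, u in q if attempt.ts - t <= self.window_s})

    def score(self, attempt: LoginAttempt):
        """Pre-authentication checks on the context of the attempt."""
        points, reasons = 0, []
        if attempt.ip in BLOCKED_IPS:
            points += 100
            reasons.append("ip_denylisted")
        # One source IP failing across many different usernames is the
        # signature of a credential-stuffing run, whatever this password is.
        if self._distinct_failed_users(attempt) >= self.stuffing_threshold:
            points += 100
            reasons.append("credential_stuffing_velocity")
        profile = KNOWN_PROFILES.get(attempt.username, {})
        if attempt.country not in profile.get("countries", set()):
            points += 40
            reasons.append("new_country")
        if attempt.browser not in profile.get("browsers", set()):
            points += 20
            reasons.append("new_browser")
        if attempt.device_id not in profile.get("devices", set()):
            points += 30
            reasons.append("unregistered_device")
        return points, reasons

    def decide(self, attempt: LoginAttempt):
        """Return (decision, reasons) for one login attempt."""
        points, reasons = self.score(attempt)
        if not attempt.password_ok:
            self._record_failure(attempt)
        if points >= 100:
            # Hard block decided on context alone: a valid stolen password
            # does not get the attacker in, and the response does not reveal
            # whether the submitted password was right.
            return DENY, reasons
        if not attempt.password_ok:
            return DENY, reasons + ["bad_password"]
        if points >= 30:
            # Correct password but unfamiliar context: require something the
            # user has (registered device) and is (biometric) before allowing.
            return (ALLOW, reasons) if attempt.mfa_ok else (STEP_UP, reasons)
        return ALLOW, reasons
```

A login from the user's usual country, browser and registered device is allowed on the password alone, so the everyday experience stays simple; the same password presented from a new country on an unknown device is challenged for the additional factors; and a password presented from an IP that has just failed against several other usernames is refused outright, even though the password is correct.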
Cyber-attackers will continue to become even more sophisticated as their methods become more robust. It’s imperative organisations prepare and make sure strong defences are in place yet are still user friendly.
It is critical that security continues to innovate and keep ahead of the attackers in 2017. Critical business information and personal data must be protected by more than just the password, or even basic two-factor methods. The future of personal and professional online lives must move away from the two-box login that people and businesses have grown so complacent about.
Sourced from James Thompson, VP of EMEA, SecureAuth