Why are most phishing campaigns designed to steal user credentials? Because credentials are the easiest key to an organization's virtual premises: with a valid password, an attacker walks in unnoticed. Yet most users still believe that their password-protected systems are secure.
Millions of passwords are compromised each day because cracking or stealing passwords is easier than launching sophisticated cyber-attacks. A website called HaveIBeenPwned tracks such compromised accounts, and users can check there whether their own accounts have appeared in a breach. The site lists hundreds of millions of accounts compromised across multiple breaches, whether through successful phishing attacks or through reuse of already compromised passwords on other platforms. Below is an image of the website tracking the latest breaches and compromises.
Another way attackers obtain passwords is by reviewing a user's password history and guessing the next password from the pattern the user follows. For example, a user may change their password to the date of birth of a family member every time a change is required. Attackers may mine the target's social media as open-source intelligence to acquire the birth dates of other family members and use them as the next password guesses for that user.
The image above shows that millions of accounts have been compromised in data breaches. To make matters worse, most of these passwords are the sole protection for the devices they belong to. Single-factor authentication is a badly outdated way of protecting your assets in this age of technology. Additionally, most users practice password reuse, i.e. they do not have a unique password for every platform but use the same one for multiple logins. Consequently, when that password is exposed or breached on one platform, it can be used to access every other platform where it is repeated.
Single-factor authentication poses a serious threat to an organization's security. Once a legitimate password is acquired, attackers can get inside the organization through the single-step sign-in process without raising any suspicion. At that point the best network security procedures go down the drain, and attackers stroll around inside the organization without triggering an alarm. Statistics show that many attack types have succeeded with simple techniques because no second form of authentication had to be provided at the time of the unauthorized login. It is the insufficiency of these single-step sign-in processes that makes Business Email Compromise so common and leaves plain-text protocols open to exploitation.
• Business Email Compromise
Password breaches and weak authentication processes often compromise business accounts on a massive scale for financial profit. Business Email Compromise (BEC) has been a known, profitable attack for the past few years. It was reported in July 2018 that attackers made more than $12 million through these attacks in less than five years. Once the password for such an account was acquired, attackers were able to access it without difficulty.
• Legacy Protocols
Single-step sign-in is also dangerous where organizations need to use plain-text protocols, also known as legacy protocols. Unfortunately, organizations are sometimes bound to single-step sign-in where they rely on simpler technologies such as SMTP, because these protocols were created in simpler times, before multi-factor authentication was in use. The bigger concern is that attackers are also aware of these limitations and deliberately target legacy protocols to bypass the more advanced protocols and authentication methods.
A paper by the SANS Institute states that organizations are now vulnerable to attacks for reasons beyond their own security measures. While they continue to suffer direct data breaches and spear phishing, they are also threatened by data breaches at third parties, which expose the passwords their users have reused elsewhere. Reused passwords let attackers target multiple platforms with a single stolen credential.
Having retrieved one password from a breach, attackers will certainly try it against other organizations too.
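One practical defence against the reuse problem described above, and against the breach lists that HaveIBeenPwned tracks, is to refuse a password that already appears in a known breach corpus. The following is an added example, not code from the original article: it follows the k-anonymity scheme of HaveIBeenPwned's Pwned Passwords range lookup (SHA-1 the password, send only the first five hex characters, compare the rest locally), but the network fetch is replaced by a constructed offline response so it runs without access to the service; a real deployment would issue an HTTPS GET for the prefix instead.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords "range" response: the real
# service returns, for a 5-hex-character SHA-1 prefix, one "SUFFIX:COUNT"
# line per leaked hash sharing that prefix. Suffixes and counts below are
# made up for this example and are not real breach figures.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
        "00D4F6E8FA162B56B02C2B8E1C8C2F5B2A1:17\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    ),
}


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Hash with SHA-1 (the scheme the range lookup uses) and split so that
    only the first five hex characters ever leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Hypothetical replacement for the HTTPS GET; returns the constructed body."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = never seen).
    The full hash is only ever compared locally, so the service never learns it."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def acceptable_for_new_account(password: str) -> bool:
    """Policy check for a registration or password-change form."""
    return breach_count(password) == 0
```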
To avoid the vulnerabilities and security weaknesses that come with single-step password authentication, users are advised to make use of available resources such as multi-factor authentication and password-less authentication. These ensure that your entire security does not depend on a password: even if the password is leaked or breached, attackers will still be unable to access your device or system if multi-factor or password-less authentication is enabled.
Utilizing Multi-factor Authentication
Multi-factor authentication combines a username and password with at least one additional proof of the user's identity. That proof can be something you have (a device that confirms the login attempt via a PIN code or link it receives) or something you are (biometric verification such as a thumbprint). There are also software-based MFA options that work with smart devices such as phones and laptops.
Most users avoid setting up multi-factor authentication because it involves an external device; it is a two-step rather than a one-step authentication and demands slightly more effort than a single password. However, it is about time that organizations started enforcing multi-factor authentication and raising awareness of the risks of password reuse.
Hardware devices exist that store encryption keys used to verify the user's identity. Technological advances also allow websites to implement stronger, password-less authentication that strengthens the security chain as a whole. Common examples of password-less authentication are facial recognition, iris detection and thumbprint reading, as implemented in the latest mobile phones and notebooks. Advanced desktop systems also support facial recognition to verify the user's identity.
Since password compromise is becoming easier with advanced phishing techniques, organizations should discard single-step sign-in, discourage password reuse and implement at least multi-factor authentication to ensure their safety. Password-less authentication should also be used wherever it is feasible and available.