Cyber Security threats that can compromise passwords
The threat of cyber crime is vast and ever expanding.
Weak authentication systems are often exploited. This leads to account takeover, data breaches and financial costs.
Large businesses are often the target of co-ordinated attacks.
However, biometric technology is emerging to mitigate the threat posed by these hacks.
Phishing
This is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. The attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. These messages aim to trick the user into revealing important data, often a username and password that the attacker can use to breach a system or account.
Malware
The growth and spread of malware is rampant, with millions of new forms of malware being created weekly. A key goal of a large portion of malware (such as Smoke Loader and SquirtDanger) is to steal passwords, credentials, files, data and directories. A new spate of malware is designed to steal sensitive information transferred over a browser: the likes of Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird can all be used to steal data.
Brute Force Attack
A brute force attack uses repeated trial-and-error attempts to guess the password and break into a website or a service. These attempts are quick and vigorous and are carried out by bots. A report by eSentire says that brute force attacks increased by 400% in 2017. While some of these attacks were blocked, a majority of them were able to gain unauthorized access to user accounts.
Keylogger Attacks
A keylogger monitors and logs every keystroke it can identify. This includes every password and username. Keystroke malware can refrain from recording the keystrokes until a certain activity is registered. For example, the program might wait until you open your web browser and access a specific bank website before it starts.
A Trojan keylogger is installed along with a regular program. Trojan horse viruses are malicious programs that don't actually look dangerous. They are attached to a regular, sometimes functioning program so that it doesn't seem like anything nefarious is installed on your computer.
Malicious insiders
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. Measures need to be in place to ensure data and end points are kept safe. This could include biometric user authorisation assigned to launching an application or performing tasks related to the handling of sensitive information.
User Error
The careless insider is the most common type of insider. He is typically a negligent, non-managerial employee who causes a breach of confidentiality unintentionally and has no real incentives to violate internal information security rules. These employees pose an unintentional, non-targeted threat and violate confidential data storage policies despite their best intentions. Breaches of this nature can lead to data leaks, password leaks, unauthorised access to applications and malware infections.
Weak Passwords
Passwords are commonly the biggest failure point of any network or login. Password cracking procedures will take data that’s been hacked and leaked, match it against a known word and discover the password. This problem is exacerbated by the fact that most people use the same password, or variations of a single password, for all of their accounts. If one of their known passwords is discovered it can be taken and applied to their other accounts, compromising their data.
Examples of security breaches stemming from compromised passwords
Equifax
In this attack, personal information of 147.7 million Americans was stolen. The data stolen included passwords, names, addresses, contact details, credit card data and Social Security numbers.
The attack process started on March 10, 2017, when hackers searched the web for any servers with vulnerabilities. On May 13, they were able to access Equifax's dispute portal, where people could go to argue about claims.
There, hackers used an Apache Struts vulnerability and gained access to login credentials for three servers. They found that those credentials allowed them to access another 48 servers containing personal information.
The hackers spent 76 days within Equifax's network before they were detected. The post-attack report says that the hackers stole the data piece by piece from 51 databases so they wouldn't raise any alarms. Equifax didn't know about the attack until July 29, more than two months later, and cut off access to the thieves on July 30.
Anthem
In the 2015 Anthem breach, hackers were able to implement a phishing campaign to compromise multiple C-level executive accounts. Because none of the executives used additional authentication mechanisms, hackers were able to easily access the entire data warehouse and remove more than 80 million customer records. The scale of this is staggering considering it was achieved from only five breached accounts. The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.
Uber
Uber learned in November 2016 that hackers had accessed personal data, including driver’s license information, for roughly 600,000 drivers in the US. The on-demand ride company acknowledged the breach in November 2017, saying it had paid $100,000 in ransom for the stolen information to be destroyed.
The hack also took the names, email addresses and mobile numbers of 57 million riders around the world. Two hackers accessed Uber’s GitHub account to uncover username and password credentials that never should have been stored there in the first place. The breach may have cost Uber $20 billion in valuation during its attempt to sell a stake in the company.
Twitter
Twitter was forced to tell its 330 million users to change their passwords after discovering a glitch that stored passwords unmasked in an internal log. Twitter said it stored passwords hashed with an algorithm called bcrypt, but the social network found that, because of a bug in its password hashing, passwords had been stored in plaintext before they were hashed.
LinkedIn
The social networking website LinkedIn was hacked on June 5, 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals. Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident. By the morning of June 6, passwords for thousands of accounts were available online in plain text.
In May 2016, LinkedIn discovered an additional 100 million email addresses and hashed passwords that were claimed to be additional data from the same 2012 breach. In response, LinkedIn was forced to invalidate the passwords of all users that had not changed their passwords since 2012.
eBay
eBay reported a cyber attack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.
8Tracks Music Streaming Service
The social music streaming company 8Tracks was surprised to learn that an employee inadvertently leaked the passwords of 18 million user accounts. The company was able to source the breach to a GitHub repository that did not require two-factor authentication.
Mass Password Dump
The largest collection of leaked data in history was posted online by security researcher Troy Hunt, who discovered a dataset comprising more than 772 million email addresses and 21 million passwords in a package of 12,000 files.
The 87GB trove was dubbed "Collection #1" by Hunt, who said he found it on both the MEGA cloud service and on a popular hacking forum. It contains 1,160,253,228 unique combinations of email addresses and passwords, including "dehashed" passwords that have been cracked and converted back to plain text.
Hunt said it was made up of numerous individual data breaches from thousands of different sources, and that the data would likely be used for credential stuffing, in which cyber criminals bulk test combinations of email addresses and passwords.
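Brute force (many guesses against one account) and credential stuffing (leaked pairs tried once each across many accounts) leave different shapes in an authentication log. The following is an added example, not part of the original article, that separates the two from the defender's side; the log format, the threshold and the function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log lines (not real data): time, source IP, user, result.
SAMPLE_LOG = """\
09:00:01 203.0.113.7 alice FAIL
09:00:02 203.0.113.7 alice FAIL
09:00:03 203.0.113.7 alice FAIL
09:00:04 203.0.113.7 alice FAIL
09:00:05 203.0.113.7 alice FAIL
09:00:06 203.0.113.7 alice OK
09:01:00 198.51.100.9 bob@example.com FAIL
09:01:01 198.51.100.9 carol@example.com FAIL
09:01:02 198.51.100.9 dave@example.com OK
09:01:03 198.51.100.9 erin@example.com FAIL
09:01:04 198.51.100.9 frank@example.com FAIL
09:01:05 198.51.100.9 grace@example.com FAIL
09:02:00 192.0.2.44 heidi FAIL
09:02:30 192.0.2.44 heidi OK
"""

def classify_sources(log_text, min_failures=5):
    """Label each source IP by the shape of its failed logins."""
    failures = defaultdict(list)   # ip -> usernames of failed attempts
    successes = defaultdict(set)   # ip -> usernames that logged in
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines
        _, ip, user, result = parts
        if result == "FAIL":
            failures[ip].append(user)
        elif result == "OK":
            successes[ip].add(user)
    findings = {}
    for ip, users in failures.items():
        if len(users) < min_failures:
            continue               # ordinary mistyped password
        distinct = len(set(users))
        if distinct == 1:
            kind = "brute_force"           # many guesses, one account
        elif distinct >= min_failures:
            kind = "credential_stuffing"   # one try each on many accounts
        else:
            kind = "mixed"
        # A success from a flagged source means that account needs a reset.
        findings[ip] = {"kind": kind, "failures": len(users),
                        "accounts_to_reset": sorted(successes[ip])}
    return findings
```

The `accounts_to_reset` field matters most in response: a successful login from a source that was just flagged is the account to lock and reset first.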
Security breaches that involve CRM systems
Salesforce Malware
A strain of malware called Dyre, which had previously targeted banks, targeted users of the popular CRM software Salesforce, used by 100,000 organizations and millions of subscribers. Once an end point is infected with Dyre, it has the ability to steal user passwords, login credentials, data and encrypted data, which it can then siphon off to its controllers.
Salesforce API
In 2018 Salesforce was forced to issue a warning to users of its Marketing Cloud that some of the data stored on its platform may have been accessed by third parties or inadvertently corrupted due to an API error.
Sage
A data breach at large UK software company Sage in 2016 compromised personal information for employees at 280 UK businesses, it is understood. The Police and Sage investigated "unauthorised access" of data by someone using an "internal" company computer login. Sage provides business software for CRM, accounting and payroll services to firms across 23 countries.
BUPA
Healthcare giant Bupa was fined £175,000 by UK regulators for "systematic data protection failures" after an employee stole thousands of customers' data and offered it for sale on the dark web.
The data breach, which happened between January and March 2017, affected 547,000 Bupa Global customers, who were not informed until two months after the incident.
The employee accessed the customer information through Bupa's customer relationship management system, known as SWAN, copied the information, deleted it from the company's database and then tried to sell it on the dark web.
Zappos
Online retailer Zappos has a customer base of over 24 million people. In January 2012, Zappos suffered a data security breach that gave hackers personal information of their customers. The security breach exposed names, addresses, and phone numbers of Zappos customers.
Hello Group
Affiliates were able to access databases of all Hello Markets brands and CRM data in a massive security breach. Hello Group’s CRM data is publicly available and displays the entire databases of affiliates by just copying and pasting a URL.
Advantages of using Biometrics Software
1) Biometric technology is very useful for ID verification in a range of corporate, government organizations, banks and financial institutions, and high security areas. Biometric systems are capable of recognizing people swiftly, consistently, and reliably.
2) One of the main advantages associated with biometric technology is high individual identification accuracy. Biometrics relies on the use of unique physical traits, such as a voice or facial characteristics, rendering biometric technology a very accurate technique of authenticating end users. Superior accuracy is why a lot of companies use biometrics for their security purposes.
3) Since biometric characteristics cannot be conjectured or stolen, biometric systems present a higher level of security than usual means of authentication.
4) Biometric technology is less exposed to damage and sudden changes. The behavioural and physical elements accessed for biometric verification, like iris/retina, voice, pulse, DNA, vein, etc., are less prone to damage and sudden changes.
5) Another vital advantage of biometric technology is that it is less time consuming, dependable, user friendly, hard to falsify, requires negligible training, is inexpensive and accesses distinctive recognition features of individuals resulting in accurate verification.
6) Biometric technology can be used in a lot of industries such as healthcare, civil ID, business, schools, financial industries etc. A lot of countries have already used biometric technology for voter registration, national ID, and national healthcare or e-passport projects.
7) Biometric technology can be effectively employed in forensics. It is a useful technology that can be utilized for criminal identification and prison security.
8) With the flourishing of Internet based businesses and the increased requirement for accurate verification when accessing accounts, biometric technology turns out to be the best and most suitable solution for secure mobile transaction identification.
9) Biometric technology can be used to avert illicit access to ATMs, cellular phones, smart cards, desktop PCs, workstations, end points and computer networks.
10) Passwords and PINs are easy to forget, causing people to write them down, where they can consequently be stolen, and they can at times be hacked. With biometric technology, the means of recognition won’t be lost and can’t be obtained and copied by someone aiming to illegally gain access.
If a password is cracked, criminals can be directed to personal, profitable information they can sell en masse. Many companies encrypt passwords; however, the type of encryption matters. Even well-designed passwords can be stolen or compromised when service providers aren’t adequately securing them with the latest technology. Weaker algorithms, like unsalted MD5 and SHA-1, are commonly used yet easily deciphered and immediately converted back into the readable passwords that fuel attacks.
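Why the choice of algorithm matters, as an added example that is not part of the original article: unsalted MD5 gives identical hashes for identical passwords, so one precomputed table covers every user, while a per-user salt and a slow key-derivation function remove that shortcut. PBKDF2-HMAC-SHA256 from the Python standard library stands in here for algorithms such as bcrypt; the iteration count, function names and sample users are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware

def weak_hash(password):
    """Unsalted MD5, the weak scheme named in the text."""
    return hashlib.md5(password.encode()).hexdigest()

def strong_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest'."""
    salt = salt or os.urandom(16)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def reused_password_groups(table):
    """Users whose stored hashes are identical, i.e. visible password reuse."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed users: alice and bob share a password.
USERS = {"alice": "Summer2019!", "bob": "Summer2019!", "carol": "x9$Lq-72vT"}
WEAK_TABLE = {u: weak_hash(p) for u, p in USERS.items()}
STRONG_TABLE = {u: strong_hash(p) for u, p in USERS.items()}
```

Anyone holding `WEAK_TABLE` can see that alice and bob share a password without cracking anything; in `STRONG_TABLE` the same two entries are unrelated strings, and each guess costs 600,000 hash iterations per user.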
Unless organizations turn to automating their tracking and breach detection and strengthening their login and authentication through technologies like biometrics, they will continue to leave themselves, their employees, their customers and their data at risk.
As long as passwords are the cornerstone of cybersecurity, we will continue to be vulnerable. Refortifying passwords and avoiding data breaches involves adjusting mentality and behaviour as well as modernizing technology and service provider practices to stay a step ahead of the threat actors.