Someone has stolen your user ID and password from a website where you have an account. Are you at risk? What are they going to do with it?
Unfortunately, even with the best security, passwords are stolen all the time from websites and cloud service providers. There are over 15 billion stolen credentials in circulation. Usually the passwords are cracked using off-line brute force methods, then packaged up and sold on Dark Web markets. Sometimes they are just posted online for free, like the billions of credentials released in January 2019 as Collections 1 through 5.
Some of these packaged credentials can be targeted at specific user groups. For example, you could buy a list of just Google, Apple, or Microsoft accounts, or a specific business email domain. This would provide an attacker with access to email accounts and other services you used with these companies. In situations like these, the only way to keep your accounts secure is to change the passwords when you are notified of a breach affecting one of your online accounts.
Because many people are still reusing their passwords on more than one site, another way for your stolen user ID and password to be used is to try it against other popular websites and services to see if it works. For instance, if I have the password for your Facebook account, it would make sense for me to try it on LinkedIn, Instagram, Twitter, Dropbox, and other sites. There are automated tools that will do just that.
On-line brute force password attacks use a single user ID and a list of potential passwords in a form of automated guessing. They do not work as well as they once did, due to the rate limiting and account lockout policies websites use these days. With account lockout, an attacker guessing the password gets as few as 5 failed logon attempts before the account is disabled or further attempts are blocked. Rate limiting looks at how many attempts are made in a minute. A normal human might manage 5 or 6 attempts in a minute; anything higher would indicate an automated attack and would be blocked by the website's security.
Password spraying is a variation where the password stays the same, but a list of different user IDs is cycled through the logon process. This can bypass rate limiting and failed-attempt blocking because it looks like one try per user.
Credential stuffing is a technique where the user ID and password remain the same, but the website logon page is changed for each attempt. This is even harder to catch than password spraying.
These techniques work because automated programs allow an attacker thousands of attempts per minute. This can be magnified by using a botnet to attack different sites from different IP addresses. This disguises the origin of the attack, and overcomes security techniques that block attacks from certain IP addresses, or geo-blocking IP addresses from countries such as Russia and China.
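To make the three paragraphs above concrete, here is an added simulation (my own illustration, not code from the original post) of a login gate with the two controls the post describes, a per-account lockout after 5 failures and a per-IP limit of 6 attempts per minute, run against three constructed attempt patterns: single-account guessing, a spray from one address, and the same spray spread across many addresses. The user list, passwords and IP addresses are all made up for the demonstration.

```python
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5        # failed attempts per account before the account is locked
RATE_LIMIT_PER_MINUTE = 6    # attempts per source IP within 60 s before the IP is blocked

# Constructed credential store for the simulation (hypothetical users and passwords).
USERS = {f"user{i}": f"Secret{i}!" for i in range(1, 201)}
USERS["user42"] = "Summer2019!"   # one account that happens to use the sprayed password


class LoginGate:
    """Per-account lockout plus per-IP rate limiting, as described in the post."""

    def __init__(self):
        self.failures = defaultdict(int)        # user -> consecutive failed attempts
        self.locked = set()                     # users currently locked out
        self.ip_window = defaultdict(deque)     # ip -> timestamps of attempts in the last 60 s
        self.blocked_ips = set()                # ips that exceeded the rate limit
        self.results = {"success": 0, "failure": 0, "locked": 0, "rate_limited": 0}

    def attempt(self, ip, user, password, now):
        window = self.ip_window[ip]
        window.append(now)
        while window and now - window[0] >= 60:   # drop attempts older than one minute
            window.popleft()
        if ip in self.blocked_ips or len(window) > RATE_LIMIT_PER_MINUTE:
            self.blocked_ips.add(ip)
            self.results["rate_limited"] += 1
            return "rate_limited"
        if user in self.locked:
            self.results["locked"] += 1
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            self.results["success"] += 1
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        self.results["failure"] += 1
        return "failure"


def run_scenario(attempts):
    """Feed (ip, user, password) attempts through a fresh gate, 0.2 s apart, and return the gate."""
    gate = LoginGate()
    for i, (ip, user, password) in enumerate(attempts):
        gate.attempt(ip, user, password, now=i * 0.2)
    return gate


def single_account_guessing():
    # One user, many passwords, one source IP: the classic online brute force.
    # Lockout trips after 5 failures and the IP is rate limited shortly after.
    return run_scenario([("198.51.100.7", "user1", f"guess{i}") for i in range(50)])


def spray_from_one_ip():
    # One password tried once per user: no account ever reaches the lockout
    # threshold, but the single source IP still exceeds the per-minute limit.
    return run_scenario([("198.51.100.7", user, "Summer2019!") for user in USERS])


def spray_from_botnet():
    # Same spray, but every attempt arrives from a different address, so neither
    # the per-account nor the per-IP control ever triggers and user42 is found.
    return run_scenario([(f"203.0.113.{i}", user, "Summer2019!") for i, user in enumerate(USERS)])


if __name__ == "__main__":
    for name, fn in [("single account", single_account_guessing),
                     ("spray, one IP", spray_from_one_ip),
                     ("spray, botnet", spray_from_botnet)]:
        g = fn()
        print(f"{name:15} {g.results}  locked={sorted(g.locked)}")
```

The third scenario is the point of the paragraph above: controls keyed on one account or one address both miss a distributed spray, which is why the detection indicators later in the post look at aggregate failure rates rather than individual accounts.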
This sounds like a lot of work for the attacker, and it is, but if the attacker has a list of 1 million credentials and can achieve a success rate of only 1%, this nets them 1000 accounts to take over, with a cash value to the attacker of hundreds to thousands of dollars per site. Good examples include email account hijacking leading to multi-thousand-dollar invoice or wire transfer scams. In 2018, the cyber-crime economy generated about $15 trillion in revenue for the perpetrators. This is more than the GDP of some entire countries.
For users, here are some suggestions on how to improve your account security.
- The best solution is changing the password on breached accounts, or closing the account if it is not needed.
- Use a good password that will survive brute-force password cracking attempts. It needs to be 15 characters long.
- Use a password manager.
- DO NOT reuse passwords. That’s why you have a password manager.
- Use two-factor authentication, when available.
- Set up advanced security features on your accounts.
- Link your account to a cell phone.
- Set up your secret questions and answers, but try NOT to use questions that can be answered by doing a little online research.
For service providers and website operators, you may be doing everything right, and your site has never been breached. But due to password reuse, your customers may be at risk on your site because of credentials stolen at another site. Indications that your site is being attacked using password spraying or credential stuffing would show up as:
- An overall increase in password failure rates.
- An overall increase in password reset requests.
- An increase in overall traffic, with a decrease in traffic conversion rates. Bots don’t spend money.
- An increase in traffic from specific IP addresses. Easy to spot if the attacker is not using a botnet, harder to spot if they are.
- An increase in traffic during hours that would typically be slower, in the evening and overnight. Humans sleep, bots do not.
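The indicators in the list above can be computed from ordinary login logs. The following is an added example (not from the original post) that parses a constructed authentication log, compares the overall failure rate against a daytime baseline, flags source addresses that fail against many distinct usernames, and measures the share of attempts arriving during off-hours. The log format, IP addresses and usernames are invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines standing in for a site's normal daytime traffic (not real data).
DAYTIME = [
    "2019-02-10T09:12:01 ip=203.0.113.10 user=alice result=ok",
    "2019-02-10T09:15:44 ip=203.0.113.11 user=bob result=fail",
    "2019-02-10T09:15:52 ip=203.0.113.11 user=bob result=ok",
    "2019-02-10T10:02:13 ip=203.0.113.12 user=carol result=ok",
    "2019-02-10T11:40:09 ip=203.0.113.13 user=dave result=ok",
    "2019-02-10T13:05:30 ip=203.0.113.14 user=erin result=fail",
    "2019-02-10T13:06:01 ip=203.0.113.14 user=erin result=ok",
    "2019-02-10T16:22:47 ip=203.0.113.15 user=frank result=ok",
]

# Constructed overnight burst: one address, one attempt per username, nearly all failing.
SPRAY = [
    f"2019-02-11T02:00:{i:02d} ip=198.51.100.5 user=user{i:03d} result={'ok' if i == 17 else 'fail'}"
    for i in range(40)
]

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse(lines):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def analyze(lines, offhours=range(0, 6), min_distinct_users=10):
    """Return the spraying/stuffing indicators the post lists, as numbers you can alert on."""
    events = parse(lines)
    total = len(events)
    if total == 0:
        return {"failure_rate": 0.0, "offhours_share": 0.0, "suspicious_ips": {}}
    failures = [e for e in events if e["result"] == "fail"]

    # Per-IP view: an address failing against many different usernames is the
    # signature of a spray; a human mistyping fails against one or two.
    users_per_ip = defaultdict(set)
    fails_per_ip = Counter()
    for e in failures:
        users_per_ip[e["ip"]].add(e["user"])
        fails_per_ip[e["ip"]] += 1
    suspicious = {
        ip: {"distinct_users": len(users), "failures": fails_per_ip[ip]}
        for ip, users in users_per_ip.items()
        if len(users) >= min_distinct_users
    }
    return {
        "failure_rate": len(failures) / total,
        "offhours_share": sum(1 for e in events if e["ts"].hour in offhours) / total,
        "suspicious_ips": suspicious,
    }


if __name__ == "__main__":
    print("baseline:", analyze(DAYTIME))
    print("with burst:", analyze(DAYTIME + SPRAY))
```

In practice the baseline would come from a trailing window of the site's own history, and the alert would fire when the failure rate or the off-hours share departs from it by more than the usual variation; the per-IP distinct-username count is the one indicator that still works on a single address, and a botnet defeats it in exactly the way the post describes.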
Techniques you can employ to harden your website from these sorts of attacks include:
- Use a web application firewall
- Tighten up rate limiting.
- Lower the threshold for multiple password failures.
- Increase the delay time before a user can try the password again.
- Password reset requests should require something like a PIN sent to a mobile phone.
- Notify users of any password changes.
- Notify users if there is a successful login from a new location or device.
- Provide two-factor authentication.
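Several of the items above (a lower failure threshold, a growing delay between attempts, and notifications on new-device logins and password changes) fit in one small login handler. The following is an added example written for this post, not the author's code or any particular product: the delay doubles after each failure past a threshold and is capped so an attacker cannot lock a victim out indefinitely, and every event a user should hear about is collected in a notification list that a real application would hand to its e-mail or SMS sender. The account, device names and password are constructed; a real system would store password hashes, not the plain-text comparison used here for brevity.

```python
from collections import defaultdict

BASE_DELAY_SECONDS = 2     # wait imposed once the failure threshold is reached
MAX_DELAY_SECONDS = 300    # cap so the delay cannot become a denial of service against the user
FAILURE_THRESHOLD = 3      # a lowered threshold, as the post recommends


def retry_delay(failures):
    """Seconds the account must wait after `failures` consecutive failed attempts."""
    if failures < FAILURE_THRESHOLD:
        return 0
    return min(BASE_DELAY_SECONDS * 2 ** (failures - FAILURE_THRESHOLD), MAX_DELAY_SECONDS)


class HardenedLogin:
    def __init__(self, credentials):
        self.credentials = dict(credentials)      # user -> password (plain text only for the demo)
        self.failures = defaultdict(int)          # user -> consecutive failures
        self.next_allowed = defaultdict(float)    # user -> earliest time of the next attempt
        self.known_devices = defaultdict(set)     # user -> device ids seen on successful logins
        self.notifications = []                   # (user, message) pairs to send out of band

    def login(self, user, password, device_id, now):
        if now < self.next_allowed[user]:
            return "wait"                         # progressive delay still running
        if self.credentials.get(user) != password:
            self.failures[user] += 1
            self.next_allowed[user] = now + retry_delay(self.failures[user])
            return "failure"
        self.failures[user] = 0
        if device_id not in self.known_devices[user]:
            # Successful login from a device never seen before: tell the user.
            self.known_devices[user].add(device_id)
            self.notifications.append((user, f"new device login: {device_id}"))
        return "success"

    def change_password(self, user, old, new):
        if self.credentials.get(user) != old:
            return False
        self.credentials[user] = new
        self.notifications.append((user, "password changed"))   # always notify, even if legitimate
        return True


def demo():
    """Three wrong guesses from an unknown device, then a correct one too early, then one on time."""
    site = HardenedLogin({"alice": "correct horse battery staple"})
    site.known_devices["alice"].add("laptop-1")   # the device alice normally uses
    outcomes = []
    t = 0.0
    for guess in ("password", "123456", "qwerty"):
        outcomes.append(site.login("alice", guess, "unknown-phone", t))
        t += 0.1
    outcomes.append(site.login("alice", "correct horse battery staple", "unknown-phone", t))
    t += retry_delay(3)                           # wait out the imposed delay
    outcomes.append(site.login("alice", "correct horse battery staple", "unknown-phone", t))
    site.change_password("alice", "correct horse battery staple", "a longer passphrase than before")
    return outcomes, site.notifications


if __name__ == "__main__":
    print(demo())
```

Note that the delay is keyed on the account rather than the source address, so it slows single-account guessing regardless of how many addresses the attacker uses; pairing it with the per-IP limit from earlier in the post covers both patterns.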
Using a combination of these techniques will make unauthorized logins by cyber-attackers more difficult.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com