There are a dizzying array of security solutions flooding the market, many promising unmatched protection against account takeover (ATO). If you look beyond the marketing jargon and sales pitches, you’ll realize many of these products have weaknesses that make them less than ideal to actually “prevent” ATOs. They miss the things that are precisely what put your organization at risk.
How can you decipher between fact or fiction? There’s a lot at stake. Getting it right matters. We want to lay it out for you, plain and simple, so you can make the best decisions for your company, employees and customers. We’ve analyzed six of the most popular ATO approaches on the market and provided reasons why ATOs are successful with these in place.
1. Multi-Factor Authentication
While multi-factor authentication, a.k.a. 2FA, discourages criminals, it’s not a perfect solution. Passwords can still be compromised, turning two-factor authentication into single-factor authentication. Personally identifiable information (PII) associated with each account breach is often exposed as part of a breach, opening up all kinds of possibilities for the cyber criminals to bypass 2FA.
PII can come directly from a breach, targeted efforts (ie. fraudulent credit checks) or through simple open-source research of social media accounts. Many other PII collection techniques are possible depending on the creativity of the criminal. Once discovered, the criminals use compromised PII to answer security questions intended to be private and gain access to the account.
But they don’t stop there. Threat actors often use the answers to security questions to then break into other accounts they can match to ones they have already compromised. For example, if your answer to “what is your pet’s name?” is “Sparky” for both your email and online banking accounts, and one of those accounts is compromised, you may be out of luck if you’ve reused passwords between these accounts.
Phishing tools can also make it easier for threat actors to steal the access codes produced during the multi-factor authentication process. Threat actors tend to adapt to security measures and multi-factor authentication is no exception. In the case of two-factor authentication mechanisms, attackers may use custom-developed phishing pages or social engineering techniques in order to obtain the access codes produced by a soft or hard token. In the case of phishing pages, an attacker may craft a website that closely resembles the targeted application and use it to steal a victim’s account password and username—and one-time password produced by the third factor. This allows the attacker a few seconds to use the third factor and take over the account.
Even if multi-factor authentication was enough, fewer than 10 percent of Gmail users have two-factor authentication enabled for one simple reason: it’s not easy enough to use. In fact, when Google tried to enforce 2FA use by making it simpler, more than 10 percent of those using the service had issues just inputting a code delivered via SMS.
In an interview with The Register, Google software engineer Grzegorz Milka explained why so many users have trouble integrating multi-factor authentication into their everyday interactions with technology. “The answer is usability,” he said. “It’s about how many people would we drive out if we force them to use additional security.”
2. Password Managers
Password managers can and do curtail the temptation of password reuse among users. Unfortunately, they are not impervious. Even when companies mandate their use, most employees don’t use password managers at home or for personal services. This wouldn’t be such a problem if password reuse wasn’t so rampant and the lines between personal and employee accounts and devices weren’t already blurred. Confusing BYOD policies and use of employee accounts on personal devices only make the situation worse.
A study commissioned by Siber Systems in 2015 evaluated the password habits of 1,000 consumers of its product in the U.S. and the UK. The results were sobering: only 8 percent of those surveyed used a password manager.
Not surprisingly, the study also found plenty of evidence of widespread password reuse. The survey asked participants how many sites they log into daily as well as how many passwords they had memorized. Seventy-four percent of those surveyed claimed to log into more than six sites daily, while 30 percent logged into ten or more sites daily. Fifty-nine percent claimed to have memorized five passwords or less. It doesn’t take a mathematician to figure out that passwords are widely re-used among multiple sites and applications.
3. 90-Day Password Rotations
Many organizations attempt to prevent password reuse by enforcing a 90-day password rotation. These rotations actually benefit threat actors more than the consumers because threat actors are assuming you’re periodically rotating your passwords. They may be criminals, but they are also technically savvy and they make a living on fraud. Threat actors test stolen credentials on a quarterly basis knowing that eventually, the employee will think they’re safe and unknowingly change his password to one that has already been compromised.
According to Carnegie Mellon computer science professor Lorrie Cranor, 90-day password rotations may have only been effective in the past. “Today, attackers who have access to the hashed password file can perform offline attacks and guess large numbers of passwords,” she wrote in a statement for the FTC. “Frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users.”
NIST itself cautions against regular password changes. In a 2009 publication on enterprise password management, NIST explained that while password expirations are “beneficial for reducing the impact of some password compromises,” they are “ineffective” for others, even sometimes a “source of frustration.” Instead, NIST recommends that organizations find a balance between usability and security, specifically suggesting that password requirements for length and complexity may be more beneficial than periodic password expiration.
Unless your organization enforces NIST password guidelines, password filters that incorporate NIST guidelines may be significantly more helpful than a password rotation policy. The password filter should incorporates NIST’s new guidelines on password strength published in Special Publication 800-63B. These guidelines now recommend that all applications with user accounts “compare the prospective secrets against a list that contains values known to be commonly-used, expected or compromised.”
NIST recommends this extra check due to the modern success rate of brute-force and credential stuffing attacks. The filter flags previous breach exposures, dictionary words, repetitive characters, less than eight characters, context specific words and more than 64 characters.
4. Behavior or Heuristics-Based Solutions
Vendors make bold statements about how their behavior-based technologies prevent all sorts of attacks, including account takeovers. If these claims were true, however, why is the magnitude of ATOs only increasing every year? The truth is, these and other solutions are missing critical elements and aren’t keeping up with the cyber criminals.
Between 2015 and 2016 alone, experts observed a 61 percent increase in funds lost to ATOs, as well as a 31 percent increase in the amount of ATOs in 2015. This was after ATOs hit a low point in 2014. Why? Because threat actors adapted to countermeasures already in place. Not unlike actors who will scramble their exploit code to bypass all current antivirus solutions before release, fraudsters specializing in high-netting ATOs will eventually bypass heuristic and behavior-based account protection. For highly capable and resourced actors, the question is not if, but when.
Many of these solutions have a machine-learning backend whose algorithms have been trained upon vast amounts of login and/or breach data. These algorithms, they claim, can detect a possible account takeover before it ever begins. They argue that these “next generation” solutions are more effective than services which rely on compromised credential sets that have been obtained directly from dark web and closed threat actor research.
While it may be true that actors leveraging low-sophistication tools like Sentry MBA or who rent out cheap botnet services to carry out ATO attacks may tip off these systems, it’s not always the case. Many of the nodes in botnets have likely already been leveraged somewhere else and may be blacklisted or flagged. If the machine-learning technology was as effective as advertised, it would be able to discern the logins are coming from these nodes based on their behavior alone. Luckily, this means it would be harder to take over several accounts en masse using botnets.
But this only accounts for less-sophisticated actors whose motivation is oriented strictly towards financial gain. Their goal, of course, is to take over as many accounts as possible. More sophisticated actors think differently. Whether they’re trying to take over one or a few particularly high-value accounts, they may employ a longer-term approach. These methods are much less likely to tip off any AI that’s been trained on garden-variety ATO data.
A more practical solution to deter all threats is to stay vigilant about what credentials are already out there. With rampant password reuse between corporate and personal accounts, human nature leaves the door wide open to access high-value corporate accounts. Your best bet is to use a solution that can cover your bases, or at least a combination of both. In fact, these types of products would benefit greatly from adding exact match results in order to determine accurate, real-time threat scores. It could also help prevent false-positives, which can drive customers to the helpdesk, leading to hours of manual fine-tuning in order to yield meaningful results.
5. Deep & Dark Web Scanners, Crawlers and Scrapers
Any company that primarily relies on credentials to be harvested via automated scanners will ultimately find more credentials after they have been used in an account takeover operation. These automated scanners cannot prevent ATOs, despite their marketing claims.
The truth is, credentials that are for sale are almost never posted in their entirety in advertisements on dark web forums, the open web or any public environment that can be scanned. Sometimes an actor may post a redacted sample of their credentials online to advertise their goods. They don’t, however, post the entire credential set, such as passwords, hashes, security questions, social security numbers and other information. If they did, they’d be giving away their products for free.
Scanners, therefore, only pick up redacted samples of what threat actors use to advertise their products publicly. This is key and something most vendors won’t tell you. The actual entire credential sets, fullz, as they are called in threat actors communities, are not sprinkled around the dark web like candy. These fullz can only be obtained through vetted relationships with threat actors who sell and trade their fullz to trusted partners. It takes human analysts to find what’s not as obvious. This part may not be fast or easy, but it cannot be done automatically, whether through automated scanning or through the work of a heuristic AI.
Data breaches, such as Ashley Madison, frequently include corporate and government and military accounts among their targets. Organizations everywhere have realized the risks. They have taken steps to educate employees of the dangers and some have adapted official policies preventing employees from using their work accounts to sign up for personal, third-party services. Unfortunately, it’s not that simple.
Threat actors can find an employee’s personal email credentials and then use them to target corporate accounts. Once again, simple passwords that are reused among accounts is to blame. People simply don’t understand the risk of password reuse and often don’t see a problem with sharing passwords between personal and official accounts.
The collateral damage continues as threat actors use these reused passwords to log into third-party services attached to corporate accounts, such as DropBox and Google Drive. Threat actors can then make a copy of any document that looks interesting and make it a malicious attachment. Before the employee knows it, they may become the first infected endpoint on a corporate or government network simply by clicking on the seemingly benign attachment. This malware tactic is actually more likely than a threat actor attacking the employee directly using her corporate credentials. Once infected, it doesn’t matter how the account was compromised. The damage is done.
In implementing such policies, it becomes more difficult for companies to monitor their employees’ exposure due to password reuse between personal and employee accounts. In addition, such policies make monitoring employee exposure due to personal account reuse nearly impossible. Assuming that everyone follows the policy, the issue becomes “out of sight, out of mind.” Such policies allow companies and organizations a considerable degree of plausible deniability. Are these policies really designed to protect accounts, or do they allow companies and organization turn a blind eye to their security problems?
The Last Word
There is no easy solution to the widespread threat of account takeover. As soon as the good guys think they’ve figured it out, the bad actors try something new. It’s a never-ending, cat-and-mouse game.
Organizations must consider their needs and vulnerabilities in context in order to find the best solutions for them. Security vendors who claim to provide foolproof solutions with no false positives, no misses and 100 percent accuracy are fooling themselves and their customers. No solution on the market today is 100 percent effective, which means no one can be 100 percent protected from account takeover.
At SpyCloud we seek to empower our customers with coveted intelligence that our analysts work tirelessly to develop. This type of information is not hidden in plain sight and cannot be found automatically.
With security and ATO top of mind, companies must be vigilant and proactive. They must secure budget to invest in the most comprehensive solution that fits their organization’s needs the closest. Do your homework. Verify the claims. Be skeptical. Ask tough questions. While we can’t speak for the others, at SpyCloud, we can promise we’ll tell you the truth, and demo our product in your environment so you can see for yourself what it can (and can’t) do. There may not be a perfect solution, but there is a better one. In the meantime, get started by checking your company’s exposure.