Account Access: Resisting the Path of Least Resistance
Data breaches stemming from unauthorized account access continue to grow. Effective security strategies must resist the path of least resistance.
Just like doctors and lawyers, cybercriminals are professionals and have a job to do. As the security industry continues to develop new methods for combating attacks, cybercriminals are evolving rapidly to beat them. As of May 7, there were more than 437 reported breaches in the United States in 2019, according to the Identity Theft Resource Center’s “April 2019 Data Breach Report.” With cybercriminals at work, it is crucial to understand how they prey on user vulnerabilities. Companies need to be aware of not only the types of threats they face, but also how their attack surface is left vulnerable to breaches. By understanding the path of least resistance ideology, companies can create an informed strategy to protect their users and safeguard their data.
What is the idea behind the path of least resistance? It’s simple: Human nature often leads to taking the easy road, even if it is at the expense of security. There are general best practices for account hygiene, such as using a unique password for each account or activating two-factor authentication, but most users won’t take the extra precaution and often use the same password across multiple accounts.
It is tough for companies to know whether account holders are implementing the best practices needed to remain secure. The average user won’t create different credentials for each of their accounts but will reuse the same ones across accounts. A recent National Cyber Security Centre report found that more than 23 million users worldwide use the password “123456.” Why? Because it is easier to remember a single password than 20. Account holders, employees and customers alike, don’t intentionally leave their accounts vulnerable with recycled passwords; they simply don’t understand the legitimate and immediate threat.
Cybercriminals are making a living by identifying and exploiting vulnerabilities because there is a significant economic incentive. They identify targets to attack based on two things: the potential benefit and the resources needed to extract that benefit. However, users aren’t the only ones taking the path of least resistance. Cybercriminals often prey on user weaknesses, such as poor account hygiene practices, because it is the quick and easy approach to attack a company.
The login portal is extremely susceptible to attacks because passwords are often reused across many websites and customers may not add an extra step to authenticate the user with each login attempt. Cybercriminals can easily manipulate this weakness with an account takeover attack. With little to no resources needed, automated attacks can be carried out at scale. Cybercriminals hack into user accounts by using stolen credentials available for purchase on the dark web combined with common passwords—such as password123—and this type of breach is growing in popularity. Data breaches stemming from unauthorized access via account takeovers were the leading method of attack in April, according to the Identity Theft Resource Center’s report.
To combat this growing threat, companies can implement advanced telemetry to sort traffic into different buckets at the login portal: Authentic users are let through without being impeded, but inauthentic users are challenged. Coupling this with a gamified challenge-response mechanism is the most secure way to stop the automated credential-stuffing attacks on the rise today. Instead of being offered the path of least resistance, inauthentic users are quite literally forced to play—and overcome—an interactive gaming challenge before being granted entry. Built-in machine learning feedback learns in real time from how the traffic responds to the challenge, which enables rapid automated intervention to stop fraudulent attacks before they can extract a return on their investment. This makes the cyberattack too expensive and resource-heavy for a criminal to execute.
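As an added illustration of the traffic-bucketing idea above (example code written for this article, not the product or method the text describes), the following scores each login source on the two telemetry signals that distinguish credential stuffing from a genuine user: how many distinct usernames it tries and how often it fails. The login attempts and thresholds are constructed for the example; a real deployment would feed the portal's own telemetry and tune the thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry from a login portal (illustrative, not real traffic).
# Each entry: (source_ip, username, login_succeeded)
SAMPLE_ATTEMPTS = [
    # A genuine user: one account, a typo followed by a successful login.
    ("198.51.100.4", "alice", False),
    ("198.51.100.4", "alice", True),
    # A credential-stuffing source: many different accounts, nearly all failing.
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", False),
    ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),
    ("203.0.113.7", "frank", True),   # one reused password happened to match
    ("203.0.113.7", "grace", False),
    ("203.0.113.7", "heidi", False),
]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def summarise(attempts):
    """Aggregate per-source counters from raw login attempts."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in attempts:
        s = stats[ip]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.usernames.add(user)
    return stats


def bucket(stats, max_users=5, min_attempts=8, max_fail_ratio=0.8):
    """Sort each source into 'allow' (pass through) or 'challenge' (thresholds are assumed)."""
    decisions = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        stuffing = (len(s.usernames) >= max_users
                    or (s.attempts >= min_attempts and fail_ratio >= max_fail_ratio))
        decisions[ip] = "challenge" if stuffing else "allow"
    return decisions


def classify(attempts=SAMPLE_ATTEMPTS):
    return bucket(summarise(attempts))
```

The genuine user is never impeded, while the source spraying one password across many accounts is routed to the challenge step rather than blocked outright, so a false positive costs a legitimate user only one extra interaction.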
Effective security strategies must account for the path of least resistance ideology to protect against the rising threat of unauthorized users accessing accounts. By understanding two fundamental truths—that cybercriminals can easily manipulate commonly used passwords with credentials purchased on the dark web through automation and that account holders create a window of opportunity for cybercriminals with poor password hygiene—companies can begin proactively protecting their attack surface. Turning the tables on cybercriminals and making it difficult—expensive, even—to attack your organization eliminates cybercriminals’ financial incentive and ROI. Because cybercriminals pursue the path of least resistance in an attack, companies that stop automated fraud at the attack surface and break the economics of an attack will win. Fraudsters will eventually move on to pursue easier targets.