Home » Cybersecurity » Application Security » Cracking Passwords and Taking Over User Accounts

Cracking Passwords and Taking Over User Accounts

Last week, a social media platform announced that many of its high-profile user accounts were compromised. While  such compromises can typically be traced  to cyber crime, that will not be the focus of this blog. Instead, let’s talk about the importance of securing user accounts, which is applicable to both individuals as well as organizations of any type that maintain consumer accounts.

How Are Accounts Breached?

There are several ways accounts can be breached, each of which have their unique, corresponding detection challenges. Per the OWASP list of Automated Threats to web applications, these include:

• Credential Cracking (a.k.a. Bruteforce) – Hackers identify valid login credentials by trying different values for usernames and/or passwords. The detection challenge: A “stupid” bot will do it repeatedly until rate limited. A smarter one will maintain long intervals (even days) between attempts, thus flying (or more like walking!) under the radar.
• Credential Stuffing – Mass login attempts used to verify the validity of stolen username & password pairs. The detection challenge: Understanding that even though the credentials are valid, this particular login attempt is of a malicious intent.
• Account Creation – Create multiple accounts for subsequent misuse. The detection challenge: Many bots can mimic real user behavior and deceive conventional security solutions.
• Account Aggregation – Used by an intermediary application that collects together multiple accounts and interacts on their behalf. The detection challenge: The malicious intent of this application is to consolidate a profile based on a digital footprint by collecting data from multiple sources (you may think of it like the initial, automated part of social engineering or an identity theft). Detection requires activity-tracking and event correlation, which coerces a big and rich data lake.

[You may also like: Malicious Bots Have Realized Your APIs Are the Weak Link]

The impacts of account takeover are serious, and include fraudulent transactions and abuse of rewards programs (which in turn can cause a loss of revenue and sabotage customer loyalty efforts), and damage to brand reputation (which also can result in lost revenue and undermines customers’ confidence).

Secure Practices

The good news is that you have control over protecting your – or your customers’ – accounts. For starters, having the right bot manager in place can help block illegal account access before fraudulent transactions can occur, as well as sophisticated account takeover attacks. What’s more, following these simple steps will substantially increase the level of security – and help you outsmart the hackers (the number one rule):

[You may also like: 4 Verticals Most Targeted by Bad Bots]

1. Password hygiene – Use complex passwords, not dictionary words, a mix of numbers, letters and special characters. And above all – make it loooong. Many bruteforce attacks are testing 6,8- & 10-character length passwords. Any additional character exponentially increases the number of possible combinations, which requires more compute power from the bot.
2. Endpoint security – Mobile phones, home routers, IoT devices and many hardware pieces come with poor built-in security and the ways to compromise them are easy and known. Once compromised, malware can be installed and no matter how complex your password is, a key logger can steal it. So be aware and if you can, get more secured equipment. Alternatively, secure it yourself by managing access and installing a comprehensive endpoint protection. Lastly, make sure to change admin credentials as many hackers are breaking in simply by using the factory default.
3. Deploy sophisticated detection tools – As an organization, you are in charge of securing your customer data and maintaining the unwritten treaty of trust you were granted. Today unfortunately, such sophisticated bots that takeover accounts can mimic real user behavior, rotate their IP addresses or device IDs, bypass CAPTCHA and other challenges and eventually trick conventional security solutions. These bots target websites, mobile applications and APIs.

How the Pandemic Plays a Role

Compromised accounts have been traded for financial gain for years. Email addresses, passwords and credentials are low-hanging fruit, as they are relatively cheaper and go in masses. Payment details are another favorite, second to the aforementioned “fruit,” with prices dictated by different parameters such as country of issue, credit score and more. And at the highest end, there are medical records.

[You may also like: Recommendations for Managing a Bad Bot Problem]

During the pandemic, stealing and subsequently selling data from compromised accounts has become even more attractive for cyber delinquents. They are using malicious bots to achieve three main objectives:

• Steal medical records, especially of those infected with the novel coronavirus
• Get a hold of medical research (for instance, by way of credentials or accounts of staff)
• Spreading spam and fake news

Were you personally compromised? If so, you may want to read our previous blog, What Should You Do When Your Identity Has Been Compromised?