weerapat1003 - stock.adobe.com
New stolen credentials cache puts spotlight on authentication
The discovery of billions more stolen usernames and passwords in Collections #2 to #5 have prompted fresh calls for the implementation of better authentication methods across industry
Calls for improved authentication methods in business and online have gained momentum with the discovery of billions more stolen usernames and passwords on hacker forums.
Hard on the heels of the discovery of Collection #1, a data cache that contained 1.1 billion unique combinations of email addresses and passwords, came the discovery of further data dumps, dubbed Collection #2, #3, #4 and #5, revealing that the first set of data was just the tip of the iceberg.
Estimates of the size of subsequent data collections vary between 600GB, as reported by the Hasso Plattner Institute, and 784GB, as reported by UK-based authentication firm Authlogics, but there appears to be consensus around the fact that the total number of username and password combinations is around 2.2 billion, double the figure in Collection #1.
This provides overwhelming evidence of the extent to which credentials are being harvested and traded on hacker forums, providing cyber criminals with easy access to corporate accounts and networks. “As shocking as all this news may sound, these types of dumps are far more regular than most people would think,” said Steven Hope, CEO of Authlogics.
Although he cautions that many of the so-called “new” dumps contain old data seen in previous breaches, the discovery of such a large cache of credentials has put the spotlight on the need for improved authentication methods.
Despite the growing regularity of breach notifications, multifactor authentication is still not in use whenever and wherever possible, said Frederik Mennes, senior manager for market and security strategy at cyber security firm OneSpan.
“Companies should remember easy targets will continue to be exploited first, because cyber crime follows the path of least resistance. Technology is evolving, and next-generation authentication, intelligent adaptive authentication, is gaining momentum.
Read more about the Fido Alliance
- Fido Alliance launches authentication standards certification.
- The Fido Alliance has published the final technical specification of its password-killing authentication standards.
- Facebook ups security with Fido U2F two-factor authentication.
- Google’s Security Key is the first deployment of the universal second-factor authentication (U2F) standard published by the Fido Alliance.
“This technology utilises AI [artificial intelligence] and machine learning to score vast amounts of data and, based on patterns, analyses the risk of a situation and adapts the security and required authentication accordingly,” he said.
Steven Murdoch, chief security architect at OneSpan’s Innovation Centre, said Collections #1 to #5 show that large quantities of stolen passwords are readily available to anyone – regardless of how low their budget – although data from recent breaches will be more expensive to obtain.
“Companies should recognise the limitations of password authentication and are in the best position to mitigate the weaknesses. They should implement additional measures, such as detection of suspicious behaviour.
“Two-factor authentication [2FA] – or, even better, the Fido Alliance’s Universal Second Factor (U2F) protocol– should be offered to customers. Customers can also help by not reusing passwords across multiple sites and using a password manager if needed.
“The website https://twofactorauth.org gives instructions on how to enable two-factor authentication on many popular sites, as enabling 2FA, and preferably FIDO/U2F, will significantly help to improve their security,” he said.
Fido enablement
In a recent Computer Weekly interview, Fido chief marketing officer Andrew Shikiar said that while a world without passwords is the end goal, the alliance’s immediate focus is on Fido enablement in devices and browsers.
“With that will come less and less use of passwords, reducing the likelihood of scalable attacks like we saw recently with Collection #1,” he said. “Passwords are a huge risk to businesses. The vast majority of breaches are caused by weak and shared credentials, which opens up a huge attack surface for businesses.
“Passwords also cause friction, with 50% of shopping cart abandonment due to password issues and a large proportion of costly IT support calls within enterprises related to passwords,” said Shikiar.
According to Fido, the cost of passwords underlies the need for organisations to switch to an alternative method of authentication that will de-risk the process and cut costs.
Terry Ray, senior vice-president and Imperva fellow, said the credentials contained in Collections #1 to #5 gives cyber criminals all they need for credential stuffing, password guessing and other iterative processes used for account takeovers.
“This is essentially like giving cyber attackers a key to your front door,” he said. “Armed with the recent and past credentials, hackers could access consumers data, troll social media platforms to spread propaganda, cash in on hard-earned airline miles, sell contact data for spammers and even access bank accounts.
“To make matters worse, if consumers reused passwords at work, hackers would breaking into enterprise infrastructures to steal corporate data, costing businesses millions in damages if that data were to get into the wrong hands.”
Remaining vigilant
Businesses should be extra vigilant over the next few weeks, said Ray, because these credentials make their rounds through the dark channels.
“Post credential leak account takeover attempts have historically spiked immediately following incidents like this. Successful logins using these credentials are difficult to identify, though technology does exist to assist IT security teams.
“Most teams assume they won’t be able to prevent every attempt and instead focus their security around their most critical data assets, by monitoring all activity to those resources and flagging or preventing unusual access internally.”
This approach changes the challenge from trying to identify the wrong person using the right credentials, to identifying when a valid credential is doing very unusual things, which is easier to do by comparison with previously modelled behaviour.
