To help companies better understand how authentication threats impacted businesses in 2018, Veridium compiled data on security incidents involving user credentials. We looked for statistics around how many passwords were exposed in data breaches, how many people fell for phishing scams and how much money insider threats cost organizations. We picked these areas since password reuse, phishing attacks and insider threats are top security concerns to organizations.
We took a deeper look at phishing attacks since this is cybercriminals preferred attack vector, according to the Verizon Data Breach Report. Based on the data that was compiled for the report, phishing and pretexting (developing a fake story to convince the target to give attackers information) were used in 93 percent of the data breaches.
Showing what the defenders are up against isn’t meant to spread doom and gloom around the state of enterprise security. By highlighting some of the authentication threats security professionals faced last year (and are likely to face in 2019), we hope they’ll be better equipped to mitigate them, whether that’s through more user education, implementing policies, or using technology to reduce the risks posed by authentication threats.
So read on and here’s to a more secure 2019.
New year, new password
In addition to getting more exercise and eating better, changing the passwords people use to access websites and apps should be a New Year resolution for the entire population of the U.S. Why do 328 million people need a new password? Because 390 million passwords were exposed in some of 2018’s largest data breaches, based on Veridium’s calculations.
Veridium came up with that figure by reviewing 21 of the largest data breaches in 2018 and noting the ones that exposed people’s passwords. That tally was six:
T-Mobile: 2 million passwords exposed
Shein: 6.42 million passwords exposed
Chegg: 40 million passwords exposed
MyHeritage: 92 million passwords exposed
Quora: 100 million passwords exposed
MyFitnessPal: 150 million passwords exposed
Next, we added together the number of people who had their passwords exposed in each of those breaches. That figure was 390 million.
We assumed that all users had their passwords exposed, even though each company said that the passwords were encrypted. What’s our logic behind this? Some hashing algorithms are more difficult to crack than others. Take MD5, which is considered weak and susceptible to brute-force attacks. T-Mobile may have used this algorithm to encrypt passwords, according to security and encryption professionals, although the company declined to name the hashing algorithm.
Meanwhile, question-and-answer site Quora said it used bcrypt, which requires extensive time and resources to break. UnderArmour, which owns fitness website and app MyFitnessPal, used two hashing algorithms — one strong and one weak — to encrypt passwords. The fitness apparel company said that while a majority of the passwords were encrypted with bcrypt, some were encrypted with SHA-1, which is considered unsafe for encrypting sensitive data. UnderArmour didn’t provide figures on how many passwords were encrypted with each algorithm. Online fashion retailer Shein, genealogy platform MyHertiage and education technology company Chegg didn’t name the hashing algorithm that they used.
So what’s the fuss over passwords that are exposed in data breaches? And why can’t I use the same password to login to my Gmail, Bank of America and Tinder accounts?
Well, in theory, the answers to both of those questions should be common knowledge given how often we’re asked to change our passwords. However, with multiple surveys (here’s one, here’s another and here’s yet another) showing that people reuse passwords to access multiple sites, accounts and apps, perhaps an explanation is warranted.
Using the same password to log-in to your personal bank account and Outlook account at work is a major security violation. Data breaches are common occurrences, increasing the likelihood that, eventually, the username and password a person uses to access an account or service will end up in the public domain. Attackers, criminals and other nefarious types know that people reuse passwords. So if the bad folks have the password a person uses to log-in to a MyHeritage account, they know there’s a chance the password could potentially get them into a more valuable account, like a Wells Fargo bank account, for example.
Security professionals realize that password reuse is rampant and beseech people to change them following breaches involving credentials to mitigate the risk of attackers using this information to access a person’s other accounts.
How biometrics can help reduce the risks around password reuse and exposed passwords
Unlike passwords, biometrics can’t be reused if they’re stolen in a data breach. While we’ve all read stories about researchers fooling Apple’s Face ID, the fingerprint sensors on various smartphones, and Samsung’s iris recognition technology – biometric vendors have put liveness detection algorithms into their technology to defeat most of those attacks.
“As any biometric vendor will testify, as soon as you release a biometric, you’ll have people who are obsessed with trying to break it, fool it and spoof it,” said Veridium Chief Product Officer John Spencer. “[But] we’re relying on computer vision technology and machine learning to differentiate between what’s real and what is fake.”
The addition of behavioral biometrics to the authentication process should make fooling biometric technology even more challenging, he added. Behavioral biometrics are based on how people use their phones and include how a phone is held, swipe patterns and the pressure that’s used when typing.
“Behavioral biometrics are another layer that can strengthen the traditional biometric authentication process,” Spencer said.
The threat is coming from the inside the company!
Humans, this year let’s try our best to be a stronger link in the security chain and be less of an insider threat. Historically, this is an area where we’ve stumbled. We write the password we use to log-in to our computers on a sticky note and leave it on our monitors or under our keyboards. We fall for phishing emails and open malicious Word documents or click on links that lead to fake websites where we enter our login credentials.
In case you need a refresher, insider threats are malicious activities carried out by an employee, contractor or associate at an organization. Incidents involving insider threats are both intentional and accidental. There are the traditional examples of dishonest behavior, like the Web producer who gave log-in credentials to Anonymous or the engineer who hacked into a co-worker’s email account, stole proprietary information and shared it with competitors.
But some insider threats are also due to employee negligence. This includes falling victim to phishing scams or leaving login credentials in places where anyone can see them. For example, you may have thought that the email from IT support asking you to change your Outlook password was legitimate. So you clicked on the link in the email and when the page that opened asked you for your credentials, you entered them. You didn’t realize that the email was fake and the site was set up to harvest credentials.
Or maybe you wrote the password you use to access Citrix on a sticky note and stuck it on your keyboard because you always forget it. You never thought a dishonest co-worker would use your login information to access proprietary business information and share it with a competitor. Or maybe you’re a government worker who thought that the press photos of your office that conspicuously (and inadvertently) show passwords written on Post-Its and stuck to monitors would never be used by the media.
Insider threats are costly, according to the Ponemon Institute. Incidents involving a negligent employee or contractor cost organizations $283,281 while those involving either an imposter or thief who steals credentials cost $648,845 in 2018.
Resolving insider threats is even more expensive. The Ponemon Institute found that organizations with more than 75,000 employees spent an average of $2 million to resolve insider threat incidents and organizations with fewer than 5,000 employees spent an average of $1.8 million.
Cybercriminals follow the money so perhaps the fact that insider threats cost financial services the most money ($12.05 million), followed by energy and utility companies ($10.23 million) and industrial and manufacturing organizations ($8.86 million), according to the Ponemon Institute. Here’s how much other verticals spent:
Professional services: $8.84 million
Health and pharmaceuticals: $8.72 million
Retail: $7.41 million
Technology: $7.35 million
Consumer products: $6.64 million
Hospitality: $6.28 million
Communications: $6.01 million
Transportation: $5.9 million
Education and research: $5.14 million
Entertainment and media: $3.09 million
Phishing: Still taking the bait
We’re diving deeper into phishing because it’s still a key threat vector used by attackers. The main reason why it’s still the go-to threat in an attacker’s toolbox. Email is still the main way of communication in enterprises, Aaron Higbee, co-founder and CTO at anti-phishing company Cofense, told ZDNet.
“Email is still the main way that two entities who may not have a relationship get together and communicate. Whether it’s a law firm communicating with a business or a candidate applying for a job, email is still the bridge to getting these entities communicating. It’s not going away,” he said.
And, of course, phishing is still used because it works. People still click on the links or open the attached malicious document. In fairness, today’s phishing emails aren’t filled with typos and awkward English. Phishing victims are now likely to receive a well-written email allegedly from an executive in the company who needs payroll information on all of the organization’s employees. To make the email seem authentic, it likely contains details gleaned from social media. For example, attackers could have seen a Twitter message from the company that its CEO recently spoke at a conference and included that information in their phishing email.
Here’s a look at how many unique phishing campaigns were detected in the first three quarters of 2018 (the fourth quarter’s figures are still being gathered) and what verticals were targeted the most in each quarter, according to the Antiphishing Work Group, or APWG, a consortium of business, government agencies and security vendors that look to combat cybercrime, especially phishing. Once again, attackers are launching phishing campaigns against organizations that handle money, based on APWG data. In the first quarter, 39.4 percent of the phishing attacks were launched against the companies in the payment industry, and that figure remained consistent across the second and third quarters (36 percent and 38.2, respectively). Meanwhile, insider threats cost the financial services industry the most money, followed by the energy and utilities industry with the industrial and manufacturing industry taking third according to the APWG.
How biometrics can help with insider threats
Using biometrics for authentication reduces the risks associated with using passwords. Biometric authentication mitigates the chances of employees falling for phishing scams. If biometrics are the main method employees use to access applications, they can be instructed to report any email that asks them to reset their password. As long as email continues to be the dominant form of communication at organizations, don’t expect phishing scams to decrease.
Biometric authentication also offers a more secure form of password management. Instead of having to remember a multi-character password with numbers, special characters and uppercase letters to authenticate, employees only need what they are (their fingerprints or their face) and something they have (like their mobile phone). This decreases the need for people to use the Post-It-on-a-monitor method of password management, lowering the chances of a dishonest employee using their co-worker’s credentials for malicious activities.
Cheers to reducing authentication risks in 2019
Let’s start the new year with a new approach to authentication security. Maybe 2019 will be the year that people break the bad habit of password reuse, insecure password management and falling for phishing scams. And maybe this year more organizations will consider using biometric authentication technology to reduce the risks associated with using passwords.