Organisations and websites are suffering cybersecurity incidents on a daily basis, some of them leading to the compromise of customers’ data. Compromised data frequently include lists of usernames and passwords, which allow the bad actors who possess them to access online resources such as websites and mobile applications. These passwords are then traded and sold on the internet, mostly on dark web marketplaces, but also on publicly accessible websites. Some of these password lists can be bought for as little as $5. Moreover, nowadays, passwords can be easily mis-shared or guessed, especially when users still use weak passwords (ex. “password” or “123456”) and with the abundance of personal information available on the Internet.

A closer look at passwords.

Passwords can be big business: according to several studies, an average person can have more than 150 different online accounts. Due to insufficient security awareness, most people use the same password for several accounts, and may even utilize the same password for personal accounts, sensitive business applications that are accessible from the Internet, or for remote connections into their company’s network (like a VPN or Citrix). Thus, a compromised personal account password, even from a site hosting non-sensitive data such as dailyquizz.me, can provide threat actors with valid credentials for accessing an organisation’s systems remotely.

It is relatively easy and cheap for threat actors to perform credential stuffing attacks, which are large-scale automated login requests using stolen credentials (one authentication request per user). These attacks are often difficult to detect by IT security teams, as the threat actor is actually using valid usernames and credentials rather than brute force attacks.

The impact of such an attack depends on the type of data or access of the compromised accounts. It can vary from accessing a magazine subscription, to remotely accessing an organisation’s information systems using privileged access. Fortunately, there are several ways your organisation can protect against this risk.

The most important thing that your organisation can do is to enable Multi-Factor Authentication, or MFA.

The concept behind multifactor authentication (MFA) is not a new one.

Before keys were invented (over 6,000 years ago), you needed to identify yourself with a secret message before getting access to an important meeting room. Years later, and as humans discovered how easy it was to find or guess a secret message, keys were invented. The advent of the key represented the first version of 2-FA (two-factor authentication): something you knew (the location of the door), and something you had (a physical key).

We can apply the same concept to secure access IT nowadays: the part that you “know” (username and password or PIN) can also be known by multiple threat actors, so you need the second factor, which is the part that you “have”: this can include a mobile phone with a SIM card, a code generated on a physical token or software installed on your mobile device, an enterprise enrolled device, etc.

MFA is a very efficient way to protect your account from the above mentioned opportunistic attacks. Even if a threat actor gets access to a valid password, the second factor of your MFA would prevent them from using it to connect to your online accounts. 

2022

2022

2022

2022

2022

2022

2022

2022

2022

2022