Life on the road often requires WiFi-friendly stops at diners and coffee shops. I was on the road recently and ducked into a diner to have some free WiFi with my fries. I was pleased to see the WiFi was password protected. So I asked for the password, and the waitress whispered to me “Oh, we make it easy to remember: 123456.” I thanked her and logged on, but quietly cringed. Basically any of us logged on were sitting ducks because a password like that is essentially handing over access to hackers.
Account takeover attacks on the rise
Account takeover attacks (ATOs) by hackers are increasing, prompting even the IRS to warn people about them. “Don’t take the bait,” the IRS warns, specifically scolding those that fall for spear phishing, but there are plenty of other avenues for ATOs as well.
Part of what is driving the ATO train is simply the massive number of accounts out there laden with sensitive data and low-hanging financial fruit.
For instance, a recent poll by Intel Security of more than 2,000 English-speaking adults, showed that the average person has 27 discrete online logins. As reported in Buzzfeed: “The sheer number of accounts has grown dramatically over the past few years,” said Bruce Snell, cybersecurity and privacy director at Intel Security.
Not surprisingly, with this many accounts, the study found that 37 of people forget a password at least once a week. Some services like mSecure and Dashlane have tried to fill the void on password memory, but the majority of people still rely on their own.
Smarter MSP reached out to some of the best minds in the field of password security to talk about ATO risks and what role an MSP can play in combating them.
“[ATOs] are an increasingly concerning issue because more password dataset is leaked via data breaches. On one hand, hackers may try to takeover the accounts whose passwords are directly leaked. On the other hand, hackers can guess the users’ passwords of other not-yet-breached services since users often reuse passwords across different online services,” says Dr. Wang Gang, an assistant professor in the Department of Computer Science at Virginia Tech, who has studied the issue extensively.
The dangers of password reuse are echoed by others in the cybersecurity field.
“People tend to reuse passwords they created for other accounts. This is a big problem because if one account is compromised, they can all be compromised,” says Dr. Lorrie Cranor, professor of computer science and of engineering and public policy, and Director of the CyLab Usable Privacy and Security Laboratory at Carnegie-Mellon University.
“Another common mistake is putting your digits or symbols at the end of the password and capital letters at the beginning. This is very common, and attacks know this and will guess this quickly,” Cranor says.
Cranor recommends organizations require passwords to be 12 characters or longer and include at least two different character classes. A good password meter can also help improve password strength, she says.
“But many password meters use naive approaches that are not that helpful,” Cranor. To that end, Cranor’s team designed and tested an open source password meter.
Ways MSPs can help
At first blush, ATO vulnerability and weak passwords would appear to be an issue for the user, but MSPs have a role to play says Clark Thomborson, a professor in the department of computer science at the University of Auckland in New Zealand. Thomborson has studied and presented extensively on password security, and he says MSPs shouldn’t get too focused on strengthening passwords.
“If any MSP focuses on strengthening passwords as its primary response to a mounting ATOs risk, then it’s probably making a big mistake because this password-strengthening may alienate its customers if their ‘online experience’ with the MSP is degraded as a result of the change,” Thomborson says. “Usable security is a lovely idea in theory, but its only occasionally feasible. Usually we design insecure systems for end users, with detection-response systems that mitigate the damage caused by their known security defects.”
So if strengthening passwords isn’t the answer, what should an MSP do to ensure their clients aren’t handing over access to the bad guys?
Better password precautions
“If an MSP is securing an important asset on behalf of your customers (and not managing a bazillion low-value accounts), then they’d want multifactor authentication for any system that manages customer accounts,” Thomborson says. He adds that the passwords, even if they are hashed, of lots low-value accounts would still have significant value to a bad actor who knows their stuff. The “stuff” they’d know includes that a significant fraction of these passwords will be used elsewhere by a similarly-named account on some other system.
“The theft of your MSP’s password store would be a reputational risk if it’s publicized,” Thomborson says, even if there was no immediate damage evident.
Thomborson also advises any MSP to conduct a thorough security audit of the password reset procedures for its customers. This, he says, is an important avenue of an ATO attack.
And, Thomborson advises keeping an eye on those “stale” accounts. We all have them. Well, most of us do — think about that old AOL email account you haven’t opened in years but never bothered to close down.
“Your MSP should encourage all of its customers to touch base at least occasionally, as the hostile takeover of a disused account is unlikely to be detected, until it has done some significant damage to someone,” Thomborson says.
“And any account that’s very stale should probably get mothballed somehow, very carefully,” Thomborson says. “You’d want to welcome back such customers warmly but with a very careful additional round of identification!” Thomborson advises.
The bigger picture
A final piece of advice from Thomborson is to look at your customers’ systems holistically and don’t become complacent because a new online platform promises to prevent ATO attacks.
“Consider the larger context of the password system you’re trying to improve (or replace). I think most corporate decision-makers are tired of hearing salespitches for yet-another ‘security appliance’ which will (somehow!) plug into any or all of their existing systems without much difficulty while still improving their security posture — and all without any nasty side effects,” Thomborson says.
“It’s tempting to believe that such security appliances exist … and perhaps they do, but I think it much more likely that some whole-of-system analysis will be required before anyone should be confident that there won’t be nasty side effects, and that the ‘bad guys’ won’t quickly adapt their strategies to your newly configured systems,” Thomborson says.
So, the best advice for an MSP is to educate your customers on the dangers of easy-to-remember passwords and look at what your overall mission is. An MSP trying to protect sensitive medical data is in a different position than one that manages magazine subscriptions. Financial institutions are especially at risk for ATOs. If money is the goal of most hackers (it is), then what better, easier way to access it than to get some passwords and start draining accounts.
Meanwhile, back at the coffeehouse with the easily decrypted password, I conducted my business as fast as possible and got out of there. Sometimes, unfortunately, cybersecurity is easy as 123456.