Threat of the Week: The Bumper Crop of Purloined Credentials
Cyber crooks now have more bank account login credentials than they know what to do with.
That is a frightening bottom-line conclusion of new findings released by Dell SecureWorks, which pegs the cost of buying a username/password login for a bank account with at least $70,000 in it at $300 or less.
The question credit union executives need to ask themselves is: what can be done to secure accounts in an era where criminals seemingly have as many valid login credentials as they want?
They get them by hacking into systems, they get them by tricking users into giving them over, they get them by installing malware on target computers – but however they get them, they have gotten huge numbers of them.
Case in point: Credit card numbers range in price from a few dollars to maybe $8 or $10, according to Dell SecureWorks.
A so-called “fullz” – which Dell SecureWorks describes as “a dossier of credentials for an individual, which also include Personally Identifiable Information (PII), which can be used to commit identity theft and fraud. Fullz usually include: Full name, address, phone numbers, email addresses (with passwords), date of birth, SSN or Employee ID Number (EIN), one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including any associated PINs)” – will run you $25.
It gets worse. According to Dell SecureWorks malware researcher Joe Stewart, there are so many stolen credentials in hackers’ hands that prices are plummeting.
Know, too, that “this problem is getting worse,” said Paul Ferguson, a vice president at IID, an Internet security firm. “Every day there is another breach,” he said, meaning a penetration of a large database of IDs by hackers.
Question: How hard is it to find these hacker bazaars and how hard is it to buy at one? The answer to both is: easy, according to Stewart. He added: “if you have the money to spend and you are willing to use their channels (such as paying via Bitcoin), they will sell you the goods.”
As far as fighting back, experts – although many acknowledge growing pessimism about how this war is going – offer tips they say will help credit unions fight off criminals.
* Tap into the same stolen resources the crooks are using. That is the advice of Tommy Chin, technical support engineer at CORE Security. He pointed to massive breaches such as the recent Adobe breach, which put tens of millions of user names and passwords into the hands of crooks. Criminals mine that data because they know many people use the same credentials at multiple sites. Financial institutions can take a page from the same book, suggested Chin. “Companies can cross-reference that list of leaked credentials, pinpoint those who are at risk and teach them how to mitigate risk by choosing a much stronger password.”
Some companies are in fact said to be proactively combing through those hacked data sets, looking for their own users; when they find a match, they contact the person and urge a password reset.
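The cross-reference Chin describes can be done without ever storing a customer's plaintext password. The following is an added example, not code from the article or from any of the firms it quotes: it assumes the institution stores passwords as salted PBKDF2 hashes, and it uses a constructed third-party dump (email plus plaintext password, as many leaked lists circulate) to sort its own users into those whose email merely appears in the leak and those whose leaked password actually verifies against the institution's own hash, which is the reuse case that warrants a forced reset. All names, passwords and records here are made up.

```python
import hashlib
import hmac
import os

# Assumption: the institution stores passwords as salted PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Build a constructed user record with a fresh random salt."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample of the institution's own users (not real data).
OUR_USERS = [
    make_user("alice@example.com", "Summer2013!"),          # reused the same password elsewhere
    make_user("bob@example.com", "correct horse battery"),  # in the leak, but with a different password
    make_user("carol@example.com", "v7!Qz#pL0w"),           # not in the leak at all
]

# Constructed stand-in for a third-party breach dump: (email, plaintext password).
LEAKED_DUMP = [
    ("alice@example.com", "Summer2013!"),
    ("ALICE@example.com", "oldpass"),      # same person, different capitalisation
    ("bob@example.com", "hunter2"),
    ("dave@elsewhere.org", "letmein"),     # not one of our customers
]


def password_matches(user: dict, candidate: str) -> bool:
    """Constant-time comparison of a leaked password against our stored hash."""
    return hmac.compare_digest(user["hash"], hash_password(candidate, user["salt"]))


def classify_exposure(users: list, leak: list) -> dict:
    """Return {email: 'reused' | 'email_exposed'} for every one of our users
    who appears in the leak. 'reused' means the leaked password verifies
    against our own hash, so the account is directly at risk."""
    by_email = {}
    for email, pw in leak:
        by_email.setdefault(email.lower(), []).append(pw)

    findings = {}
    for user in users:
        key = user["email"].lower()
        if key not in by_email:
            continue
        if any(password_matches(user, pw) for pw in by_email[key]):
            findings[key] = "reused"
        else:
            findings[key] = "email_exposed"
    return findings


if __name__ == "__main__":
    for email, status in classify_exposure(OUR_USERS, LEAKED_DUMP).items():
        action = "force password reset" if status == "reused" else "notify, recommend new password"
        print(f"{email}: {status} -> {action}")
```

Two design points matter in practice: the match is made by verifying the leaked plaintext against the institution's existing salted hash, so no plaintext is stored, and emails are normalised to lower case before lookup because dumps are rarely consistent. Running PBKDF2 once per leaked candidate per matched user is the intended cost; only users whose email appears in the dump are checked.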
* Use geolocation. That is the advice of Benjamin Caudill, principal consultant at Rhino Security Labs. He elaborated: “The best thing financial institutions can do to tighten their defenses is to use geolocation services to identify the [Internet providers] and areas each customer logs in from, and disallow anomalous behavior based on that. It's not perfect, but it's a very intuitive and effective way to eliminate most malicious activity on accounts.”
When a Texarkana accountholder seeks to log in from Lahore, Pakistan, isn’t that a red flag? Especially when this accountholder has no prior history of international log-ins? Smart institutions are making more use of the location data they have in hand to make fast decisions about access, suggested Caudill.
* Use two-factor authentication. That is the advice of Richard Henderson, a security strategist with Fortinet's FortiGuard Labs. “While not a panacea, it offers another layer of security for your customers. Unfamiliar login? Require the user to accept a text message with a one-time code that must be entered. Better still, have them use a two-factor authentication application all the time.”
Tim Keanini, chief technology officer at security company Lancope, agreed: “It is nuts to rely on username and password for perimeter defense. People will start to use two-factor. There is a real opportunity to up defenses with two-factor and mobile phones.”
The basic idea: require users logging into a financial account, especially from an untrusted device or a new location, to receive a verifying SMS on a cellphone and then enter that code before they are allowed to proceed.
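The geolocation rule Caudill describes and the step-up second factor Henderson and Keanini describe fit together as one login decision: compare the attempt against the account's own history, and demand a one-time code only when something is unfamiliar. The block below is an added example written for this article, not code from any of the firms quoted. It assumes a per-account history of (country, provider, time) for past successful logins, a two-hour "impossible travel" threshold, and an authenticator-app code computed with TOTP (RFC 6238, HMAC-SHA1, 30-second steps) standing in for the SMS code in the text; the provider labels, account ids and history are constructed.

```python
import hashlib
import hmac
import struct

# Constructed per-account baselines: (country, provider label, unix time) of past
# successful logins. Provider labels are placeholders, not real ISPs or ASNs.
LOGIN_HISTORY = {
    "acct-1001": [("US", "ISP-A", 1_700_000_000), ("US", "ISP-A", 1_700_086_400)],
    "acct-2002": [("US", "ISP-A", 1_700_000_000), ("GB", "ISP-B", 1_700_300_000)],
}

# Assumed threshold: two countries within two hours cannot be the same person.
IMPOSSIBLE_TRAVEL_SECONDS = 2 * 3600
TOTP_STEP_SECONDS = 30


def login_risk(account: str, country: str, provider: str, now: int,
               history: dict = LOGIN_HISTORY) -> str:
    """Classify an attempt as 'allow', 'step_up' or 'block' from the account's
    own location/provider history (the geolocation approach in the article)."""
    seen = history.get(account, [])
    if not seen:
        return "step_up"                      # no baseline yet: always verify
    last_country, _, last_time = max(seen, key=lambda e: e[2])
    if country != last_country and now - last_time < IMPOSSIBLE_TRAVEL_SECONDS:
        return "block"                        # impossible travel: refuse outright
    countries = {c for c, _, _ in seen}
    providers = {p for _, p, _ in seen}
    if country in countries and provider in providers:
        return "allow"                        # everything familiar
    return "step_up"                          # new country or provider: second factor


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(at_time) // TOTP_STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    counter = int(now) // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def decide_login(account: str, country: str, provider: str, now: int,
                 submitted_code: str = None, secret: bytes = None) -> str:
    """Full flow: 'granted', 'blocked', 'challenge' (code required) or 'denied'."""
    risk = login_risk(account, country, provider, now)
    if risk == "allow":
        return "granted"
    if risk == "block":
        return "blocked"
    if submitted_code is None:
        return "challenge"                    # send/ask for the one-time code
    return "granted" if verify_totp(secret, submitted_code, now) else "denied"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # constructed enrolment secret
    now = 1_700_200_000
    print(decide_login("acct-1001", "US", "ISP-A", now))                  # granted
    print(decide_login("acct-1001", "PK", "ISP-Z", now))                  # challenge
    print(decide_login("acct-1001", "PK", "ISP-Z", now, totp(secret, now), secret))  # granted
```

The Texarkana-to-Lahore case in the text lands in the `step_up` branch when the account has no international history, and in the `block` branch if the two logins are only minutes apart; a known country with a new provider also triggers step-up rather than a hard block, which keeps false positives tolerable. The TOTP functions are checked against the published RFC 6238 SHA-1 test vectors, and the code comparison uses `hmac.compare_digest` so that code checking does not leak timing.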
Is that perfect? Nobody thinks so – but just about everybody thinks it is a big step over the current, and porous, perimeter defenses that now seem thoroughly broken.