Credential Theft: Easy as Shooting Phish in a Barrel

Imagine your best-case scenario: You’ve conducted security awareness training for your users and have educated them on all the threats that apply to them. You’ve cultivated a culture of security where everyone knows the tactics of phishers and how to avoid being compromised by a phishing email. You have anti-virus installed on all your endpoints to combat drive-by-downloads. Your users are even advanced enough to use a password manager because they know and care about the perils of weak passwords and password re-use.

Now, come back to reality. We use technology because humans are error prone. Sure, educating your users is very important because it will dramatically lower your frequency of phishing related incidents. But no matter how much you educate your users, there will always be a few that make a mistake. According to the 2016 Verizon Data Breach Investigations Report (DBIR), 13 percent of people tested for phishing click on the attachment in the phishing email. So, don’t fool yourself into thinking that none of your users would fall into that 13 percent. Mistakes aside, 20 percent of employees are willing to sell their passwords and 44 percent of those employees would do it for less than $1,000! If you’re looking at these statistics and thinking “That wouldn’t happen in my organization” – then you are the one making the mistake if you don’t anticipate and prepare for phishing incidents to occur.

An obvious motivation for phishing is to steal user credentials to then launch a deeper attack. The 2016 Verizon DBIR recorded 1,429 incidents that involved the use of compromised credentials. How is this possible? User password fatigue is a big contributor. Think of all the passwords you keep track of for your personal needs – your mobile banking app, your Gmail account, your Facebook account, your Amazon Prime… the list goes on and on. Now, apply this same situation to business where 80 percent of enterprises are delivering applications (Office 365, Salesforce, Concur, etc.) from the cloud. Enterprises’ most sensitive data resides in its applications, and those applications may have the following typical password complexity requirements:

• Minimum 8 characters
• Use of at least 1 special character (!,@,#,$, etc)
• Use of at least 1 uppercase letter (A-Z)
• Use of at least 1 number (0-9)

Best practices tell us that you’re supposed to use a unique password for each of those accounts and for many of those apps you need to change your password every 90-180 days. Good luck remembering all those passwords!

How does reality reflect those password requirements? What most users actually do is use one or two, maybe three mostly unique passwords, possibly with a slight variation (add a “1” at the end) for our more important apps. That translates into one compromised password being a great start for an attacker to compromise several sets of credentials. How do we stop this?

Implementing security is always about finding the balance between security and convenience for the user. Completely eliminating attacks spawned by phishing might be a Herculean – and quite possibly impossible – task in our fast-paced work environments. So, what are we to do? 

A great solution for stopping or at the very least, significantly reducing the damage done by compromised credentials resulting from phishing is multi-factor authentication (MFA). MFA consists of something you know (a password), something you have (a token) and even something that you are (biometrics). By entering your username, password, and providing some sort of one time token or physical verification, you ensure that only approved users are able to access your applications.

If by some chance you do work with a bunch of unicorns, as described in the first paragraph, there is still plenty of evidence to show that you should still implement an MFA solution. While web browsers and password managers are certainly useful in the fact that they help users comply with best practices, attackers have also set their sights on them. When users select the autofill feature, attackers can hide sensitive fields like street address, date of birth, and phone number, and even passwords, while displaying only basic entry boxes like name and email. This means users’ passwords and other sensitive information is unwillingly entered into text fields that the user can’t see. But, there are ways to obfuscate the entered text and to encrypt it so it cannot be readable.

Your users want to connect to applications from anywhere, with any device, so it’s up to you to help them do this securely. F5’s application access solutions provide an easy integration with numerous MFA vendors in order for you to provide choices of a second or even third factor or greater authentication for your users (i.e., one-time password [OTP] mobile phone push notifications through authenticator apps, Yubikey, and many others). Plus, when deployed in concert with F5’s anti-fraud solutions, such as F5 WebSafe, text entered into online forms, including user names and passwords, can be obfuscated and encrypted for additional protection.

Secure authentication to your applications combined with a simple but enhanced experience for your users is a secure win for everyone.