My Sports Tracker Password Is Not Just My Private Business

janikenttala
Published in badrap.io
3 min read, Sep 2, 2019

I exercise, and I like to track it. If I’m not careful, others might suffer a security breach because of it. How is that possible?

One of our jobs at badrap.io is to provide simple explanations of (sometimes) complex security issues. This time we are going to take a look at a somewhat complex but successful approach to attacking others. It is called credential stuffing, and it relies on poor password hygiene and data breaches.

27% of people use the same or similar passwords

Hasso Plattner Institute studied available data breach dumps in 2016 [1]. Their study revealed that a whopping 27% of people behind the leaked email addresses reuse passwords in different services (Figure 1).

Figure 1: People reuse passwords.

Criminals exploit this fact

Here is how it works. Many users reuse the same passwords across multiple services. Some of these services may have data breaches (like the imaginary “Runtracking” service in Figure 2). Criminals who get their hands on the leaked user data run automated tests to see whether those username/password pairs also work at other companies. If they also test variations of those passwords, such as replacing the letter o with a zero, they c0ver an even larger am0unt of pe0ple.

Figure 2: Criminals use stolen credentials (usernames and passwords) to attack other companies.

This method is called Credential Stuffing (or Password Stuffing). It has started receiving public attention fairly recently: it got its Wikipedia article only in 2016, and a sign of a growing trend is that most edits to that article have happened since the beginning of 2018 [2].

The method is highly successful

Shape Security “protects the online applications of the world’s largest corporations in financial services”. They have “identified millions of instances of credentials from reported breaches being used in credential stuffing attacks on other websites, with up to a 2% success rate” [3]. Verizon observed in 2018 that 82% of data breaches in the Accommodation and Food sector were because of stolen passwords [4].
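The shape of the attack described above, many different accounts tried from one source in a short time with only a trickle of successes, is also what a defender can look for in their own login logs. The detector below is an added example, not code from the original post or from badrap.io; the log format, the thresholds and the log lines themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data). Columns: timestamp,
# source IP, username, outcome. 203.0.113.7 replays a leaked credential list
# against many accounts; 198.51.100.9 is one person who mistyped once.
SAMPLE_LOG = """\
2019-09-02T10:00:01 203.0.113.7 alice FAIL
2019-09-02T10:00:02 203.0.113.7 bob FAIL
2019-09-02T10:00:02 203.0.113.7 carol FAIL
2019-09-02T10:00:03 203.0.113.7 dave OK
2019-09-02T10:00:03 203.0.113.7 erin FAIL
2019-09-02T10:00:04 203.0.113.7 frank FAIL
2019-09-02T10:00:05 203.0.113.7 grace FAIL
2019-09-02T10:00:05 203.0.113.7 heidi FAIL
2019-09-02T10:01:00 198.51.100.9 alice FAIL
2019-09-02T10:01:20 198.51.100.9 alice OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def find_stuffing(log_text, window_s=300, min_users=5, max_success=0.2):
    """Bucket attempts per (source IP, fixed time window) and return
    {ip: (distinct_users, success_rate)} for buckets that look like
    credential stuffing: many different accounts tried, almost all of
    them failing. One person retrying their own password never reaches
    `min_users`, so ordinary typos are not flagged."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        seconds = int((ts - datetime(1970, 1, 1)).total_seconds())
        buckets[(ip, seconds // window_s)].append((user, ok))
    flagged = {}
    for (ip, _), attempts in buckets.items():
        users = {u for u, _ in attempts}
        rate = sum(ok for _, ok in attempts) / len(attempts)
        if len(users) >= min_users and rate <= max_success:
            flagged[ip] = (len(users), round(rate, 3))
    return flagged

if __name__ == "__main__":
    for ip, (n, rate) in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} accounts tried in one window, success rate {rate:.0%}")
```

The thresholds need tuning per service: a shared office NAT will legitimately show many usernames from one address, but its success rate will be far above 20%.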

What can you do

If you are an individual, good password hygiene with unique passwords everywhere is your starting point. Enable two-factor authentication in services that offer it. Read practical tips on how to achieve that in Ville Alatalo’s excellent blog post.

Employer: improve awareness in small doses

Less is more: instead of expecting everyone to learn all your security policies at once, drop pieces of information in small doses. Run weekly campaigns, each with a very specific topic. And while you’re at it, why not do it publicly on social media, letting others see that you care about security?

What Badrap can do for you

If you are an individual, register at badrap.io. It is a free service which will warn you if you have security issues. It does not overwhelm you with information, but it will reveal educative and practical instructions when you need them, e.g. when you have a security issue.

If you are an employer, consider providing Cyber Hygiene for Your Employees. It uses an approach inspired by occupational health to tackle the credential stuffing problem shown in Figures 1 and 2. The key to covering both work and personal identities is to keep each user’s security issues private. That is how they can feel comfortable protecting their personal identities too, such as personal email addresses and IP addresses (Figure 3).

Figure 3: By keeping each user’s issues private, your employees feel better about adding their personal accounts for monitoring as well. No more credential stuffing against you?

Just like in occupational health, you can provide a service to your employees to keep them healthy. Read more about Cyber Hygiene for Your Employees.

Further reading

[1] HPI Study on password reuse

[2] Credential stuffing in Wikipedia

[3] 2017 Credential Spill Report by Shape Security (registration required, but the email address is not confirmed)

[4] 2018 Data Breach Investigations Report by Verizon
