Riverbank Ruminations

Observations from the Banks of the Technology River

No more for me, thanks. I’m stuffed.

As long as people have been able to transact business on the internet, bad guys have been trying to compromise accounts to gain money or merchandise illegally. Before the advent of electronic commerce on a large scale, the bad guy had to physically get your credit card in hand to do some damage. Now with so much data stored online, the bad guys have a large number of data sources to tap, from the store databases and websites to data dumps on the dark web where identity information is for sale in volume.

Go back a few years and the bad guys had to work a little to get your information. Let’s say your name is Albert Bartholomew Jones. What would your user name be? ABJones, ALB, bartj, albj, or any number of other possibilities would present themselves. This would hold for user names and email addresses. What about passwords? Google weak/bad passwords and for the last 10 years or so the top 10 have included in varying order: 12345, 123456, 1234567, password, qwerty, and others equally weak. If you went to something creative like the commonly specified complex password (upper case, lower case, number, special character) you made their job harder. As password policies forced more complex and longer passwords, the bad guys had to work a little harder. Then a trend started that changed the landscape for bad guys, data breaches.

Now you don’t need to guess anything. Huge datasets of usernames and passwords went up for sale on the dark web and credential stuffing attacks were born. Rather than trying to guess usernames and passwords, the bad guys had lists of both that worked at one time.

Three things work in the bad guys’ favor. We are creatures of habit so a username on Amazon is probably the same on eBay. Secondly, people are terrible at complex passwords and password management, so passwords are routinely used on multiple accounts and they are not robust. Thirdly, people are not typically security conscious. When there is a breach, unless forced to do so, very few of us bother to change our password.

A study by Carnegie Mellon showed that about 1/3 of users changed their password after a breach. We got an email from CafePress recently stating that there had been a breach. My wife asked me what to do about it. We changed the password.

Ashton monitors clients for email addresses that have shown up in database breaches. The real issue is not that the data is out there but that the data is corporate email addresses being used for non-business accounts; eBay, Amazon, etc. This means a breach outside of the business exposes business addresses unnecessarily. This gives the bad guys a way to contact your employees directly and also pose as employees. The recent transition to remote work has moved people outside of the enterprise protection and opened up businesses to attack, along with the individuals.

Given the risk factors mentioned above, the chance of a bad actor being successful with a credential stuffing attack is very good. Victims may be unaware of the problem until they discover their bank account has been accessed or their cell phone number has been hijacked.

This article discussed these attacks and mentioned an interesting point. You might create an account for a trivial reason and decide it isn’t important to you. So you use a throwaway or weak password. If in the future the account does become valuable or you decide that you need to add some data that should be confidential, you have exposure. It is easy to forget what information we provide for an account over time, but we will rarely remove information from an account. As the list of accounts grows, our information exposure grows. I wholeheartedly agree with (and have been a longtime proponent of) this statement on passwords:

 “The key defense against credential stuffing is unique passwords to the individual account and passwords that are both complex and long. Humans have a hard time creating complex passwords, leading to passwords that are often shared, recycled, and reused. This is why password managers are important.”

You have very little control over the information you provide to an online account. Data breaches are a fact of life. Don’t make the bad guy’s job any easier. Unique passwords for each account will help prevent you from getting stuffed.