Part 1: How data breaches have become common front-page news headlines, and how they provide the data used to perform ATO attacks against any given website login page.
Account Takeover – Data Breaches
Businesses work tirelessly and spend a considerable proportion of their budgets year after year to reduce the risk of falling victim to a data breach. Yet, despite all the time and effort that goes into reducing their risk footprint, businesses still suffer breaches. Data breaches and credential spills continue to happen and are directly contributing to the growing rise of account takeover attacks.
Worryingly, it is now common for the public to wake up and find that yet another company has had a breach: millions of people’s data has been spilt onto the internet, and hundreds of thousands of people are being contacted to change their passwords. The speed with which the media can report on breaches, and in some cases on the details of how they occurred, makes a data breach much harder for an organisation that is already going through a painful process. It is bad enough that the breach has happened, but the brand reputation damage that comes with sensational media headlines is an additional corporate black eye.
Given the growing rise in data breaches, the number of records being exposed, the mass media attention that data breaches receive and the growing dependency on technology-based services, you get the sense that a data breach has become a normal, everyday occurrence. It is no longer a case of “if we get breached” but of “when we get breached”, which is a worrying state to be in.
Issues also arise when companies share customers, and especially when those customers have poor password hygiene and reuse the same credentials across multiple online accounts. For example, credentials stolen from one retailer and subsequently leaked onto the internet could ultimately be used against another retailer, or against a company in a totally different industry. Companies must now not only minimise the risk of being breached by attackers looking for ways into their own systems, but also protect themselves from an external third-party breach that could lead to their own accounts being compromised.
Statista has recorded 23 separate breaches between 2007 and September 2018 in which 9.4 billion records were leaked. Over that 11-year period, that is more records than the entire world population, and more than twice the number of people worldwide who have access to the internet. Those figures are astounding and clearly indicate that the resources available for an account takeover attack are plentiful: an attacker has a plethora of data to utilise when attempting an attack campaign.
Fig 1 – Cyber-crime: Biggest online data breaches 2007-2018
So now that we have established that breaches are more regular, and that data from one company’s breach can be used against another company, it is not difficult to see how this volume of leaked data is directly contributing to the rise in account takeover attacks. Yet if a business expects to be breached even after taking appropriate steps to minimise risk, it makes you question how these breaches are occurring: could there be a common denominator throughout them all? Netacea investigated a small sample of the largest data breaches, and a pattern emerges:
- Equifax – 143 million identities breached
  - Reason: vulnerable Java-based web application
- Anthem – 80 million records stolen
  - Reason: keylogger malware used to steal credentials
- JP Morgan Chase – 76 million personal and business accounts breached
  - Reason: stolen credentials and a vulnerability in OpenSSL
- Uber – 57 million records stolen
  - Reason: stolen credentials
Just by looking at this small sample, you can start to see that the underlying cause of these breaches is a vulnerability in an application or associated system, stolen credentials, or both. It also seems that for an attacker to attempt a breach they need working credentials, but how exactly does an attacker get to the point of knowing they hold a working credential pair?
Think about the 9.4 billion breached records we mentioned earlier. As an example, let’s assume 75% of these records are unusable for an account takeover attack because the data consists of things like addresses and telephone numbers; this reduces the figure to 2.35 billion potentially usable records. Let’s also assume that 50% of those 2.35 billion records are for accounts on internal systems rather than public-facing web applications, which reduces the number further to 1.175 billion potential accounts.
Finally, let’s assume the attacker managed to obtain all of these records and attempted an attack. They would only need a 1% success rate when trying these records against any site for it to equate to 11.7 million working accounts.
Obviously, the scenario above is completely fictitious; however, it does illustrate how the sheer volume of data that continues to be leaked onto the internet can be used in attempts to gain access to a person’s account.
In the next part of our account takeover series, we’re going to delve deeper into the account takeover issue and look at how habitual human behaviour is making account takeovers easier for an attacker.
Learn more about our adaptive machine-learning approach and sign up for an Account Takeover Trial, where you can access the Netacea Bot Management dashboard and test it on your live site.