This past week it was revealed that cybercriminals had heisted more than a million dollars from the popular online marketplace StubHub. For those unfamiliar, StubHub is a subsidiary of eBay that provides services for buyers and sellers of tickets to sports, concerts, theater and other live entertainment events. While the news about the attack is new, the actual activity took place in March of 2013, and behind the scenes the investigation has been pursued by national and international law enforcement. Total damage…over $1 million in fraudulent purchases from approximately 1,600 StubHub users. What lessons can readers learn? How can you protect your accounts—both corporate and personal?
According to Law Enforcement, in March 2013, StubHub discovered that more than 1,500 of its users’ accounts had been compromised by cybercriminals who used the accounts to purchase thousands of tickets using the service worth over USD $1 million. These tickets were then re-sold through three American “fences”, thereby laundering the proceeds. A multi-national cooperative effort by law enforcement has resulted in the arrests of 3 Russians and 3 Americans involved in the scam, some 16+ months after StubHub discovered the theft.
It is important to note that StubHub’s systems were not the source of the breach, as all of the users’ account logins were compromised through some other source. The official StubHub statement reads: “Customer accounts were accessed by cyber criminals who had obtained the customers’ valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customer’s PC.”
“Don’t Hate Me Because I’m Human”
If you’re reading this, you’re human, and chances are if you’re human you use the same password on multiple web-sites, right? If you have that favorite password that you just beat to death, site after site, statistics show that you’re not alone. According to a study by Ofcom, the UK communications watchdog, in a poll of 1805 adults 16 and older, 55% used the same password for most – if not all – websites (“Adults’ Media Use and Attitudes Report 2013”, http://media.ofcom.org.uk/news/2013/uk-adults-taking-online-password-security-risks/). And while the study included adults in the UK only, it is likely a bellwether for the population in general.
But that’s not the worst of it. That same study showed that 26% of users use passwords that are easily guessable, such as a child’s name, a birthday or anniversary or names of pets, favorite sports teams or vacation spots.
This combination of easily guessable passwords and the habit of reusing the same password across multiple web-sites continues to be one of the primary means for cyber attackers to compromise an account.
I find that likening the abstract, digital world to the tangible, real world through analogy often opens eyes and makes you think about your place in the digital world a little differently. Think about it this way…imagine if the locks on all of your neighbors’ doors used the very same key as yours. While you are extra-careful with your key, ensuring that you always have it on you, never lending it out and never losing it, you’re not so sure about everyone else in the neighborhood. In fact, maybe all of your neighbors are great about the security of their key – all except one person. And that’s all it takes: just that one person’s carelessness in losing the key or lending it to the wrong person, and everyone living in the neighborhood is at risk for a break-in. You guessed it, this is precisely what happens when you elect to use the same “key” (password) on multiple web-sites. It only takes learning your credentials from one web-site, and then it’s trivial for the bad guy to use those compromised credentials on other sites.
The Password Dilemma
Passwords as a mechanism for securing access to assets are obviously the standard practice, but they are increasingly beset by problems as cyber criminals keep advancing their skills. In principle, passwords can be a secure means; the problem, however, stems from the human factor.
Here is just a short list of some of the primary issues of using passwords:
· Use of passwords that are too short. A common means of attacking passwords is through the use of brute force; this is the methodical testing of every single combination of characters that can be used for a password. Brute-force password cracking is 100% effective. It will ALWAYS work – it’s just a matter of how much time it requires. The analogy I like to use in this regard is those old 3-tumbler bicycle locks…the ones that go from 000 to 999. I know every summer when I pulled the bicycle back out I couldn’t remember the combination, so I had to brute-force it. It probably took about 5-10 minutes to go through all combinations, or at least as many as I needed to get to the magical combination that opened the lock. But one year I got a new lock and it had 4 tumblers going from 0000 to 9999. That took me considerably more time the following summer. Imagine how long it would take if it was 5, 6, 7 or even more digits. This is the idea behind using a long password. Just to give you an idea, the ability to crack 1 million or more passwords per minute is not unheard of.
· Use of passwords that are not complex. While complexity has no bearing on the ability to brute force a password, complex passwords do prevent attempts at guessing passwords. There is no official definition of what a complex password is. Microsoft defines password complexity as having 3 out of the following 4 present within a password: lowercase letters, UPPERCASE LETTERS, numbers and special characters. The problem is that, if taken literally, “Pa55w0rd” qualifies as a “complex” password by Microsoft’s definition. I assure you, it is not. I like the idea of mixing and matching the various characteristics, but substituting numbers or symb0|5 that look l1ke l3tt3rs can only get you so far – plus the bad guys know those tricks.
· Not changing passwords frequently enough. I know, your work account expires every 45-60 days and you hate it, so you’ve vowed not to change your other passwords once they’re established. This of course means that when your credentials are exposed in a breach of the provider’s system, the bad guys have a valid password for you forever. By changing them on a routine basis, you significantly limit your long-term exposure.
· Using the same passwords on multiple sites. And the number one reason that users’ passwords get compromised is through the use of the same password on multiple sites. It is commonplace for a breach at one web-site to expose thousands or even millions of usernames and passwords. These credentials are bought, sold, traded and stolen around the cyber black market over and over. You better believe that if your credentials are compromised on one system, the bad guys will try to use those same credentials on any number of different systems that you likely have an account with (think: eBay, Amazon, Gmail, Yahoo!, FaceBook, Instagram, Twitter, banking websites, credit card websites, etc.). As I mentioned in the opening section, a compromised key in a neighborhood that shares the same key for every house will compromise every house. While that’s illogical in the physical world, in the digital world that’s what users do all the time. The only way around this is to be diligent in creating separate passwords (and even mixing up the usernames) for every system that you’re attaching to. I know this sounds like a big task, but keep reading as I have some recommendations.
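The bicycle-lock arithmetic and the “Pa55w0rd” problem from the first two items above, worked through as an added Python example (not code from the original post): it applies the 3-of-4 complexity rule, undoes the look-alike substitutions the text mentions before comparing against a word list, and computes how long exhausting a keyspace takes at the article’s 1 million guesses per minute. The COMMON_WORDS set and LEET_MAP are constructed for illustration; a real policy check would load a large breached-password corpus.

```python
import re
import string

# Constructed list of common base words for illustration only; a real
# policy check would load a large breached/common-password corpus.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "summer", "football"}

# Look-alike substitutions of the kind the article mentions ("symb0|5", "l3tt3rs").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "|": "l", "!": "i"})

def meets_three_of_four(pw: str) -> bool:
    """Microsoft-style complexity: at least 3 of lower/upper/digit/special."""
    present = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(present) >= 3

def looks_like_common_word(pw: str) -> bool:
    """Undo look-alike substitutions, also try with appended digits/symbols
    stripped, and compare against the common-word list."""
    lowered = pw.lower()
    candidates = {lowered, re.sub(r"[^a-z]+$", "", lowered)}
    return any(c.translate(LEET_MAP) in COMMON_WORDS for c in candidates)

def exhaustive_search_minutes(alphabet_size: int, length: int,
                              guesses_per_minute: int = 1_000_000) -> float:
    """Minutes to try every combination: the ceiling on a brute-force attack."""
    return alphabet_size ** length / guesses_per_minute

def assess(pw: str) -> dict:
    """Combine the checks: complex-looking is not the same as hard to guess."""
    return {
        "complex_by_3_of_4": meets_three_of_four(pw),
        "guessable": looks_like_common_word(pw),
        "acceptable": meets_three_of_four(pw) and not looks_like_common_word(pw)
                      and len(pw) >= 10,
    }

if __name__ == "__main__":
    for pw in ("Pa55w0rd", "Summer2013!", "Tr4ck-hex!Pine7"):
        print(pw, assess(pw))
    # The article's bicycle locks (3 tumblers vs 4), then realistic password sizes.
    for alphabet, length in ((10, 3), (10, 4), (26, 8), (95, 12)):
        print(f"{alphabet}^{length}: {exhaustive_search_minutes(alphabet, length):,.3f} min")
```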
An Easy Fix
There are two specific actions you can take TODAY that will greatly improve your password sophistication and hopefully ensure that you never become a victim of a cyber intrusion like the recent StubHub breach.
1) Use a Password Manager. There are a bunch of these out there. Some are free, some are paid. There’s a high likelihood you even have one on your smartphone right now! Some of them have some great features for conveniently managing your user credentials. Some favorite features of mine: synchronization between multiple devices (e.g. computer, smartphone, etc.), randomly generating passwords based upon parameters (e.g. minimum 10 characters, must have UPPER, lower, symbol and numbers, etc.), and pasting the password from the Password Manager into the site.
Some things to pay attention to: obviously make sure that the Password Manager is storing the passwords with a robust encryption algorithm (AES-256, Blowfish, etc.).
2) Every site/system gets its own password (managed, of course, by the Password Manager).
3) Enable two-factor authentication. Two-factor authentication entails something you know (user credentials) and something you have (e.g. a smart card, or a PIN that is texted to the number that is associated with your credentials when you registered). A lot of on-line systems are moving to two-factor authentication because it helps protect the end-users from themselves (choosing bad passwords, etc.).
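Items 1 and 2 above, as an added Python example that is not the author’s code or any real password manager’s: a generator that draws from the operating system’s CSPRNG with the parameters the text lists (minimum 10 characters, UPPER, lower, symbol and numbers), and a toy in-memory vault that issues a fresh password per site and flags any password shared between sites. The Vault class is an illustrative assumption; it keeps entries in plain memory, whereas a real manager encrypts the vault at rest as item 1 notes.

```python
import secrets
import string

# Character classes matching the article's generator parameters
# (UPPER, lower, symbol and numbers, minimum 10 characters).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           "!@#$%^&*()-_=+[]{}:;,.?")
MIN_LENGTH = 10

def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG and guarantee one character from every class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(pool) for pool in CLASSES]      # one per class
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)   # mandatory chars get no fixed position
    return "".join(chars)

def has_all_classes(pw: str) -> bool:
    """True when every one of the four classes appears in pw."""
    return all(any(c in pool for c in pw) for pool in CLASSES)

class Vault:
    """Toy in-memory per-site store (an assumption for illustration). A real
    password manager encrypts this data at rest, e.g. with AES-256."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}

    def add_site(self, site: str, length: int = 16) -> str:
        """Item 2 of the article: every site gets its own freshly generated password."""
        if site in self._entries:
            raise KeyError(f"{site} already has a password")
        pw = generate_password(length)
        self._entries[site] = pw
        return pw

    def import_existing(self, site: str, pw: str) -> None:
        """Store a password the user already had, so reuse can be detected."""
        self._entries[site] = pw

    def reused_passwords(self) -> set[str]:
        """Sites whose password is shared with at least one other site."""
        by_pw: dict[str, set[str]] = {}
        for site, pw in self._entries.items():
            by_pw.setdefault(pw, set()).add(site)
        return {s for sites in by_pw.values() if len(sites) > 1 for s in sites}
```

Importing two constructed entries with the same password into a Vault and calling reused_passwords() returns both site names, which is the check item 2 asks the user to perform by hand.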
By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations