According to the World Economic Forum, cyber-attacks and data fraud are perceived, in North America at least, to be two of the three biggest risks for 2016. In Europe, ongoing migration, economic and employment crises mean that cybercrime is a lesser concern but no less of a danger. In fact, cybercrime has become so commonplace that it takes a big name breach to make people sit up and take notice.
Hacked accounts at a major retailer or an online marketplace still make the headlines, particularly if many people are affected. When it occurs, most readers assume that the company has suffered a data breach of some kind. In fact, it’s far more likely to be a problem of the customers’ own making: re-used passwords subverting the company’s security measures.
The enormous growth in online services and commerce over the last decade has led to a proliferation of personal accounts – for social media, shopping, news, entertainment, and much else – as providers try to lock in loyalty. The average UK consumer now has 118 online accounts, a number predicted to grow to 207 by the end of the decade. Each time we sign up, we’re required to create a username and a password that is unique, memorable, yet hard-to-guess. Of course, this quickly becomes difficult and time-consuming, and gets in the way of accessing the information we need, so most people fall back on using the same easy-to-remember details. Some 60% of people admit to regularly re-using passwords; and it’s likely many of the virtuous 40% also do so, but don’t want to admit it.
The drive to force people to use stronger passwords has probably exacerbated the problem. Passwords have become more difficult for us to remember – leading to greater use of the same combinations – but no harder for a computer to crack. Using a relatively obscure word, including a few simple number-letter substitutions, gives people the false sense that their password is unguessable and therefore good to use everywhere. In reality, if hackers can find a few personal details, often easily gleaned from social media or other sites, they already have the seeds of many passwords. Readily available tools allow them to test thousands of possible permutations, effortlessly, on hundreds of commercial sites. Password re-use means that one correct ‘guess’ gives access to multiple sites.
More importantly, it doesn’t matter how cryptic your ‘go-to’ password is if it is stolen in a data breach. Re-using passwords reduces your security to that of the least secure system you use them with. That won’t be a major commercial site, but something smaller, which doesn’t pay too much attention to security because it doesn’t store any sensitive personal information – except, of course, for those all-purpose usernames and passwords.
This is a huge danger for business. Password re-use means that any breach at another company, any malware infection on a computer belonging to an employee or customer, or any successful phishing attack could directly affect your business. In particular, if hackers obtain a password belonging to a member of staff, and establish that the owner has used it elsewhere, a relatively small amount of digging can reveal who they work for, the format for network IDs, and so on. If the password gives access to the company network, then attackers are in a position to cause chaos or to steal sensitive data and intellectual property. Internal access can also be a launchpad for social engineering attacks, particularly if the employee is senior in the organisation.
As IT security has improved, fraudsters have identified people as the organisation’s weak point, and social attacks have become increasingly subtle and sophisticated. They can be targeted at specific individuals and times, like busy periods when people are distracted and checks are less likely. They can also be highly convincing: many companies have lost millions of pounds thanks to fake emails from the CEO, or mocked up demands from regular suppliers with subtly different bank details.
In summary, password re-use renders the most comprehensive security measures ineffective. The industrialisation of the cyber threat means that there’s no hiding place; companies of all sizes are equally vulnerable to opportunistic thieves. Furthermore, the risks are so evident that insurers will surely need to look more closely at password policies for both employees and customers, as part of their rating process. Businesses need to protect themselves, and their users, by adopting these measures:
– Embargo the use of work passwords for personal accounts. Staff must be educated on this, given the reasons, and shown the likely outcome of ignoring the policy.
– Introduce ‘two-factor authentication’, such as a telephone call or shared secret word for any major financial process. Email authentication is insufficient.
– Employ considered password expiry and re-use protocols. This doesn’t just mean making the users change their passwords every month – many will re-use the old one, or cycle through a series until they’re able to start again. These precautions often cause users aggravation, so recognise that education is important here.
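As an added illustration of the third measure (not code from the original article or from CSID), the following password-history check rejects a new password that matches any of the last few the user chose, and also rejects the ‘cycling’ the article describes, where only a trailing year or symbol changes. Only slow salted hashes are kept, never the old passwords; the history depth and iteration count are assumed policy values.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

HISTORY_DEPTH = 5          # previous passwords remembered (assumed policy value)
PBKDF2_ITERATIONS = 100_000  # assumed policy value

def _hash(secret: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked history table is not a cheap cracking target.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def _stem(password: str) -> str:
    # Strip trailing digits/symbols and lower-case, so "Summer2016!" and
    # "summer2017#" share the stem "summer". All-digit passwords keep themselves.
    stem = re.sub(r"[\d\W_]+$", "", password).lower()
    return stem or password

class PasswordHistory:
    def __init__(self) -> None:
        # Each entry: (salt, hash of full password, hash of its stem).
        self.entries: List[Tuple[bytes, bytes, bytes]] = []

    def check(self, candidate: str) -> Tuple[bool, str]:
        """Return (accepted, reason) for a proposed new password."""
        cand_stem = _stem(candidate)
        for salt, full_h, stem_h in self.entries:
            if hmac.compare_digest(_hash(candidate, salt), full_h):
                return False, "password was used previously"
            if hmac.compare_digest(_hash(cand_stem, salt), stem_h):
                return False, "password is a trivial variant of a previous one"
        return True, "ok"

    def commit(self, password: str) -> None:
        """Record an accepted password and forget anything older than the depth."""
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt), _hash(_stem(password), salt)))
        del self.entries[:-HISTORY_DEPTH]

if __name__ == "__main__":
    history = PasswordHistory()
    history.commit("Summer2016!")                 # constructed sample password
    for attempt in ("Summer2016!", "summer2017#", "correct-horse-battery"):
        print(attempt, "->", history.check(attempt))
```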
By CSID, provider of global identity protection and fraud detection technologies.