Let’s look at a few scenarios that criminals use to steal passwords:
1. Spear phishing
A targeted attack designed to steal login credentials from a specific, researched victim. It typically arrives as a highly personalised email that references the target's role, colleagues or tools so that it looks legitimate.
For example, the criminal may have figured out that a particular sales team at the target company uses Salesforce, and sends an email 'from Salesforce' asking each member of the team to log in. The user clicks the link and is redirected to a spoof login page that collects usernames and passwords. Once the attackers have these, they will often try the same credentials against the corporate VPN, webmail and other access points, because people reuse passwords. Two for the price of one.
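One check a mail gateway or user-reporting tool can run on a message like the one described above, as an added example that is not code from the original article or from Certivox: it parses the anchors out of an HTML email and flags any link whose visible text names a host the href does not go to, whose host name-drops a brand without sitting under that brand's real domain, or which sends the user to a login page over plain http. The brand table (LEGIT_DOMAINS) and the sample message are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the brands the team logs into and the
# domains those brands really use. A phishing kit will name-drop the
# brand ("salesforce-secure.com") but cannot sit under the real domain.
LEGIT_DOMAINS = {"salesforce": ("salesforce.com", "force.com")}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL or bare domain ("" if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html):
    """Return [(href, [reasons])] for links that look like credential phishing."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        # 1. The visible text looks like a domain but the link goes elsewhere.
        label = text.strip(".,;:!)")
        claimed = host_of(label) if "." in label and " " not in label else ""
        if claimed and not (is_under(host, claimed) or is_under(claimed, host)):
            reasons.append(f"text shows {claimed} but link goes to {host}")
        # 2. The host name-drops a brand without being under its real domain.
        for brand, domains in LEGIT_DOMAINS.items():
            if brand in host and not any(is_under(host, d) for d in domains):
                reasons.append(f"look-alike of {brand}: {host}")
        # 3. A login link that is not even HTTPS.
        if urlparse(href).scheme == "http":
            reasons.append("login link is plain http")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message in the style of the scenario above.
SAMPLE_EMAIL = """
<p>Your Salesforce session has expired. Please
<a href="https://login.salesforce-secure.com/reauth">login.salesforce.com</a>
to continue.</p>
<p>Questions? Visit <a href="https://help.salesforce.com/">help.salesforce.com</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the first link is flagged twice (the displayed text claims login.salesforce.com while the href goes to a look-alike domain) and the genuine help.salesforce.com link passes. Matching on a brand substring is deliberately crude; a production filter would also catch homoglyphs and punycode hosts.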
2. Malware
Company laptops and networks are not as secure as many administrators like to think, and are vulnerable to the installation of information-stealing software even when anti-virus software is kept up to date.
Malware has many routes onto corporate devices, and once present it is an easy task to log users' keystrokes, steal their passwords and use them to log in remotely to a variety of supposedly restricted services.
3. Brute forcing
If any corporate service exposes a login prompt to the internet, it is a potential target for a 'brute force' attack: automated tools work through password lists, or every combination of characters, until they effectively 'guess' the password. Rate limiting, account lockout and alerting on repeated failures blunt this, which is why attackers also spread a few guesses across many accounts ('password spraying') to stay under lockout thresholds. Once a username and password are compromised, they are often tried across a variety of associated accounts.
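Detecting brute-force guessing and password spraying in authentication logs, as an added example that is not code from the original article: it parses sshd-style log lines and raises an alert when one source accumulates five failures against one account within a minute, when one source fails against three distinct accounts within a minute, or when a login from that source succeeds after a run of failures (the credential-reuse case the paragraph ends on). The thresholds, the log lines and the RFC 5737 test addresses are constructed assumptions, not real data.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd-style auth lines ("Failed password for ..." / "Accepted password for ...").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(lines, year=2024):
    """Parse log lines into (timestamp, success, user, source_ip) tuples.

    Syslog timestamps carry no year, so one is supplied (an assumption).
    Lines that are not password-auth results are ignored.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def detect(events, window_s=60, per_user_threshold=5, spray_users=3,
           min_failures_before_success=3):
    """Sliding-window detection per source IP.

    brute_force:            >= per_user_threshold failures on one account
    password_spray:         failures on >= spray_users distinct accounts
    success_after_failures: a login succeeds after a run of failures
    Thresholds are example values, not tuned for any real environment.
    """
    alerts = []
    alerted = set()
    recent = defaultdict(list)  # ip -> [(ts, user)] failures inside the window
    for ts, ok, user, ip in sorted(events):
        fails = [(t, u) for t, u in recent[ip]
                 if (ts - t).total_seconds() <= window_s]
        if ok:
            if len(fails) >= min_failures_before_success:
                alerts.append(("success_after_failures", ip, user, ts))
            recent[ip] = fails
            continue
        fails.append((ts, user))
        recent[ip] = fails
        per_user = sum(1 for _, u in fails if u == user)
        if per_user >= per_user_threshold and ("bf", ip, user) not in alerted:
            alerted.add(("bf", ip, user))
            alerts.append(("brute_force", ip, user, ts))
        users = {u for _, u in fails}
        if len(users) >= spray_users and ("spray", ip) not in alerted:
            alerted.add(("spray", ip))
            alerts.append(("password_spray", ip, None, ts))
    return alerts


# Constructed log: one attacker (203.0.113.5) hammers "admin", then tries two
# more accounts and gets in as "bob"; one user (198.51.100.7) just mistypes once.
SAMPLE_LOG = """
Jan 12 10:00:01 gw sshd[2101]: Failed password for admin from 203.0.113.5 port 50001 ssh2
Jan 12 10:00:03 gw sshd[2102]: Failed password for admin from 203.0.113.5 port 50002 ssh2
Jan 12 10:00:05 gw sshd[2103]: Failed password for admin from 203.0.113.5 port 50003 ssh2
Jan 12 10:00:07 gw sshd[2104]: Failed password for admin from 203.0.113.5 port 50004 ssh2
Jan 12 10:00:09 gw sshd[2105]: Failed password for admin from 203.0.113.5 port 50005 ssh2
Jan 12 10:00:12 gw sshd[2106]: Failed password for invalid user alice from 203.0.113.5 port 50006 ssh2
Jan 12 10:00:14 gw sshd[2107]: Failed password for bob from 203.0.113.5 port 50007 ssh2
Jan 12 10:00:20 gw sshd[2108]: Accepted password for bob from 203.0.113.5 port 50008 ssh2
Jan 12 10:05:00 gw sshd[2200]: Failed password for carol from 198.51.100.7 port 41000 ssh2
Jan 12 10:05:06 gw sshd[2201]: Accepted password for carol from 198.51.100.7 port 41001 ssh2
Jan 12 10:06:00 gw sshd[2202]: pam_unix(sshd:session): session opened for user carol
"""

if __name__ == "__main__":
    for kind, ip, user, ts in detect(parse(SAMPLE_LOG.strip().splitlines())):
        print(f"{ts:%H:%M:%S} {kind:<24} {ip} {user or '-'}")
```

The sample produces three alerts, all for 203.0.113.5, and nothing for carol's single typo. The "success after failures" rule is the one worth paging on: it is the moment a guessed or reused credential actually worked, whereas the first two only say someone is trying.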
4. Social engineering
The least technically advanced, but often the most effective, form of password theft. It requires no technical knowledge: the attacker uses old-fashioned cunning and guile to talk someone out of their password. Sometimes it's as easy as phoning the person, pretending to be from IT, and asking for the password directly!
These are just some of the ways in which passwords can be stolen, underlining how outmoded the password is as a user authentication technique. On top of this is the significant risk created merely by maintaining a database of usernames and passwords.
Any company that stores such a database, in any format, presents a ripe target for hackers, which is another reason why passwords should be banished from companies both large and small. Even a database that holds only salted, slowly hashed passwords is exposed to offline guessing once it is stolen. The recent string of high-profile mass password leaks and dumps from well-used web services is testament to this.
For this reason, organisations should look to ban the use of passwords and build more advanced methods of authenticating users into everyday practice.
Two-factor authentication built on cryptography rather than on a shared password significantly reduces exposure: there is no reusable password to phish, guess or leak from a server-side database. In an age where every business is open to attack from continually advancing cybercrime techniques, surely it's time your countermeasures were at least dragged into this century?
Brian Spector is the CEO of security services provider Certivox.