Poor passwords become everyone’s problem
By Dzof Azmi October 8, 2019
- Professional criminals increasingly turning to credential stuffing to take advantage
- Over 3.5 billion malicious login attempts by automated bots against financial servers
"I think passwords are (a) nice but slightly dated idea," said Jason Hatch, Akamai Senior Director Product Management, Security and Performance, Asia Pacific & Japan.
He was referring to the weaknesses in how users generate passwords, which in turn have resulted in an increase in credential stuffing attacks against financial services on the Internet, as highlighted in Akamai's recent 2019 Security Financial Services Attack Economy Report.
(“Credential stuffing” is when an attacker attempts to log into a server using a list of stolen usernames and passwords. It is especially effective against users who reuse passwords on multiple accounts, and don’t change them regularly.)
"Whereas before you needed a certain amount of sophistication and time and interest to make one of these attacks, these days the tools - and organizations which will customize those tools - are relatively easily available."
He was referring to the report, which highlighted that a list of 50,000 emails and passwords costs about US$5.50 (RM23) to obtain, and that online bots to automate credential stuffing are available for about US$20 (RM84).
"What started off as hobbyist attackers are turning into more professional criminals," continued Hatch. In the 18-month period between November 2017 and April 2019, there were over 3.5 billion malicious login attempts by automated bots against financial servers.
Why the sudden uptick? "Basically, because they work."
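As an added illustration (not part of the article, and not Akamai's tooling), the following Python separates the credential stuffing pattern described above from single-account password guessing in a constructed authentication log: a stolen list is tried once per username and password pair, so a bot source shows a high share of distinct usernames per time window. The window, thresholds, IP addresses and usernames are assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): "timestamp source_ip username result"
SAMPLE_LOG = """\
2019-10-08T09:00:00 198.51.100.7 carol FAIL
2019-10-08T09:00:09 198.51.100.7 carol OK
2019-10-08T09:00:01 203.0.113.10 alice FAIL
2019-10-08T09:00:02 203.0.113.10 bob FAIL
2019-10-08T09:00:02 203.0.113.10 dave FAIL
2019-10-08T09:00:03 203.0.113.10 frank OK
2019-10-08T09:00:04 203.0.113.10 grace FAIL
2019-10-08T09:00:05 192.0.2.44 admin FAIL
2019-10-08T09:00:06 192.0.2.44 admin FAIL
2019-10-08T09:00:07 192.0.2.44 admin FAIL
2019-10-08T09:00:08 192.0.2.44 admin FAIL
2019-10-08T09:00:10 192.0.2.44 admin FAIL
"""
WINDOW = timedelta(seconds=60)  # look-back window per source IP (assumed tuning value)
MIN_ATTEMPTS = 5                # attempts in the window before a source is judged
STUFFING_RATIO = 0.8            # share of attempts that target a not-yet-seen username


def parse(log_text):
    """Return (timestamp, ip, user, result) tuples, oldest first."""
    return sorted((datetime.fromisoformat(ts), ip, user, result)
                  for ts, ip, user, result in (l.split() for l in log_text.splitlines()))


def classify_sources(log_text):
    """Map each source IP to 'credential_stuffing', 'brute_force' or 'normal'."""
    attempts = defaultdict(list)
    for ts, ip, user, _ in parse(log_text):
        attempts[ip].append((ts, user))  # successes count too: a hit is the attack's goal
    labels = {}
    for ip, items in attempts.items():
        latest = items[-1][0]
        recent = [user for ts, user in items if latest - ts <= WINDOW]
        if len(recent) < MIN_ATTEMPTS:
            labels[ip] = "normal"         # a human mistyping a password a few times
            continue
        # a stolen list is walked once per pair, so nearly every attempt is a new username;
        # guessing passwords against one account shows the opposite shape
        ratio = len(set(recent)) / len(recent)
        labels[ip] = "credential_stuffing" if ratio >= STUFFING_RATIO else "brute_force"
    return labels


def likely_hits(log_text):
    """Accounts that logged in OK from a stuffing source: candidates for a forced reset."""
    labels = classify_sources(log_text)
    return sorted({user for _, ip, user, result in parse(log_text)
                   if result == "OK" and labels.get(ip) == "credential_stuffing"})
```

Accounts returned by `likely_hits` are the ones whose reused password was in the attacker's list, which is where a password reset and a check for unusual activity should start.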
Southeast Asia as a launchpad
One statistic that stood out is that Southeast Asia seems to be a launchpad for attacks, with Thailand, Indonesia, Vietnam, Malaysia and Singapore all featuring in the top 20 source countries from which malicious logins originate.
Perhaps it is the environment that is conducive. As connectivity improves and internet penetration increases, more and more people are finding innovative ways of connecting to the net. "IOT devices can be a source of attacks. They're often vulnerable, (and) they are often unpatched," observed Hatch, “(And a) high number of IOT devices look very attractive to harness for botnets."
Ultimately, Hatch believes that in the short-term, cybersecurity will be harder rather than easier to solve. "I think it's really hard especially in Southeast Asia because we've seen an extremely fast growth in GDP, in organizations and the government, and the regulations are playing catch-up,” he admitted. “This growth brings a lot of complexity."
So what kind of security is possible? “A lot of governments in Southeast Asia are doing all the right things,” he said, referring to policies being put in place, such as the Monetary Authority of Singapore’s (MAS) guidelines on how to use the cloud, while more generally, ASEAN has a Cybersecurity Cooperation Strategy. “(They are) putting the policies in place - but this takes time.”
Efforts by the private sector
Credential stuffing is just one facet of the larger problem of cybersecurity. Hatch suggested that organizations working in the same sector should share information where possible on attacks and vulnerabilities discovered in their system. “Rather than seeing the other organizations as competition, from a security point of view you are on the same side,” he said. “It's the organizations versus the criminals."
Another problem for the industry (and not just in the region) is the global shortage of experienced cybersecurity professionals, which still needs to be met. “It isn't something that can happen overnight.”
Meanwhile, the security experts at Akamai are exploring how to make systems less reliant on passwords to authenticate users – or at least able to spot the difference between automated bots and humans.
"I have a typing pattern that's pretty unique to me, I have times of the day when I work that are unique to me, and the way I hold my phone that is unique to me," said Hatch. "You have enough of these indicators you could have a fairly good idea who a person is or at least who a person is not."