The evolution of application fraud


Application attack landscape: latest trends and tools

Cyberattacks have escalated during the coronavirus pandemic as cybercrooks exploit technical and emotional vulnerabilities

The coronavirus pandemic is widely evidenced as an accelerant for digital transformation, remote working, video conferencing and ecommerce. Yet these surging trends are also exploited by nefarious characters aiming to take advantage of cybersecurity vulnerabilities, as new developments have significantly expanded attack surfaces. And, as apparent chaos reigns and emotions run high, the criminals have wasted little time.

In the two weeks to May 12, researchers at Check Point, a global cybersecurity organisation, documented 192,000 coronavirus-related cyberattacks a week, a 30 per cent rise on previous weeks.

There has been a considerable jump in COVID-19-related phishing attacks, with hackers impersonating the World Health Organization, United Nations, Google and Zoom, among others, in malicious communications. Further, some 2,500 new Zoom-related domains were registered between April 21 and May 12, with 14 per cent deemed suspicious.

Seattle-based Mike Klepper, AT&T Cybersecurity’s national practice director for application security, threat and vulnerability management, is unsurprised that cybercriminals have sharpened their tools. “Social engineering campaigns are being used to perform credential harvesting or collect personal data for fraud attempts,” he says.

“Solicited data can be used to open fraudulent accounts, take over existing accounts or force a password reset by answering ‘secret’ questions. These tactics are not new, but the strong emotional response people have to the pandemic is driving the effectiveness of social engineering attempts.”


Personal data: the greatest lure for cybercriminals

Publication, on May 19, of Verizon’s 2020 Data Breach Investigations Report (DBIR), which provides an analysis of more than 157,000 security incidents and over 3,900 confirmed data breaches investigated across 81 countries during the last 12 months, is timely. One of the key takeaways is that personal data is increasingly at risk as the greatest lure for cybercriminals.

Indeed, personal data, such as email addresses, names, phone numbers, physical addresses and other types of information found hiding in an email or stored in a misconfigured database, was involved in 58 per cent of breaches, nearly twice the percentage in Verizon’s 2019 report.

Credential theft, social attacks – phishing and business email compromise, for instance – and errors cause more than two-thirds (67 per cent) of breaches, according to DBIR lead author Philippe Langlois. “These tactics prove effective for attackers, so they return to them time and again,” he says. “One of the things that we’ve seen is just the scalability of these types of attacks.

“As organisations have adopted and moved a lot of their workloads towards web applications, we’ve seen a similar trend with breaches, with over 43 per cent involving a web application, doubling from last year.

“When you look further into the attacks targeting web applications, we find the typical suspects like stolen credentials and phishing. We also find that the third most common action associated is malware based. In these cases, criminals are using compromised web servers to capture data, with the majority of it targeting financial data, such as payment cards.

“Criminals are adapting to our increased use of online ecommerce sites and leveraging that for their benefits. This should be a major focus as the ongoing COVID-19 lockdowns are likely to lead to more activity being conducted online than ever before. Criminals operate based on our deficiencies and how we do business, so as we continue to evolve in our day-to-day operations, so will criminals.”

Choose your weapon: manual or automated?

Certainly, “credential stuffing”, whereby hackers use information leaked from one data breach and attempt to apply it en masse against other websites and take over user accounts, is “a problem that has exploded”. So says Jarrod Overson, director of engineering at Shape Security, which was acquired by F5 for a reported $1 billion in December.

Consider that in 2018 one billion new credentials were spilt, while the record number of attacks Shape has blocked in one day is two billion. Moreover, the most extensive recorded attack campaign against one URL in a week is three billion.

This level of brute-force attack is physically impossible for one person or even an army of humans. Thanks to recent advances in automation, though, engaging a bot militia can make good business sense for hackers. However, for more sophisticated targeted campaigns, a human touch is more rewarding.

“Manual, or low-and-slow attacks, will always be hardest to spot,” says Daniel Cohen, head of anti-fraud products and strategy at RSA Security. “Fraudsters work slowly and deliberately to establish or compromise an identity, which can then be used to apply for a loan, credit card or another instrument.

“Meanwhile, in automated attacks, fraudsters leverage software robots to carry out the fraud for them. If we consider the repetitive nature of these automated attacks, they are typically more easily detected.”

Lowering the barrier of entry for hackers

Verizon’s research into the criminal and underground marketplaces shows 5 per cent of posts offer cyberattack services, “both as a way of teaching people the trade of fraud, and in terms of playing a key role in an attacker’s process, such as hacking, ransomware and denial-of-service attacks”.

Langlois posits: “Through the use of these services, it lowers the barrier for entry into cybercrime and has increased its professionalisation and specialisation.”

Kevin Prone, head of service development at Derby-headquartered cybersecurity firm Nowcomm, agrees. “The dark web means hackers can search how to hack, profile and break down a target, and how to steal credentials,” he says. “If hackers can obtain a password used for something like a Wi-Fi network, chances are it may be used all over a person’s digital footprint.

“Credentials are available for purchase on the dark web in bitcoins where returns can be high. We are seeing an increase in customer details available on hacker forums hosted across the dark web, which even include accounts belonging to financial institutions, banks, and colleges.

“Finally, the availability of public cloud infrastructure has made it even easier for cybercriminals to make money out of fraudulent activities. By using services such as Amazon Web Services or Microsoft Azure, they have access to powerful virtual machines capable of running complex cyberfraud operations.”

Greater threats loom on the horizon. Klepper, of AT&T Cybersecurity, spies two trends that will drive the effectiveness of application fraud. “The first is the ability to perform data mining at scale across large populations of people,” he says. “The second is the ability to create deepfake audio and video content. This capability will significantly complicate efforts to distinguish legitimate users from fraud actors.”

Perhaps it’s time to increase the cybersecurity budget, before it’s too late.

Attacker economics: what makes cyberhackers want to hack?

Hackers rarely stick to the rules, but there is one set of principles they must obey just like everyone else: economics

All businesses are guided by a cost-benefit analysis of their work. It’s the same for money-motivated online fraudsters. To operate profitably, they must devise systems that bring in more money than they spend on attacks.

Two factors influence this calculation: the cost of operations and the changing security landscape.

Costs are falling fast. According to Jarrod Overson, director of engineering at Shape Security, hackers can spend a few hundred dollars to mount attacks with the potential to draw back millions.


“These are the same conversations that all businesses are dealing with. The question is how to adjust cost versus value across all aspects of business,” he says. “The same thing is happening with the attacker ecosystem.”

Credential stuffing is a popular online fraud for this reason. Hackers buy usernames and passwords at ultra-low prices from easy-to-access sources. They then use software to automate the login process across multiple user accounts, hoping that someone’s Facebook password might double as their smartphone account login or even their bank.

The traffic is distributed globally to avoid detection and, with another small investment, hackers can defeat basic automated defences such as captcha codes.
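The two paragraphs above describe the mechanics a defender has to see through: automated logins replayed across many accounts, with the traffic spread over many source addresses so that counting failures per IP no longer works. The following is an added example, not code from the article or from any vendor it quotes; the log format, the sample lines and the thresholds are constructed for illustration. It parses login events, then raises one finding for a single source spraying many accounts and a second, site-wide finding that survives IP rotation because it measures the failure ratio across the whole window rather than per address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format for this example, not any product's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log():
    """Constructed sample log (not real data): a quiet window of normal logins,
    then a burst of 200 attempts against 200 different accounts, most of them
    from distinct source addresses, as proxied traffic would appear."""
    lines = [
        "2020-05-12T10:00:01Z login user=alice src=198.51.100.10 result=OK",
        "2020-05-12T10:00:07Z login user=bob src=198.51.100.11 result=FAIL",
        "2020-05-12T10:00:09Z login user=bob src=198.51.100.11 result=OK",
        "2020-05-12T10:00:15Z login user=carol src=198.51.100.12 result=OK",
    ]
    burst_start = datetime(2020, 5, 12, 10, 6, 0)
    for i in range(200):
        ts = (burst_start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        # The first 15 attempts share one source (crude tooling); the rest each
        # come from a different address, which defeats per-IP counting alone.
        src = "203.0.113.99" if i < 15 else f"192.0.2.{i + 1}"
        result = "OK" if i in (17, 58, 143) else "FAIL"  # the rare reused password
        lines.append(f"{ts} login user=user{i:04d} src={src} result={result}")
    return lines


def parse(lines):
    """Turn raw lines into event dicts; unrelated or malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    return events


def detect(events, window=timedelta(minutes=5), per_src_users=10,
           fail_ratio=0.8, min_attempts=50):
    """Two signals per fixed time window (thresholds are illustrative assumptions):
    1. one source address trying many distinct accounts (single_source_spray);
    2. a high failure ratio across many accounts and sources, which survives
       IP rotation because it is measured site-wide (distributed_stuffing)."""
    findings = []
    if not events:
        return findings
    t0 = min(e["ts"] for e in events)
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ts"] - t0) // window].append(e)
    for idx in sorted(buckets):
        evs = buckets[idx]
        window_start = t0 + idx * window
        users_by_src = defaultdict(set)
        for e in evs:
            users_by_src[e["src"]].add(e["user"])
        for src, users in users_by_src.items():
            if len(users) >= per_src_users:
                findings.append(("single_source_spray", window_start, src, len(users)))
        failures = sum(1 for e in evs if not e["ok"])
        if len(evs) >= min_attempts and failures / len(evs) >= fail_ratio:
            findings.append((
                "distributed_stuffing", window_start,
                len({e["src"] for e in evs}), len({e["user"] for e in evs}),
            ))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(build_sample_log())):
        print(finding)
```

Run against the constructed log, the quiet window produces nothing, while the burst window yields the spray finding for 203.0.113.99 and a distributed finding covering 186 sources and 200 accounts. The site-wide ratio is the signal worth keeping: it does not care which address an attempt came from, which is exactly what residential proxying is meant to hide.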

Overson calculates the cost of 100,000 account takeover attempts at roughly $200, the success rate of which is between 0.2 and 2 per cent. Successful takeovers are sold on an open market for between $2 and $150, equating to a return of between 100 and 150,000 per cent or even more. That adds up to a financial return of between $200 and $300,000-plus.

“You don’t need to be Warren Buffett or an incredibly skilled investor to understand that this is actually a very, very good idea,” says Overson.

So what is the solution? According to Overson, many organisations focus too much on fending off bot attacks, which he describes as a game of whack-a-mole, and not enough on removing the value proposition (in other words, the economics) of attacking your digital properties.

Defence costs

In layperson’s terms, it means businesses should improve their defences to the extent that it is too costly for hackers to beat them. A real-world criminal will always target an open window before they buy expensive tools to pick the lock of a solid door. The rules are the same for virtual properties.

Overson says the best method is to deploy a series of countermeasures that force hackers back to cost-incurring stages of their attacks. If this happens too many times, the cost-benefit analysis swings away from them and expenditure eventually outweighs any potential return.

“You do this until they have spent so much money that the value is just not there. At the start you must invest effort in figuring out how much it actually costs to attack you. If you don’t know how much it costs, you don’t know what kind of friction to put in place,” he says.
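The figures given earlier (100,000 attempts for roughly $200, a 0.2 to 2 per cent success rate, $2 to $150 per account) and the advice just quoted (know what it costs to attack you, then add friction until the value is gone) fit in one small model. What follows is an added example, not a calculation from the article or from Shape Security; the campaign parameters are the article's, and the defence modelling is an assumption about how countermeasures move the attacker's numbers. It reproduces the 100 per cent and roughly 150,000 per cent returns, then derives the break-even cost per attempt, which is the number a defender's friction has to push the attacker past.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Campaign:
    """One credential-stuffing run, in the attacker's own terms."""
    attempts: int
    cost_per_attempt: float  # proxies, CAPTCHA solving, compute, credential lists
    success_rate: float      # fraction of attempts that yield a working account
    resale_price: float      # what each taken-over account sells for

    def cost(self):
        return self.attempts * self.cost_per_attempt

    def revenue(self):
        return self.attempts * self.success_rate * self.resale_price

    def return_pct(self):
        """Profit relative to outlay, in per cent."""
        return (self.revenue() - self.cost()) / self.cost() * 100

    def profitable(self):
        return self.revenue() > self.cost()


# The article's figures: 100,000 attempts for about $200, a 0.2-2% success
# rate and $2-$150 per account. Low and high ends are modelled separately.
LOW_CASE = Campaign(attempts=100_000, cost_per_attempt=200 / 100_000,
                    success_rate=0.002, resale_price=2.0)
HIGH_CASE = Campaign(attempts=100_000, cost_per_attempt=200 / 100_000,
                     success_rate=0.02, resale_price=150.0)


def breakeven_cost_per_attempt(campaign):
    """Revenue per attempt; spending more than this per attempt loses money."""
    return campaign.success_rate * campaign.resale_price


def friction_needed(campaign):
    """Extra cost per attempt a defender must impose before the run stops paying."""
    return max(0.0, breakeven_cost_per_attempt(campaign) - campaign.cost_per_attempt)


def apply_defence(campaign, extra_cost_per_attempt=0.0, success_multiplier=1.0):
    """Assumed model of a countermeasure: it raises the attacker's per-attempt
    cost (e.g. forcing proxy rotation or a solver call) and/or cuts the success
    rate (e.g. MFA on a share of accounts). Returns a new Campaign."""
    return replace(campaign,
                   cost_per_attempt=campaign.cost_per_attempt + extra_cost_per_attempt,
                   success_rate=campaign.success_rate * success_multiplier)


if __name__ == "__main__":
    for name, c in (("low", LOW_CASE), ("high", HIGH_CASE)):
        print(f"{name}: cost ${c.cost():,.0f}, revenue ${c.revenue():,.0f}, "
              f"return {c.return_pct():,.0f}%, "
              f"friction needed ${friction_needed(c):.3f}/attempt")
    hardened = apply_defence(LOW_CASE, extra_cost_per_attempt=0.003)
    print("low case after +$0.003/attempt:",
          "profitable" if hardened.profitable() else "unprofitable")
```

The asymmetry the model makes visible is the point of the article's argument: the low-value campaign turns unprofitable with a fraction of a cent of added cost per attempt, whereas the high-value one tolerates about $3 per attempt, so friction alone is not enough there and the success rate itself has to be cut (for example by step-up authentication on the accounts that are worth the most).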


From here, Overson advises a three-point plan. First you should address obvious weak spots by auditing your network exposure to remove all low-hanging fruit. This creates a low bar which attackers must overcome.

Next, you should hack your own organisation to understand how easy or hard it is to compromise your properties. This process should be guided by evidence and not gut feeling. It will help you build a toolbox of defences that mirror likely attempts to beat security measures.

But the goal posts are always moving; the tools available to criminals improve by the day, so the third step for businesses is to upgrade security to meet the evolving risk landscape. Overson says organisations should never take their eye off the ball.

“This is a dynamic that is constantly pulling away from where we want it to be,” he argues. “You’re not going to be able to invest once and be set. You have to continually go through this process to stay ahead of attackers.”

Credential stuffing is cheap and easy, so it makes strong economic sense for fraudsters who pocket millions every year from the crime. But it is just one technique among many and criminals work daily to devise ever more devious approaches.

By updating security procedures, organisations can hit hackers where it hurts most: in the pocket.

Why passwords persist

Most successful cyberattacks and data breaches are the result of weak and/or reused passwords, but more secure alternatives are now available

Using passwords to access our online lives is a commonplace experience, along with the attendant frustrations. Cybersecurity demands ever more complicated credentials: the username-password combinations we use every day.

The state of password play

Passwords must typically meet a minimum length and include a capital letter, number or special character. There is the regular insistence that a password be updated, and not just to something slightly different or back to one you’ve used before.

“The good thing about passwords is they’re easy to use and, if compromised, easy to replace,” says Mariam Nouh, researcher in cybersecurity at the University of Oxford. “There are no compatibility issues. You don’t need extra hardware. And businesses like them because their use can be implemented cost effectively. The problem though is they can be compromised in so many ways.”

Incidents of passwords being compromised are increasing, with credential stuffing on the rise. Cybercriminals can now harvest credentials from data breaches and then test them on a multitude of websites and apps. 

The human factor

Certainly, while attempts at cybersecurity breaches may be ever more sophisticated, the fact is passwords butt up against human psychology or, more specifically, memory. There are only so many discrete passwords an individual can retain without the security no-no of writing them down, which is one reason for the rise of password vault software.

The result is, when possible, the use of familiar, emotionally significant phrases, which is to say utilising the same mechanisms behind how humans remember a lot of things. But the familiar makes it easier for hackers to crack the password.

According to a 2018 survey by password management company LastPass and Lab42, 59 per cent of respondents use the same password across multiple accounts. A majority of people would only go through the bother of updating their passwords if they were hacked; after all, they seem secure until that point. But then, according to a 2019 study by Verizon, 80 per cent of hacking-related security breaches are a result of weak or compromised credentials.

When LinkedIn suffered a data breach in 2012 and some 117 million passwords were compromised, many were revealed to be rather obvious. Among those used hundreds of thousands of times were “123456”, “linkedin” and “password”.

Laziness vs design flaw

“There’s a lot of dissonance between how we know we should use passwords and how we actually do,” says Rachael Stockton, senior director of product at LogMeIn, makers of LastPass. And it’s not just a matter of memory. “A lot of our customers are just after simplicity, less time-wasting and more productivity. And we’re going to need more simplicity [in our password management] because the number of accounts we each use on the internet is only going to increase,” she says.

That most of us don’t make much effort with passwords isn’t just our fault. Arguably, security software design has failed to take human psychology into consideration.


“The industry has not done well in educating consumers how to use passwords,” concedes Rolf Lindermann, vice president of product at Nok Nok Labs, an authentication software vendor. “The result is this trade-off between security and convenience. That’s the dilemma.”

The dilemma is all the sharper given that the vast majority of websites still use passwords. It’s estimated there are now some 300 billion active passwords. Even Fernando Corbato, who pioneered the use of the password online, has described the situation as a “kind of nightmare”.

Redesigning passwords

There have been new kinds of passwords proposed. Because people recognise pictures better than they remember words, so-called graphical passwords request users to click certain points on an image in a certain order. The number of possible points essentially makes each user’s sequence unguessable. The efficacy of this approach is still being worked out.


But the likes of George Waller, co-founder of StrikeForce Technologies, a US startup with a number of patented cybersecurity inventions under its belt, argues the problem isn’t with passwords per se. He points out that most online businesses typically want to offer consumers the path of least resistance to gain access to their sites. The problem is with passwords’ delivery to servers down the line.

“Ultimately, it’s not really a matter of whether we use passwords or not, or whether or not you enforce stricter policies on their use. It doesn’t matter so much what you type in because there typically isn’t encryption at the key-stroke level and data is in transit [and so vulnerable] from the time you start typing your password,” he says. “We’re going to use passwords for quite some time because, from a security point of view, the whole system out there is just so complex.”

A passwordless future?

So does the password have any future, especially given the advent of the internet of things, which only looks like making cybersecurity breaches more widespread? “Passwords won’t go away completely, but I think we have to expect more multi-factor authentication, though that still needs to be convenient to use, while offering a sensible level of security to carry the public with it,” says Oxford University’s Nouh.

This layered security approach is unlikely to come in the form of biometrics, which are themselves not completely secure and, when stolen, irreplaceable, unlike a password. Or at least not just biometrics.

Lindermann at Nok Nok Labs says that however secure sites are accessed, we’re tied to a device that can be used to identify us. And this is something most of us already carry and use to access the internet: a smartphone.

We’re increasingly used to receiving confirmation text messages when working through security. But now such devices also operate their own fingerprint or facial recognition systems. Features limited to high-end, expensive phones just five years ago are more and more commonplace and accessibly priced.

Password-free authentication

Since Microsoft launched its Windows 10 operating system last year, such password-free authentication is starting to come to desktops too. Device geolocation, if users are willing to share such information, is potentially another added layer of security.

Indeed, in a sense this more efficient device-led proposal is akin to the way in which a cashpoint machine requires both a PIN and the physical bank card. Or the way in which Estonia, for example, has developed its e-identity system, which provides all citizens with a chip-and-pin e-card designed to authenticate an individual’s digital identity.

Lindermann says: “It’s a matter of leveraging these devices in the right way and in a consistent way, one that allows users to choose the modality. They can still use a PIN if they’re not comfortable with trusting their biometrics [to a third party], but which ties their identity to the specific device, a capability that can be off-loaded to devices we don’t own on the rare occasions that’s needed. It works because people want a much easier engagement with businesses that have secured sites and the ease of use is better for business too.”

Andrew Shikiar agrees. He’s executive director of the FIDO Alliance, a consortium of technology security companies pushing for creation of an industry standard to address security interoperability between devices and so far supported by big guns including American Express, Amazon and Google.


“Passwords are the tip of the spear of the data-breach problem,” says Shikiar. “But the fundamental problem is the [online security] architecture itself. Using devices would not only give a better user experience – people are already used to unlocking their phones using biometrics – but it would get rid of scalable cyberattacks. It would necessitate a behavioural change, but we have to break our dependence on passwords.”

He’s betting on this happening soon and reckons the majority of mainstream online consumer services will have a password-free means of accessing them within five years.

Credential stuffing

The replay of breached username-password pairs across sites to find accounts where passwords have been reused.

Commercial feature

Removing friction from authentication

Organisations have sought to ramp up their authentication measures to combat more sophisticated threats, but adding friction causes unnecessary damage to user experience

Credential stuffing, whereby automated systems are used to access user accounts with stolen usernames and passwords, has exploded in recent years as cybercriminals have adopted increasingly intelligent and sophisticated methods to circumvent the traditional countermeasures deployed by organisations.

In particular, hackers are deepening their capabilities around imitating legitimate users. They use the same tools that users do, automating production browsers like Chrome, Firefox and Safari, and proxying through residential IP addresses. By emulating human traffic and behaviour, they can bypass lower-friction defences, MFA gates and rate limits to take over accounts, crack cards or steal data. Malware sits resident on victims’ computers, scraping their credentials and delivering them back to fraud marketplaces.

Intelligent phishing proxies, which seamlessly skin over a legitimate website and then intercept the traffic that goes through, are also on the rise. Users are fooled into thinking they are logging into their email account or online banking, as the web page looks the same, but meanwhile their credentials are being stolen by a cybercriminal. In response, organisations have been drastically stepping up their authentication layers.

“Five years ago, it was not uncommon to find that the only way an organisation was authenticating users was through a single login form on a webpage. Fraudsters had free rein past that point,” says Jarrod Overson, Director of Engineering at Shape Security. “Now, multi-factor authentication is commonplace, we’re seeing more magic links and then even past the first login gate companies are increasingly risk scoring each user’s behaviour to assess whether they need to be authenticated further.”

Security ≠ Friction

While organisations have undoubtedly added more security to their authentication, they’ve also added more friction to the user experience. CAPTCHA tests are frequently derided on social media networks as a painful process for proving human identity, while even multi-factor authentication causes a significant level of disruption to a customer journey, even more so if the user doesn’t have their smartphone to hand. 

This additional friction comes at a time when IT, marketing and sales departments are already eroding the seamlessness of their digital channels, whether it be through pop-ups urging people to accept privacy policies, user session tracking or customer journey mapping. When companies then start to apply security onto those applications, it can easily feel like they are imposing a dramatic amount more friction than is necessary.

Organisations that add a lot of friction to mitigate fraud may often think they’re doing a good job when their threat level decreases. Meanwhile, however, they are likely overlooking the downstream damage they’re causing to their customer experience. Too much friction can negatively impact account creation, logins and conversion rates. More worryingly, they’ll soon find their social media pages are being blighted by poor reviews that damage their brand and reputation, and ultimately their sales will be affected.


“Companies need to architect a better balance between security and user experience,” says Mr Overson. “Attackers have started with basic tools that did a simple job and have evolved over the last five years to more convincingly look generically human. Now they are moving towards more aggressively looking specifically human. As defences improved to block questionable behaviour, attackers responded by creating tools to exploit and imitate individual users with all their nuances.”

Shape Security, which protects over 4 billion transactions per week from imitation attacks, leverages artificial intelligence and machine learning to build authentication solutions that are completely configurable to the customer application and attacker. This allows companies to reduce friction for their legitimate users while dynamically ramping it up for potentially bad traffic and even more aggressively for actual attackers.
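Overson's remark earlier about risk scoring each user's behaviour past the first login gate, and the paragraph above about keeping friction low for legitimate users while ramping it up for suspicious traffic, both describe a step-up authentication policy. The following is an added example of such a policy and is not Shape Security's product logic or any code from the feature; the signals, weights and thresholds are assumptions chosen to illustrate the shape of the decision, and the profiles and login contexts are constructed. A returning user on a known device sees no friction at all, a new device earns a second factor, and a login that looks like the output of a stuffing tool is stopped outright.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserProfile:
    """What the site already knows about a legitimate account (assumed fields)."""
    known_devices: frozenset
    usual_countries: frozenset


@dataclass(frozen=True)
class LoginContext:
    """Observations about one login attempt (assumed signals)."""
    device_id: str
    country: str
    failures_last_hour: int          # failed attempts against this account recently
    password_in_breach_corpus: bool  # credential matched a known-breach list
    automation_markers: int          # e.g. headless-browser traits seen, 0..n


# Illustrative weights; a real deployment tunes these from measured fraud rates.
WEIGHTS = {
    "new_device": 30,
    "new_country": 25,
    "recent_failures": 20,
    "breached_password": 25,
    "automation": 20,  # per marker, capped at three markers below
}


def risk_score(ctx, profile):
    """Return (score 0-100, reasons) for one login attempt."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if ctx.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    if ctx.failures_last_hour >= 3:
        score += WEIGHTS["recent_failures"]
        reasons.append("recent_failures")
    if ctx.password_in_breach_corpus:
        score += WEIGHTS["breached_password"]
        reasons.append("breached_password")
    if ctx.automation_markers > 0:
        score += WEIGHTS["automation"] * min(ctx.automation_markers, 3)
        reasons.append("automation")
    return min(score, 100), reasons


def decide(score, allow_below=30, block_from=70):
    """Map a score to friction: nothing, a step-up factor, or a hard stop."""
    if score < allow_below:
        return "allow"
    if score < block_from:
        return "step_up_mfa"
    return "block"


def evaluate(ctx, profile):
    """Convenience wrapper returning (decision, score, reasons)."""
    score, reasons = risk_score(ctx, profile)
    return decide(score), score, reasons


# Constructed scenarios (not real accounts or traffic).
PROFILE = UserProfile(known_devices=frozenset({"dev-a1"}),
                      usual_countries=frozenset({"GB"}))
RETURNING_USER = LoginContext("dev-a1", "GB", 0, False, 0)
NEW_PHONE = LoginContext("dev-b2", "GB", 0, False, 0)
STUFFING_HIT = LoginContext("dev-zz", "XX", 5, True, 2)


if __name__ == "__main__":
    for name, ctx in (("returning", RETURNING_USER), ("new phone", NEW_PHONE),
                      ("stuffing hit", STUFFING_HIT)):
        print(name, evaluate(ctx, PROFILE))
```

The reasons list matters as much as the decision: it is what lets a security team explain why a customer was challenged, tune a weight that is firing too often, and see which signal a new attacker tool has learned to suppress.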

“We’re showing through our solutions that authentication need not come at the expense of customer experience,” Mr Overson adds. “A combination of layered defences against attackers alongside positive rewards for legitimate users makes it easier to see how additional security can actually improve the overall experience.”

For more information, visit shapesecurity.com