A single stolen password can give a thief access to many accounts and provide numerous opportunities for fraud. For example, cyber attackers attacked the payroll provider for a healthcare vendor, then used the data they collected from employee W-2s to submit fraudulent requests for tax refunds. Once a criminal successfully steals a person’s credentials, the attacker can use them to breach the user’s account and gain access to your enterprise network.
With more than 13 million consumers falling victim to identity theft in 2014, the question remains—how are attackers stealing passwords so easily?
Cyber attackers have many tools to help them out when they want to steal passwords. Launching a dictionary attack inputs every word in a dictionary to a login program, hoping that it will hit upon the correct password.
Keystroke sniffers can record everything typed into a machine, including passwords. Phishing e-mails, malware installed on cell phones and malicious android apps can all be used to steal passwords.
Attackers can infiltrate individual devices and upload key-logger Trojan viruses or other credential-stealing malware. The malware intercepts IDs and passwords when a user logs in, then records the data and sends it back to the attackers, who can log in to the victim’s account and launch a data breach.
Back in 2012, a phishing email was used to compromise multiple employees at the South Carolina Department of Revenue. One of the recipients clicked on an embedded link, unknowingly executing a malware program that stole the person’s username and password.
A large part of the blame for password theft falls on users themselves. Willingly sharing passwords, writing them down where they can be discovered, or choosing ones that are easy to guess makes it easier for a criminal to steal them.
Cyber attackers are well-versed in compromising credentials—especially given the right tools. What users think are strong passwords can be cracked with ease.
Safeguarding Your Secrets
Two-factor authentication solutions are growing in popularity to thwart criminal access to passwords. Two different channels of authentication provide a second layer of security, requiring additional information or a second physical device, in addition to a password.
If your employees need to access the network remotely, there must be remote access clearance procedures and security training. Policies should be designed to establish session time-outs for employee devices, so that unattended laptops or PCs will not be vulnerable to unauthorized access.
Redefining Password Protection
No matter how hard you try, cyber attackers will find ways to crack the passwords of unsuspecting employees. You can slow them down, but having a strong security system in place is essential for protecting sensitive data if attackers get by that first line of defense.
Deceptions Everywhere® technology redefines the rules of the password game—even if attackers get in, they’ll have a harder time accessing your data. Don’t leave the protection of your network up to user-defined passwords.
Has your company been affected by password and credential theft? Leave a comment below and tell us how you’re recovering from enterprise identity theft.
Recommended reading for you: