Identity theft: mitigating risk for the enterprise
Today’s CIOs and CISOs have a problem. On the one hand they’re under increasing pressure to support digital transformation efforts designed to drive business growth and agility. But in moving to new technology platforms they inevitably also expose the organization to increased cyber risk. One of the most damaging repercussions of serious security breaches is identity theft.
The good news is that there are things that IT leaders can do to mitigate these risks. By focusing on compromised enterprise credentials as the primary source of attacks they can get to the heart of the problem and stem the tide of damaging Identity Theft.
What’s going on?
One of the primary reasons cyber-criminals attack organisations is to arm themselves with the kind of lucrative customer and corporate credentials that can be used to commit identity theft. In the UK this year identity fraud hit an all-time high last year and the pattern is being repeated across many parts of Europe. The world of cybercrime is fuelled by an insatiable profit motive. Credentials are either used directly by those who obtained them to make money or sold on underground forums.
Prices vary according to ever-changing supply and demand. A username and password combination for a porn site costs around $5, while prices for services like Netflix and Spotify go up to around $9, as do Facebook credentials and access to e-commerce sites like Amazon. Bank account log-ins if the account has over $10,000 in it could reach over $300 per credential.
Identity theft can take many forms, but fundamentally it involves fraudulently impersonating another individual using stolen information. With those all-important credentials a bad actor could log-in to customer or corporate users’ accounts and change the password, locking them out and taking the account over. Here are a few scenarios:
Social media: Hijacking personal social networking accounts could give an attacker some useful information to blackmail an individual, or post defamatory content. Even Mark Zuckerberg has found his account taken over in the past.
Retail: Compromised customer accounts could be monetized by using account balances and/or saved card details to make fraudulent purchases, or by cashing out gift card balances. Customer accounts could also be used by cyber-criminals to launder dirty money.
Banking: Most financial institutions have multi-factor authentication in place to guard against the worst effects of stolen bank account log-ins. But if controls aren’t strong enough then organizations may be at risk from fraudulent transactions, or even new account fraud, if the attacker is able to request a new card. Crypto-currency exchanges could be exposed in a similar way.
Insurance: If hackers are able to commit identity fraud by taking over customer accounts, they could make false insurance claims, changing the policyholder’s details so the funds are transferred into their bank account.
BEC: A compromised email account belonging to a senior executive or CEO could give attackers all they need to craft highly convincing Business Email Compromise (BEC) attacks. Social engineering is employed as the attacker emails members of the finance team, masquerading as the CEO, demanding an urgent transfer of corporate funds to a third-party bank account. A CEO’s email address could also be used to send targeted malware-laden emails to individuals, with a high chance of a successful infection given the apparent legitimacy of the email.
The fightback starts here
So how can you hope to prevent identity theft? Cyber-criminals have developed an entire industry around the acquisition of valid credentials. From classic malware infection and phishing attacks to man-in-the-middle, DNS hijacking, and vulnerability exploitation, there’s a long and growing list of techniques designed to steal corporate log-ins, with privileged accounts particularly prized. Sometimes malicious exploitation isn’t even required: simple social engineering via email, brute-force automation or even capitalizing on leaked databases can be enough.
The bottom line is that it only theoretically takes one compromised credential to unwittingly open the cyber-front door to criminals. Once inside the network they can pivot to other database stores of sensitive information and customer credentials. It’s no surprise that we’ve seen a 62% growth in the number of geolocated compromised credentials from European countries over the past year. That means organizations must focus their efforts on detection and prevention.
Effective threat intelligence is the key to mitigating the risk of compromised credential and identity theft. This means investing in tools that can spot leaked, stolen and sold user credentials on underground forums very early on, way before fraudsters have had a chance to properly test and monetize them. Threat intelligence can also provide invaluable information on any malware being used in the wild to steal data, ensuring you can take action to block similar attacks in the future. Proactive counter-intelligence could even give your user awareness and education efforts an advantage by providing information on current phishing campaigns which can be fed in to simulation exercises.
Behind this formidable first line of defense, organizations can then layer up extra security including multi-factor authentication and periodic testing of the IT infrastructure. It’s all about taking steps to maximize detection and prevention of data-stealing threats, and to ensure that if attackers do manage to infiltrate the network, they’re detected as soon as possible. The current median “dwell time” for EMEA is estimated at 175 days: that’s nearly six months attackers spend inside networks without being detected. Sometimes it’s even longer: Yahoo famously notified its three billion account holders of a massive credential and personal data breach nearly four years after it occurred. The bottom line is the longer attacks go undetected, the more data gets taken and used and the more serious the impact on the victim company and its customers.
A way forward
It’s very hard today to stop a determined attacker. They have the element of surprise and only need to get lucky once to access invaluable corporate and customer credentials to commit damaging identity theft. But with the right strategy you can get much better at blocking attacks in the first instance and then spotting the early warning signs of any others that have snuck through — before attackers have had a chance to monetize their gains.
The average cost of a data breach stands at $3.9m, but could easily be much bigger once you factor in customer loss and reputational damage. Customers have increasingly high expectations of the companies they do business with. Over-two-thirds (69%) of global consumers claim they’d boycott any company that doesn’t take data protection seriously. In today’s GDPR-centric world, accountability is crucial. You have to put cybersecurity at the heart of your organization, starting with securing those all-important credentials. It’s the key to minimizing the negative impact of everything that can follow, including wide-scale identity theft.
- To find out more on this topic, read our in-depth Credential Theft article on credential compromise and identity theft.
- The Credential Theft Ecosystem report embodies this approach – it is designed to help organizations understand the lifecycle of a compromised credential and keep their organizations’ data safe.