What Credential Stuffing is and how to protect yourself

A total of 500 million Zoom accounts are being sold on the dark web thanks to “credential stuffing”.

It is a common way for criminals to access online accounts. Here is what this term means and how you can protect yourself.

It starts with databases and password leakage

Attacks against online services are frequent. Criminals often exploit flaws in systems to obtain databases of usernames and passwords. Databases of stolen login credentials are often sold online on the dark web, with criminals paying in Bitcoin for the privilege of accessing the database.

Let's say you had an Avast forum account that was hacked in 2014. That account was compromised, and criminals may now have your username and your Avast forum password. Avast contacted you and told you to change your forum password, so what's the problem?

Unfortunately, the problem is that many people reuse the same password on different websites. Suppose your Avast forum login was “you@example.com” with the password “gamatoPassword”. If you signed in to other websites with the same username (your email address) and the same password, any criminal who obtains the leaked credentials can gain access to those other accounts as well.

Credential stuffing in action

“Credential stuffing” means taking these leaked databases of login details and attempting to log in with them to other online services.

Criminals obtain large databases of leaked username and password combinations, often millions of login credentials, and try them against other sites. Because some people reuse the same password on multiple sites, some of the combinations will work. This is generally automated with software that quickly tests many login combinations.

In other words, the attackers plug all of these stolen credentials into a login form and see what happens. Some of them are sure to work.

This is one of the most common ways for attackers to break into online accounts these days. In 2018 alone, the content delivery network Akamai recorded approximately 30 billion credential stuffing attacks.
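From the defender's side, the pattern described above is visible in authentication logs: one source address tries a long list of different usernames roughly once each and fails almost every time, which looks quite different from ordinary traffic or from a brute-force attack that hammers one account. The following Python is an added example, not code from the original article or from Akamai; the log format (`ip=`, `user=`, `result=`) and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per service.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article). Assumed format:
# "<timestamp> login ip=<addr> user=<name> result=<success|failure>"
SAMPLE_LOG = """\
2020-04-14T10:00:01Z login ip=203.0.113.7 user=alice@example.com result=failure
2020-04-14T10:00:01Z login ip=203.0.113.7 user=bob@example.com result=failure
2020-04-14T10:00:02Z login ip=203.0.113.7 user=carol@example.com result=success
2020-04-14T10:00:02Z login ip=203.0.113.7 user=dave@example.com result=failure
2020-04-14T10:00:03Z login ip=203.0.113.7 user=erin@example.com result=failure
2020-04-14T10:00:03Z login ip=203.0.113.7 user=frank@example.com result=failure
2020-04-14T10:00:10Z login ip=198.51.100.5 user=grace@example.com result=failure
2020-04-14T10:00:11Z login ip=198.51.100.5 user=grace@example.com result=failure
2020-04-14T10:00:12Z login ip=198.51.100.5 user=grace@example.com result=failure
2020-04-14T10:00:13Z login ip=198.51.100.5 user=grace@example.com result=failure
2020-04-14T10:00:14Z login ip=198.51.100.5 user=grace@example.com result=failure
2020-04-14T10:00:20Z login ip=192.0.2.44 user=heidi@example.com result=success
2020-04-14T10:00:25Z login ip=192.0.2.44 user=heidi@example.com result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse the assumed log format into (ip, user, success) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["user"], m["result"] == "success"))
    return events


def classify_sources(events, min_attempts=5, stuffing_user_ratio=0.8, max_failure_rate=0.5):
    """Label every source IP (thresholds are assumptions):
    - credential_stuffing: enough volume, nearly every attempt against a different username, mostly failures
    - password_brute_force: enough volume, attempts concentrated on one or a few usernames, mostly failures
    - normal: below the volume threshold, or a healthy success rate
    """
    per_ip = defaultdict(list)
    for ip, user, ok in events:
        per_ip[ip].append((user, ok))

    verdicts = {}
    for ip, attempts in per_ip.items():
        total = len(attempts)
        failures = sum(1 for _, ok in attempts if not ok)
        distinct_users = len({user for user, _ in attempts})
        if total < min_attempts or failures / total <= max_failure_rate:
            verdicts[ip] = "normal"
        elif distinct_users / total >= stuffing_user_ratio:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "password_brute_force"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a stuffing source: these are the reused-password
    victims whose sessions should be revoked and whose passwords should be reset."""
    return sorted({user for ip, user, ok in events if ok and verdicts.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("reset:", accounts_to_reset(evs, verdicts))
```

The single success buried in the burst from 203.0.113.7 is the important finding: that account's owner reused a leaked password, so a working detection should trigger a forced reset for them rather than only blocking the source address.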

How to protect yourself

Protecting yourself from credential stuffing is very simple: follow the same password security practices that security experts have recommended for years. There is no magic solution - just good passwords:

  • Avoid reusing passwords: Use a unique password for each account you have online. That way, even if one password is leaked, it cannot be used to log in to other sites. Attackers may try your leaked credentials on other login forms, but they will not work.
  • Use a password manager: Remembering strong, unique passwords is almost impossible if you have accounts on many sites, and almost everyone does. We recommend using a password manager such as KeePass, which will "remember" the passwords for you.
  • Enable two-factor authentication: With two-factor authentication, you must provide something extra - such as a code generated by an app or sent to you via SMS - each time you log in to a website. Even if an attacker has your username and password, he or she will not be able to log in to your account without that code.
  • Get notified about data leaks: With a service like Have I Been Pwned?, you can be notified when your credentials appear in a leak.

How services can protect against credential stuffing

There are many ways for online services to protect themselves against credential stuffing attacks.

  • Scan leaked databases for users' passwords: Facebook and Netflix scan leaked databases for passwords that are also in use on their own services. If there is a match, Facebook or Netflix can ask the affected user to change their password.
  • Offer two-factor authentication: Users should be able to turn on two-factor authentication to secure their online accounts. Particularly sensitive services can make it mandatory.
  • Require a CAPTCHA: If a login attempt looks suspicious, a service can require the user to type the characters shown in an image or complete some other challenge to verify that a person, not a bot, is trying to log in.
  • Limit repeated login attempts: Services should block bots that make a large number of login attempts in a short time. Bear in mind that sophisticated modern bots may spread their attempts across many IP addresses at once to disguise their activity.
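Two of the service-side measures above can be shown in code: checking a password against a corpus of leaked hashes at registration or password-change time, and rate limiting failed logins per account and per source address, escalating to a CAPTCHA or a temporary lockout. The Python below is an added example, not code from the article, Facebook, Netflix or Have I Been Pwned. The leaked-hash set is constructed locally (the real Pwned Passwords service answers the same kind of five-character SHA-1 prefix query over the network, which this example deliberately does not call), and the window sizes and thresholds are assumptions.

```python
import hashlib
from collections import defaultdict, deque

# Constructed stand-in for a breach corpus (not real breach data). Only uppercase SHA-1 hex
# digests are kept, so the service never stores the leaked plaintexts themselves.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("gamatoPassword", "123456", "password", "qwerty")
}


def sha1_prefix_suffix(password):
    """Split the SHA-1 of a candidate password into the 5-character prefix used for the
    range query and the remaining 35 characters that are compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def leaked_suffixes_for_prefix(prefix):
    """Range lookup: every corpus suffix sharing the prefix. Modelled on the k-anonymity range
    query of Have I Been Pwned's Pwned Passwords, but served from the local constructed set."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def password_is_leaked(password):
    """True when the candidate password appears in the leaked corpus; the full hash never leaves the caller."""
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in leaked_suffixes_for_prefix(prefix)


class LoginRateLimiter:
    """Sliding-window counter of failed logins, keyed both per account and per source IP.
    Timestamps are passed in explicitly so the behaviour is deterministic and testable."""

    def __init__(self, window_seconds=60, max_per_account=5, max_per_ip=20):
        self.window = window_seconds
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self._account_hits = defaultdict(deque)
        self._ip_hits = defaultdict(deque)

    def _prune(self, hits, now):
        # Drop failures that have aged out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()

    def check(self, username, ip, now):
        """Decide, before the password is even verified, how to treat this attempt:
        'block' locks the account temporarily, 'challenge' demands a CAPTCHA from a noisy
        source address, 'allow' lets the normal login flow proceed."""
        acct, src = self._account_hits[username], self._ip_hits[ip]
        self._prune(acct, now)
        self._prune(src, now)
        if len(acct) >= self.max_per_account:
            return "block"
        if len(src) >= self.max_per_ip:
            return "challenge"
        return "allow"

    def record_failure(self, username, ip, now):
        """Call after a failed password check."""
        self._account_hits[username].append(now)
        self._ip_hits[ip].append(now)


if __name__ == "__main__":
    print("gamatoPassword leaked:", password_is_leaked("gamatoPassword"))
    limiter = LoginRateLimiter()
    # Constructed scenario: one address fails against 20 different accounts within a minute.
    for i in range(20):
        limiter.record_failure(f"user{i}@example.com", "203.0.113.7", 100 + i)
    print("21st attempt from that address:", limiter.check("victim@example.com", "203.0.113.7", 121))
```

Keeping the two counters separate matters: a per-account limit alone never fires during credential stuffing, because each account sees only one or two attempts, while a per-IP limit alone is what distributed bots evade by spreading attempts across many addresses, which is why the article also recommends scanning leaked databases and offering two-factor authentication.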

Bad password practices, and, to be fair, insecure online systems, make accounts very easy to break into. So it is no wonder that many companies in the technology industry want to build more secure systems that do away with passwords altogether.


Written by Anastasis Vasileiadis
