Here's a sobering fact: Over three billion passwords were stolen in 2016. Common statistics suggest that most people shuffle through several passwords to access a couple dozen or so online sites on a regular basis. If we wanted to make things easier for hackers, we’d have a hard time being more helpful than we are now. With more than 80% of attacks being initiated using stolen credentials, this is quickly emerging as one of the biggest threats to security on the Internet.
Advanced automated techniques based on analysis, investigation, and intelligence have thus emerged in commercially available platforms to identify compromised credentials quickly and accurately. This is good news for enterprise security teams, as identity-related compromises just continue to happen. Monica Pal, CEO of 4iQ, sat down with us recently to explain how identity threat intelligence can be used to alert users if their stolen passwords and exposed personal information are discovered in the surface, deep, or dark web.
EA: Monica, what are the risks to digital identities that individuals face on the Internet today?
MP: The risks individuals face regarding their digital identities stem from the types of decisions and behaviors these users exhibit, as well as weaknesses in the systems they are using. For example, most people set up accounts that they might quickly forget are even in existence. They might reuse the same usernames on multiple accounts, and this is often just an email address. They might recycle passwords across different accounts, which is hard for security systems to detect, simply because the infrastructure behind different Internet-based services is not common or unified. Even if users are forced to reset their passwords, they will typically rotate through a few favorite passwords. Hackers thus know that your Hotmail or LinkedIn passwords, for example, are probably the same ones being used for Dropbox and banking. So, they use credentials stolen from one account to test and unlock other accounts. Once they take over, say, an email account, they could have access to conversations, chats, contacts, calendar, documents, photos, and more. They can invade your privacy, learn about who you are, determine where you live and what you think, access your calendar, publish conversations and photos, or use information for social engineering. They can spam your email, access your social contacts, send phishing messages, and infect them with malware and ransomware.
EA: Do businesses face similar risk? And do you see these risks increasing with social media?
MP: Yes, businesses face similar risks. The lines are blurring between personal and business, as well as on-line and off-line. For example, most people no longer switch phones or tablets for business and personal use, and we all use the same passwords for personal and business accounts. So, although businesses continue to invest money protecting IT infrastructure, a hack on a small gaming site can leave the door wide open to the corporate enterprise. Social media also increases these risks exponentially. The sharing that occurs with family, friends, and business contacts creates a treasure trove for criminals as they try to figure out who to target and how to attack. Executives and boards are especially susceptible to this risk.
EA: What are the best sources of intelligence about threats to our digital identities?
MP: Once hackers exfiltrate usernames, passwords, and other online account data, they might use it themselves, sometimes over months and years. Alternatively, they might give the stolen data to brokers who trade amongst friend groups, which are rings of anonymous personas talking in IRC channels in the dark web. If you follow this trail, the best sources of intelligence are in these tight-knit communities of the dark web, where you need to know the right personas and have the right reputation. Next come black markets in the dark web, where these data sets are sold, followed by a couple hundred other forums and Twitter handles, where information on stolen credentials and personal information packages are exposed. Since digital identities are central to our digital lives, our team at 4iQ has focused on searching the surface, social, deep, and dark web, looking specifically for stolen, lost, and leaked data that might contain personal information.
EA: What more can you tell us about the surface, dark, and deep web, and how your platform accesses these sources of information?
MP: The surface web is the most common and well-known. It is that portion of the web that we use every day, and is indexed by standard search engines. The deep web, in contrast, is bigger and includes content that is not indexed by search engines. The dark web is smaller and contains content not indexed and not available via standard browsers. You must use special browsers like Tor to anonymously access sites, forums, and IRC channels. In addition, sites in this part of the Internet are transient. That is, they come and go – sometimes up and sometimes down. The more coverage and context, the better the intelligence, so our 4iQ platform scans all parts of the web, including surface, social, deep and dark. Many parts of the dark web cannot automatically be accessed, so our subject matter experts visit these places and manually monitor chatter and collect information. Once data is collected, our system automatically structures or normalizes the data, extracts and disambiguates identities, and stores a hash of the information. Customers who have registered a hash of their digital identity with us are sent an alert as soon as new exposed information on them is found. This allows them to change passwords, adjust privacy settings, reconfigure servers, and limit damage.
EA: Won’t passwords soon be a thing of the past? Aren’t people going to use two-factor authentication and then this problem will be gone?
MP: The problem may have more to do with human nature than technology. For example, two-factor authentication has been available for decades. But it hasn’t been easy or cheap. Even today with mobile devices used as the second factor, it is not easy for businesses to simply move to 2FA. It is a speed bump that could turn off users and negatively impact the bottom line. And for many businesses, given the choice, very few people will turn 2FA on. But even if 2FA is widely adopted, clever criminals can still trick users into sending their PINs to the hacker. The bottom line is that no matter what types of authentication are being deployed, clever hackers will find some way to steal and share sensitive information.