
7 Ways Cybercriminals Steal or Defeat Login Credentials

The fight for your data is on

With all its promise of interconnectivity and easy access to information, the digital world is a dangerous neighborhood, filled with attackers poised to steal the data most personal and valuable to you and your business. Effective information security means more than using long and unique passwords; it is a multi-tiered, comprehensive approach to protecting the information that is most vital to your privacy and livelihood. To understand how to protect your data and accounts, it's helpful to know the common ways in which your passwords and credentials could be stolen and used against you.

1: Malware

Malware covers a variety of threats to your system, such as spyware, keyloggers, and trojans. For attackers who infect your system with this kind of rogue software, passwords are a high-value target. If you think stealing passwords with malware may be tricky, you'll be shocked to find out that there are actually DIY malware kits designed to do just that. Further, trojans are now focused on stealing critical data such as your banking login credentials, as with a Zeus variant called Gameover. Even as you read this, these sorts of malware are ruthlessly compromising the information of the customers of some of the largest banks in the world.

2: Web Site Breach

We trust a lot of sensitive data to web sites of all sorts. Whether you’re looking for a daily deal on LivingSocial, trying to connect with colleagues on LinkedIn, or just trying to stay involved with your favorite content through PBS, breaches happen more often than any of us would like. Through a variety of methods (SQL Injection, Remote File Inclusion, or just typical credential brute-forcing), web sites are constantly being attacked by criminals, sophisticated and otherwise. Once your password has been stolen, that leaked data often finds its way onto sites like Pastebin and BitTorrent, ready to be used by an awaiting crowd of would-be attackers and identity thieves. If you use the same password across multiple web sites and applications, having your information stolen once may be all it takes to compromise numerous accounts.

3: Employee Exfiltration

Whether it's a disgruntled former employee or a current employee wanting to cause trouble, the access to information your team possesses can turn from beneficial to detrimental very quickly. As the Tribune Company found out with their employee Matthew Keys, sharing the wealth when it comes to credentials can be a real problem for the security of an organization. Allegedly, Keys had provided critical credentials to members of Anonymous, allowing them to alter the content of company web properties. Imagine what would happen if a similar scenario occurred in a more serious context, such as a financial or medical organization.

4: Misconfiguration of Software

If you've ever configured a piece of enterprise software, you'll likely know that a wrong checkbox or an out-of-order policy rule can make all of the difference in being secure or being a sitting duck. The reality of misconfigurations leading to breaches is all too common and can take a well-patched and adequately protected system and lower the defenses completely. The complexities of security often result in minor oversights becoming major gaps to security. Take for example a firewall that only allows a certain IP address to visit an internal web site. An administrator could easily miss a character in their command and allow the entire Internet access to this private resource, rather than their intended single computer.
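The firewall slip described above can be caught by auditing rules against the intended allowlist. The following is an added example, not part of the original article; the iptables-style rule lines, port 8443, and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample in iptables rule syntax; addresses are documentation ranges.
SAMPLE_RULES = """\
-A INPUT -s 203.0.113.7/32 -p tcp --dport 8443 -j ACCEPT
-A INPUT -s 203.0.113.7/3 -p tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT
-A INPUT -s 198.51.100.20 -p tcp --dport 8443 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp --dport 22 -j ACCEPT
"""


def _value(tokens, *flags):
    """Return the argument following the first of `flags` found, else None."""
    for flag in flags:
        if flag in tokens[:-1]:
            return tokens[tokens.index(flag) + 1]
    return None


def audit_rules(rules_text, protected_port, allowed_sources):
    """List ACCEPT rules that open protected_port to sources outside the allowlist.

    Returns (line_number, effective_source, reason) tuples. Only rules whose
    --dport is exactly the protected port are examined.
    """
    allowed = [ipaddress.ip_network(a) for a in allowed_sources]
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        tokens = shlex.split(line)
        if _value(tokens, "-j", "--jump") != "ACCEPT":
            continue
        if _value(tokens, "--dport", "--destination-port") != str(protected_port):
            continue
        if "!" in tokens:
            findings.append((line_no, line, "negated match, review by hand"))
            continue
        # No -s at all means "any source". strict=False applies the mask to the
        # address, so the one-character slip 203.0.113.7/3 covers 192.0.0.0/3.
        src = ipaddress.ip_network(_value(tokens, "-s", "--source") or "0.0.0.0/0", strict=False)
        if any(src.subnet_of(net) for net in allowed):
            continue
        reason = f"{src.num_addresses} addresses allowed, outside allowlist"
        findings.append((line_no, str(src), reason))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, 8443, ["203.0.113.7/32"]):
        print(finding)
```

On the constructed sample, the rule with the dropped digit (`/3` instead of `/32`) and the rule with no source at all are both reported, along with the rule that admits a host not on the allowlist.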

5: Application Vulnerability

Code will always have bugs. As we continually build larger and more complex applications, an increase in code security issues is almost a certainty. A failure to check a bit of code could lead to a severe security issue, such as authentication bypass. In such a scenario, a security flaw in a piece of code might improperly verify who a user is upon login or allow an attacker to skip authentication altogether. While the battle over your credentials is one concern, if an attacker never even has to log in as you to reach your data, that provides for a whole new set of worries.

6: Phishing Scams

Phishing is a way for attackers to send out correspondence (such as an e-mail) that tricks you into following a link to a real-looking but fraudulent form, masquerading as a legitimate web site. When you fill out the form you think is real, you’re actually sending your credentials and sensitive information to cybercriminals. Spear-phishing is a more targeted form of general phishing. As security giant RSA found out back in 2011, phishing can be an extremely effective way of getting past the technical controls of a company and to the softer targets: employees. In that breach, RSA not only had attackers within their systems, but also had those same attackers steal critical details of their security platforms. A popular misconception is that attackers always go after a high-value target, such as a CEO. Instead, many attackers start with lower-level targets (such as a secretary) in order to get a foothold in an organization, allowing them to bypass security protections that more important employees may have surrounding their systems and data.

7: Access Control

The last thing any company wants to be on is a list of the biggest breaches. Trying to manage access to data (or even credentials) can be a challenge. Without strong access control, like Duo Security, a breach can occur quickly by forgetting to change a simple password or not restricting where a user can log in from. Many organizations fail to limit employee privileges well enough, fail to require strong-enough authentication methods, or in some cases, just don’t protect critical data and resources at all. Without focusing on how data flows from one part of an enterprise to another, and who can access it at each hop, information can quickly wind up in an attacker’s grasp.

Stay Vigilant - We Can Help

You and your company have a lot at stake. If cybercriminals steal your data or breach your business accounts, you will lose profits and privacy, and take a significant hit to your reputation. At Duo, we’re on the front lines of the war against cybercrime and can help you with two-factor authentication that is both the strongest authentication on the market and the easiest to deploy and use. Click here to find out more.

Have you ever had a data breach affect your life, personally or professionally? Let us know in the comments!

Mark Stanislav

Security Evangelist

@markstanislav

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 75 events including RSA, DEF CON, ShmooCon, SOURCE Boston, and THOTCON. He earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.