It’s much easier to remember your password if you use the same one across multiple platforms. And that’s probably why so many people keep using the same password despite being warned for years not to do so.
Password reuse remains one of the biggest cybersecurity risks on the radar of Chip Witt, head of product strategy for SpyCloud, an Austin, Texas-based company that alerts customers when employee or company assets have been compromised.
Witt gave a presentation on cybersecurity Tuesday at the AICPA ENGAGE 2019 conference in Las Vegas. He discussed the growing risks of password reuse and account takeover as well as how to keep credentials and data from being monetized on the “dark web” by cybercriminals.
“Password reuse is a really big problem,” he said in an interview before ENGAGE. “Once people find a good password, they’ll continue to reuse that password exactly, or variations of it. This is dangerous because the cybercriminal, once he has your password, can very easily access your accounts and the loyalty points, cash, and/or personally identifiable information within.”
A one-password — or weak-password — approach places the user at significant risk of fraud, theft, and professional liability, Witt said, adding that hackers have a variety of tools for stealing account credentials, including social engineering manipulation, malware, prior breaches, and other tech tools.
It’s not just personal data that are in jeopardy. Firms of all sizes are at significant risk of companywide data breaches when employee accounts are hacked; once criminals break in, they can leverage stolen data for a variety of fraud schemes, such as business email compromise, invoice fraud, and employment fraud. They also gain access to corporate secrets, financial accounts, employee personnel records, and business plans, putting the company at high risk for financial and reputational damage.
As dangerous as that sounds, the risk doesn’t stop there. Criminals can also sell your stolen credentials to other criminals on the deep web, which is the part of the internet not indexed by search engines. Most of the credential sales take place on the dark web, which essentially is a sliver of the deep web, accessible only by special browsers. The dark web provides a level of seclusion and anonymity that makes it an attractive place for criminals to digitally congregate for illegal activities.
“Once information shows up on the dark web, it’s no longer a secret,” Witt said. “A wide variety of people have access to it.”
Witt offered several tips for how individuals and companies can protect themselves against account takeover and credential theft.
Use a password manager. Password managers like Keeper, Zoho Vault, True Key, and many others generate complex, unique, and encrypted passwords for every site you need access to. There are many types of password managers, but no matter which you choose, they go a long way toward erasing the password reuse problem, according to Witt. In combination with other security steps, such as two-factor authentication, password managers can create significant hurdles for cybercriminals trying to break into your accounts.
Be proactive. Witt recommends allocating part of your budget to external-credential and identity-monitoring systems, which mitigate the risk of your data being disseminated after a breach.
Quite often, companies don’t know they’ve been breached until after the harm is done. Criminals can sit on breach data for 12 to 18 months before exploiting them, giving your data time to clandestinely circulate, Witt said. However, they may share or sell breach data on the dark web without acting on them, which gives companies an opportunity to find their stolen material before criminals use it.
“You want to constantly monitor your credentials and identity for exposure,” said Witt.
Protect employees’ personal accounts. Because people tend to use the same password across multiple accounts, if an employee’s personal email account is hacked, cybercriminals may potentially gain access to your company’s networks, using that same password. Witt suggested that companies extend security protection to employees’ accounts to lessen the risk of password reuse damage. He also recommends extending those protections to employees’ family members to protect their larger online networks.
“The majority of individuals will use the same password across multiple aspects of their identity. They'll use it for their work mail, for their personal email, et cetera,” he said. “Know that an exposure in one area could definitely affect another.”
The risk is immediate when an employee or customer whose credentials have been compromised logs in to your systems: “if a password has been exposed, criminals are likely to use it.”
Automate account takeover prevention. Witt advocated taking choice out of the equation when it comes to password and account protection by automating every possible stage in the process, such as scanning the web for credentials, comparing credentials against known compromised material, and monitoring account creation for fraud warning signs. Automation using technology like SpyCloud’s ATO Prevention software, Imperva’s ThreatRadar, or LexisNexis’s ThreatMetrix ensures that your protection activities are constant, current, and as habitual as possible.
“Whatever technologies you leverage, build them into your environment and automate the process. Anything that relies on a human doing something is going to get set aside or pushed back to the back burner,” Witt said. “Automate your security measures wherever possible.”
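Example code added here, not the article's or SpyCloud's: a minimal version of the automated "compare credentials against known compromised material" step Witt describes, run at account creation and at login. It uses a hash-prefix range query so the checking service only ever sees the first five hex characters of a password hash, never the password or its full hash; the breach corpus and account data are constructed for the example.

```python
import hashlib
from typing import Dict, Set

# Constructed sample of passwords that have appeared in breach dumps.
# A real compromised-credential service would store hashes only, never plaintext.
CONSTRUCTED_BREACH_CORPUS = ["Password1", "Summer2019!", "letmein", "qwerty123"]

def sha1_hex(password: str) -> str:
    """Hash a password; SHA-1 is used because breached-password range services index on it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus) -> Dict[str, Set[str]]:
    """Service side: bucket breached-password hashes by their first 5 hex characters."""
    index: Dict[str, Set[str]] = {}
    for pw in corpus:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])  # store only the 35-char suffix
    return index

def range_query(index: Dict[str, Set[str]], prefix: str) -> Set[str]:
    """Service side: answer a prefix query with every suffix in that bucket.
    The service learns only the prefix, which matches many unrelated passwords."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(index.get(prefix, ()))

def is_compromised(candidate: str, index: Dict[str, Set[str]]) -> bool:
    """Client side: hash locally, send the prefix, and do the final comparison locally."""
    h = sha1_hex(candidate)
    return h[5:] in range_query(index, h[:5])

def on_password_set(candidate: str, index: Dict[str, Set[str]]) -> str:
    """Account-creation / password-change hook: refuse passwords already in breach data."""
    return "REJECT" if is_compromised(candidate, index) else "ACCEPT"

def on_login(password: str, index: Dict[str, Set[str]]) -> str:
    """Login hook: an exposed password is a takeover risk even if it is correct,
    so force a reset rather than letting the session proceed unchallenged."""
    return "FORCE_RESET" if is_compromised(password, index) else "ALLOW"

if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ["Summer2019!", "correct horse battery staple 9x!"]:
        print(pw, on_password_set(pw, idx), on_login(pw, idx))
```

The prefix bucket is the only thing sent over the wire, so the same pattern lets the check be automated for every login and signup without handing passwords to a third party.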
— Drew Adamek is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at Andrew.Adamek@aicpa-cima.com.