
Account hacks: the user or the company – who’s to blame?

By Mike Milner, CTO and Co-founder, IMMUNIO

Operational security - January 09, 2017

When people choose weak passwords and reuse those same passwords across a variety of websites, they bear some responsibility for the security breaches that impact them. Historically, this was where it stopped: if you got hacked, it was your fault. But as Account Takeover (ATO) attacks become more common and more damaging to companies and websites, organizations must consider sharing responsibility for their customers’ faulty passwords.

This argument may sound counterintuitive: shouldn’t individuals bear the blame if their poor choices leave the door open to cyberattackers? Perhaps. Yet since the damage caused by negligent users ripples across the entire organization, it makes sense to improve web application security broadly, throughout the software development lifecycle – long before end users set up their credentials. This is ultimately the best way to minimize the impact of ATO and credential stuffing attacks, while also building credibility with users.

The security problem arising from stolen credentials is only getting worse. Not a week goes by without numerous disclosures of organizations impacted by such attacks, and the damage these attacks cause can linger for years. The 2013 Adobe breach – a single attack – resulted in more than 100 million username/password combinations being leaked to the dark web, where they were easily accessible to criminals who could then use that information to break into other personal accounts.

The massive data breach at Yahoo is another recent security story stealing headlines. The implications of this breach – widely reported to be the largest of its kind – will be wide-ranging and complex. As the Yahoo hack and many others like it prove, it’s still very difficult for companies to ensure the security of their websites, applications and customer data. Furthermore, there’s no doubt that security posture is emerging as a major factor in corporate valuations. In Yahoo’s case, most of the passwords were hashed with the secure algorithm bcrypt, but, while some security questions were encrypted, others were not. This was a textbook example of a cyberattack enabling massive credential stuffing/ATO breaches – which are now the single largest attack vector for cybercriminals, according to researchers at Verizon.

One could argue that organizations have become too good at shielding users from the impacts of such breaches. If a user knows that Facebook is really good at protecting his or her account, even though that individual chose a weak password, he or she might be less motivated to pick a stronger one. If a bank automatically refunds any fraudulent charges resulting from security breaches, it might make customers lazier when it comes to being cautious of hacks.

Meanwhile, insecure web applications give attackers a relatively simple mechanism by which to steal user credentials, and commonly used security tools, such as Web Application Firewalls (WAFs), fall short as they require developers to comb through lines of code to locate a single vulnerability before manually fixing the issue. Security tools like WAFs were designed only to protect the perimeter of an application, which makes things particularly difficult since ATO and credential stuffing attacks can easily bypass the perimeter and target web applications directly from within. Adding to this problem is the fact that protecting user accounts piecemeal is all but impossible when every application uses custom security measures. It quickly becomes a management nightmare to keep these security measures up to date, but failing to do so means web applications become security liabilities.

Fortunately, there are proactive steps organizations can take right away to minimize the risks to their web applications. Encouraging secure password practices is a good place to start. Companies should put mechanisms in place to enforce a minimum level of password security, alerting users if their chosen passwords are too weak and prompting them to choose ones that are harder for attackers to guess.
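As an added illustration of the minimum-password-security mechanism described above (example code written for this page, not IMMUNIO’s product or any code from the article), the following Python function evaluates a candidate password at registration time and returns the reasons it was rejected, so the application can tell the user what to fix. The leaked-password list, the 12-character minimum and the distinct-character threshold are constructed, assumed policy values; a real deployment would check a full breached-password corpus rather than this short set.

```python
import re

# Constructed sample of leaked passwords (assumption for this example).
# A production check would consult a breached-password corpus instead.
LEAKED_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "adobe123",
}

MIN_LENGTH = 12          # assumed policy value
MIN_DISTINCT_CHARS = 4   # assumed policy value


def evaluate_password(password, username=""):
    """Return a list of human-readable problems; an empty list means the
    password meets the policy. Each check is independent so the user sees
    every reason at once instead of fixing them one submission at a time."""
    problems = []

    # Length is the single most effective guard against guessing.
    if len(password) < MIN_LENGTH:
        problems.append("must be at least %d characters long" % MIN_LENGTH)

    # Anything already circulating in a breach corpus is a credential
    # stuffing hit waiting to happen, however "complex" it looks.
    if password.lower() in LEAKED_PASSWORDS:
        problems.append("appears in a list of leaked passwords")

    # A password built around the account name is trivially guessable.
    if username and username.lower() in password.lower():
        problems.append("must not contain your username")

    # Low-entropy patterns: very few distinct characters, or long runs
    # of one repeated character.
    if len(set(password.lower())) < MIN_DISTINCT_CHARS:
        problems.append(
            "uses fewer than %d distinct characters" % MIN_DISTINCT_CHARS)
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated four or more times")

    return problems


def is_acceptable(password, username=""):
    """True when the password passes every policy check."""
    return not evaluate_password(password, username)


if __name__ == "__main__":
    for pw, user in [("password", "alice"),
                     ("correct horse battery staple", "alice"),
                     ("alice-alice-alice-2017", "alice")]:
        print(repr(pw), "->", evaluate_password(pw, user) or "ok")
```

Returning the whole list of problems, rather than a single boolean, is what lets the registration form prompt the user toward a stronger choice instead of silently rejecting the weak one.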

It is important to note in this process that each organization will have a different level of tolerance for relative password weakness. If a particular web application deals with sensitive financial information, protected health data or other highly valuable information, it’s wise to make two-factor authentication mandatory. In addition, companies should develop a backup plan for instances when password authentication can’t be trusted. In some cases, users can acquire another user’s credentials and gain fraudulent access. For this reason, it’s equally important to add an extra layer of security and implement capabilities that detect deceptive logins. Finally, ensuring that organizations have secondary email addresses and/or phone numbers for all users covers all their bases in the event that they must contact users to verify their identities.
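The paragraph above says a site should detect deceptive logins and fall back to a second factor when the password alone can’t be trusted. The Python below is an added example of that detection logic (written for this page; it is not IMMUNIO’s code and not from the article) run over a constructed login log. It flags a source IP as a credential stuffing source when, within a five-minute window, it has tried at least five distinct usernames with a failure rate of 80% or more, and it marks any successful login that comes from a flagged source or from an IP the user has never used before as needing a step-up challenge (the second factor or the secondary email/phone contact). The log format, thresholds and prior-IP history are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds: assumed values, tune to your own traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATE = 0.8

# Constructed sample login log (invented for this example).
SAMPLE_LOG = """\
2017-01-09T10:00:01 user=alice ip=198.51.100.7 result=fail
2017-01-09T10:00:09 user=alice ip=198.51.100.7 result=success
2017-01-09T10:01:00 user=alice ip=203.0.113.9 result=fail
2017-01-09T10:01:02 user=bob ip=203.0.113.9 result=fail
2017-01-09T10:01:04 user=carol ip=203.0.113.9 result=fail
2017-01-09T10:01:06 user=dave ip=203.0.113.9 result=fail
2017-01-09T10:01:08 user=erin ip=203.0.113.9 result=fail
2017-01-09T10:01:10 user=frank ip=203.0.113.9 result=success
2017-01-09T10:30:00 user=bob ip=192.0.2.44 result=success
"""

# Constructed prior history: IPs each user has successfully used before.
KNOWN_IPS = {
    "alice": {"198.51.100.7"},
    "bob": {"192.0.2.44"},
    "frank": {"192.0.2.45"},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(success|fail)$")


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that don't match the assumed format
        ts, user, ip, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "success"})
    return events


def find_stuffing_sources(events):
    """Map each IP that looks like a credential stuffing source to the
    window statistics that triggered the flag."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # All events from this IP in the WINDOW ending at the current one.
            window = [e for e in evs[:i + 1] if cur["ts"] - e["ts"] <= WINDOW]
            users = {e["user"] for e in window}
            rate = sum(1 for e in window if not e["ok"]) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and rate >= MIN_FAILURE_RATE:
                flagged[ip] = {"distinct_users": len(users),
                               "failure_rate": round(rate, 2)}
                break  # one detection per IP is enough for this example
    return flagged


def logins_needing_step_up(events, known_ips, stuffing_sources):
    """Successful logins the password alone should not be trusted for."""
    needs_step_up = []
    for e in events:
        if not e["ok"]:
            continue
        reasons = []
        if e["ip"] in stuffing_sources:
            reasons.append("source flagged for credential stuffing")
        if e["ip"] not in known_ips.get(e["user"], set()):
            reasons.append("first login from this IP")
        if reasons:
            needs_step_up.append({"user": e["user"], "ip": e["ip"],
                                  "reasons": reasons})
    return needs_step_up


def analyze(text=SAMPLE_LOG, known_ips=KNOWN_IPS):
    events = parse_log(text)
    sources = find_stuffing_sources(events)
    return sources, logins_needing_step_up(events, known_ips, sources)


if __name__ == "__main__":
    sources, step_ups = analyze()
    print("stuffing sources:", sources)
    print("step-up required:", step_ups)
```

Note that the one password that worked from the flagged source (frank’s) is exactly the login the article warns about: the credential was valid, so the password check passed, and only the surrounding behaviour reveals it as a fraudulent access attempt that should be challenged.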

Unfortunately, web application security breaches are a fact of life in the modern world. Yet by focusing on comprehensive user security education and performing a web application vulnerability assessment to identify cross-site scripting, SQL injection, input validation issues and other vulnerabilities, organizations can lay the groundwork for more secure web applications. In addition to putting more processes in place, organizations can also look to technology solutions that can help protect their web applications from the inside. One of these technologies is Runtime Application Self-Protection (RASP), which is designed to identify ATO attacks in real time.

Just as there’s no single point of entry to the corporate enterprise, there’s no single solution that addresses all threats to an organization’s information assets. Protecting the network perimeter is critical, but with hackers increasingly targeting the low-hanging fruit of web applications, securing applications is the key to guarding against attacks that can breach the perimeter.

Mike Milner is a critical thinker and technical strategist with a measured approach to effective execution. Mike is the Co-founder and Chief Technology Officer of IMMUNIO. While he’s witnessed the breadth of opportunities technology and data intelligence have created for business and government, Mike’s focus has always been on their vulnerabilities. Between fighting cybercrime for the Canadian government and working for security agencies overseas, Mike has developed a deep understanding of the global security landscape and how the underground economy dictates hacks and ultimately drives breaches. This unique experience, paired with his robust technical prowess, helped Mike uncover what the next generation of security software should look like in IMMUNIO. Prior to founding IMMUNIO, Mike was a lead member of the technical staff at Salesforce.com, where he gained insight into the business side of web applications. He also served as a software engineer at Canonical, working on the world’s most popular free operating system, Ubuntu, following his time serving both the Canadian and UK governments.
