10 July 2015
Interesting information from two separate sources confirms what everyone has long suspected: compromised email accounts are a primary route by which digital takeovers are executed.
BreachAlarm have compiled statistics from their own database of known-compromised email accounts which suggest that 41% of tested email addresses are compromised. They admit the data is likely to be skewed (most people only go and check if they already think they have been compromised), but that’s still a really high number.
Now combine that with Experian’s recent commentary – specific to bank checking (current) accounts in the UK – that “89 in every 10,000 current account applications is by a fraudster using a stolen ID”.
So you’re thinking: OK, just under 1% of applications; that’s not such a big deal, right?
In the 2014-2015 period, in the UK alone, over 1 million bank account switches took place. Which means that potentially a hundred thousand personal bank accounts were taken over during that one-year period. In the UK alone.
The reason for this is simple: the vast majority of online services use email as the route to establish identity when a password reset is requested.
Once the email account is compromised, it becomes significantly easier for the attacker to complete the rest of the digital takeover by progressively resetting passwords across accounts. The more services they compromise, the more information they have about the individual, making it that much more feasible to take over the digital persona in its entirety. Alex Simons walked through a real-world example at Cloud Identity Summit earlier this year (the relevant section starts about 9′35″ in).
So what do we do about it? Well, 2(+)FA can help, clearly. But that’s still shutting the stable door after the horse has bolted – and remember that the chain is really only as strong as its weakest links. The majority of services today sadly don’t implement multifactor, or federation; or their customers choose not to switch it on. And why should they? For most people, 2FA (at least the way it’s generally implemented today) is an inconvenience.
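To make the reset chain in the two paragraphs above concrete, here is an added example (mine, not from the post or from the talk it cites) that models each account's recovery routes as a graph, computes which accounts fall once a single email account is lost, and shows which ones a second factor keeps out of reach. The account names, recovery routes and MFA flags are constructed sample data.

```python
from collections import deque

# Constructed sample: each account lists the recovery routes through which its
# password can be reset (an email account, a phone number, another service).
# "mfa" marks accounts where a successful reset alone is not enough to log in.
ACCOUNTS = {
    "mail:alice@example.com": {"recovers_via": ["sms:+44700000000"], "mfa": False},
    "shop:alice": {"recovers_via": ["mail:alice@example.com"], "mfa": False},
    "social:alice": {"recovers_via": ["mail:alice@example.com"], "mfa": False},
    "bank:alice": {"recovers_via": ["mail:alice@example.com", "social:alice"], "mfa": True},
    "mail:alice.work@example.org": {"recovers_via": ["mail:alice@example.com"], "mfa": False},
    "payroll:alice": {"recovers_via": ["mail:alice.work@example.org"], "mfa": False},
}


def blast_radius(accounts, compromised, mfa_blocks=True):
    """Return the set of accounts that can be taken over, starting from the
    already-compromised set, by progressively requesting password resets.

    An account falls as soon as ANY one of its recovery routes is controlled
    (the weakest link decides). With mfa_blocks=True an account protected by a
    second factor does not fall, and so cannot serve as the next foothold."""
    # Reverse index: which accounts name this route as a recovery path?
    dependents = {}
    for name, info in accounts.items():
        for route in info["recovers_via"]:
            dependents.setdefault(route, []).append(name)
    owned = set(compromised)
    queue = deque(compromised)
    while queue:
        foothold = queue.popleft()
        for name in dependents.get(foothold, []):
            if name in owned:
                continue
            if mfa_blocks and accounts[name]["mfa"]:
                continue  # reset mail arrives, but login still needs the second factor
            owned.add(name)
            queue.append(name)
    return owned


def saved_by_mfa(accounts, compromised):
    """Accounts that the chain reaches only if their second factor were switched off."""
    return blast_radius(accounts, compromised, mfa_blocks=False) - blast_radius(accounts, compromised)


if __name__ == "__main__":
    start = {"mail:alice@example.com"}
    print("taken over:", sorted(blast_radius(ACCOUNTS, start)))
    print("held by MFA:", sorted(saved_by_mfa(ACCOUNTS, start)))
```

Run it with different starting points (the phone number, the work mailbox) to see how far each single compromise propagates; the same walk over a real inventory of recovery routes is what a defender needs to decide where step-up verification matters most.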
There are improvements coming, for sure (Mobile Connect, FIDO and a range of startups and new market entrants with innovative solutions) but the adoption curve will be slow; and it’s going to take a while before we get to Bob Blakley’s utopia of security designed for the bad guy, not the good guy.
In the meantime, then, sharing intelligent, real-time alerts about potentially compromised accounts – not just email, but other cyber-services too – will help companies more intelligently target their step-up verification processes, and put a roadblock in this superhighway of fraud.