An access credential is, in essence, a username and password associated with a person, together with the access permissions granted to that person for an application, service or system. An access credential can also take the form of a user certificate, or any other method of authentication used to grant access to a resource such as an application, web page or service.
Access credentials are used on a daily basis by all kinds of user profiles, both experts in ICT systems and people unaccustomed to new technologies. This makes them a target for cybercriminals, who also require these credentials to achieve their goals.
Crimes aimed at obtaining access credentials are growing every year, with new techniques and mechanisms being implemented to try to obtain them.
Access credentials are essential in order to protect an organisation’s information and personal data, so it is important to be clear about which attacks are focused on obtaining them and what mechanisms and techniques they employ.
Attacks on passwords
One of the most common password attacks is brute force, which consists of guessing the password on a trial-and-error basis. This method begins by trying different combinations with personal data, data collected by other means or random data.
These attacks are automated with tools that carry out the search for the attacker.
Dictionary attacks are another type of password attack. They exploit the malpractice of using a word as a password. As in brute force attacks, tools are used to automate the search process.
This cyber-attack uses dictionaries, which are text files containing words and character strings commonly used as passwords. Many dictionaries are available on the internet, such as the widely used rockyou.txt.
If the cyber-attack is heavily targeted against a specific person, information about the victim is also usually collected, such as dates of birth, names of family members, pets or places where the victim has lived, and a customised dictionary is built from these and similar combinations, taking advantage of the malpractice of using passwords based on personal data, likes or dislikes.
What can be done to prevent passwords from being vulnerable to these attacks?
Create strong passwords that meet the following guidelines:
- At least 10 to 12 characters, combining different types of characters (upper case, lower case, numbers and symbols);
- The following should not be used:
  - Simple words in any language (dictionary words);
  - Personal names, dates, places or other personal data;
  - Words made up of characters that sit close together on the keyboard;
  - Excessively short words.
- Avoid using passwords consisting of elements or words that may be public or easily guessable (e.g., name + date of birth);
- Create stronger and more robust passwords, totally different from others, to access critical services or applications.
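As an added illustration of the guidelines above (example code written for this page, not part of the original article), the following Python checker tests a candidate password against them: minimum length, character-class mix, no dictionary words, no personal data and no runs of adjacent keyboard keys. The small COMMON_WORDS set, the keyboard rows and the sample passwords are constructed stand-ins; a real deployment would load a full wordlist such as rockyou.txt.

```python
import string

# Constructed stand-in for a real wordlist such as rockyou.txt.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "dragon", "football", "monkey"}

# Keyboard rows, used to spot runs of neighbouring keys such as "qwerty" or "12345".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 12      # the stricter end of the article's "10 to 12 characters"
MIN_CLASSES = 3      # of the four classes: upper, lower, digit, symbol
MIN_RUN = 4          # adjacent keys in a row before it counts as a keyboard pattern

# Common substitutions ("p@ssw0rd") are undone before the dictionary check.
_DELEET = str.maketrans("@$013", "asoie")


def _character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def _has_dictionary_word(pw: str) -> bool:
    low = pw.lower()
    deleet = low.translate(_DELEET)
    return any(w in low or w in deleet for w in COMMON_WORDS)


def _has_personal_data(pw: str, personal) -> bool:
    """True if any supplied personal string (3+ chars) is embedded in the password."""
    low = pw.lower()
    return any(len(item) >= 3 and item.lower() in low for item in personal)


def _has_keyboard_run(pw: str) -> bool:
    """True if MIN_RUN or more neighbouring keys of one row appear, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + MIN_RUN] in low for i in range(len(seq) - MIN_RUN + 1)):
                return True
    return False


def check_password(pw: str, personal=()) -> list:
    """Return the guideline violations for pw; an empty list means it passes.

    personal: strings the user should not embed (names, pets, places, date parts).
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = _character_classes(pw)
    if classes < MIN_CLASSES:
        problems.append(f"uses only {classes} of 4 character classes")
    if _has_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if _has_personal_data(pw, personal):
        problems.append("contains personal data")
    if _has_keyboard_run(pw):
        problems.append("contains a run of adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the personal tuple is what the user told us about themselves.
    for candidate, personal in (
        ("password123", ()),
        ("Rex-Smith-2019!", ("Rex", "Smith", "2019")),
        ("Qwerty!Zone2024", ()),
        ("Tr0ub4dor&3Blue!9", ("Smith",)),
    ):
        print(candidate, check_password(candidate, personal) or "OK")
```

The check is deliberately a list of reasons rather than a pass/fail flag, so a registration form can tell the user which guideline was broken; the leet-undoing step matters because wordlists already contain the obvious substitutions.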
Common mistakes in the use of passwords
Credential stuffing is a weakness that makes it easier for a brute-force or dictionary attack to succeed.
Password spraying is the technique of trying a large number of stolen passwords (from a security breach) against a group of accounts (e.g., the webmail accounts of a company's employees) to see whether access can be gained where it is wanted. These searches are automated with tools that limit the number of access attempts so as not to trigger the alerting systems of the site being attacked.
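The paragraph above notes that these tools throttle their attempts so that per-account lockouts and alerts never fire. The detection logic below (an added example, not part of the original article) therefore aggregates failed logins by source address across many accounts rather than per account: a source that fails against at least min_users distinct accounts inside the window, with no single account exceeding max_per_user failures, is reported, together with any account that then logged in successfully from the same source. The log format, addresses, usernames and timestamps are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One event per line: ISO-8601 timestamp, source address, account, outcome (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: 203.0.113.7 tries six accounts once each, slowly,
# and gets into "frank"; 198.51.100.5 is a real user mistyping their password.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:03:00Z src=198.51.100.5 user=bob result=FAIL
2024-05-01T09:03:20Z src=198.51.100.5 user=bob result=FAIL
2024-05-01T09:03:41Z src=198.51.100.5 user=bob result=OK
2024-05-01T09:05:40Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:11:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:16:55Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:22:18Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:27:44Z src=203.0.113.7 user=frank result=OK
"""


def parse_events(lines):
    """Return (timestamp, src, user, result) tuples in time order, skipping unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_spraying(lines, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Report sources whose failures are spread thinly over many accounts.

    A spray stays under the per-account lockout (max_per_user) on purpose, so the
    signal is the number of distinct accounts failing from one source in a window.
    """
    fails = defaultdict(list)   # src -> [(ts, user)] for failed logins
    oks = defaultdict(list)     # src -> [(ts, user)] for successful logins
    for ts, src, user, result in parse_events(lines):
        (fails if result == "FAIL" else oks)[src].append((ts, user))

    alerts = []
    for src, events in fails.items():
        for i, (t0, _) in enumerate(events):
            in_window = Counter(u for t, u in events[i:] if t - t0 <= window)
            if len(in_window) >= min_users and max(in_window.values()) <= max_per_user:
                # Accounts that logged in from the spraying source afterwards are the
                # ones to reset first.
                compromised = {u for t, u in oks[src] if t0 <= t <= t0 + window}
                alerts.append({
                    "src": src,
                    "start": t0.isoformat(),
                    "users": sorted(in_window),
                    "succeeded": sorted(compromised),
                })
                break   # one alert per source; later windows overlap this one
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG.splitlines()):
        print(alert)
```

A classic brute-force attack against a single account would fail the max_per_user condition here and should instead be caught by a per-account failure threshold; the two rules complement each other rather than replacing one another.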
Here are some actions that can help counter these attacks or to try to make a password less vulnerable to such attacks:
- Do not reuse passwords under any circumstances, especially those used for access to critical systems.
- Enable MFA (multi-factor authentication) or 2FA (two-factor authentication) whenever the system being accessed allows it.
- Consider access using factors other than the username/password pair itself, such as:
  - Biometric systems such as fingerprint, iris, etc.
  - Cryptographic tokens, software or hardware
  - Coordinate cards
  - One-time passwords (OTP)
- Avoid using your corporate account and email to register for non-corporate services.
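The OTP factor listed above can be illustrated with the HOTP and TOTP algorithms of RFC 4226 and RFC 6238 (an added example, not code from the original article). The verifier checks a submitted code against the current 30-second time step and one step either side to tolerate clock drift, compares in constant time, and refuses to accept a time step it has already consumed, so that a code captured by a phishing page or keylogger cannot be replayed. The secret is the RFC test-vector key; the usernames and the in-memory replay table are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"), used here
# only so the output can be checked against the published vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter derived from Unix time (RFC 6238)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check with drift tolerance and replay protection."""

    def __init__(self, step: int = 30, digits: int = 6, drift: int = 1):
        self.step, self.digits, self.drift = step, digits, drift
        self._last_step = {}   # user -> highest time step already accepted (constructed in-memory table)

    def verify(self, user: str, secret: bytes, code: str, at=None) -> bool:
        if at is None:
            at = int(time.time())
        current = at // self.step
        for d in range(-self.drift, self.drift + 1):
            candidate = current + d
            # A step that has already been consumed is never accepted again, so a
            # code captured by a phishing page or keylogger cannot be replayed.
            if candidate <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(TEST_SECRET, 59)
    print(code, v.verify("alice", TEST_SECRET, code, at=59))   # first use: accepted
    print(code, v.verify("alice", TEST_SECRET, code, at=59))   # same code again: rejected
```

In production the replay table lives in the user's record rather than in process memory, and the secret is provisioned to the user's authenticator out of band; the verification logic itself is the same.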
Social engineering attacks focused on obtaining passwords use a variety of manipulation techniques to gather information that helps in guessing passwords and, in some cases, to obtain the credentials directly.
Phishing, smishing, vishing and warshipping
These types of cyber-attacks mainly take advantage of people's lack of information and naivety. They impersonate, by various mechanisms and means, a trusted manager or agent (bank, post office, tax authorities, etc.) in order to request the victim's credentials. To do so, they use different entry vectors such as emails, SMS, calls or devices.
- Phishing: A technique that consists of sending an e-mail with an urgent or eye-catching subject (banking matters, tax office, post office, etc.). In this message, a link or button is added that leads to a website designed to look very similar to the legitimate website of the entity they claim to be and they request that you enter your credentials to log in. These fake websites will record the credentials entered and pass them to the attackers and redirect the victim to the original website of the spoofed company or organisation. There are several variants of phishing, such as spear-phishing and whaling.
- Smishing: A technique that consists of a cybercriminal sending an SMS to a user pretending to be a legitimate entity – social network, bank, public institution, etc. – with the same purpose as in the case of phishing.
- Vishing: A phone call that, using social engineering and similar techniques, seeks to obtain the user's credentials, with the same purpose as phishing and smishing.
- Warshipping: A technological gift (usually a USB device or similar) infected with malware that, when connected to our systems, uses different mechanisms to obtain credentials and other data and send them to the cybercriminal. Baiting can also be included in this category: an infected USB device is given away at conferences or conventions, or offered through websites with pop-up windows, advertised prizes or other mechanisms.
Shoulder surfing attack
This technique consists of spying on the victim as they type in their credentials, either because they are in a public or insecure environment or because of the cybercriminal's skill at observing what they type. In some cases, the attacker gains the user's trust by impersonating technical or trusted personnel, causing the victim to relax and enter their credentials without fear.
It is therefore advisable to be aware of the environment you are in, being alert to any suspicious activity that may occur around you.
Dumpster diving attack
This technique aims to obtain information by searching through the victim's rubbish. Attackers usually look for notes, notebooks and annotations, which reveal the type of credentials in use or a credential itself written down in a note or notebook.
The following guidelines are recommended in order to protect against social engineering attacks focused on obtaining credentials:
- Use common sense and be cautious at all times.
- Attend digital security awareness and training sessions. The first line of defence is the end user.
- Avoid clicking on links that arrive via SMS or emails. Banks, for example, do not send SMS of the type used in these attacks. If you want to access these services and websites, do so through the official channels and routes they offer.
- Use biometric logins and accesses such as facial recognition, fingerprint, etc.
- Enable 2FA or MFA on all logins where possible.
- Do not trust gifts from strangers, and check them beforehand with security software in a secure environment.
- Do not trust any phone call requesting access credentials.
Other attacks on credentials
Other cyber-attacks against credentials use malicious software such as keyloggers. A keylogger is a programme that captures everything typed on the computer infected with it. Cybercriminals first infect the victim's computer via USB, email or any other known attack vector, and then collect what is typed.
Another cyber-attack that may be aimed at obtaining credentials is Man in the Middle. This involves intercepting communication between two or more parties, impersonating one or the other as desired, in order to view and obtain information and modify it at will.
Once communications have been intercepted, the responses received at either end may have been manipulated or may not come from the legitimate interlocutor at all. The attacker can therefore use social engineering techniques in these messages, send malicious attachments to install software, or use spoofing techniques to steal the victim's passwords.