Break the Account Takeover Kill Chain with Better Password Encryption
Alex McConnell, Cybersecurity Content Specialist
5 minutes read
The new currency in the digital age is personally identifiable information (PII). Information about who we are, what we like, how we act, where we go and why we do things is a valuable resource which organizations use to sell to us more effectively.
Users rightly expect businesses to take proper care of this information, because in the wrong hands, it can be used to harm the user. For example, stolen information could be used to commit identity fraud against an individual, and misplaced credentials can be used to log into their accounts to steal financial assets.
The latter attack is known as account takeover (ATO) and cases have skyrocketed in recent years. ATO attacks exploit business logic by logging in using genuine username and password pairs. Sometimes these are stolen in full, or stolen passwords are encrypted but cracked over time. Other times criminals use brute force to try lists of common passwords. This is usually automated using bots to flood authentication services with login requests.
Account takeover hurts businesses and their customers
ATO has many negative outcomes for both businesses and their customers. Not only could the user lose access to their account and any associated credits or assets they have stored, but the business must spend time and resource repatriating the account to the customer and reimbursing the stolen assets.
This also harms the trust between the business and the customer, even though account takeover attacks are usually the fault of another company getting breached, plus the customer not practicing good password hygiene (e.g., re-using the same password across different services).
Despite this, businesses can still minimize the risk of ATO attacks by identifying suspicious traffic based on its behavior, origin or velocity of requests.
But there is another way businesses can help not just themselves but also other businesses from being vulnerable to ATO attacks: Through appropriate use of modern password encryption methods
Strong password encryption makes credential stuffing and ATO less viable
While some attacks can go back and forward through the stages, in general every attack must ‘start at the start’. Understanding how these attacks work gives the opportunity to disrupt their ‘kill chain’ early and thwart the attack.
The credential stuffing kill chain as defined by the BLADE Framework
The first tactic of most attacks is resource development, and an essential technique at this stage for any ATO attacks is credential acquisition. This is the stage where the attacker obtains usernames and passwords, either partially or in full, to be used against their target.
Most commonly, attackers will buy leaked data from the dark web. This data is usually stolen by other attackers by infiltrating data sources using methods such as phishing, man-in-the-middle attacks or malware.
Properly encrypting sensitive data benefits not only a business’s users, but also other businesses, because it makes credential stuffing and ATO attacks much harder for criminals to launch.
What is good and bad password encryption?
To know what is considered good or bad encryption and why this matters, let’s dissect what encryption actually is.
Encryption involves “hashing” the password, which means converting it into a string of characters, or a “hash”, using a key and an algorithm. The hash can be changed back to the password using the key. It’s good practice to ‘salt’ hashes, which is a method of preventing identical passwords from mapping to the same hash value.
The purpose of encryption is to prevent attackers from knowing what passwords are without access to the key, however technically any encryption can be ‘brute forced’ given enough time and compute resource.
Depending on the sophistication of the encryption method, the cost of a successful brute force attack is often not worth the outcome for criminals, depending on how much time and compute power is needed and how valuable the data is.
Anyone can visit haveibeenpwned.com to see which data leaks their email address has been exposed by. The site also gives details on each data breach, including when it was discovered, how many records were leaked, what kind of data was leaked, and whether passwords were encrypted, if so by which method, and whether their hashes were salted.
This gives a good indication of whether the target company was acting irresponsibly with their users’ data, for example if the passwords were inadequately encrypted or unsalted.
Details of which data leaks contained your email address, and how securely your data was being stored, can be found on haveibeenpwned.com
Popular password encryption tools and their strengths
Here is a short list of examples of commonly used password encryption methods, although many more exist.
MD5 (message-Digest Algorithm)
Historically popular, but because of a known collision attack allowing cracking to complete within seconds, MD5 isn’t deemed a secure password encryption method anymore.
SHA-1 (secure Hash Algorithm)
No longer considered secure because it generates digital fingerprints that can be forged by hackers.