A Thing
The Green Sheet

Friday, December 15, 2017

Data breach aggregation: yes, it's a thing

Security analysts are discussing a large cache of stolen credentials being sold on the Dark Web. 4iQ, a threat intelligence firm, made the disturbing discovery Dec. 5, 2017, during a routine investigation of an underground community forum. 4iQ investigators found the database of 1.4 billion stolen logins, displayed in clear text, organized alphabetically and optimized for search.

The database is an aggregated "dump file" of 252 high-profile data breaches, researchers noted. In addition to its record-breaking volume, the database has a user-friendly format with interactive tools to enable criminals to import new exploits as they occur. "The database was recently updated with the last set of data inserted on 11/29/2017," investigators reported. "The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869."

Byron Rashed, Director of Marketing at SiO4 Ltd., said the database's turn-key characteristics and built-in tools make it "a very efficient threat vector" that enables cyber gangs to deliver customized information to potential buyers in the underground economy. These tools can be repurposed on newly compromised caches of credentials, he noted. "This is especially dangerous since many users use their work credentials (both email and passwords) to access breached third-party sites, and in some cases of ISPs they use their [work] credentials [as] a backup email, creating a potential threat vector for businesses."

Advanced tools for advanced threats

Experts are calling for more advanced tools to fight cybercrime's rapidly scaling infrastructure. Satya Gupta, founder and Chief Technology Officer at Virsec Systems, said 4iQ's discovery highlights how cybercrime's organizational efficiencies enable unskilled criminals to acquire stolen data. "As this data becomes commoditized, its value does diminish, but [this is] of little comfort to consumers whose data is available to thousands of criminals," he stated. "These dark web marketplaces are probably also funding more advanced, and stealthy attacks being designed against high-value corporate, government and infrastructure targets."

The ability to cultivate nascent criminals is an especially disturbing trend, agreed Michael Magrath, Director of Global Regulations & Standards at Vasco Data Security. "Not only is stolen data aggregated, it has been catalogued and packaged so even novices to the Dark Web can easily search and acquire targeted data in similar fashion to a marketer renting a mailing list from a list broker targeting specific demographics," he noted.

John Gunn, Chief Marketing Officer at Vasco, said passwords insufficiently protect against escalating attack vectors, and are sometimes "more effective at keeping legitimate users out of their own accounts than at stopping hackers." Advanced, multilayered security such as "biometrics, behavior analysis, and adaptive authentication are far more effective at stopping crime than passwords and they don't place any burden on the user," he added. He predicted these methods will soon become new, universal standards.

Enterprise-scale protections

The need for advanced security methods is critical for organizations that manage and store data, said Lisa Baergen, APR, MCC, Marketing Director at NuData Security Inc., a Mastercard company. Financial institutions and payments industry stakeholders must migrate beyond collecting and storing static data that can be easily spoofed, she noted.

"With [GDPR] liability findings and rulings of the last year and this new discovery underscoring the scope and usability of personally identifiable information (PII) on the dark web, it's time to adopt technologies that look beyond the user's PII, such as biometrics," Baergen stated. "Taking a multi-layered approach that integrates authentication factors such as how the user behaves, their environment, and their patterns will give companies a holistic view of who the legitimate and would-be fraudulent are, and helps substantially decrease their liability exposure."

Gabriel Gumbs, Vice President of Product Strategy at Stealthbits Technologies, said 4iQ's discovery has implications beyond attackers gaining unauthorized access to personal and financial information; it points to a need for enterprises to improve their "corporate hygiene" by implementing stronger security and ending their dependence on passwords for protection. "Protecting against these types of attacks means that organizations need to adopt policies that not only protect against 'weak' passwords, but known breached ones as well," he stated. "A strong password policy simply cannot protect against an attacker [that has] access to the clear text version of that strong password."
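The policy gap described in the closing paragraph can be shown in a few lines: the sketch below is an added example, not code from the article or any vendor quoted in it, and it runs a complexity rule alongside a lookup against a known-breach corpus. The corpus, the 12-character rule and all function names are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for an aggregated breach corpus (not real breach data).
CONSTRUCTED_BREACHED = ["123456", "password", "Summer2017!",
                        "C0rrect-H0rse-Battery-9"]

def sha1_hex(password):
    # SHA-1 is used only as a lookup key, the form breach lists are commonly
    # shared in; it is not a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords):
    """Bucket digests by their first 5 hex characters, keeping only suffixes."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index

def is_breached(password, index):
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def meets_complexity(password, min_len=12):
    """Hypothetical 'strong password' rule: length plus four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= min_len and all(re.search(c, password) for c in classes)

def evaluate(password, index):
    """Return (accepted, reasons); a password must pass both checks."""
    reasons = []
    if not meets_complexity(password):
        reasons.append("fails complexity policy")
    if is_breached(password, index):
        reasons.append("appears in known-breach corpus")
    return (not reasons, reasons)

if __name__ == "__main__":
    idx = build_index(CONSTRUCTED_BREACHED)
    for candidate in ["password", "C0rrect-H0rse-Battery-9", "Vq7#mLp2!xRz9&Tw"]:
        print(candidate, evaluate(candidate, idx))
```

The second candidate satisfies every complexity rule and is still rejected, which is the case a complexity-only policy misses.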


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
