One of the most important, and yet most challenging, aspects of defending web applications is preventing account takeover attacks.
Once an account is taken over, the potential damage includes loss of access to and control over the account, data breaches and even fraudulent transactions. So why is account takeover prevention so challenging? A recent article discussing the massive data breach of Alibaba Group’s website Taobao, a Chinese e-commerce website for online shopping, may offer a potential answer:
“Taobao, China's largest online marketplace that operates in a similar fashion to eBay and Amazon, has been hit with an attempted cyber-attack as hackers successfully compromised more than 20 million user accounts linked with the service. The hackers, who have already managed to amass a vast database of 99 million usernames and passwords from a number of Chinese websites unrelated to Taobao, eventually discovered that a significant amount of the data matched active user accounts on the popular ecommerce website.”
Using the Taobao data breach as an example, it is clear how hackers continue to breach secure web applications. Visitors to highly-secured web applications create login credentials and then recycle those credentials to access another potentially vulnerable web application. Once hackers breach the vulnerable web application, they have a free pass to the user’s account on the fortified web application.
Here comes the challenging part: even a fortified web application has no control over such a scenario, and many of its authentication security mechanisms are useless in these cases. Despite the bad security practices of web application users, it ultimately remains the responsibility of the application to fortify its defenses and protect sensitive user data.
Solution? Cloud Security Intelligence!
Once data has been breached, hackers take the stolen login credentials across the internet, testing them at various web applications in the hope of gaining access to sensitive information. From a defensive point of view, examining a single transaction initiated with stolen credentials against a single web application yields an inconclusive insight, so taking preventive action on that transaction becomes a risky decision.
However, inspecting the failed and successful attempts with the same credentials across various web applications, as they stream through cloud networks, can yield more confident insights into the use of compromised credentials. The insights can include information on the attacking resources, the attacking techniques and the targeted web applications, eventually leading to improved protection against account takeover activity.
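To make the single-application versus cross-application contrast concrete, here is an added example (not code from the original post or from any vendor product) that correlates login events reported by several hypothetical applications. The application names, account names, source addresses and timestamps are constructed sample data; a real feed would carry pseudonymised account identifiers rather than raw usernames.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    """One authentication attempt as reported by a protected web application."""
    app: str        # which web application reported the event (hypothetical names)
    ts: int         # epoch seconds (constructed values below)
    src_ip: str     # source address of the attempt (documentation ranges)
    user: str       # account name (constructed; pseudonymise before sharing)
    success: bool


# Constructed sample feed: each application sees the same source address only
# two or three times, far too little to act on alone. The whole feed tells a
# different story.
EVENTS = [
    LoginEvent("shop",  1000, "203.0.113.7", "user_a", False),
    LoginEvent("shop",  1003, "203.0.113.7", "user_b", False),
    LoginEvent("bank",  1010, "203.0.113.7", "user_a", False),
    LoginEvent("bank",  1014, "203.0.113.7", "user_c", False),
    LoginEvent("mail",  1020, "203.0.113.7", "user_b", False),
    LoginEvent("mail",  1025, "203.0.113.7", "user_d", True),   # a reused password worked here
    LoginEvent("forum", 1030, "203.0.113.7", "user_c", False),
    LoginEvent("forum", 1033, "203.0.113.7", "user_e", False),
    # Constructed legitimate traffic: one person mistypes once, then succeeds.
    LoginEvent("shop",  1100, "198.51.100.5", "alice", True),
    LoginEvent("shop",  1105, "198.51.100.5", "alice", False),
    LoginEvent("shop",  1109, "198.51.100.5", "alice", True),
]


def single_app_suspects(events, app, min_failures=5):
    """What one application can see on its own: sources with many failures.

    With the constructed feed this returns nothing, which is the point made
    in the text: the single-application view is inconclusive.
    """
    failures = defaultdict(int)
    for e in events:
        if e.app == app and not e.success:
            failures[e.src_ip] += 1
    return {ip for ip, n in failures.items() if n >= min_failures}


def correlate(events, min_apps=3, min_failures=5, max_success_ratio=0.2):
    """Cross-application view: flag a source that sprays credentials across
    several applications with a low success rate, and list the accounts where
    its attempts did succeed so their owners can be forced to reset."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_src.items():
        apps = {e.app for e in evs}
        failures = sum(1 for e in evs if not e.success)
        success_ratio = (len(evs) - failures) / len(evs)
        if (len(apps) >= min_apps and failures >= min_failures
                and success_ratio <= max_success_ratio):
            findings[ip] = {
                "apps": sorted(apps),
                "failures": failures,
                "distinct_users": len({e.user for e in evs}),
                "compromised": sorted({e.user for e in evs if e.success}),
            }
    return findings


if __name__ == "__main__":
    print("per-app view of 'shop':", single_app_suspects(EVENTS, "shop"))
    print("cross-app view:", correlate(EVENTS))
```

The thresholds are assumptions chosen for the sample data; in practice they are tuned against the legitimate failure rate of each feed. The useful defensive output is the `compromised` list: accounts where a sprayed credential actually worked are the ones to notify and reset, regardless of whether the source is later blocked.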
The Taobao data breach is another example of the frequently ignored fact that a hacker’s easiest way to cause extensive damage is by collecting login credentials: essentially collecting the users’ credentials and walking easily through the web applications’ front door.
The methods to obtain users’ credentials may vary, but once identical credentials are in the possession of an attacker, it is a matter of time before the secure web applications are compromised, regardless of existing security precautions. That is why security education is crucial – users should understand the risk associated with weak passwords and how to maintain their passwords more wisely.
We need to make sure to use state-of-the-art authentication security mechanisms, such as strict password requirements, a CAPTCHA challenge to block non-human interactions, and rate limiting on the number of login attempts per user.
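As an added illustration of the last item, rate limiting login attempts per user, here is a small sliding-window throttle with a temporary lockout. It is example code written for this page, not code from the original post; the account names and timings are constructed, and `attempt_login` is a hypothetical login handler showing where the check sits.

```python
from collections import deque


class LoginThrottle:
    """Sliding-window limit on failed logins per key (an account name here;
    the same class can be keyed by source address as a second layer), with a
    temporary lockout once the limit is reached. The current time is passed
    in explicitly so the behaviour is deterministic and testable."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> epoch seconds when the lockout ends

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:   # drop events outside the window
            q.popleft()
        return q

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]   # lockout has expired
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed attempt; returns True if this one triggered a lockout."""
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, user, password_ok, now):
    """Hypothetical login handler around the throttle. Returns 'locked', 'ok'
    or 'denied'. The lockout check runs before any password verification, so
    no verification work is spent on a locked account."""
    if throttle.is_locked(user, now):
        return "locked"
    if password_ok:
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "denied"
```

The lockout is deliberately short and per account rather than permanent: a hard lock lets anyone who knows a username lock its owner out, so in practice this per-user limit is combined with per-source limits and the CAPTCHA challenge mentioned above rather than used alone. The `denied` and `locked` responses should also be indistinguishable to the client where account enumeration is a concern.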
At the same time, we should also look for innovative security solutions that take a fresh point of view on the entire threat landscape, eventually leading to the discovery of more elusive threats.
Finding those wilderness landscapes and growing security solutions in them is challenging, but it may be the unavoidable move that will keep us one step ahead of the threat actors lurking out there.