Yahoo: 1 billion; Myspace: 427 million; Oracle's Micros: 330 million; Ashley Madison: 300 million; LinkedIn: 167 million; Dropbox: 68 million. These are the numbers of exposed usernames, passwords, and other pieces of valuable PII breached in 2016. What is incredible is that this list is just the tip of the iceberg: these six companies alone account for a little under 2.3 billion exposed records. Even more disconcerting is that some of the breaches occurred four years ago and are only now being recognized. Keep this in mind as you implement data security strategies, because 2017 will more than likely be worse. When did the breach begin? What was the method of intrusion? Why are these pieces of information so valuable? What do cyber-criminals want with all of the usernames and passwords? And what are a few strategies we're seeing adopted for securing customer usernames and passwords without negatively impacting your customers and business intelligence?
When Does a Breach Begin? What is the Method of Intrusion?
Some of these data breaches began in 2012, and we are only now seeing the damage done. In reality, though, the full extent of that damage will not be realized for months or even years, because each of those hundreds of millions of exposed usernames and passwords contains pieces that cyber-criminals can use now to create personas: false identities that each lead back to the original victim. Furthermore, cyber-criminals know users resist changing their credentials, because it is easier to keep using their favorite ones. That is why cyber-criminals reuse old passwords across multiple accounts to match them to PII. These massive breaches are often used to engineer future breaches and phishing schemes. The frustrating part is that some organizations refuse to even admit that they were hacked, but when dumped account credentials—including emails, usernames, passwords, account types and other details—show up online, you do the math.
Why Cyber-Criminals Want Your Usernames and Passwords
Usernames, passwords, and emails connect the dots to PII (Personally Identifiable Information)—meaning they enable little bits of one's identity to be pasted together to form a whole. You may have heard about one of the aforementioned breaches in the last year and thought something like, Well, it's only one set of usernames and passwords—it didn't include a home address or anything. The fact is that there are a tremendous number of hackers and underground sites that leverage usernames and passwords to gain access to and collect your PII. Many even offer customer service to guarantee that the purchased Social Security Numbers, and any number of other PII pieces, are accurate. A username and password from one account, an address from another, a Social Security Number from another, and you see where this goes. For this type of fraud to succeed, criminals need a massive volume of stolen data, which lets them put all the tiny pieces of the puzzle together. With those pieces in hand, though, it becomes a disastrous house of cards for the victims whose records were compromised.
As I mentioned, with only six companies' breaches comprising close to 2.3 billion exposed accounts, the puzzle pieces needed to perpetrate fraud on a staggering scale are definitely out there, and they are definitely being lifted and used en masse. Last year alone merchants lost over $8 billion to fraud. Once all of the information is aggregated to create countless personas, cyber-criminals are able to purchase homes and cars, falsify tax returns, withdraw money, and even set up new bank accounts. Bottom line, exposed usernames and passwords create an avenue for cyber-criminals to quickly monetize their efforts.
What are some methods for securely storing Usernames and Passwords?
Generally, the most common ways of storing usernames and passwords are plaintext, encryption, and hashing. Plaintext is vulnerable because it applies no protection at all and can be read by absolutely anyone who gets hold of the data. Encrypting values protects the data, but encryption is reversible by design, so a cyber-criminal who also obtains the key can decrypt it. Hashing is a one-way function that converts the data into a fixed-length digest that cannot be turned back into the original value.
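To make the difference between plaintext and hashed storage concrete, here is an added example (written for this article, not TokenEx code) that stores the same credentials both ways. It uses a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) rather than a bare hash, so that two users with the same password get different stored values and an attacker who steals the table has to guess each one separately. The record format and function names are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed example for this article; not TokenEx's product code.
# Names and the on-disk record format below are illustrative choices.

PBKDF2_ITERATIONS = 600_000  # work factor: slows down offline guessing after a leak
SALT_BYTES = 16


def store_plaintext(db: Dict[str, str], username: str, password: str) -> None:
    """Plaintext storage: whoever copies the table has every password."""
    db[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per record means two users with
    the same password produce different digests, defeating precomputed tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def store_hashed(db: Dict[str, str], username: str, password: str) -> None:
    """Hashed storage: the table holds algorithm, work factor, salt and digest,
    never the password itself."""
    salt, digest = hash_password(password)
    db[username] = f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(db: Dict[str, str], username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    _alg, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    plain: Dict[str, str] = {}
    hashed: Dict[str, str] = {}
    store_plaintext(plain, "alice", "correct horse")
    store_hashed(hashed, "alice", "correct horse")
    store_hashed(hashed, "bob", "correct horse")  # same password, different record
    print("plaintext table exposes:", plain)
    print("hashed table exposes:", hashed)
    print("login ok:", verify_hashed(hashed, "alice", "correct horse"))
```

Note that the hashed table still lets the application authenticate users, but a thief reading it learns no password directly; the iteration count is what keeps guessing expensive, and it should be raised as hardware gets faster.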
Tokenization Secures Usernames and Passwords
I would like to introduce the idea of using tokenization to protect username/password combinations. Tokenization, traditionally used to protect data sets such as PCI and PII data, replaces the data with a pseudo-random value (a token) that cannot be reverse engineered. In the case of a breach, the exposed data is worthless because it is merely a stand-in for the username/password combination. Save for plaintext, each of the solutions above can be very effective in fighting a data breach. However, tokenization is the one solution that actually removes the sensitive data from your environment while still giving you unlimited flexibility in how you access and handle your data.
Cloud Tokenization removes all sensitive data sets from your environment, leaving only tokens in their place. If breached, your organization loses nothing because tokens are useless to criminals. Yet, these tokens work in your normal business systems, affording your organization all of the capabilities present with actual sensitive data. There is no way to get back to the original value of the token, so the cyber-criminal is left with a whole lot of nothing, and your organization has continued business as usual, having simultaneously removed the risk of handling sensitive customer data. TokenEx helps organizations secure usernames and passwords by offering a controlled, auditable method of securely storing and interacting with sensitive information. The actual sensitive data is stored in a secure cloud offsite, enabling organizations to minimize the risk associated with handling this sensitive data.
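The following is an added, deliberately simplified model of what the two preceding paragraphs describe: a vault that holds the real values and an application database that holds only tokens. It is written for this article and is not TokenEx's product or API; the class names, the `tok_` prefix, the account-id keyed lookup and the login flow are all illustrative assumptions. Because the tokens are drawn from a CSPRNG, there is no key to steal and no hash to guess; a copy of the application database alone yields nothing.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed model for this article; not TokenEx code. In a real deployment
# the vault runs outside the application's trust boundary (here: a separate object).


class TokenVault:
    """Stands in for the offsite store that keeps the actual sensitive values."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # The token is random, not derived from the value: it carries no
        # information that could be inverted, unlike ciphertext or a hash.
        while True:
            token = "tok_" + secrets.token_urlsafe(24)  # 32 URL-safe characters
            if token not in self._store:
                break
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can map a token back; unknown tokens return None."""
        return self._store.get(token)


class AppDatabase:
    """The application's user table after tokenization: tokens only.
    Rows are keyed by an account id (an assumption of this model)."""

    def __init__(self) -> None:
        self.rows: Dict[str, Tuple[str, str]] = {}  # account_id -> (user_tok, pass_tok)


def enroll(vault: TokenVault, app: AppDatabase, account_id: str,
           username: str, password: str) -> None:
    """Sensitive values never land in the app table; only their tokens do."""
    app.rows[account_id] = (vault.tokenize(username), vault.tokenize(password))


def login(vault: TokenVault, app: AppDatabase, account_id: str,
          username: str, password: str) -> bool:
    """Business logic keeps working: the app resolves tokens through the vault
    at use time and compares in constant time."""
    row = app.rows.get(account_id)
    if row is None:
        return False
    real_user = vault.detokenize(row[0]) or ""
    real_pass = vault.detokenize(row[1]) or ""
    user_ok = hmac.compare_digest(real_user.encode(), username.encode())
    pass_ok = hmac.compare_digest(real_pass.encode(), password.encode())
    return user_ok and pass_ok


def attacker_view(app: AppDatabase) -> List[str]:
    """Everything a thief gets from a copy of the application table."""
    return [tok for row in app.rows.values() for tok in row]


if __name__ == "__main__":
    vault, app = TokenVault(), AppDatabase()
    enroll(vault, app, "acct-1", "alice", "correct horse")
    enroll(vault, app, "acct-2", "bob", "correct horse")  # same password, unrelated token
    print("app table leaks:", attacker_view(app))
    print("login ok:", login(vault, app, "acct-1", "alice", "correct horse"))
```

The design choice worth noticing is that `tokenize` does not compute anything from its input, so the security of the tokens rests entirely on keeping the vault separate and access to `detokenize` controlled and audited; in this model a random token per record also means two accounts with the same password are indistinguishable in the stolen table.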
TokenEx is the industry leader in cloud tokenization, and has multiple customers currently tokenizing usernames and passwords. TokenEx is patented technology. Follow us on Twitter and LinkedIn. To learn more about how TokenEx secures usernames and passwords email email@example.com.