Today we will discuss using third-party services for credential theft.
Introduction to Using third-party services for credential theft
This article covers the security of third-party services that perform specialized functions, such as storing user credentials or logging in on behalf of a user. We’ll take an overview of how these services work, how to make sure you’re actually following proper cyber hygiene to prevent hacking, whether or not you should trust your credentials to such third-party services, and finally, we’ll discuss how hackers manage to breach these solutions.
Overview of features of third-party applications
Third-party applications allow you to manage activities that would otherwise be tedious to do manually. These activities would be, for example, logging into accounts or managing multiple different sets of credentials. The sensitivity of such third-party applications has motivated attackers to invest time in finding vulnerabilities that could allow them to conveniently take over accounts.
Managing your finances can be very difficult today, with all the expenses one incurs every month. This is why companies like Intuit have come up with financial management solutions that help people manage their spending.
Financial managers generally work by collecting all of your expenses and organizing them in an easy-to-understand format. The benefits are numerous, but in summary they are as follows:
- They allow you to create budgets that allow you to project into the future
- They allow you to visualize your accounts and remaining money
- They allow you to receive alerts when unusual expenses are detected
Mint is one of the most popular budgeting apps out there because it’s free and easy to set up. Along with other financial managers, Mint allows users to enter account information for their banks, PayPal, credit cards, and debit cards, and collects all of that information in a way that’s easy to interpret. Accounts, loans and investments can also be tracked.
Password managers are another class of third-party application: they allow users to better manage their accounts by storing and retrieving credentials from an encrypted database. You can already imagine the convenience that these solutions promise. Consider having to remember a unique eight-digit password for each of your online accounts.
Examples of popular password managers in use today are Dashlane, 1Password 7, KeePass, and LastPass. Later in this article, we’ll discuss the shortcomings of these password managers in how they apply basic security best practices.
Most third-party applications (especially money managers) do not store your credentials and financial information in the same place and, depending on the solution, protect them with bank-level encryption. This is to limit what an attacker gains in the event of a successful attack.
Should you trust budgeting apps?
There are several measures that have been taken to ensure that the security of most budgeting apps can be trusted. For example, with Mint, traffic is encrypted using 128-bit SSL encryption, verified through monitors such as VeriSign and TRUSTe. The servers also use 256-bit encryption to secure their files. The app itself provides two-factor authentication, Touch ID, and passwords to increase its security. However, we will soon see that when it comes to security, we can never claim to be fully safe; we can only make attacks more difficult. One way we can achieve this is by adopting healthy cyber hygiene.
If you decide to use budgeting apps, keep in mind that you’re making a trade-off: security for convenience. Banks often discourage you from using such apps, and for good reason. What is secure today may be revealed to be insecure tomorrow, and avoiding such apps ensures that you stay safe in the event of a compromise on their part.
How do account takeovers happen?
Account takeover is exactly what it sounds like: a situation where hackers successfully break into user accounts and take control of them as their own. This is facilitated by a number of weaknesses in third-party applications:
Exposure of master passwords, secret keys and other secrets in clear text in memory: Third-party applications, especially commonly used password managers such as 1Password, have some problems when it comes to managing password information in memory. For example, attackers can create applications/tools that dump these passwords from memory.
Failure of these applications to clear an obfuscated master password from memory: Some third-party password managers, such as 1Password 7, fail to clear the master password, secret key, and individual database passwords from memory once the application is in a locked state. In fact, once the database is unlocked, 1Password 7 stores the entire password database in memory. This is a very worrying reality as it allows attackers to create tools that can extract these passwords from memory and use them to take over user accounts.
Failure to properly encrypt database files on disk: The ability of a third-party application to encrypt its database files determines whether an attacker can successfully obtain account information if such a file is compromised. It is therefore important that the encryption mechanism for the database files is properly implemented.
Although some precautions are taken to prevent the recovery of master passwords and secret information, most password managers available today do not do a very good job of discarding previously used passwords from memory, and this may allow attackers to create tools that can retrieve these passwords from memory.
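The lock-state defect described above (a “locked” vault whose master password is still resident in memory) beside its hardened form, as an added example that is not code from 1Password or any other product. The vault structure, the buffer size and the sample master password are all constructed for this illustration; the point to take away is that the wipe must go through a volatile pointer, because a plain memset on memory that is never read again can be optimised out.

```c
#include <string.h>
#define MASTER_MAX 64

/* Hypothetical in-process vault state, constructed for this example. */
typedef struct {
    char master[MASTER_MAX];  /* master password held while unlocked */
    int unlocked;
} vault_t;

/* Wipe through a volatile pointer: a plain memset on memory that is never
 * read again is dead to the optimiser and may be removed entirely. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Unlock: copy the master password into the vault. Returns 0 on success. */
int vault_unlock(vault_t *v, const char *master) {
    size_t len = strlen(master);
    if (len == 0 || len >= MASTER_MAX) return -1;
    memcpy(v->master, master, len + 1);
    v->unlocked = 1;
    return 0;
}

/* The defect described above: "locked" is only a flag; the secret stays resident. */
void vault_lock_flag_only(vault_t *v) { v->unlocked = 0; }
/* Hardened lock: wipe the buffer before clearing the flag. */
void vault_lock(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    v->unlocked = 0;
}

/* Self-check: returns 1 if no byte of the secret buffer is still non-zero. */
int vault_secret_cleared(const vault_t *v) {
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof v->master; i++) acc |= (unsigned char)v->master[i];
    return acc == 0;
}

/* Unlock with a constructed sample password, then lock with the flag-only
 * (hardened = 0) or wiping (hardened = 1) lock; returns 1 if the secret
 * buffer was cleared, 0 if it is still resident, -1 on unlock failure. */
int lock_then_check(int hardened) {
    vault_t v = {0};
    if (vault_unlock(&v, "correct horse battery") != 0) return -1;
    if (hardened) vault_lock(&v); else vault_lock_flag_only(&v);
    return !v.unlocked && vault_secret_cleared(&v);
}
```

The same self-check can be run against a real application under a debugger after it reports itself locked; a non-zero master buffer is the condition the text describes.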
How do you ensure your accounts are secure?
Third-party applications will retain some functionality on your devices. Most of them perform the locking (encryption) and unlocking (decryption) mechanism locally on your device. Due to this, you should make sure your device is secure. Having a good password on a vulnerable machine is as bad as not having a suitable security measure in the first place, so you would want to:
- Patch your system: Ensuring that your devices have the latest operating system patches protects you from attacks that might lead to the compromise of your entire device. We have seen above that once attackers have access to your system, they can dump certain sensitive password information from memory and use that information to compromise your accounts
- Enforce two-factor authentication: Two-factor authentication on both your devices and accounts will prevent any unauthorized account access, further inhibiting attacks targeting your accounts
- Have an updated antivirus: An updated antivirus will be able to detect worms and viruses that attempt to leverage any unpatched vulnerabilities. These malware attacks may attempt to dump areas in memory where sensitive data is known to be found or points within your operating system which may allow unauthorized remote access
- Ensure proper cyberhygiene: The most common cybersecurity attacks today involve one or more aspects of social engineering. Malicious files and payloads are usually sent via this attack vector, leveraging the fact that unsuspecting victims will often click on exciting links. This is something that can only be fixed through proper awareness, as no patch will work here. Train yourself and staff to avoid downloading unknown attachments. Avoid clicking on any and every link when online
- Use a secure, supported solution: Ensure that the third-party product you use regularly receives patches and updates and that the company offering it actively supports it
How do you choose third-party solutions for credential management?
Before you choose a third-party solution to manage your credentials with, there are a couple of things you must consider. Bear in mind that not all password managers will provide the following features, and you may not find some of them to be as important.
- Multi-factor authentication: Good password managers should allow you to implement multi-factor authentication for added security
- Secure password generation: As we have seen above, it is possible for attackers to perform some form of attacks against certain password managers. You need to make sure you choose a solution that, depending on your needs, will securely generate, store and retrieve your passwords
- Automated password updates: One solution we have not discussed above is Avast Passwords. This solution can automatically generate new passwords once it detects that your accounts have been compromised. You can also manually check whether any of your accounts have been hacked
- Integration: You want to consider having a password manager that integrates with your browser through plugins and extensions to autofill login forms whenever you are logging in online, and that you can access across various platforms (Android, iOS, Linux and Windows). Your passwords should also sync automatically across your platforms
If you can avoid using third-party solutions for your account management and still adhere to good password best practice, then you should be good to go. Most people cannot manage to do this; the pace of work pushes them toward potentially insecure practices that provide extra convenience at the expense of security.
If this is your situation, make sure that the solution you’re resorting to provides proper security, is up-to-date and is actively supported by the provider. Most importantly, ensure you observe healthy cyberhygiene, as attacks against the “human element” have no patches.