Account Takeover IS Your Problem — SolarWinds TechPod 020

Phishing and malware are scary enough, but the number one tactic bad actors use to get access to and take over accounts is something different: using compromised credentials. Why? Because it’s so easy. Data breaches happen almost constantly, and credentials get leaked. At the same time, people are prone to reuse the same few passwords across all their accounts. These two facts spell trouble, as it’s almost impossible for an IT professional to know whether working credentials for their company email or CRM are floating around the dark web. Almost impossible, that is, until now. SolarWinds TechPod episode host Brandon Shopp, VP of product strategy, security, compliance, and tools, discusses the threat landscape and what we can do about it with Chris LaConte, chief strategy officer at SpyCloud.

Related Links
Chris LaConte

Guest | Chief Strategy Officer, SpyCloud

Chris has a proven history of helping organizations grow rapidly through partnerships, leading the strategic roadmap and guiding them through new markets and opportunities. As…
Brandon Shopp

Host | Vice President, Product, SolarWinds

Brandon Shopp is the vice president of product strategy for security, compliance, and tools at SolarWinds. He served as our director of product management since…

Episode Transcript

This episode is brought to you by SolarWinds® Identity Monitor. Check whether your credentials have been found in a data breach and get notified about any future breach exposure. Visit solarwinds.com/identity-monitor.

Brandon:
Welcome to SolarWinds TechPod. I’m your episode host Brandon Shopp, and with me today is Chris LaConte from SpyCloud, and we’re here to talk about the ever-rising threat of account takeover. Chris, can you tell us a little bit about your background?

Chris:
Absolutely. So, I’m the Chief Strategy Officer at SpyCloud. Previous to this, I was in financial services for over 15 years, spending a fair amount of that time—more than I’d like—in a lot of risk and security meetings.

Brandon:
Fantastic. So, what IT pros really want to know is: how do you be proactive against account takeover? And then, you know, from a budgetary perspective, and convincing my boss in order to provision a tool like this, what are some of the arguments and some of the data points I can use as an IT pro in order to have that discussion? So, we’ll be going through in this podcast today about the markets, about some of the higher profile type of breaches that have happened, as well as what are some mitigations you can take to prevent account takeover. So first, let’s kind of start fundamentally: what is account takeover?

Chris:
Sure. So account takeover, or also known as ATO, very frequently, is when someone gains access to an account that they shouldn’t have access to, simply put. We hear about it all the time, and we’ll talk a little bit about some of the reporting that’s been done related to how common this is. But ultimately, someone logs in to something they shouldn’t have access to.

Brandon:
Got it. And typically, you know, what are the types of tactics and methodologies people are using in order to get these credentials and accounts?

Chris:
Sure. I mean, there’s a couple of different ways an account could be taken over. The two primary ways are, certainly one, is what we would call credential stuffing, or using a compromised credential, which we’ll spend a lot of time talking about today. And then the other is phishing. Someone sends you a link, you click on it, you think you’re logging into the right site. In reality, you’re logging in to a bad actor site, and they’re capturing that information.

Brandon:
Yeah. A lot of times in the press these days when they talk about phishing, a lot of times that has to deal with malware. They don’t think of even other fundamental use cases like this to where somebody can get your credentials and then use them in order to breach your organization.

Chris:
Yeah, absolutely. And I think just to simplify it, it’s generally kind of thrown together, and they’re saying phishing is used, or how it was used. In reality, you look at something like the Verizon Data Breach Report that talks about the tactics that are used by bad actors to cause a breach—and I’d recommend to everyone listening to check out that report. It’s, luckily, written in a way that’s a little bit comical, but very, very informative. And it comes out every year around the February time frame.

Chris:
And one of the things that they looked at was, what are the tactics that are being used by a bad actor to cause a data breach. The number-one tactic that was used this year, or actually last year, in the prior two years, so three years running, was the use of a compromised credential to take over an account, which ultimately caused the data breach.

Brandon:
Gotcha. So I mean, the fact that Verizon is doing an annual report on this—

Chris:
Yeah.

Brandon:
… and that sounds like it’s been happening for multiple years. I think that lends kind of to the point of that this is a pretty big problem. And so I was hoping maybe you can elaborate a little bit about that, about how big of a problem really is this, as account takeover?

Chris:
Yeah, absolutely. So first, I think you go to look at what’s the data that’s out there that these bad actors have access to, to cause this. So you think about a compromised credential, and the most common place a compromised credential comes from is from a third-party data breach. It’s this kind of cyclical cycle. They compromise a site, they take the kind of compromised credentials as well as other data, and then they use it to cause more harm, whether it be another data breach or take over your account, take over your Netflix account, your Amazon account, Facebook account, anything like that.

Chris:
So from a SpyCloud perspective, we’re out there and we’re gathering all of the data that we can from a third-party data breach. And to date, we have roughly 78 billion different assets that we’ve recovered from a data breach, or from roughly 13- to 14,000 data breaches. And when you think about an asset, just so we’re all using kind of the same terminology, an asset to us is an email, it’s a password, it’s your address information. It could be your social, your credit card number.

Brandon:
So, PII.

Chris:
PII, exactly. So today we probably find about 140 different unique kind of data types or data assets that we’ve categorized. The average breach really only has seven to eight in that. And most commonly, it’s an email password combination. So if we look at just the passwords that we have in our database, we have roughly 18 billion plain-text passwords today, of that 70 billion.

Brandon:
Wow.

Chris:
Yeah, it’s a significant number. And of those, well actually it’s 20 billion, but 18 billion are in plain text.

Brandon:
Got it.

Chris:
So, that’s the scary part. So, they have your email and then they have a password that’s combined to that. And so they can then use that information to try and log into your web mail account, your Salesforce account, your corporate account, those types of things. So they can use that email password combo to pretty simply log in. Because, if you think about how often people use the same passwords, there’s a whole host of studies out there. IBM did a good one in February, Dashlane’s done some good ones as well. But ultimately, what we’ve seen is the average person has anywhere from, call it four to 12 unique passwords.

Chris:
But, one thing that Dashlane, who’s a password manager, has found is you would go in there, and you’d put in all the different accounts you log in to. They see about 200 accounts per person. So if you think, “About how many sites do I log in to?” There might be five or 10 that you log in to daily. But ultimately, if you think of all the accounts that you have, your email password in, Dashlane says it’s around 200. So if you take that, let’s say four to 12 passwords, but you apply that to 200 different sites. Obviously people are using the same passwords—

Brandon:
Yep.

Chris:
… over and over and over again. And even if we see some delineation between it, where we’ve normally seen things like, let’s say you use “Brother” as the main, and then “82” as the number, might be an upper case B for one, or an exclamation mark at the end for your bank account, because that’s really secure. But in reality, if you look at the data that’s been exposed, let’s say that email password combos out there, it doesn’t matter how complex your password is, it could be in the hands of bad actors who can just log in with it.

Brandon:
And even if you use something, I mean there’s dictionaries and there’s tools that will go and they’ll try various combinations. If they have kind of the roots of how the password is structured—

Chris:
Yeah.

Brandon:
…they’ll go and they’ll try things.

Chris:
We call it fuzzy matching.

Brandon:
There you go.

Chris:
And so you just kind of change the first character, the last character. And, to your point where you mentioned when they were using these dictionaries and tools, traditionally credential stuffing kind of used to be, “Hey, let’s throw a lot against this system.” But systems have gotten smart, right? And they’ve been designed as such to say if I’m seeing 10 logins come from the same IP address, there’s something wrong here.

Brandon:
Yep.

Chris:
And that’s become more commonplace by a lot of technology providers today. So, as with anything, the bad actors have gotten more intelligent and said, “Well I can’t go and throw a whole bunch of dictionary words against this email. Why don’t I go to see if this person already has an exposed password?” So my chance of success is, statistically, significantly higher. And so, what we’ll see is someone coming in with that, and trying four or five different attempts.

Chris:
And they’re using a lot of open-source technology to do this. So, you can go and download things like Sentry MBA or Sniper, which are open source, really available to anyone. And those are open-source credential-stuffing tools. So, you don’t have to be a sophisticated bad actor to use these. They can download that, and then they can go on something like Pastebin or others, and try and find these what are called combo lists. So a combo list is when a bad actor or a group of bad actors take individual breaches, they format the file into a singular file with a very standard format.

Chris:
They don’t really care where the emails and passwords came from, LinkedIn, MySpace, whatever, some of those more well-known breaches that had passwords included. And they’ll take that information and they can simply plug that in—just like a click-and-drag, super easy to use—over into these credential-stuffing tools, and then these tools have already been set up with intelligence to fingerprint a site.

Chris:
So remember how I mentioned that some sites will say, “Hey, if this comes in 10 times from this IP address, let’s block that IP address.”

Brandon:
Yep, go and lock the account proactively.

Chris:
Exactly. So what these programs will do, it’s a constant battle between the good and the bad. The bad actors have customized and have open-source kind of communities where they can say, “Hey, here’s the new setup file for, I don’t know, Amazon, Netflix,” doesn’t matter, any site, and it’s added into the program and it knows, “Oh this is how they’re currently tracking or checking for credential stuffing.” So it’ll intelligently change.

Brandon:
Got it.

Chris:
And they’ll say, “Well, I’m not going to try that same email password and get rejected four times in a row, because I know the site will block it.” I’ll do three times.

Brandon:
And I’ll back off for 10 minutes.

Chris:
Or it’ll plug into a botnet. So you get a little more sophisticated, and some of these bad actors have access to botnets. And they’ll just use an IP address from that machine they’ve compromised. So it’s a constant battle.

Brandon:
Makes sense.

Chris:
But ultimately at the end of the day, they’re trying to get through the door with that email password combination. So while it’s great to try and stop it from bot detection, if you have that information, and you can say, I know this password’s been out there before, let’s make sure that we don’t let this user, an employee, use that. You can kind of stop them at the door even if they figure out interesting ways to try and open the door.

Brandon:
Got it. And so, I mean, it sounds like poor password hygiene is kind of the root, or the main—

Chris:
Yeah.

Brandon:
… thing that’s causing this problem to begin with.

Chris:
And it’s tough. I think, we’re all in IT, and so we get it. We understand. We should have unique passwords for everything.

Brandon:
It’s just human behavior.

Chris:
Exactly. And password hygiene’s just really tough for the average person.

Brandon:
Yep.

Chris:
I love my parents, but when I think about how they’re probably managing passwords and we’ve talked about password managers. It’s just easier to use what you’ve done before. You’ve got your five or six, you rotate it. Sadly, when we see that data, as you can see in Identity Monitor, that’s been compromised, it’s not uncommon for you to have a fair amount of passwords you use today that are exposed in the wild.

Brandon:
Yeah. And I’ve even seen too, where people are trying to be diligent about using different passwords, but then they’ll go and do things because they’re not going to memorize, “Okay, on this site, I use this password.” They actually write it down on a piece of paper.

Chris:
Oh yeah.

Brandon:
And then you know, they don’t sticky it to the monitor.

Chris:
Yeah.

Brandon:
But they’ll put it inside a journal or a notebook—

Chris:
Yeah.

Brandon:
… that they use on a daily basis. And it has all their credentials and it’s just as bad.

Chris:
Absolutely. And what’s worse is you normally look at that piece of paper and you see the same passwords used multiple times.

Brandon:
Yeah.

Chris:
So even though you’re keeping track, in reality, if I have one of your passwords and you’re using it five different times, there’s a high likelihood of success that I can get in, or someone could gain access to that account.

Brandon:
Yeah, I know even on the IT side, when you’re installing—pick any product in your IT environment—to do monitoring, or management, or configuration, whatever the use case may be, that product needs unique credentials for your infrastructure. And then you go and procure another product, and you do the same thing. You insert the credentials.

Chris:
Absolutely.

Brandon:
And all of a sudden, “Okay, I changed the password.” Those products, it’s not necessarily a bad actor, but those products will go out there and try to use that old set of credentials and all of a sudden the account’s locked.

Chris:
Yep. Yeah.

Brandon:
So, yeah, I mean, people natively or inherently will go, “What makes me feel the most secure, but it’s the easiest path forward?”

Chris:
Yeah, and on the kind of technology providers side, they’re fighting against friction. Especially if you think about consumer products. They want to let people log in as quickly and easily as possible. So they’re really not putting the NIST password framework into play.

Brandon:
Yeah.

Chris:
Sometimes we’ve all done this, even in the IT world, we go to put in a password and it’s like uppercase, lowercase, no special character. But you can’t have this, you can’t do that. Oh, you can’t copy into this field. It’s a frustrating experience. And so these providers, they’re trying to balance between how much friction do I introduce to stop account takeover. But I can’t introduce so much that even a good person can’t get in.

Brandon:
Yeah.

Chris:
So, you kind of have to help people kind of protect them against themselves.

Brandon:
Yeah. Totally makes sense. So great. So an account, your information shows up in a breach, so great, now what happened? So my credentials have been stolen. What typically happens next?

Chris:
Yeah. So let’s talk about how your credentials generally end up. So normally what happens, and let’s take it like a deep dive into the, what we would call the underground. So I think things like dark web, deep web, like more and more in the security world, we’re looking at those as buzzwords.

Brandon:
Yup. I’ve heard dark web.

Chris:
Yeah, everyone’s heard dark web. I mean Experian does a good job marketing that to people. To say, you’ve got to check the dark web and you should buy this product.

Brandon:
Yep.

Chris:
But ultimately what ends up happening is a bad actor compromises a site, could be a million different ways, could be because of compromised credentials. But generally they will compromise the site and they’ll extract the data as quickly as they can, in a format in which they are not detected. So there’s a good research report. I think the Verizon Data Breach Report mentioned this, something like 56% of breaches took longer than a month to detect.

Brandon:
Okay.

Chris:
But even if it’s a day, that data’s out there and then the tail gets pretty long. I mean, think about some of the breaches we’ve heard about recently. Think about Yahoo and things like that, with the whole class action lawsuit that’s happening now. But when you think about, they were kind of compromised over a period of time before they knew it. Those credentials have been floated around for a long time.

Chris:
So they’ll go out, they’ll extract the data, and ultimately they end up sharing it with a small group.

Brandon:
Okay.

Chris:
If you think about it from a criminal’s perspective, you’ve gone through all this work to compromise this site, or this company. To go and put the data on the dark web for sale immediately doesn’t really make a ton of sense. One, there’s law enforcement, security companies, all that type of stuff that are monitoring those open forums where you would have a transaction. And so ultimately, now you’ve just kind of disclosed that the breach happened. And now they can go and try and reset those credentials and things like that, notify people “Don’t use it.” So now the value of that data’s dropped—

Brandon:
Yep.

Chris:
… pretty quickly. So that’s why you don’t see that happen a lot. Outside of kind of reputation harm, if the bad actors’ goal is to cause harm to an organization, just through public, unless you look at some of the stock prices, that will drop after a data breach is announced. So if that’s their motivation, but ultimately, again, Verizon Data Breach Report does a good job talking about that. Most are financially, most bad actors are financially motivated in a compromise.

Brandon:
Yeah. That makes sense. I mean, everybody hates their job.

Chris:
Everybody hates their job.

Brandon:
Yeah, everybody’s coin-operated. I want to get something for my work.

Chris:
Absolutely. So they’ll go in, they’ll get the data, and then they’ll share it with a very small group.

Brandon:
So why do they do that, just with a small group?

Chris:
Well, in these communities, it’s a lot about building trust, building up your persona. And again, most of these actors, they don’t know who’s on the other side of that persona. So they compromise it, but they share it with a small group of people they think they can trust. Because that small group, just like any criminal gang, like you see on TV, if they’re going to rob a bank, you’ve got the getaway driver, you’ve got the kind of the guy who can crack the safe. You’ve got the person who’s the lookout. There’s roles.

Brandon:
Yep.

Chris:
Same thing in these types of communities. So you might have extracted all this data but you can’t wrap your head around it. You can’t parse it. So they’ll go to someone they know that’s really good at data extraction. Then let’s say that these credentials are encrypted, which is becoming more and more common, but the encryption that a lot of companies still are using isn’t great. So, these passwords are very crackable. We just had the DoorDash breach was announced.

Brandon:
Yeah, I read about that.

Chris:
And in their announcement they say, “Don’t worry, we salted and hashed the passwords, which makes them indecipherable to anyone.” Technically, that’s not true.

Brandon:
Yep.

Chris:
This day and age, any type of encryption can eventually be hacked.

Brandon:
It’s just time.

Chris:
Exactly. Some can take two minutes, if you’re on SHA1 or MD5, which are popular hashing techniques, although kind of no longer known as encryption, because it’s so easy.

Brandon:
Yeah, they’re very outdated.

Chris:
Those can take seconds.

Brandon:
Yup.

Chris:
All the way to, let’s say hard-coded, salted, peppered in a hash that could take months if not years. But a lot of companies kind of end up being on that, we’ve got SHA1, we’re salted or maybe encrypt without salt, those types of things. But ultimately, now you’ve got that person in the underground, who’s responsible for helping crack those passwords. So it’s a group. And then you’ve got the people who are kind of doing the crime after the crime’s been committed.

Chris:
They’re going and trying to gain access to high profile accounts. Let’s say the CEO of the company. They’re trying to use that email password combo. So then you’ve got like this next layer of fraud that happens. They still don’t want the breach to be publicly known. They’re still not selling the data. They would rather have someone in this group or kind of compromise an account, and they all kind of share in the financial benefit that may come from that. So we see this data stay in that cycle, especially in that longer tail of being used to kind of target people. See a lot of ransomware happening. Ultimately, ransomware certainly is malware that gets loaded on a machine that can encrypt it.

Chris:
But, how they gain access to it, we believe more and more that they’re using compromised credentials to log in and to upload this. So, they can go and do all of that. So, they sit on that for anywhere from 12, 16, 24 months, as long as possible, before the data makes it on the dark web.

Brandon:
Got it.

Chris:
Or on Pastebin. Because by the time the data’s there, we kind of look at that as a commodity. It’s already been well-filtered, shared, and then that group slowly gets bigger over time. Obviously, there’s really no honor among thieves. So if you say, “Hey, let’s not share it with anyone.” You share with your friend. This one shares it with their friend. But slowly, that data gets more and more out. So by the time it hits kind of the dark web, as it’s defined, the visible dark web, which is also kind of funny when people use that terminology, it’s like, well, if it’s visible…

Brandon:
If it’s visible, then it’s not so dark.

Chris:
Yeah, it’s not so dark and they know on those forums, like I mentioned before, that’s when law enforcement has access to it. So you can see anywhere from, depends on when it becomes public, but one month to two years when that data is being well-circulated, even if the breach’s known, that database can still be well-circulated because people don’t remember what password they used. And when you get a notice from a company that says, “Hey, you were compromised as part of this breach, we’re sorry.” They don’t tell you this was the password you used. They don’t tell you generally this is the credit card you had on file. They don’t tell you a lot of that info.

Brandon:
Yep.

Chris:
Which is really frustrating from a user perspective, because how are you supposed to protect yourself if you don’t know what the bad guys have?

Brandon:
And I’ve seen too, or I’ve heard, just because a breach is now public and an organization tells you, “Hey, we forced a reset on your account.” Or, “We recommend you change your password.” Okay. Six months down the line, 12 months, 18 months down the line. The odds of me reusing that same credential again—

Chris:
Yeah.

Brandon:
… is high.

Chris:
Absolutely.

Brandon:
Because of exactly the behavior that you outlined earlier. And so, even if I try it now or in six months and it doesn’t work, I’m going to keep trying.

Chris:
Keep going.

Brandon:
I’m going to keep going, like you said with those tools that are available.

Chris:
Absolutely. And that’s a great point on password reuse. It’s interesting the new NIST guidelines say that you actually should not tell people to change your password every 90 days, which was, it was one of those things like this is what we’re supposed to do. We’re supposed to rotate passwords, because it’s more secure. But exactly to your point, I think what we figured out now, is we’re just giving bad actors a bigger bite at the apple. More bites at the apple.

Brandon:
Yeah.

Chris:
So now it’s better to make sure the NIST framework that came out, I think it’s last summer, but it’s now being kind of more heavily rolled-out, is one of the main tenets of that is check any of those passwords against what they call a previously breached corpus, which in I think normal person talk, means a previously breached database, which through Identity Monitor they’re able to do.

Brandon:
So we’ve talked a little bit, so far already in about credential-stuffing, but we haven’t really kind of dived into that to define what exactly is credential-stuffing. And what does that mean and what kind of tools are people using in order to do those types of activities?

Chris:
Sure. So credential-stuffing is just simply taking those combo lists, and then using those tools that we mentioned, kind of Sentry MBA, Sniper, or you could just, I guess build your own. But there’s 10 other ones that are out there that are constantly being updated. And it’s continuing to check those credentials against the third-party site for the purpose of account takeover.

Brandon:
Got it. Okay. That makes sense. And so, from an Identity Monitor perspective, you mentioned that gathering those credentials, so how are you all going about gathering those credentials down in the dark web?

Chris:
Sure. So, and what we do, and there’s two ways to do it. You’ve got to, like with anything, any security posture, anything like this, you’ve got to have multiple kind of redundancies and techniques. And so, just like Fort Knox doesn’t just have one lock to gain access, they’ve got multiple layers of protection. We go about recovering these credentials through multiple ways. So one is you can scan, it’s great, the dark web. Which again, at that point, these are kind of commoditized credentials. But, sometimes someone’s trying to cause reputation harm. Sometimes something will pop up that wasn’t really actively being traded. So you want to make sure you’re monitoring for that.

Chris:
And so that’s one of the things we do and we gather a fair amount of data through there. But the majority of the data we gather is actually through our research analysts. So our research analysts aren’t just on these forums waiting for data to get posted. They’ve actually done the best that they can do to infiltrate these cyber criminal groups, and get to the forums, or deeper than the forums where these things are being traded or talked about. And we do our best to socially engineer those bad actors out of that data as quickly as possible.

Brandon:
Okay. Got it. So you’re trying to go from the top, the higher level to that next level, or two down, where like you said, it’s a smaller group—

Chris:
Exactly.

Brandon:
… of people that are sharing information. And so how can you get into that group, get invited into that inner circle?

Chris:
Yeah, so we’re moving up the timeline. Our goal as an organization is to limit the value that bad actors get from this type of data. If we can make this data no longer valuable, we can help fight the fight against causing data breaches. If there’s nothing there to go get any more, then they’ll turn their eyes or techniques somewhere else.

Brandon:
Makes sense. So, let’s just say as an organization, we’re not a very big organization. So I’m an IT pro responsible for everything.

Chris:
Yeah.

Brandon:
I own security. I own network.

Chris:
Of course.

Brandon:
I own servers.

Chris:
Yeah.

Brandon:
Or, I’m in a larger organization. We actually have a security admin, or security pro team separate from our IT professionals. And so, whose problem really is it ultimately to solve?

Chris:
Well, it’s everyone’s problem, sadly. And more and more organizations are installing things like chief risk officers. CISO has become incredibly popular as a role more than it was 15, 20 years ago. Even smaller and smaller organizations are having someone on their team, and sometimes it’s someone on the IT team, because they don’t have people dedicated just to security. They also kind of own that kind of CISO role.

Brandon:
Yep.

Chris:
And so, at the end of the day, to solve it, it relies on the IT group. You have access and can communicate to users, here are the credentials through Identity Monitor that have been exposed.

Brandon:
Got it.

Chris:
So, they’re able to actually kind of fix the problem, help with the mitigation side of the issue.

Brandon:
Okay. So, my credentials are now out there. They’re exposed and now, okay, great, now what do I do?

Chris:
Well, user training’s always great.

Brandon:
Yup.

Chris:
Being proactive. Trying to educate people about, here are the things you can do to be a smarter user. I mean, you see all those comics that talk about, you can have all this crazy infrastructure and stuff, but it’s the person at the end of the keyboard—

Brandon:
Single point of failure.

Chris:
… that’s your biggest risk. And again, it’s understandable. We all have a tough time on the IT side, but we know that for us, on the IT side it’s our day job. This is our responsibility. But ultimately, for a user, they’re worried about email, they’re worried about closing the deal, they’re worried about those types of things. So, certainly do education as much as possible, and even reiterate it every day, every month as you can, not just during Cybersecurity Awareness Month, which is great, which is happening.

Chris:
Multi-factor, great, little bit of friction.

Brandon:
Yeah, two-factor authentication.

Chris:
Two-factor authentication is great. It’s better to have that friction on the enterprise side. And then using something like Identity Monitor, at least trying to check those credentials, going back to that NIST framework, make sure those credentials that those users are using are not a part of a third-party data breach.

Brandon:
Got you. And so, how will you know if actually something does happen?

Chris:
So, with Identity Monitor, you’re able to log in, add your domains. So, it knows all the employees from this domain. Anytime SpyCloud finds a credential, and we’re adding sometimes billions of credentials a month to this, which all flow into Identity Monitor. Anytime those credentials are found, you’ll receive a notification that they were recovered. And you can see exactly the information that was recovered. Even the plain-text password.

Brandon:
So we’ve talked a lot about account takeover, and some methodologies, the means, like two-factor authentication.

Chris:
Yep.

Brandon:
What would you say is kind of the next big threat in this space that you’re seeing?

Chris:
Yeah, so I talked about two-factor. And two-factor’s great. But also, everyone in the security community has been adding two-factor. And if you think about it, you’re a bad actor. You used to have a lot easier access to this type of data. Now people are putting this new hurdle in front of you and it’s two-factor. Well, I’m going to attack two-factor. How can I go after two-factor? And the most common way of two-factor for today’s SMS-based two-factor, right?

Brandon:
Correct.

Chris:
Go to a site, get a text, it has the number, put it in.

Brandon:
Yep. I get it from Outlook, or Office 365.

Chris:
Gain access. Office 365, any website you go into. The problem with that is, and it’s also, it’s seen a ton of pickup because pretty much every consumer gets texts now. We’re not getting charged 10 cents like we used to.

Brandon:
Yep.

Chris:
Is that, that relies on your phone, and your telecom provider. If you’re familiar with SIM-swapping, if you’ve ever traded, “Hey, I’m going to go from Verizon to T-Mobile or AT&T, whatever.” You can port your number over. Super convenient. Really helpful.

Brandon:
Yep.

Chris:
Also, really helpful for bad actors. So we’re seeing SIM-swapping as becoming a new vector of attack, where they’re going after it solely for the purpose of that two-factor token. Let’s say you’re a T-Mobile customer, they’ll call up T-Mobile, they’ll act like they’re you—and there’s some great videos online that were done at BlackHat or DEFCON and others where you can watch someone, like, social engineer a telecom customer service agent into letting them SIM-swap. And then, they’ll gain access to your phone number. They’ll go to change your bank account. They’ll say, “Oh, I forgot my two-factor, or I need to reset my password.” They’ll say, “Oh, we’ll send you this code to make sure it’s you.” They’ll get the code and then we’ll actually swap it back.

Brandon:
Got you.

Chris:
So, sometimes that happens at night depending on who you are and how sophisticated. But we even read a story or read a story a couple of weeks ago about a gentleman in San Francisco through SIM-swapping got his entire investment account wiped out.

Brandon:
Oh, wow.

Chris:
Million dollars, because of that, so.

Brandon:
That’s crazy. Chris, I appreciate you joining us today on this episode. A lot of great insight around account takeover.

Chris:
Yeah, thanks for having me. It was great.

Brandon:
All right, and folks, thank you again for joining our podcast today. We recommend, if you want to see if your information has actually shown up in any third-party breach information, or databases, to go to solarwinds.com/identity-monitor, and enter your email address and see what you can learn.