Telecom companies have made huge leaps in security to protect their networks and their customers, but their own employees and executives remain extremely vulnerable to having their own accounts compromised, according to research from cybersecurity firm SpyCloud.
In fact, the 11 telecom companies in the Fortune 1000 comprise the most vulnerable industry in the study – at greater risk than retail, banking, healthcare and other industries. SpyCloud examined more than 100 billion account assets from previous data breaches and connected them to Fortune 1000 companies to see how exposed they are to account takeover (ATO) attacks, where hackers use someone’s login credentials to gain access to their accounts, potentially unlocking corporate data, sensitive personal information, finances and more.
The human tendency to reuse passwords across multiple accounts or to use weak passwords makes ATO an effective method for accessing someone else’s accounts. If a person’s login and password were compromised by one data breach and they used the same login and password on other accounts, those other accounts are immediately at risk. Compromised or weak passwords are the No. 1 method for ATO, according to research from Verizon. Of the account assets SpyCloud looked at, there were more than 5.5 million credential pairs (corporate email accounts with decrypted passwords) and over half a million stolen phone numbers.
In theory, corporate passwords should be strong given the importance of the assets they protect and the robust guidance often provided by corporate security teams, but when an employee reuses credentials across other accounts, they are only as strong as the weakest link. SpyCloud found 74% of employees, including C-level executives, working for Fortune 1000 telecom companies are reusing passwords across multiple work and personal accounts. Some of those sites will eventually be breached if they haven’t already.
Cybercriminals inevitably test breached credentials against other logins, taking over any other accounts protected by the same username and password. If those stolen credentials contain a corporate email domain, criminals have an obvious clue that they could gain access to the corporate network and valuable enterprise systems, customer data and intellectual property.
Besides passwords, another common asset criminals use to take over accounts is the mobile phone number. With a simple phone call to a mobile carrier and some light social engineering, criminals can divert a victim’s phone service to their own device. Once the attacker controls the victim’s phone number, they receive the text messages used for multi-factor authentication, now commonly relied on as a more secure way to log into sensitive accounts.
The vast majority of attacks are the ones you typically see in the news: credential stuffing, where criminals use bots to try stolen credentials across a high volume of accounts in a short amount of time, and which most security organizations address with bot mitigation solutions. Credential stuffing attacks may come years after a site is breached. Stolen credentials are typically kept within a tight circle of criminals for the first 18-24 months after the breach, to be extensively monetized with more sophisticated targeted attacks before being sold in combo lists on the dark web.
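The credential stuffing pattern described above (one source trying many different accounts in a short burst) is what a defender looks for in login audit logs. The following is an added example, not code from the article or from SpyCloud; the log format, IPs, usernames and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (not from the article): one IP cycles through
# many accounts within seconds, the other is a single user retrying their own password.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-03-01T10:05:00Z ip=198.51.100.9 user=grace@example.com result=FAIL
2024-03-01T10:05:20Z ip=198.51.100.9 user=grace@example.com result=FAIL
2024-03-01T10:05:40Z ip=198.51.100.9 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Return (timestamp, ip, user, result) tuples for every well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_stuffing(events, window=timedelta(seconds=60), min_users=5):
    """Map each IP that tried at least `min_users` distinct accounts inside any
    sliding window of `window` to the set of usernames it tried."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def likely_takeovers(events, flagged):
    """Accounts a flagged IP logged into successfully: the stuffing 'hits' that
    need a forced password reset and session revocation."""
    return {user for _, ip, user, result in events
            if ip in flagged and result == "SUCCESS"}
```

The single user failing repeatedly from 198.51.100.9 is deliberately not flagged: many distinct usernames per source, not many failures per user, is the signature of stuffing with stolen credential pairs.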
It is in these early days of targeted attacks against companies and individuals that the major damage is done and where security teams should be focusing prevention efforts. Here are a few measures you can take to prevent ATO attacks and protect yourself, your employees and your company.
1. Use Multi-Factor Authentication everywhere
While I did just highlight how some criminals use SIM swapping to get around multi-factor authentication, it is still another layer of security and much stronger than going without.
2. Use a password manager for all of your logins (not just for work)
Even though many find the initial setup and use of a password manager somewhat tedious, it is well worth the time spent to avoid the potential damage of a successful criminal attack.
3. Stop rotating passwords every 90 days
This provides a false sense of security and frustrates people, so they may end up recycling passwords (simply adding a character at the end of a well-worn password, thinking that is safe). Instead, educate users on password hygiene and provide guidelines for creating strong passwords.
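One concrete way to catch the recycling habit described in point 3 is to reject, at password-change time, any new password that is a trivial variant of the old one. This is an added example, not code from the article or from SpyCloud; the normalization rules, the leet-speak table and the edit-distance threshold are assumptions chosen for illustration.

```python
import re

# Common substitutions to undo so that 'P@ssw0rd' and 'password' share the same core.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})

def normalize(pw):
    """Reduce a password to its reusable 'core': lowercase, drop the trailing digits
    and punctuation people bump each quarter ('Summer2019!' -> 'summer'), undo leet."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())  # trailing leet symbols count as padding
    return core.translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance, catching 'change one or two characters' edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_recycled(old, new, max_distance=2):
    """True when `new` is a trivial variant of `old` and the change should be rejected."""
    old_l, new_l = old.lower(), new.lower()
    if not new_l or old_l == new_l:
        return True
    core_old, core_new = normalize(old), normalize(new)
    # Shared core of meaningful length: same word with a new suffix or a leet makeover.
    if min(len(core_old), len(core_new)) >= 4 and (core_old in core_new or core_new in core_old):
        return True
    return edit_distance(old_l, new_l) <= max_distance
```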
4. Don’t click on links or open attachments from unknown senders
Phishing attempts containing credential-stealing malware have grown much more sophisticated and difficult to detect. Remain vigilant and keep employees apprised of the latest fraud attempts on the rise.
5. Monitor your credentials and PII – both work and personal
There are free services available that will continuously check whether your credentials show up on breached lists, so you can secure your accounts quickly. There are also systems available for ongoing monitoring of exposed passwords for all your employees, allowing you to take swift action to prevent criminals from monetizing those credentials at the cost of your business and customers.
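The monitoring described above can be done without ever sending a password to the checking service, using the k-anonymity range-query design that Have I Been Pwned's Pwned Passwords popularized: the client hashes locally, sends only the first five hex characters of the SHA-1, and matches the rest itself. The following is an added example, not code from the article, SpyCloud or any named service; the leak corpus, credential pairs and domain are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed leak corpus standing in for a monitoring service's holdings; the
# duplicate is deliberate, since the same password recurs across many breaches.
LEAKED = ["password", "123456", "Summer2019!", "qwerty", "password", "letmein"]

# Constructed credential pairs (email, plaintext) as a monitoring feed would hold.
PAIRS = [("cto@telco.example", "Summer2019!"), ("jo@other.example", "qwerty"),
         ("noc@telco.example", "letmein")]

def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked):
    """Service side: group hashes by their first five hex digits, counting repeats."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in leaked:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index

def range_query(index, prefix):
    """Service side: answer a prefix with every suffix under it, so the caller's
    actual hash is hidden among all hashes sharing that prefix."""
    return dict(index.get(prefix, {}))

def breach_count(index, password):
    """Client side: hash locally, send only the 5-char prefix, and look for the
    remaining 35 characters in the returned range. Returns how often it leaked."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)

def exposed_employees(credential_pairs, domain):
    """Company-wide monitoring: which corporate logins appear in the leak feed."""
    return sorted({email for email, _ in credential_pairs
                   if email.lower().endswith("@" + domain.lower())})
```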
Because the telecom industry has so many employees, so many subscribers, and seemingly unlimited data out there in the hands of criminals, it is a prime target for bad actors looking to profit, but employees do not need to make it easy for them with sloppy password management. Proper credential management can go a long way in preventing fraudulent access to all your valuable online accounts.