Demystifying hacking attacks

Rakesh Thatha, ArrayShield

Many organizations protect their infrastructure with a simple username and password. Entering this information grants access to the organization’s sensitive data held in servers, databases, applications, email accounts, and elsewhere. But it is widely acknowledged by information security experts that passwords are notoriously insecure. Many users choose weak passwords which can be easily guessed or cracked. When password policies are enforced, users end up noting down their passwords on Post-It notes, mobiles, in email or on their laptops, which is a serious security vulnerability.

In a nutshell, passwords are not sufficient for protecting an organization’s data because:
– Easy passwords can be cracked
– Random passwords can’t be remembered
– The same passwords are used in multiple places
– Passwords that need to be changed continuously are not user-friendly

We are all aware that carelessness with passwords has resulted in organizations of all sizes, including Fortune 500 companies and government bodies, witnessing multiple hacking attacks. This is a cause for concern when you consider that the estimated cost associated with a data breach has reached $6.6 million.

Additionally, government regulations such as Sarbanes-Oxley, the PCI Data Security Standard, US data breach notification laws and others have been put in place to protect access to corporate networks.

Failure to meet requirements that call for the implementation of two-factor authentication could result in regulatory fines and irreversible damage to a brand’s reputation.

To understand more about hacking attacks, let us take a look at the various hacking vectors that compromise traditional authentication mechanisms.

Keyloggers: Keyloggers are applications or hardware devices that monitor a user’s keystrokes and send this information back to the malicious user over the internet. Hardware keyloggers are small inline devices placed between the keyboard and the computer. The other kind are software keyloggers, also referred to as spyware. Spyware usually gets into the computer through banner ad-based software, where the user is enticed to install the software for free.

Real-time replay attack: Malware sits inside a user’s browser and waits for the user to log into a bank. During login, the malware copies the user’s ID, password and OTP, sends them to the attacker and stops the browser from sending the login request to the bank’s website, telling the user that the service is “temporarily unavailable.” The fraudster immediately uses the User ID, password and OTP to log in and drain the user’s accounts.

Man in the browser attack: Malware overwrites transactions sent by a user to the online banking website with the criminal’s own transactions. This overwrite happens behind the scenes so that the user does not see the revised transaction values. This way, neither the user nor the bank realizes that the data sent to the bank has been altered.
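Both the real-time replay and the man-in-the-browser attack described above succeed because the one-time code the user supplies is not tied to the transaction it authorizes, so the same code is equally valid for the criminal’s substituted transaction. The following Python is an added illustration, not code from this article or from ArrayShield, of the “what you see is what you sign” approach: the short code is an HMAC over the transaction fields the user sees plus a server-issued nonce, so an altered transaction fails verification and an already-used approval is rejected as a replay. The account numbers, the shared secret and the fixed nonce are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; a real deployment provisions a per-user key to the token or app.
DEMO_SECRET = bytes.fromhex("7f" * 32)  # placeholder value for the demo only


def canonical_bytes(tx: dict) -> bytes:
    """Serialise the fields the user actually sees, in a fixed order, so that the
    user's token and the server hash exactly the same bytes."""
    return f"{tx['from']}|{tx['to']}|{tx['amount']}|{tx['nonce']}".encode()


def transaction_code(secret: bytes, tx: dict, digits: int = 8) -> str:
    """HMAC-SHA256 over the transaction, truncated to a short decimal code
    (dynamic truncation in the style of HOTP, RFC 4226) that a user can type."""
    mac = hmac.new(secret, canonical_bytes(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class BankServer:
    """Minimal server side: one secret per user, and a record of nonces already spent."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_nonces = set()

    def issue_nonce(self) -> str:
        # Fresh per transaction; the nonce is shown to the user together with the fields.
        return secrets.token_hex(8)

    def verify(self, tx: dict, code: str) -> str:
        # Replay check first: an approval is good for exactly one submission.
        if tx["nonce"] in self.used_nonces:
            return "rejected: replay"
        expected = transaction_code(self.secret, tx)
        # Constant-time comparison so timing does not leak how many digits matched.
        if not hmac.compare_digest(expected, code):
            return "rejected: transaction mismatch"
        self.used_nonces.add(tx["nonce"])
        return "accepted"


def demo() -> list:
    """Walk through the three submissions a man-in-the-browser scenario produces."""
    server = BankServer(DEMO_SECRET)
    nonce = "deadbeefcafef00d"  # fixed instead of server.issue_nonce() so the run is reproducible
    intended = {"from": "ACC-1001", "to": "ACC-2002", "amount": "150.00", "nonce": nonce}
    # What the user's token computes from the fields the user sees and approves.
    code = transaction_code(DEMO_SECRET, intended)
    # What the malware substitutes behind the scenes, forwarding the user's code unchanged.
    tampered = dict(intended, to="ACC-9999", amount="9500.00")
    return [
        server.verify(tampered, code),   # altered fields: HMAC no longer matches
        server.verify(intended, code),   # the transaction the user actually approved
        server.verify(intended, code),   # the same approval submitted a second time
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A conventional OTP that depends only on the secret and a counter or clock would be accepted for the tampered transaction just as readily as for the intended one; binding the code to the displayed fields is what defeats the overwrite, provided those fields are shown to the user on a device the malware does not control.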

Phishing: The attacker targets users and fools them into entering their credentials into a fake web site. This usually occurs when a criminal sends an email impersonating a customer service organization and asks recipients to click on a URL to perform account maintenance or verification. The link takes them to a fraudulent site, which prompts them for their valid credentials.

Pharming: The attacker poisons the DNS server and redirects users to the fraudulent web site. Users do not suspect anything because the redirect happens even when the user selects the web site from a saved favorite or actually types in the correct URL.

Shoulder surfing: Shoulder surfing is looking over someone’s shoulder to get information about his identity. It is an effective way to get information in crowded places because it is easy to stand next to someone and watch as they fill out a form. Shoulder surfing is a serious problem both when the user enters the password directly and when the user enters it through a virtual keyboard; in the virtual keyboard case it is relatively easy for the hacker to see the mouse clicks on the screen.

Guessing: Guessing is the simplest attack a hacker can mount on a user authentication system. One of the main problems with the username-password system is the selection of the password itself. Studies show that users always pick passwords which are short and easy to remember. It is often very easy to break a user’s password if personal information about him/her is known, and more often than not such information is widely known.

Social engineering: Social engineering is the act of manipulating people into revealing their private details, rather than breaking in or using technical cracking techniques. Examples include accessing the user’s social media accounts or calling them over the phone to learn more about the user’s personal details and possibly authentication credentials.

Brute force attack: In a brute force attack, an intruder or hacker tries all possible combinations to crack the user’s secret. The hacker performs an exhaustive search of the complete space to find the user’s secret.

Dictionary attack: A dictionary attack is an improved version of a brute force attack. Instead of searching all possible combinations, the hacker searches only the possibilities most likely to be selected by the user.
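Guessing, brute force and dictionary attacks all look alike from the server’s side: a run of failed logins against one account from one source, sometimes followed by a success once the guess lands. The following Python is an added illustration, not code from this article or from ArrayShield, of how a defender can spot that pattern in authentication logs with a sliding window per (source, user) pair, raising one alert when failures exceed a threshold and a higher-priority alert when a success follows such a burst. The log line format, timestamps, addresses, user names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example (not any real product's syntax):
#   2024-03-01T09:00:00Z auth result=FAIL user=alice src=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: six failures then a success against 'alice' from one source,
# and two unrelated failures against 'bob' far apart in time (below any threshold).
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:05Z auth result=FAIL user=bob src=198.51.100.9",
    "2024-03-01T09:00:10Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:20Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:30Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:40Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:50Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:55Z auth result=OK user=alice src=203.0.113.7",
    "2024-03-01T09:30:00Z auth result=FAIL user=bob src=198.51.100.9",
    "2024-03-01T09:30:03Z auth result=OK user=bob src=198.51.100.9",
]


def parse(line: str):
    """Turn one log line into a dict, or None if it is not an auth record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Scan lines in order. For each (src, user) pair keep the timestamps of failures
    inside the last window_s seconds. Emit 'failure_burst' the first time the count
    reaches threshold, and 'success_after_failures' if a successful login arrives
    while the window still holds at least threshold failures."""
    windows = defaultdict(deque)   # (src, user) -> deque of failure timestamps
    alerted = set()                # pairs already reported as a burst
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = windows[key]
        # Evict failures that fell out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "failure_burst", "src": key[0], "user": key[1],
                               "failures": len(q), "first": q[0], "last": ev["ts"]})
        else:
            if len(q) >= threshold:
                # The guess landed: treat the account as likely compromised.
                alerts.append({"kind": "success_after_failures", "src": key[0], "user": key[1],
                               "failures": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()  # a legitimate success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['kind']}: {a['user']} from {a['src']} "
              f"({a['failures']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S})")
```

Keying the window on the (source, user) pair catches the brute force and dictionary cases the text describes; an account lockout or a progressively slower response after the threshold is the usual preventive counterpart, and a success after a burst is the alert worth paging on.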

As we see, all the above scenarios make it very difficult for organizations to protect their sensitive data from hackers and competitors. Hence, security experts worldwide recommend strong two-factor authentication to protect organizations’ assets. The same is also recommended by various compliance standards and certifications such as PCI-DSS, HIPAA, SAS 70, ISO 27001 and others. Only if organizations implement these suggestions will they be able to keep hackers at bay.

The author, Rakesh Thatha, is Co-Founder & CTO at ArrayShield Technologies. Rakesh’s Twitter handle is @rakeshthatha.