Using third-party services for credential theft
In this article, we discuss the security of third-party services which perform specialized functions, such as storing user credentials or logging in on behalf of the user. We’ll look at an overview of how these services work, how to ensure that you actually observe proper cyberhygiene to prevent being hacked, whether or not you should trust your credentials to such third-party services and, finally, discuss how hackers manage to breach these solutions.
Overview of third-party app functionality
Third-party applications allow you to manage activities that otherwise would be tedious to accomplish manually. These activities would for instance be, for example, signing into accounts or managing multiple different sets of credentials. The sensitivity of such third-party applications has motivated attackers to invest time into finding vulnerabilities that could allow them to comfortably perform account takeovers.
Managing your finances can be a very difficult thing to do today with all the expenses that one suffers on a monthly basis. It is because of this that some companies such as Intuit have come up with finance managing solutions that help people manage their expenditure.
For the most part, finance managers work by collecting all your expenditure and organizing it in an easy-to-understand format. The benefits are numerous, but in summary are as follows:
- They allow you to create budgets that allow you to project for the future
- They allow you visualize your bills and remaining money
- They allow you receive notifications when unusual expenditure is detected
Mint is one of the most popular budgeting apps because it is free and easy to set up. Together with other finance managers, Mint allows users to input account information for their banks, PayPal, credit cards and debit cards, and aggregates all this information in a manner that is easy to interpret. Bills, loans and investments can also be tracked.
These third-party applications allow users to better manage their accounts through the storage and retrieval of credentials from an encrypted database. You can already visualize the convenience that these solutions promise. Think about having a unique eight-character password for each of your online accounts.
Examples of popular password managers in use today are Dashlane, 1Password7, KeePass and LastPass. Later on in this article, we’ll discuss the shortcomings of these password managers in how they employ basic security best practices.
Most of the third-party applications (especially finance managers) do not store your credentials and financial information within the same location, and are protected by bank-level encryption, depending on the solution in question. This is intended to reduce the foothold in case of a successful attack.
Should you trust budgeting apps?
There are a couple of measures that have been taken to ensure that the security of most budgeting apps can be trusted. For instance, with Mint, traffic is encrypted using 128-bit SSL encryption through verified monitors such as VeriSign and TRUSTe. The servers also have 256-bit encryption securing their files. The app itself provides two-factor authentication, touch ID and passwords, which serve to increase the app’s security. However, we shall soon see that when it comes to security, we cannot fully claim to be secure; we can only increase the difficulty of an attack against ourselves. One such way that we can do this is by adopting healthy cyberhygiene.
If you choose to use budgeting apps, bear in mind that this you will be making a compromise — security for convenience. Banks will often discourage you from using such apps, and with good reason. What is secure today might be discovered to be insecure tomorrow, and avoiding such apps ensures that you remain secure in the event of a compromise on their part.
How do account takeovers occur?
Account takeovers are exactly what they sound like: Situations where hackers successfully manage to break into user accounts, turning it (or them) into their own accounts. These are facilitated by a number of situations within third-party applications:
- Exposure of clear text master passwords, secret key and entries in memory: Third-party applications, especially commonly used password managers such as 1Password, have some problems when it comes to managing password information within memory. It is, for instance, possible for attackers to build applications/tools that can dump these passwords from memory
- Failure of these applications to scrub obfuscated master password from memory: Some third-party password managers such as 1Password 7 fail to scrap the master password, secret key and individual database passwords from memory once the application is in a locked state. In fact, once the database is unlocked, 1Password 7 caches the entire database of passwords in memory. This is a very disturbing reality, since it makes it possible for attackers to build tools that can extract these passwords from memory and use them to take over user accounts
- Failure to properly encrypt database files resident on disks: The ability of a third-party application to encrypt database files determines whether or not an attacker will successfully obtain account information in the event that they exfiltrate this file. It is therefore important that an encryption mechanism is properly implemented for database files
Even though sufficient measures are taken to prevent the recovery of master passwords and secrets, most of the password managers available today don’t do a very good job when it comes to scrapping previously-used passwords from memory, and this may allow attackers to build tools that can gather these passwords from memory.
How do you ensure your accounts are safe?
Third-party applications will retain some functionality on your devices. Most of them perform the locking (encryption) and unlocking (decryption) mechanism locally on your device. Due to this, you should make sure your device is secure. Having a good password on a vulnerable machine is as bad as not having a suitable security measure in the first place, so you would want to:
- Patch your system: Ensuring that your devices have the latest operating system patches protects you from attacks that might lead to the compromise of your entire device. We have seen above that once attackers have access to your system, they can dump certain sensitive password information from memory and use that information to compromise your accounts
- Enforce two-factor authentication: Two-factor authentication on both your devices and accounts will prevent any unauthorized account access, further inhibiting attacks targeting your accounts
- Have an updated antivirus: An updated antivirus will be able to detect worms and viruses that attempt to leverage any unpatched vulnerabilities. These malware attacks may attempt to dump areas in memory where sensitive data is known to be found or points within your operating system which may allow unauthorized remote access
- Ensure proper cyberhygiene: The most common cybersecurity attacks today involve one or more aspects of social engineering. Malicious files and payloads are usually sent via this attack vector, leveraging the fact that unsuspecting victims will often click on exciting links. This is something that can only be fixed through proper awareness, as no patch will work here. Train yourself and staff to avoid downloading unknown attachments. Avoid clicking on any and every link when online
- You should also ensure you are using a third-party solution that offers security. Ensure the product regularly receives patches and updates and that the company offering it actively supports it
How do you choose third-party solutions for credential management?
Before you choose a third-party solution to manage your credentials with, there are a couple of things you must consider. Bear in mind that not all password managers will provide the following features, and you may not find some of them to be as important.
- Multi-factor authentication: Good password managers should allow you to implement multi-factor authentication for added security
- Secure password generation: As we have seen above, it is possible for attackers to perform some form of attacks against certain password managers. You need to make sure you choose a solution that, depending on your needs, will securely generate, store and retrieve your passwords
- Automated password updates: One solution we never discussed above is Avast Passwords. This solution has the ability to automatically generate new passwords once it detects that your accounts have been compromised. You can also manually check here whether any of your accounts have been hacked
- Integration: You want to consider having a password manager that integrates with your browser through plugins and extensions to autofill login forms whenever you are logging in online, and that you can access it across various platforms (Android, iOS, Linux and Windows). Your password should also sync automatically across your multiple platforms
If you can avoid using third-party solutions for your account management and still adhere to good password best practice, then you should be good to go. Most people cannot manage to do this; the pace of work requires certain potential insecure practices to provide extra convenience at the expense of security.
If this is your situation, make sure that the solution you’re resorting to provides proper security, is up-to-date and is actively supported by the provider. Most importantly, ensure you observe healthy cyberhygiene, as attacks against the “human element” have no patches.
- Is Mint Safe? What to Know About the Budgeting App in 2019, TheStreet
- Should You Trust Mint.com?, The New York Times
- Ask HN: Why would people trust their banking credentials to a service like Mint?, Hacker News
- Why banks want you to drop Mint, other ‘aggregators’, Reuters
- How Safe is Mint.com?, Smart Money Nation
- Password Managers: Under the Hood of Secrets Management, Security Evaluators