It has been reported that a British man has been charged in New York with unauthorized computer intrusion, securities fraud, wire fraud and other crimes that caused more than $5m in losses.
According to a 10-count complaint made public yesterday, Idris Dayo Mustapha, 32, a UK citizen, and others used phishing and other means to obtain user credentials from January 2011 to March 2018.
This is yet another example of stolen credentials being used to break into high-value accounts and earn criminals millions. Attackers can buy stolen credentials on the dark web or harvest them through phishing, and once they hold one valid username and password pair they can multiply their return by trying it against other sites, a technique known as credential stuffing, because people so often reuse the same password across multiple accounts. The case against Idris Dayo Mustapha shows how much these attacks can earn.
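The reuse pattern described above is what a defender sees in authentication logs: one source address cycling through many different usernames with a low success rate, as opposed to a real user retrying their own account. The script below is an added illustration, not code from the article or from any party in the case; the log lines and the threshold values are constructed for the example and should be tuned to a real environment.

```python
"""
Flag likely credential-stuffing sources in authentication logs.

Constructed example (not from the original article). Each log line is
"ISO-timestamp client-ip username OK|FAIL". A stuffing run is modelled as
one client trying at least MIN_USERS distinct usernames inside WINDOW with a
success rate at or below MAX_SUCCESS_RATE; the successes it does get are the
accounts whose owners reused a password that leaked elsewhere.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays ten different accounts in a few
# seconds and gets two hits; 198.51.100.5 is one user retrying their own login.
SAMPLE_LOG = """\
2018-03-01T09:00:01 203.0.113.7 alice FAIL
2018-03-01T09:00:02 203.0.113.7 bob FAIL
2018-03-01T09:00:02 203.0.113.7 carol FAIL
2018-03-01T09:00:03 203.0.113.7 dave OK
2018-03-01T09:00:03 203.0.113.7 erin FAIL
2018-03-01T09:00:04 203.0.113.7 frank FAIL
2018-03-01T09:00:05 203.0.113.7 grace FAIL
2018-03-01T09:00:05 203.0.113.7 heidi FAIL
2018-03-01T09:00:06 203.0.113.7 ivan OK
2018-03-01T09:00:07 203.0.113.7 judy FAIL
2018-03-01T09:01:10 198.51.100.5 alice FAIL
2018-03-01T09:01:20 198.51.100.5 alice FAIL
2018-03-01T09:01:35 198.51.100.5 alice OK
"""

WINDOW = timedelta(minutes=5)   # assumed detection window
MIN_USERS = 5                   # assumed distinct-username threshold
MAX_SUCCESS_RATE = 0.5          # assumed upper bound on successes/attempts


def parse_log(text):
    """Parse log text into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=WINDOW, min_users=MIN_USERS,
                          max_success_rate=MAX_SUCCESS_RATE):
    """Return {ip: stats} for client IPs whose attempts, within some sliding
    window, cover at least min_users distinct usernames at a success rate no
    higher than max_success_rate. For each flagged IP the window with the most
    distinct usernames is reported, along with the accounts it got into."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            successes = [u for _, u, r in win if r == "OK"]
            rate = len(successes) / len(win)
            if rate > max_success_rate:
                continue
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "success_rate": rate,
                    # Accounts that accepted a stuffed credential: force a
                    # password reset and review their recent activity.
                    "compromised": sorted(set(successes)),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The second source is not flagged even though two of its three attempts fail, because it only ever touches one username; the distinct-username count, not the failure count alone, is what separates stuffing from a forgotten password.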
The best defence against these attacks is to address the root cause of the problem: passwords. Fighting back means improving the security of user credentials so that they cannot be stolen or socially engineered out of victims in the first place.
Promoting better password hygiene is one way to reduce risk, but the strategy has limits: even a strong, unique password can be phished. To stop criminals exploiting weak passwords or phishing for them, one of the safest approaches is to move the enterprise to passwordless authentication. After all, if users have no password to type, there is nothing for an attacker to steal or phish. The benefit depends on the method chosen, though: a one-time code sent by SMS or email can still be relayed through a phishing page, so the goal is a credential that is bound to the user's device and to the legitimate site and cannot be replayed anywhere else.