The Missing Piece of the Credential Phishing and Account takeovers

Every industry, even those with a limited online presence, are impacted by the interception and spoofing of stolen credentials, and most notably, there is a significant risk to organizations in the finance, healthcare, information services and government sectors.

The attackers either create a phony login page or hijack an existing login page, and more recently with sophisticated automation in real-time proxying, acting as a middle man, attackers are able to intercept and steal user credentials or bypass multi-factor authentication user, eventually lead to fraud and data breach across the enterprises.

The attacks on credential stealing and spoofing are successful due to the bearer-agnostic nature of passwords, one-time passcodes etc. Whoever holds the stolen credentials can impersonate to the authentication system and take over the accounts (for more details on this, see our article “Why your password+SMS+OTP MFA fall short”).

It’s a real risk. Credential compromise accounts for 81% of data breaches in the past years, and in 2018 alone the financial fraud amounted to $12B with three times increase in account take overs.

In part, this issue stems from lack of training and awareness. A recent study showed that 81% of the data breaches in the past years were a result of credential compromise. In Proofpoint’s State of the Phish 2019 Report, users across the globe were asked, “what is phishing?” Of all respondents, 17% of them answered incorrectly and an additional 17% accepted that they did not know.

However, training and user awareness is not the only missing piece to the puzzle to prevent phishing attacks.

Why isn’t training enough?

When we talk about training and awareness to thwart attacks and threats, we’re talking about being able to identify inaccurate URLs and domain names, key identifiers in fake emails (i.e. consistent grammar and spelling errors), and disingenuous attempts to solicit funds or personal identifying information. However, studies have shown that training and awareness in these areas is not enough to stop individuals (including your employees!) from succumbing to phishing attacks.

The sophistication of email attacks broadens the risk to individuals and business. Fraudulent emails are made to appear as if they come from verified sources, whether that is a business or another individual. These types of emails make up 90% of all email attacks And with 86% of these cases being impersonation of a business, there is a significant risk. There are technologies that can thwart these attacks; however, they often are not implement appropriately, leaving businesses open for attacks.

Additionally, even when individuals are aware of the potential risks associated with emails links and, research suggests that curiosity may compel an individual to click on links from unknown sources. In an experiment conducted at Friedrich-Alexander-Universitat, 20% of recipients clicked on the link in an email from an unknown sender. Moreover, when emails used basic personal information, such as an individual’s name, the likeliness to click the link increased to 56%.

Information overload is another factor contributing to issues surrounding account takeovers. The National Institute of Standards and Technology proposes that individuals can easily become overwhelmed with the ever-increasing areas of risk associated with technology. For some, this leads to and individuals begin to overlook potential threats and succumb to the attacks against them.

Wait, what about my SSL padlock?

Padlocks in the SSL/TLS communication have been introduced to ensure users have a visual clue to the end-users with further browser warnings and alerts on potentially harmful websites and ssl communication channel. However, with the misleading elongated urls and the tail-end top-level domain matching with the ssl certificate presented, the attackers are able to play the middle-man, intercepting the victim’s traffic across the Internet (for more information, please take a look at “Anatomy of Multi-factor authentication bypass” ).

Final layer of defense with unspoofable authentication

While layers of defense is a best practice, and are essential in the constantly evolving cyber-threatscape, there is a new bearer-sensitive authentication solution that detects any intercepted and spoofed credentials. This will practically eliminate all the credential phishing and multi-factor authentication bypass without changing any of the current single sign on (SSL) infrastructure.

For more details/demo and whitepaper, please fill-out our form here.

I am not a technical geek; Explain what is iLogSafe that I can understand?

Can you pass on passwords and OTPs to hackers and still feel secure? Obviously “No”. With iLogsafe, even when hackers get your codes, your accounts are secured. Your exclusive iLogSafe codes are useless for hackers, providing a password-less hassle-free secure login.

I use faceId and Voice along with fingerprint and approvals on the app. Am I not secured?

The biometrics have been the mainstream when it comes to authenticating to the gadgets in our possession. But when it comes to online authentication, such authentication schemes fail to secure you from man-in-middle attacks as shown in the “app-based approvals” video.

Disclaimer: *copyrights belong to breakdev.org

I use super strong passwords, OTPs? Why do I need iLogSafe?

Passwords and OTPs were good until yesterday. With real-time interception and hacking (spoofing) your passwords and OTPs are now more vulnerable. Don’t take our word, following reinforce the fact that they are no longer secure.

I use public and private keys; am I not secure?

Yes, public and private key pairs are secure than passwords. However mobility across devices with keychains and webauthn are clunky at best with so many variant offerings. One can always replace public key and replace real user permanently;Read our article for more details HERE

Can you show the details of how my 2FA is vulnerable(contains hacker demo videos)?

The recent attacks as documented by Microsoft on more than 10K enterprises can be easily addressed by iLogSafe and for details please go Here

The following videos help you understand the risks.

Watch this if you currently use mobile app based approval as 2FA

Disclaimer: *copyrights belong to breakdev.org

How does iLogSafe secure my online accounts, money from hackers?

iLogSafe provides a frictionless and easy to use login codes that are locked up to your devices. The patented technology will enable detection of spoofing when someone else intercepts and submits codes. We are an industry standard and meet NIST AAL-3, which means your money and online accounts are hacker-safe.
If you are serious about securing your money and accounts from fraudsters, signup now for great early bird discounts (more than $150 value package)

Do I need to create another set of passwords etc.?

No. We are passwordless.
We don’t use any of your sensitive information such as biometrics nor any private information, including your cell phone details.
Our patented technology is fun to use and intuitive to understand. No teasing of your brain memory nor we ask to solve hair-pulling puzzles.
Your grandma can use this once the account is setup!

I got many more SaaS applications, can you secure them all?

Absolutely!
Below is a starter list. If your SaaS application is not in this list please fill out here
Our product team will work towards securing that app with iLogSafe.

Do I need to create multiple iLogSafe accounts for all the SaaS applications I need to protect?

No. One iLogSafe account can secure everything with our industry standard single-sign on and federation ; completely transparent to you and you just keep using your iLogSafe account.

What is the genesis of iLogSafe? Has this been tested?

iLogSafe is the culmination of years of hacking experience and cyber security management. Patents have been issued as a testimonial of the novelty and the utility of this unique technology pioneered by iLogSafe.

Easy to use and verify its security properties even by non-technical persons, scalable solution designed by a Ph.D. in computer science with CISSP/CISM certification, a regular speaker/presentor at several security conferences and who has successfully run Fortune 500 information security and risk management programs.

At the same time, even with such extensive information security expertise with iLogSafe team, we don’t relax; we are constantly plugged into latest cyber threats and move our program roadmap taking the latest hacks into account.

Our systems are constantly tested by real hacking from our pen-testing team and it goes through multiple checks on OWASP 10, Open API security standards through static and dynamic scans/testing.

The Missing Piece of the Credential Phishing and Account takeovers

Why isn’t training enough?

Wait, what about my SSL padlock? <img decoding="async" src="https://ilogsafe.com/wp-content/uploads/2019/09/https.png" alt="" width="135" height="50">

Final layer of defense with unspoofable authentication

Want to know magic with Anti-[Theft, Phish, Spoof, Bypass]?

Signup for Cybersecurity tips for Lawyers

Wait, what about my SSL padlock?