Widespread Account-Sharing Threatens Corporate Security, Revenues

You've just set up an end user with a new system account. Quick quiz: How will you know if the user is sharing that account with other users?

Account sharing -- the act of giving one's account information to others to save time or money or to bypass security processes -- is pervasive behavior in most organizations and online services, experts say. The problem: Most organizations don't know when it occurs or how widespread the practice is.

In a data leakage study released Wednesday by Cisco Systems, researchers reported that 44 percent of end users have allowed others to use their company-issued computers without supervision. Most of the respondents said they gave access to co-workers, but a significant portion also gave access to friends or family, and 5 percent admitted to giving out their passwords to individuals outside the company.

Recently, AdmitOne, a company that offers biometric authentication by "learning" the specific keystroke patterns of each individual user, has begun using its technology to monitor the actual behavior of account users. Using keystroke analysis, AdmitOne can go beyond simple analysis of IP addresses and tell how many users are accessing a specific account and where they're coming from.

"What we've found from doing assessments at a number of companies is that account sharing is a lot more widespread than most [IT] administrators think," says Matt Shanahan, senior vice president at AdmitOne. "Some IT people are overconfident; they think that there isn't much account sharing going on, or that the risk of the behavior is not that great. Others don't really want to know how much of it is going on because they don't want to have to remediate the problem. But it's happening, whether they want to deal with it or not."

AdmitOne recently did a keystroke analysis assessment at a major automotive exchange that allows buyers, suppliers, and other members of the supply chain to share information by subscribing to a common network. "What we found was that about 33 percent of the accounts on the network were being shared, and that there were 57 percent more users on the network than there were subscribed accounts," Shanahan says. In another assessment, AdmitOne analyzed the use of the multiple listing services (MLS) that realtors use to collect and store data on the sale and purchase of homes and property. In that case, the company found about 12 percent of the licensed MLS accounts were being shared, and there were approximately 15 percent more users in the system than there were licensed accounts.

"We found out, in the course of the assessment, that some realtors were actually selling their [MLS] credentials to other people," Shananan recalls. "It turns out that the information on who buys or sells a house is pretty valuable to other companies, such as moving companies, who are willing to buy their way [into the system]."

The problem with account sharing, Shanahan explains, is that there's really no good way to track it. "You can use IP addresses, which can help you identify problems, but there are a lot of users who use proxies or who move around a lot, so it doesn't really tell you everything you need to know. A lot of organizations don't see it as a problem, partly because they don't really know when it's happening."

For most companies, account sharing is perceived as a back-end security problem. But for companies that rely on online subscriptions as a primary revenue stream, account sharing can mean lost income. "If you're running The Wall Street Journal or World of Warcraft, and you've got multiple people sharing a single subscription, you're losing customers," Shanahan observes. In one assessment, AdmitOne estimated the losses associated with account sharing at more than $8 million, he says.

What can IT people do to mitigate the occurrence of account sharing? The first thing you need is a policy, Shanahan says. "There are situations where account sharing makes sense," he notes. "The key is that you want to define who should have access to the account, whether it's one person or several."

The next step, Shanahan adds, is to add an enforcement mechanism. "Multifactor authentication is a good first step," he says. "Make sure you have a method for ensuring that only the people who are authorized to use the account can use it." Analysis of IP addresses and user locations can help establish logon patterns and identify anomalies, he observes.

Over time, more companies may look to forms of user identification -- such as keystroke authentication -- to establish who's using their accounts, says Shanahan, who clearly has a dog in that fight. "Companies are going to need a way to establish who's using their systems, and who's accessing the data," he says. "In the past, companies have used keystroke authentication primarily for controlling access, but we think it has a lot of potential as a means of monitoring the way accounts are being used."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message