
Widespread Account-Sharing Threatens Corporate Security, Revenues

Many users break security defenses by simply handing over their credentials to colleagues, friends, experts say

You've just set up an end user with a new system account. Quick quiz: How will you know if the user is sharing that account with other users?

Account sharing -- the act of giving one's account information to others to save time or money or to bypass security processes -- is pervasive behavior in most organizations and online services, experts say. The problem: Most organizations don't know when it occurs or how widespread the practice is.

In a data leakage study released Wednesday by Cisco Systems, researchers reported that 44 percent of end users have allowed others to use their company-issued computers without supervision. Most of the respondents said they gave access to co-workers, but a significant portion also gave access to friends or family, and 5 percent admitted to giving out their passwords to individuals outside the company.

Recently, AdmitOne, a company that offers biometric authentication by "learning" the specific keystroke patterns of each individual user, has begun using its technology to monitor the actual behavior of account users. Using keystroke analysis, AdmitOne can go beyond simple analysis of IP addresses and tell how many users are accessing a specific account and where they're coming from.

"What we've found from doing assessments at a number of companies is that account sharing is a lot more widespread than most [IT] administrators think," says Matt Shanahan, senior vice president at AdmitOne. "Some IT people are overconfident; they think that there isn't much account sharing going on, or that the risk of the behavior is not that great. Others don't really want to know how much of it is going on because they don't want to have to remediate the problem. But it's happening, whether they want to deal with it or not."

AdmitOne recently did a keystroke analysis assessment at a major automotive exchange that allows buyers, suppliers, and other members of the supply chain to share information by subscribing to a common network. "What we found was that about 33 percent of the accounts on the network were being shared, and that there were 57 percent more users on the network than there were subscribed accounts," Shanahan says. In another assessment, AdmitOne analyzed the use of the multiple listing services (MLS) that realtors use to collect and store data on the sale and purchase of homes and property. In that case, the company found about 12 percent of the licensed MLS accounts were being shared, and there were approximately 15 percent more users in the system than there were licensed accounts.

"We found out, in the course of the assessment, that some realtors were actually selling their [MLS] credentials to other people," Shanahan recalls. "It turns out that the information on who buys or sells a house is pretty valuable to other companies, such as moving companies, who are willing to buy their way [into the system]."

The problem with account sharing, Shanahan explains, is that there's really no good way to track it. "You can use IP addresses, which can help you identify problems, but there are a lot of users who use proxies or who move around a lot, so it doesn't really tell you everything you need to know. A lot of organizations don't see it as a problem, partly because they don't really know when it's happening."

For most companies, account sharing is perceived as a back-end security problem. But for companies that rely on online subscriptions as a primary revenue stream, account sharing can mean lost income. "If you're running The Wall Street Journal or World of Warcraft, and you've got multiple people sharing a single subscription, you're losing customers," Shanahan observes. In one assessment, AdmitOne estimated the losses associated with account sharing at more than $8 million, he says.

What can IT people do to mitigate the occurrence of account sharing? The first thing you need is a policy, Shanahan says. "There are situations where account sharing makes sense," he notes. "The key is that you want to define who should have access to the account, whether it's one person or several."

The next step, Shanahan adds, is to add an enforcement mechanism. "Multifactor authentication is a good first step," he says. "Make sure you have a method for ensuring that only the people who are authorized to use the account can use it." Analysis of IP addresses and user locations can help establish logon patterns and identify anomalies, he observes.
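The IP-based logon analysis mentioned above can be sketched as follows; this is an added example, not code from the article or from AdmitOne. It flags an account only when sessions from different source IPs overlap in time, so a user who simply moves between networks is not reported. The record layout, the `find_concurrent_use` name, the five-minute threshold and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample session records: (account, source_ip, login, logout).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_SESSIONS = [
    ("alice", "198.51.100.10", "2024-01-15T09:00", "2024-01-15T12:00"),
    ("alice", "198.51.100.10", "2024-01-15T13:00", "2024-01-15T17:00"),
    ("bob",   "203.0.113.5",   "2024-01-15T09:00", "2024-01-15T11:00"),
    ("bob",   "192.0.2.77",    "2024-01-15T10:30", "2024-01-15T12:00"),
    # carol roams: two networks, but never both at once
    ("carol", "203.0.113.9",   "2024-01-15T08:00", "2024-01-15T09:00"),
    ("carol", "192.0.2.40",    "2024-01-15T09:30", "2024-01-15T10:00"),
]


def find_concurrent_use(sessions, min_overlap_minutes=5):
    """Return {account: [(ip_a, ip_b, overlap_minutes), ...]} for sessions
    on one account that overlap in time from different source IPs."""
    by_account = defaultdict(list)
    for account, ip, start, end in sessions:
        by_account[account].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), ip)
        )

    findings = {}
    for account, rows in by_account.items():
        rows.sort()  # order by login time
        hits = []
        for i, (s1, e1, ip1) in enumerate(rows):
            for s2, e2, ip2 in rows[i + 1:]:
                if s2 >= e1:
                    break  # sorted by start: nothing later overlaps this one
                if ip1 == ip2:
                    continue  # same source, e.g. a second browser tab
                overlap = (min(e1, e2) - s2).total_seconds() / 60
                if overlap >= min_overlap_minutes:
                    hits.append((ip1, ip2, int(overlap)))
        if hits:
            findings[account] = hits
    return findings


if __name__ == "__main__":
    for account, hits in find_concurrent_use(SAMPLE_SESSIONS).items():
        print(account, hits)
```

A hit is a lead for review rather than proof of sharing: one person on a laptop and a phone produces the same pattern, and several people behind one proxy or NAT address produce none.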

Over time, more companies may look to forms of user identification -- such as keystroke authentication -- to establish who's using their accounts, says Shanahan, who clearly has a dog in that fight. "Companies are going to need a way to establish who's using their systems, and who's accessing the data," he says. "In the past, companies have used keystroke authentication primarily for controlling access, but we think it has a lot of potential as a means of monitoring the way accounts are being used."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
