Widespread Account-Sharing Threatens Corporate Security, Revenues

Many users break security defenses by simply handing over their credentials to colleagues, friends, experts say

You've just set up an end user with a new system account. Quick quiz: How will you know if the user is sharing that account with other users?

Account sharing -- the act of giving one's account information to others to save time or money or to bypass security processes -- is pervasive behavior in most organizations and online services, experts say. The problem: Most organizations don't know when it occurs or how widespread the practice is.

In a data leakage study released Wednesday by Cisco Systems, researchers reported that 44 percent of end users have allowed others to use their company-issued computers without supervision. Most of the respondents said they gave access to co-workers, but a significant portion also gave access to friends or family, and 5 percent admitted to giving out their passwords to individuals outside the company.

Recently, AdmitOne, a company that offers biometric authentication by "learning" the specific keystroke patterns of each individual user, has begun using its technology to monitor the actual behavior of account users. Using keystroke analysis, AdmitOne can go beyond simple analysis of IP addresses and tell how many users are accessing a specific account and where they're coming from.

"What we've found from doing assessments at a number of companies is that account sharing is a lot more widespread than most [IT] administrators think," says Matt Shanahan, senior vice president at AdmitOne. "Some IT people are overconfident; they think that there isn't much account sharing going on, or that the risk of the behavior is not that great. Others don't really want to know how much of it is going on because they don't want to have to remediate the problem. But it's happening, whether they want to deal with it or not."

AdmitOne recently did a keystroke analysis assessment at a major automotive exchange that allows buyers, suppliers, and other members of the supply chain to share information by subscribing to a common network. "What we found was that about 33 percent of the accounts on the network were being shared, and that there were 57 percent more users on the network than there were subscribed accounts," Shanahan says. In another assessment, AdmitOne analyzed the use of the multiple listing services (MLS) that realtors use to collect and store data on the sale and purchase of homes and property. In that case, the company found about 12 percent of the licensed MLS accounts were being shared, and there were approximately 15 percent more users in the system than there were licensed accounts.

"We found out, in the course of the assessment, that some realtors were actually selling their [MLS] credentials to other people," Shanahan recalls. "It turns out that the information on who buys or sells a house is pretty valuable to other companies, such as moving companies, who are willing to buy their way [into the system]."

The problem with account sharing, Shanahan explains, is that there's really no good way to track it. "You can use IP addresses, which can help you identify problems, but there are a lot of users who use proxies or who move around a lot, so it doesn't really tell you everything you need to know. A lot of organizations don't see it as a problem, partly because they don't really know when it's happening."

For most companies, account sharing is perceived as a back-end security problem. But for companies that rely on online subscriptions as a primary revenue stream, account sharing can mean lost income. "If you're running The Wall Street Journal or World of Warcraft, and you've got multiple people sharing a single subscription, you're losing customers," Shanahan observes. In one assessment, AdmitOne estimated the losses associated with account sharing at more than $8 million, he says.

What can IT people do to mitigate the occurrence of account sharing? The first thing you need is a policy, Shanahan says. "There are situations where account sharing makes sense," he notes. "The key is that you want to define who should have access to the account, whether it's one person or several."

The next step, Shanahan adds, is to add an enforcement mechanism. "Multifactor authentication is a good first step," he says. "Make sure you have a method for ensuring that only the people who are authorized to use the account can use it." Analysis of IP addresses and user locations can help establish logon patterns and identify anomalies, he observes.
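The IP-address analysis of logon patterns mentioned above can be sketched as follows. This is an added example, not code from the article or from AdmitOne; the log format, account names and addresses are constructed, and the choice to flag overlapping sessions from different source IPs (rather than a raw distinct-IP count, which also matches users who simply move between networks) is an assumption of the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: ISO timestamp, account, source IP, event.
SAMPLE_LOG = """\
2024-03-04T08:00:00 alice 198.51.100.10 login
2024-03-04T08:30:00 bob 203.0.113.5 login
2024-03-04T09:00:00 bob 203.0.113.5 logout
2024-03-04T09:15:00 alice 192.0.2.77 login
2024-03-04T10:00:00 alice 198.51.100.10 logout
2024-03-04T11:00:00 alice 192.0.2.77 logout
2024-03-04T12:00:00 bob 198.51.100.44 login
2024-03-04T12:45:00 bob 198.51.100.44 logout
"""

def parse_sessions(log_text):
    """Pair login/logout events into (account, ip, start, end) sessions."""
    open_logins, sessions = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, event = line.split()
        when = datetime.fromisoformat(ts)
        if event == "login":
            open_logins[(account, ip)] = when
        elif event == "logout" and (account, ip) in open_logins:
            sessions.append((account, ip, open_logins.pop((account, ip)), when))
    return sessions

def find_concurrent_use(sessions):
    """Return {account: [(ip_a, ip_b), ...]} for time-overlapping sessions from different IPs."""
    # Assumption: one person rarely holds two live sessions from two IPs at once.
    by_account = defaultdict(list)
    for account, ip, start, end in sessions:
        by_account[account].append((start, end, ip))
    findings = defaultdict(list)
    for account, items in by_account.items():
        items.sort()  # order by session start time
        for i, (s1, e1, ip1) in enumerate(items):
            for s2, e2, ip2 in items[i + 1:]:
                if s2 >= e1:
                    break  # sorted by start: no later session overlaps this one
                if ip1 != ip2:
                    findings[account].append((ip1, ip2))
    return dict(findings)

if __name__ == "__main__":
    print(find_concurrent_use(parse_sessions(SAMPLE_LOG)))
```

In the sample, bob logs in from two addresses at different times and is not flagged, while alice's two overlapping sessions are; shared proxies or NAT can still hide sharers behind one address, so the result is a lead for review rather than proof.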

Over time, more companies may look to forms of user identification -- such as keystroke authentication -- to establish who's using their accounts, says Shanahan, who clearly has a dog in that fight. "Companies are going to need a way to establish who's using their systems, and who's accessing the data," he says. "In the past, companies have used keystroke authentication primarily for controlling access, but we think it has a lot of potential as a means of monitoring the way accounts are being used."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
