August 15, 2019 by Jason Contant
Underwriters can better price cyber insurance if they have a clear understanding of a user’s real risk of being breached. To do that, it’s essential to understand when a user’s email and password combination has been exposed in a previous data breach.
Real-time application program interfaces (APIs) on the market can examine, for example, all of a company’s domains to see which employees have had their credentials exposed, says Chris LaConte, chief strategy officer with Texas-based account takeover prevention company SpyCloud.
“We can tell them if those people are in combination lists,” LaConte told Canadian Underwriter in an interview last week. “That means those [usernames and passwords] are actively getting tried.”
Combination, or combo, lists include usernames and passwords exposed in a combination of multiple breaches, sometimes with millions or even billions of credentials. Attackers can then use them to “credential stuff,” that is, try those username/password combinations to take over somebody’s account.
“So, if you’re underwriting, you can put in that domain and get back the high-level results on here’s how many records have been exposed and here’s how recently they were exposed,” LaConte said of an API solution. “You can get all of this data you can use as part of your underwriting process.”
For example, the API could identify if one particular type of company or sector has a lot of credentials or plain text passwords breached. “And then you can ask the question during the underwriting process: ‘What do you do to mitigate compromised credentials?’ So, you are able to assess that risk in a much better fashion, but you need to have the data behind it instead of just asking the questions and looking for the checkbox.”
According to recent data breach reports from Verizon, the number one hacking tactic that causes a breach is compromised credentials.
Account takeover is easier than you think. Bad actors can take open-source credential stuffing tools that can be easily downloaded off the internet and use information from a combo list to breach an account. “It’s an easy thing for even less sophisticated actors to do,” LaConte said.
“They’ll take those combo lists, they’ll put them into these programs and these programs are super intelligent,” LaConte said. “They can actually go and bad actors can say, ‘Hey, I’ve compromised accounts on this site and I know what it does to try and sniff out credential stuffing. I know after five login attempts from the same IP, it’ll lock that IP.’ So that software can literally change now every four logins; it’ll try a different IP address to avoid it.”
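The evasion LaConte describes is why per-IP lockout alone misses credential stuffing. The sketch below is an added example, not code from the article or from SpyCloud: it runs a constructed login log through the five-attempt per-IP rule he mentions and through a check that counts distinct failing usernames per time window regardless of source IP. The window size, the username limit and all addresses and account names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

PER_IP_LOCKOUT = 5      # per-IP failure threshold quoted in the article
WINDOW_SECONDS = 300    # assumed fixed detection window
MAX_FAILED_USERS = 20   # assumed limit on distinct failing usernames per window

def constructed_events():
    """Constructed log of (timestamp, ip, username, success) tuples."""
    events, t = [], 0
    # 40 source IPs, 4 failed logins each, a different username every time
    for ip_n in range(40):
        for k in range(4):
            user = f"user{ip_n * 4 + k}@example.com"
            events.append((t, f"198.51.100.{ip_n}", user, False))
            t += 1
    # Ordinary traffic: one clean login, one typo followed by a success
    events += [(10, "203.0.113.7", "alice@example.com", True),
               (50, "203.0.113.8", "bob@example.com", False),
               (55, "203.0.113.8", "bob@example.com", True)]
    return sorted(events)

def per_ip_lockouts(events):
    """IPs that the per-IP rule would lock out."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n >= PER_IP_LOCKOUT}

def stuffing_windows(events):
    """Windows where too many distinct usernames fail, whatever the source IP.

    Returns {window_index: (distinct_failed_users, distinct_ips)}.
    """
    buckets = defaultdict(lambda: (set(), set()))
    for ts, ip, user, ok in events:
        if not ok:
            users, ips = buckets[ts // WINDOW_SECONDS]
            users.add(user)
            ips.add(ip)
    return {w: (len(u), len(i)) for w, (u, i) in buckets.items()
            if len(u) > MAX_FAILED_USERS}

if __name__ == "__main__":
    log = constructed_events()
    print("per-IP lockouts:", per_ip_lockouts(log))
    print("flagged windows:", stuffing_windows(log))
```

On this log the per-IP rule locks out nothing, while the username-based check flags the window because failures are spread thinly across many addresses but concentrated in time.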
A report from Akamai, a secure digital platform creator, released in April found that Canada is the third most targeted country in the world for credential stuffing attacks, with nearly 1.5 billion accounts in 2018.