Employees have no qualms in selling corporate passwords

Plenty of people are careless with their own personal passwords -- using the same one for multiple sites, and/or making them so simple that they are comically easy to crack -- but hardly anyone would intentionally sell them for a few bucks to someone they know would use them to do them harm.

Apparently, however, some of them don't have those qualms about selling corporate passwords. A recent global survey of 1,000 employees at large organizations (more than 3,000 workers), commissioned by vendor SailPoint, found that one in seven would sell their password to an outsider for as little as $150.

This is not a new problem, however. And $150 is, relatively speaking, big bucks. A 2012 survey conducted in the UK found that almost half of the respondents would sell their corporate passwords for less than 5 pounds, while 30% would sell them for just 1 pound.

It also doesn't surprise people like Christopher Frenz, a faculty member at New York City College of Technology, who said, "other research groups were able to get people to reveal their passwords for something as small as a chocolate bar."

But Frenz added that it is important to know how rigorous such research is. "These surveys tend to interview people who self-select themselves for participation, so they're not a representative cross section," he said. "They (the surveys) often lack proper controls, and do not typically try to verify if the user is actually revealing a real password. It makes you wonder how many people just make up a password on the spot for the free chocolate or the few dollars?"

Still, even if the actual percentage is smaller than the surveys found, it is enough to blow a major hole in any company's data security.

"Human beings are fallible, and this sort of issue is a real problem," said Muddu Sudhakar, CEO of Caspida, recalling headlines in January about a Morgan Stanley financial adviser who was fired after he allegedly stole account information from about 350,000 wealth management clients and posted the information of 900 online.

In that case, the leaked information reportedly included names and account numbers but not passwords. But it clearly illustrates that insiders offering sensitive corporate information for sale can indeed be "a real problem."

One obvious question is why even a minority of workers would risk losing their jobs, and therefore not just their immediate livelihood but also their entire career, for just a few bucks?

Joseph Loomis, founder and CEO of CyberSponse, said employee loyalty should not be assumed. "How many employees do you know who truly care about the organization where they work?" he said. "Excluding some of the top organizations in the marketplace, employee morale or care is always a concern for triggering insider threats."

Sudhakar said he suspects workers know that if their personal passwords were compromised, the consequences would be certain and severe, while they might view a corporate password as, "someone else's problem or think there might not be a consequence to misusing it."

Frenz said some workers might not realize how important their corporate passwords are. "This is particularly true if the data they handle at work would not normally be considered sensitive," he said, "as they likely fail to grasp that their account may provide a doorway that can be used as a staging ground to gain access to more sensitive data via privilege escalation and like methods."

Sudhakar agreed. A compromised password is just the first step, he said. "Bad guys establish a foothold within the enterprise, escalate privileges, move laterally to get at the data, maintain their presence until they can get at sensitive data and exfiltrate the goodies," he said.

Some argue that selling passwords is not as big a problem as weak passwords, because weak passwords are so easy to hack. Indeed, any password of fewer than 10 characters that is an actual word, even in reverse with a few upper-case letters thrown in, is like an unlocked door to hackers with even minimal skills and the right software. That, they say, makes for a sale price of next to nothing.

Loomis doesn't buy that entirely. He said offering passwords for sale does make it easier for criminals, since it eliminates them having to try even two or three times to gain access -- an anomaly that security countermeasures could pick up as suspicious.
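Loomis's point, shown as an added example that is not part of the original article: a rule that flags failed attempts before a successful login catches guessing, but stays silent when the correct password is entered on the first try. The log format, user names, addresses and threshold below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample authentication events (not real logs).
# Format assumed for this example: "timestamp user source_ip result"
SAMPLE_LOG = """\
2015-03-02T08:01:10 alice 203.0.113.7 FAIL
2015-03-02T08:01:19 alice 203.0.113.7 FAIL
2015-03-02T08:01:31 alice 203.0.113.7 SUCCESS
2015-03-02T08:05:02 bob 198.51.100.23 SUCCESS
2015-03-02T09:12:44 carol 192.0.2.15 FAIL
2015-03-02T09:13:05 carol 192.0.2.15 SUCCESS
"""


def parse(log):
    """Yield (timestamp, user, ip, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("FAIL", "SUCCESS"):
            yield tuple(parts)


def review(log, threshold=2):
    """Apply a failed-attempts-before-success rule.

    Returns (flagged, silent):
      flagged: {user: failures} for successes preceded by >= threshold
               consecutive failures (the anomaly the rule can see)
      silent:  users whose successful login did not trip the rule
    """
    streak = defaultdict(int)   # consecutive failures per user
    flagged, silent = {}, []
    for _ts, user, _ip, result in parse(log):
        if result == "FAIL":
            streak[user] += 1
            continue
        if streak[user] >= threshold:
            flagged[user] = streak[user]
        else:
            silent.append(user)
        streak[user] = 0        # a success resets the streak
    return flagged, silent


if __name__ == "__main__":
    flagged, silent = review(SAMPLE_LOG)
    print("flagged:", flagged)
    print("not flagged:", silent)
```

A login made with a purchased password looks like bob's entry here: one success, no failures, nothing for this rule to flag.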

Whatever their value on the market, a relatively new group -- the FIDO (Fast Identity Online) Alliance -- says it is one more reason to eliminate passwords entirely.

FIDO Vice President Ramesh Kesanupalli, also founder of Nok Nok Labs, said in a statement that, "enterprise users selling passwords demonstrates yet another example of how flawed and risky password-centric authentication is."

FIDO, a nonprofit formed in 2012, has developed a two-factor authentication system that, "exchanges cryptographic data with FIDO servers -- not vulnerable personal information of any kind," Kesanupalli said.

Still, even with authentication credentials much more secure than passwords, if people are willing to sell them, the problem remains, or perhaps could be even worse, since those credentials would likely be more valuable.

That, experts say, means better security awareness training is essential. Frenz said it is important to let employees know that it is not just corporate data that is at risk. "Reminding people that work not only stores customer data but a lot of their personal data in the form of HR and payroll records can often help to put things in perspective," he said.

And the website Malicious Link, in a recent post, argued that enterprises need to understand the psychology of employees and to provide incentives for them not to be tempted to sell their credentials.

If security professionals become, "familiar with the emerging studies under the banner of cognitive psychology/behavioral economics," they will be able to understand "irrationalities" in human judgment, and, "design better incentive systems and security control schemes," the post said.

The good news, according to Sudhakar, is that even if people willingly sell or compromise their credentials, technology has gotten better at spotting the inevitable breach that follows.

"Innovations in data science and machine learning are improving early breach detection from compromised credentials or insiders gone bad," he said.

That, combined with better training and an awareness of disgruntled employees, may be the best defense. As Frenz notes, passwords do have a major advantage over other, more secure, forms of authentication like biometrics.

"They are very easy to change once compromised," he said.

Stories by Taylor Armerding
