Use of Stolen Credentials

Threat Category: Authentication: User or Device to Remote Service

ID: AUT-0

Threat Description: Attackers able to steal authorized credentials could potentially login to sensitive services or devices, and gain unauthorized access to privileged information.

Threat Origin

Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices ¹

Exploit Examples

CBS App & Mobility Website ²

The Fork ³

Star Q8 ⁴

Corriere Della Sera App ⁵

LaTribune ⁶

Card Crypt ⁷

Starbucks Caught Storing Mobile Passwords in Clear Text ⁸

CVE Examples

Not Applicable

Possible Countermeasures

Enterprise

To hinder an authentication attempt with a stolen credential, use anomaly detection based on user activity to detect abnormalities (e.g. authentication from new domains, unusual times, or to rarely-accessed services) and require additional authentication steps before granting access.

To mitigate an attacker’s ability to achieve authentication using a stolen credential, when possible, configure services to use multi-factor authentication. Ideally, the additional factor should be provided by a separate device than the one being used to perform primary authentication (e.g., laptop and mobile app). Further, avoid the use of SMS messages for 2FA codes, as SMS messages can be readily intercepted.

To limit the value of stolen credentials to an attacker, use centralized identity and access management tools that permit simultaneous revocation of stolen authentication credentials across all access control mechanisms and terminate active sessions based on those credentials.

To limit the value of stolen credentials, enforce a policy that limits the maximum age of credentials and limits the use of identical or similar credentials.

To limit the value of stolen credentials, enforce an access policy that restricts the resources a user can access based on location parameters (e.g. domain, IP address, MAC address, geolocation) of the authentication request.

Incorporate the principle of least privilege to limit lateral movement by an attacker with stolen credentials.

To limit the potential for predictive attacks on new passwords, employ authentication mechanisms that utilizes randomly generated one-time passwords or tokens for access from untrusted locations.

To prevent an attacker with a stolen password from locking out the legitimate user or defining new credentials, require 2-factor authentication mechanisms to change authentication credentials or credential recovery processes.

Mobile Device User

References

L. Neely, Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices, SANS Institute, 2016; www.sans.org/reading-room/whitepapers/analyst/mobile-threat-protection-holistic-approach-securing-mobile-data-devices-36715 [accessed 8/25/2016] ↩
CBS App & Mobility Website, Wandera Threat Advisory No. 192, Wandera, 23 Mar. 2016; www.wandera.com/resources/dl/TA_CBS.pdf [accessed 8/24/2016] ↩
The Fork, Wandera Threat Advisory No. 154, Wandera, 14 Jan. 2016; www.wandera.com/resources/dl/TA_The_Fork.pdf [accessed 8/24/2016] ↩
Star Q8, Wandera Threat Advisory No. 152, Wandera, 10 Jan. 2016; www.wandera.com/resources/dl/TA_StarQ8.pdf [accessed 8/24/2016] ↩
Corriere Della Sera App, Wandera Threat Advisory No. 74, Wandera, 29 Aug. 2015; www.wandera.com/resources/dl/TA_CorriereDellaSeraApp.pdf (accessed 24 Aug 2016) ↩
Z.Maldonado, Jailbreak Vulnerability & Mobile Security Updates, Polytechnic University of Puerto Rico, 2018; https://prcrepository.org/xmlui/bitstream/handle/20.500.12475/375/Articulo%20Final_Zedrick%20Maldonado.pdf?sequence=1&isAllowed=y [accessed 7/27/22] ↩
Card Crypt, Wandera Threat Advisory No. 142, Wandera, 9 Dec. 2015; www.wandera.com/resources/dl/TA_CardCrypt.pdf [accessed 8/24/2016] ↩
E. Schuman, “Starbucks Caught Storing Mobile Passwords in Clear Text”, Computerworld, 15 Jan. 2014; www.computerworld.com/article/2487743/security0/evan-schuman–starbucks-caught-storing-mobile-passwords-in-clear-text.html [accessed 8/25/2016] ↩