I know – you may not actually be responsible for security at a bank – but that doesn’t matter because if you ever handle credentials on any site whatsoever, you’re holding banking credentials. And you’re holding Gmail credentials and Facebook ones and, well, probably the credentials of any conceivable site you can imagine. I know this comes as a shock so let me explain:
I recently started getting a bunch of people reaching out and asking if I knew anything about Baidu spam being sent via Skype. The insinuation was that Skype had suffered some form of a data breach and it was being used either to send people direct to “the Chinese Google” or was using an open redirect on Baidu to then bounce people on to other (assumedly malicious) content. And then today with absolutely no degree of surprise whatsoever, I read that the source of the issue is being attributed to reused credentials across other sites. In fact, that piece singles out the LinkedIn breach from earlier in the year, but of course the same rationale applies to any one of a huge number of breaches that have occurred in recent times.
And it brings me back to the point of this piece: credential reuse means that in any given system, there are valid usernames and passwords used on other systems. We all know people reuse passwords and whilst we may not like to admit it, we’ve all done it ourselves at one time or another too. But the angle that I find most intriguing about all this is how it should change the attitude of those building any system that manages credentials.
Here’s what I’ll often hear: “The data in our system isn’t really important so we don’t need to worry as much about security”, or some variation thereof. It could be, say, a commenting engine on a news site which by most reasonable measures is not particularly sensitive in terms of the nature of the content and by extension, doesn’t deserve the same level of protection as something which was deemed to be more valuable. But flip that thinking around for a moment and consider how the value changes once you acknowledge what else those accounts may unlock.
Now I get it – this is ultimately the users’ fault for reusing their password – but if your site gets popped and that then leads to a compromise of someone’s other online assets, you know where they’re going to point the blame. It’s not a new problem either, I wrote about it many years ago and certainly it was happening well before then too.
Now I’m not saying that every site should be built to bank grade levels of security (which incidentally, isn’t always a good thing anyway), but what I am saying is that we need an attitude adjustment from believing that only the assets we’re charged with protecting are the ones that deserve our attention. We need to realise that ultimately, we’ve become inadvertently responsible for the security of a much broader ecosystem than just our own.