Wednesday, August 31, 2016

Fighting Account Takeovers with Cloud Intelligence

One of the most important and yet challenging aspects of defending web applications is the ability to prevent account takeover attacks.

Once an account is taken over, the damage can include the owner losing access to and control over the account, exposure of personal data, and fraudulent transactions. So why is account takeover prevention so challenging? A recent article on the breach of Taobao, Alibaba Group's Chinese e-commerce marketplace, may offer a potential answer:

“Taobao, China's largest online marketplace that operates in a similar fashion to eBay and Amazon, has been hit with an attempted cyber-attack as hackers successfully compromised more than 20 million user accounts linked with the service. The hackers, who have already managed to amass a vast database of 99 million usernames and passwords from a number of Chinese websites unrelated to Taobao, eventually discovered that a significant amount of the data matched active user accounts on the popular ecommerce website.”

The Taobao case shows how attackers keep getting into well-defended web applications without breaking their defenses at all. Users create credentials for a highly secured application and then reuse the same username and password on another, less secure website. Once attackers breach that weaker site, they replay the stolen credentials against the fortified application (a technique known as credential stuffing) and walk straight into the user's account.

Here is the challenging part: a fortified web application has no control over this scenario, and its password-based authentication is of little use, because the attacker presents exactly the credential the legitimate user would. The application cannot tell the two apart from the password alone; it has to rely on other signals, such as where the login comes from, how many different accounts the same source is trying, and whether the credential is already known to have leaked. Despite the poor password hygiene of users, it ultimately remains the responsibility of the application to fortify its defenses and protect sensitive user data.
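The point about relying on signals other than the password itself can be made concrete with a small detector. The following is an added example, not code from the original post or from the vendor it links to. It assumes a constructed, simplified login-log format (ISO timestamp, client IP, username, SUCCESS or FAIL) and flags a source that tries many distinct usernames with roughly one attempt each and a high failure rate, which is the signature of a credential list being replayed; the successful logins from such a source are the accounts whose reused passwords have evidently leaked elsewhere.

```python
"""Credential-stuffing detection over login logs (added example).

Assumed log format, one attempt per line (hypothetical, not a real product's):
    <ISO-8601 timestamp>Z <client_ip> <username> <SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample traffic, not real data. 203.0.113.7 sprays a stolen
# credential list (many users, about one attempt each, two of them hit);
# the other two clients look like real users mistyping their own password.
SAMPLE_LOG = """\
2016-08-31T10:00:01Z 198.51.100.4 alice FAIL
2016-08-31T10:00:05Z 198.51.100.4 alice SUCCESS
2016-08-31T10:00:10Z 203.0.113.7 bob FAIL
2016-08-31T10:00:11Z 203.0.113.7 carol FAIL
2016-08-31T10:00:12Z 203.0.113.7 dave SUCCESS
2016-08-31T10:00:13Z 203.0.113.7 erin FAIL
2016-08-31T10:00:14Z 203.0.113.7 frank FAIL
2016-08-31T10:00:15Z 203.0.113.7 grace FAIL
2016-08-31T10:00:16Z 203.0.113.7 heidi FAIL
2016-08-31T10:00:17Z 203.0.113.7 ivan SUCCESS
2016-08-31T10:00:18Z 203.0.113.7 judy FAIL
2016-08-31T10:00:19Z 203.0.113.7 mallory FAIL
2016-08-31T10:05:00Z 192.0.2.9 bob FAIL
2016-08-31T10:05:20Z 192.0.2.9 bob FAIL
2016-08-31T10:05:40Z 192.0.2.9 bob SUCCESS
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(when, ip, user, result == "SUCCESS"))
    return attempts


def flag_stuffing_sources(attempts, window=timedelta(minutes=5), min_users=5,
                          max_attempts_per_user=2.0, min_fail_rate=0.5):
    """Return the set of client IPs whose activity inside any sliding window
    looks like credential stuffing: many distinct usernames, few attempts
    per username, mostly failures. Thresholds are illustrative; tune them
    against the application's own baseline."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = set()
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.ts)
        lo = 0
        for hi in range(len(events)):
            # Advance the window start so it spans at most `window`.
            while events[hi].ts - events[lo].ts > window:
                lo += 1
            win = events[lo:hi + 1]
            users = {a.user for a in win}
            if len(users) < min_users:
                continue
            attempts_per_user = len(win) / len(users)
            fail_rate = sum(not a.ok for a in win) / len(win)
            if attempts_per_user <= max_attempts_per_user and fail_rate >= min_fail_rate:
                flagged.add(ip)
                break
    return flagged


def accounts_hit_by(attempts, flagged_ips):
    """Accounts that logged in SUCCESSFULLY from a flagged source. These are
    the ones to lock or force a password reset on: the attacker already had
    a working credential for them, almost certainly reused from another site."""
    return sorted({a.user for a in attempts if a.ip in flagged_ips and a.ok})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    sources = flag_stuffing_sources(log)
    print("stuffing sources:", sources)
    print("accounts to reset:", accounts_hit_by(log, sources))
```

A real user who fails a few times against one account (192.0.2.9 above) never reaches the distinct-username threshold and is left alone. The obvious weakness of this per-IP heuristic is an attacker who spreads the list across a botnet so that each IP tries only one or two accounts; that is the case where a shared reputation feed about which addresses are currently being used for credential replays against other sites adds what a single application's own logs cannot see.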

Read more about it at http://www.infosecurity-magazine.com/blogs/fighting-account-takeovers-cloud/
