Seeking to protect its users from increasingly prevalent credential stuffing attacks, privacy protection company Surfshark has introduced two-factor authentication (2FA) as a new security measure for password verification. With two-step authentication enabled, every attempt to log in to the VPN service must be accompanied by a six-digit passcode. Surfshark is the first VPN provider to offer 2FA as an optional feature, which decreases the likelihood that the user's password will be guessed using automated tools.
"The vast majority of recent breaches that made headlines are password-related. Every week thousands of leaked user IDs and passwords enter the dark web. Advanced hackers use software that can generate as many as 8 million password guesses a second. It takes up to a few minutes to crack an obscure and complex password that is made up of several different types of characters," explains Naomi Hodges, a cybersecurity expert at Surfshark. "Additional security methods such as 2FA help users protect their accounts from this kind of brute-forcing attack."
Brute-forcing, an old attack method, is still effective and popular with hackers because it requires little effort to perform. In a standard attack, a malicious agent chooses a target username and runs candidate passwords against it, often drawing on unabridged dictionaries and augmented (mutated) word lists.
"A trend of reusing the same passwords for different services and adopting poor security habits points to a broader problem: having an optimistic mindset that our credentials are not worth hacking. However, attacks such as credential stuffing take advantage of reused credentials, thus every password is a valuable asset," says Naomi Hodges.
According to a Shape Security report, over 90% of login traffic comes from credential stuffing. In this attack, a hacker takes credentials leaked from one site and uses them in large-scale automated login requests to gain unauthorized access to user accounts on other sites. It is even more dangerous than blind brute-forcing, where hackers try to take over accounts without such relatively precise starting information.
Cybercriminals find matches between leaked credentials and live accounts 0.1 to 2 percent of the time. However, once an account is compromised, the attacker can steal all of the information it holds or illegally resell access to the platform to other people.
"Last year, we launched HackLock, which operates as a breach detection mechanism to alert our users about leaks of their credentials such as email and passwords, prompting them to take the necessary security measures. Our user security remains one of the key things that we are working on to keep improving in 2020," says Naomi Hodges.