Insider threats have been a major concern among IT security professionals for decades. Password theft and password sharing have been, and continue to be, among the most harmful of these. Fortunately, with the advent of context-based authentication, organizations now have a powerful mechanism to help prevent insider password theft and abuse.

Cybercrime by Insiders Is the Most Damaging Type

Some of the most damaging cybercrimes of all time have been committed by insiders. U.S. intelligence agencies will probably never fully recover from the fallout caused by insider Edward Snowden, who used passwords he obtained from coworkers to access and divulge classified material. The U.S. Office of Personnel Management suffered a massive data breach in 2015, when 4.2 million employee accounts were compromised through a government contracting agency.

Of course, not all organizations are as big, or stand to lose as much, as Target or the CIA. But even small enterprises with a modest amount of sensitive data, or firms using single sign-on systems where one password provides access to multiple applications, can suffer significant losses at the hands of a corrupt insider. The 2015 Data Breach study by the Ponemon Institute found the average cost of a breach to be $3.8 million dollars, with the average compromised record costing $154 dollars.

Passwords Are Often the Weakest Link

In light of these tremendous losses, it’s only natural to ask, “How are these inside crimes being committed?” Sadly, the answer has not changed in many years. Numerous studies have shown that passwords are often the weakest link in the security chain, with password theft being responsible for most significant breaches and attacks. Verizon Data Breach Investigations Reports in the past also confirmed this unfortunate reality, indicating that stolen passwords, now the cause of two out of three breaches, continue to be the most common way that sensitive information is obtained.

Password Theft By Insiders Is Common

Password abuse or theft by insiders is more common than one might think. Insiders obtain their coworkers’ login credentials through countless methods, and while some violators are criminally motivated from the start, others acquire passwords, initially at least, for simple convenience or just out of curiosity. Unfortunately, the mere possession of powerful passwords can entice one to use them inappropriately, and to share or sell them.

Password Theft by Insiders

Is a significant problem for organizations today. In most cases, users share passwords as a matter of convenience, even though they know it’s against company policy. It’s common for users to forget a new password and ask a colleague for theirs in order to continue working. Sometimes passwords are shared to work around complicated password policies. Occasionally users are late, or unable to get to their computers to perform a needed task, so they provide passwords to a coworker who logs in for them. InsightExpress, a research firm commissioned by Cisco Systems, studied 2,000 IT professionals in 10 countries and found that 18 percent of employees had recently shared their passwords with coworkers, even though this practice was forbidden. The percentage jumped to 25 percent in some countries. Sadly, in all too many of these cases, despite a benign initial intent, the stolen passwords ended up being used inappropriately.

Sticky Notes

Attached to computer monitors, inside drawers, and cubicle walls often contain IDs and passwords. Intended as an aid for the legitimate user, these little stickers also tell the night janitor or anyone else in the area everything they need to know to access the system. It’s alarming to discover how often a quick search of employees’ work areas will reveal their login credentials.

WiFi and Network Sniffing

Are easy. It doesn’t take a lot of skill to capture user IDs and passwords traversing the corporate wired or WiFi networks. Hundreds of Internet articles and YouTube videos show how to capture passwords from wireless networks and Ethernet LANs. Furthermore, the necessary software utilities are freely available and easy to find. While many protocols encrypt login credentials, a significant number don’t, and a moderately skilled person can easily see coworkers’ passwords flowing over the network.

Password Cracking

Has been proven time and again to be a relatively simple procedure. Since insiders can generally get their coworkers’ IDs, all a thief needs to do is crack the associated passwords in order to gain unauthorized access. Individually encrypted passwords can often be captured by anyone on the network. Even worse, administrators can access the entire password database. Using freely-available “cracking” utilities, most of these passwords can be decrypted within minutes, if not seconds—even so called “strong passwords”.

Shoulder Surfing

Is another easy way to obtain a password. Many employees work in close proximity. Some actually work together, at least occasionally, at the same desk or system. Stealing a password is as easy as watching a coworker log in. Because it’s embarrassing to ask friends or supposedly trusted onlookers to turn away, most people will go ahead and type their passwords in full view of others who may be watching.

Retrieving Passwords

From a browser is also a relatively simple procedure. Most users enjoy the fact that their browsers can capture and replay their ID and passwords for virtually every site or application they connect to, thus automating authentication to those sites. Few realize that it’s a relatively simple procedure for anyone who has access to their browser’s files to extract and decrypt all of those login credentials. At the time of this writing, all of the major browsers are vulnerable to this attack (although some are significantly more secure than others). Several articles available to anyone via the Internet show how a moderately skilled technical person can recover passwords from browser files.


Can often be easily introduced by a coworker, either intentionally or accidentally. Password theft is a common objective of modern malware. With malware kits readily available, a semi-skilled insider can easily craft malicious code to grab passwords as users enter them.

Spear Phishing

Targets specific individuals, usually administrators or those with powerful privileges, and entices them to log into an imposter site that captures their password. While this attack is frequently executed by outsiders, insiders are known to use the technique as well, often with greater success.

Social Engineering

Can take many forms, but it usually requires knowing something about the victim. Insiders are in a perfect position to rob users of their passwords this way. Some of cybercrime’s most famous and costly attacks have been brought about by simple social engineering techniques.

Context-based authentication from ThreatMetrix protects organizations from the problems associated with traditional password security.


ThreatMetrix™ Context-Based Authentication Protects Organizations

Context-based authentication from ThreatMetrix protects organizations from the problems associated with traditional password security. It transparently detects hackers and imposters, even if they possess stolen but valid user IDs and passwords. Password theft is rendered meaningless, so there’s no incentive to use theft techniques like network sniffing, shoulder surfing, password sharing, browser retrieval, password cracking, or malware.

Context-based authentication works by examining the entire scenario surrounding each login attempt— analyzing much more than just credentials. For example, the user’s device is located geographically, and individually and uniquely identified. The device is also profiled for malware, or other threats and anomalies that indicate fraud or hackers. Specific characteristics and behaviors of both the user and the device are gathered from the world’s largest shared Digital Identity Network. Any association with botnets or crime rings is analyzed. Context-based authentication examines all of these elements, allowing the entire situation to be scrutinized and an appropriate risk score to be generated. This risk score is then used to determine, in real time, whether the user is legitimate or not.

Specific policies, established by the organization for each application, determine the thresholds and risks tolerated for access. An organization may, for example, establish policies requiring users to connect with devices registered specifically to them, and to be located within certain geographic regions. Legitimate users with new devices can register them using out-of-band authentication methods. Hackers, on the other hand, are immediately detected and denied access, even with valid IDs and passwords.

This solution allows the system to 1) develop a comprehensive view of everything pertaining to the attempted connection; 2) intelligently establish the level of risk and trust; and 3) make an informed decision as to whether access should be granted.

Powerful Features Not Found in Traditional Authentication Systems

Utilizing advanced analytics, along with custom policies and rules for each application, context-based authentication provides the following major features:

  • Specific Device ID: Using advanced technology, each PC, laptop, tablet, phone, or other device attempting to connect is profiled and uniquely identified, and devices are associated with specific individuals. Used in conjunction with other features, Specific Device ID is a powerful way to determine accurate levels of risk and trust.
  • Frictionless Two-Factor Authentication: Utilizing both device ID and user login credentials, context-based authentication provides transparent, behind-the-scenes two-factor authentication. There’s no need to install anything on the device in question, issue hardware tokens, or to implement and manage the complex infrastructure required by most two-factor authentication systems.
  • Malware Detection: Context-based authentication’s SaaS approach accurately profiles devices attempting to connect to protected web applications, identifying malware and other threats that can compromise security.
  • Device History—Trust and Crime Associations: ThreatMetrix gathers shared intelligence from organizations all around the globe. Devices that have been compromised by malware and involved in crime or fraud attempts are identified, as are devices which intentionally attempt to penetrate unauthorized systems. Conversely, devices with high levels of trust are also identified.
  • Detection of Suspicious Connection Paths: Devices using TOR networks, VPNs, or other networks that attempt to hide or anonymize their location are identified.
  • Legitimate User Behavior: Context-based authentication establishes normal and legitimate user behaviors, including vital elements like IP addresses and geolocations normally used, language(s) utilized, devices used and their configurations, login times, frequency and speed of login attempts, and more.
  • Instant Recognition of Valid Users: Following initial or step-up authentication, new users and their devices (or existing users’ new devices) can be tagged as “trusted” for future encounters. Going forward, valid users won’t experience needless repeat step-up authentication, and can be granted access with minimal input or friction.

The ThreatMetrix Digital Identity Network

An essential element of context-based authentication is the ThreatMetrix Digital Identity Network. By leveraging the combined experience and intelligence of thousands of organizations around the world, all battling to detect and defeat cybercrime, ThreatMetrix can detect impostors and attacks that would otherwise be unidentifiable.

ThreatMetrix profiles tens of millions of users and their devices daily, and regularly processes hundreds of millions of logins and related transactions. The Digital Identity Network is the repository for this wealth of data. Devices infected with malicious malware, or associated with botnets or crime rings, are identified. In fact, any device involved in cyberattacks or suspicious activities is noted. When any of those devices later connect to your site, ThreatMetrix informs you of its history and risk, intelligently analyzes your custom policies and rules for the specific application, and helps you determine the correct course of action.

The Digital Identity Network detects, not only high-risk situations, but elements of trust as well.

The Digital Identity Network detects, not only high-risk situations, but elements of trust as well. Imagine that one of your users is visiting her sister’s home, and connects to your enterprise application with her sister’s device. The network will likely reveal that the device may be new to your user, but has been known by the ThreatMetrix community for many months with no suspicious history or threats. In fact, the new device might be “trusted” by numerous organizations, which have associated it with step-up authentication or valid transactions. With this information and associated trust scores from ThreatMetrix, you may elect to grant access without requiring step-up authentication, allowing your user frictionless access without compromising security.

The world’s largest and most comprehensive trust intelligence network, created by ThreatMetrix, makes all this possible.

Answer Critical Questions That Traditional Systems Can’t

Powerful features available only within context-based authentication can answer critical questions— questions traditional authentication systems can’t even begin to respond to. Because the solution understands the entire authentication scenario, questions like the following can be answered:

  • Is the password correct while other factors indicate it was stolen?
  • What is the risk tolerance of the target application? Low? Medium? High?
  • Is the device known to have been used by the legitimate user? Or is it an unseen and potentially untrusted?
  • Has this user passed secondary or out-of-band authentication while using this device? How long ago?
  • Has this remote device been associated with attempts to log into other user accounts on my site? Is that normal?
  • When a user attempts to log in with a new device, has the new device been seen before, either by your organization or by others in the shared Digital Identity Network? Has it already been tagged as trusted? Has it been tagged as non-trusted?
  • Does malware exist on the user’s device? Has the device been compromised?
  • Has the user’s browser been infected and compromised?
  • Is this session protected by a secure browser—one hardened against malware that may exist elsewhere on the user’s device? ?
  • Has the page, data, or information submitted by the user been altered?
  • Is the same device being used throughout the session? Could this session have been hijacked? Is there a man-in-the-middle attack occurring?
  • Is the device associated with suspicious users, botnets or other crime rings?
  • Where is the user or device located? What is the IP address or geolocation? Is this normal for this user? For similar users?
  • Is the user attempting to hide anything? Using an anonymizing network? Manipulating cookies? Using strange or abnormal device configurations?

All of the above questions should be answered before access to sensitive data or critical applications is granted. But since most traditional authentication systems only evaluate user login credentials, they can’t answer any of them.

ThreatMetrix™ Cybercrime Protection Platform

ThreatMetrix provides context-based authentication via its SaaS-based ThreatMetrix Cybercrime Protection Platform. This scalable and cost-effective solution allows enterprises, regardless of size, to implement effective authentication for any device, including mobile devices, without impairing the user experience.

The solution is unique in that it contains all of the advanced analytics and processes necessary for context-based authentication in one platform, including the following:

  • Device Profiling: ThreatMetrix provides the most advanced device identification and profiling available. Every device that accesses your website is positively and uniquely identified, and screened for anomalies that indicate a high-risk login or transaction. This prowling methodology leverages the Digital Identity Network of real-time device, user, and behavior data, as well as sophisticated technologies to detect cookie wiping, hidden VPN/proxy usage, and much more.
  • Malware Detection: When a user accesses your website, cloud-based technologies detect the presence of malware or other threats that can facilitate fraud or jeopardize the security of your applications and data. Man-in-the-browser, Trojan horses, and other malware threats are identified in real time for your protection. Client-based solutions can also be deployed, for applications that require a secure browsing solution.
  • Behavioral and Identity Analytics: ThreatMetrix analysis incorporates comprehensive details about online user identities and behaviors, such as usernames and passwords, email addresses, and more, into a dynamic Persona ID, the foundation for precise risk assessment.


Regardless of an organization’s size, the lion’s share of expensive and damaging cybercrimes have been carried out by, or through, insiders. With stolen passwords being criminals’ most common attack method, it’s crucial that organizations implement mechanisms to protect themselves against password theft and abuse.

It’s crucial that organizations implement mechanisms to protect themselves against password theft and abuse.

While numerous security measures are needed to protect an organization, effective authentication is perhaps the most important, since it is the key to everything else. Encryption is meaningless if an impostor gains access to accounts that are capable of bypassing, disabling or decrypting the data. Audit trails don’t help if they can be modified or erased by cybercriminals who have hacked into privileged accounts. Requiring administrative rights to access sensitive applications or additional security systems is a useless endeavor if fraudsters can become administrators. In short, if the authentication mechanism can be breached, everything else is at risk.

ThreatMetrix’s context-based authentication solution is straightforward to deploy and delivers a cost-effective solution to protect against password theft and abuse, and it does so without altering the experience of legitimate users. In fact, context-based authentication can enhance legitimate user access, providing secure, transparent access to keep users as productive as possible.

Organizations of all sizes should look to context-based authentication solutions as their first line of cyberdefense.

close btn