When Stolen Credentials are $7,100 a Set, You Need Behavioral Biometrics

The Register reports that stolen credentials are a booming business post-COVID, selling for $7,100 a set and more. Much of that illicit credential use could be stopped in its tracks with technology that exists today.

The Register recently reported  that initial access brokers are doing a brisk business following the work-from-home push of 2020. Among the items that they note are:

  • Stolen credentials going for an average of $7,100

  • Stolen credentials with RDP access going for an average of $9,800

These prices may be surprising to some, but they represent the reality in today's digital world—the fact that a set of valid credentials is the on-ramp to a privileged system. Get the credentials, get access to the system.

The Missing Human Check

This state of affairs is made possible by the fact that login credentials are, in essence, a kludge.

They were invented not because system administrators badly wanted to know that jsmith's favorite phrase was "3CatsInJello" but rather because they didn't have a way to enable systems to recognize jsmith himself and exclude everyone else.

The illicit credentials trade is stronger than ever in the work-from-home era. Maybe it’s time to find a new technology to unlock digital doors. © Fedecandoniphoto / Dreamstime

Arm jsmith with a secret phrase that only he knows and voila, only jsmith has access… until, as we all now know, jsmith's credentials end up for sale online for $7,100 to whomever would like to have his access to corporate systems.

What's missing from all of this is the answer to that original need:

  • A way to enable jsmith to use a system

  • while at the same time preventing anyone who isn’t jsmith from using it

It's Not 1988 Anymore

Given all of this, it stands to reason that the best way to put this cottage stolen-access industry out of business is to return to the original need and meet it in a better way.

What we need is a way to recognize jsmith himself, in other words, and not just a random phrase that jsmith (or, as we've seen, frankly anyone else) can use to get past login security.

Happily, an appropriate technology has been available for well over a decade now. Unhappily, many still don't know about it (as is evidenced by all of the credentials for sale when The Register goes poking about for them).

The technology in question is behavioral biometrics, and here's how it works:

  • System(s) are shown the unique ways in which jsmith moves, for example when typing or pointing with a mouse

  • Whenever anyone tries to log in or use a system, the system checks the would-be user’s typing or pointing behavior, to see they match the fingerprint-unique movement patterns of the intended user

  • If they do, login is allowed; if they don’t, login is prevented

Just as importantly, this technology works with all of the commodity computing hardware already deployed in the world—with entirely standard keyboards and pointing devices.

No revolution in corporate IT assets is required to make use of it.

Stolen Credentials, Zero Value

With behavioral biometrics on an authentication stack (or indeed, running in the background of a work session for real-time authentication—including on RDP sessions), those stolen credentials aren't useful any longer.

Even if an intruder enters good credentials at login, the system knows that the person attempting to log in isn't jsmith, meaning that all that phishing and all that cumbersome password rotation fade into limited relevance together.

So if this Register story—or our discussion of it above—resonates with you and your organization in any way, you should be talking to a behavioral biometrics provider like Plurilock.

Because nobody can steal the way that a user types—much less sell it for $7,100 on the dark web. ■