The Potential Dark Side of Synched Accounts

Synched accounts (e.g. Apple ID, Google Account, etc.) have been around for several years now, and their use has grown rapidly thanks to the convenience of keeping all of your personal information in one place. This includes passwords, browsing activity, personal likes and favourites, device tracking, and other data, all of which is stored in the cloud.

The addition of multi-platform support also makes these kinds of accounts very convenient to manage from any device. And with more and more internet-connected digital devices being integrated into our daily lives, it has become unfathomable that someone would not own a synched account. What about the security implications, though?

The Possible Dangers
It is common practice now to save your online credentials and use autofill features, or enable the ‘keep me logged in’ option, to eliminate the need to enter your username and password every single time you visit your favourite website or online store. This is a very convenient feature, especially in popular operating systems like Apple’s iOS/macOS and Android, or browsers like Google’s Chrome, Firefox and Safari, where users can create and use synched accounts to build a multi-device digital ecosystem. Account synchronisation on these systems allows more than just credential autofill: it also provides features like backup, activity history (across all devices), device tracking (find my phone) and added security in the form of two-factor authentication (2FA), to name a few.

However, these benefits also have downsides which need to be highlighted. Bear in mind that these downsides are not specific to any one platform but could affect any platform under certain conditions. Having your synched account (e.g. Google or Apple ID) accessed by an untrusted party is potentially devastating: once unauthorised access is gained, any information deemed useful can be stolen and misused.

The following behavioural points need to be considered:

  • When setting up a mobile device or smartphone, an account is required to use certain features and/or the device itself.
  • Modern web browsers ask to register or log into a synched account when they are first installed.
  • Whenever you enter user credentials you’ll be prompted to save them for autofill or auto-login, which then proceed without asking for confirmation.
  • Any device can be used to access a synched account for ease of access.
  • Your synched account is constantly logged in on the devices you own (PC, laptop, smartphone, tablet, TV, etc.).

This raises a few questions and concerns, details for which are provided below:

  1. Is the account secure?
  2. Are the synched devices secure?
  3. Who can access the devices/accounts and what level of access would be granted?

1. Is your account secure?
It’s become far more obvious that account passwords alone do not provide a high enough level of security, as they can be hacked, brute-forced (password guessing), exposed in a data breach or simply stolen through cleverly crafted phishing attacks.

Two-factor authentication (2FA) fills the gap by requiring a second form of identification, but it is a security feature that relies on the user to activate it and/or the company IT admin to enforce it. Most online services will not take responsibility for user accounts that have been compromised, since they consider the security of the account and its data the responsibility of the user. The role of most service providers is to make sure the infrastructure and services are always available and secured from a physical security standpoint, i.e. locked doors, high fences, 24/7 surveillance and so on. Privacy is also one of the responsibilities of the service provider.

However, privacy* and computer security** are two separate focal points of cyber security and should not be confused. Be aware of the following:

  • Make sure to enable whichever form of 2FA your accounts or devices support and enable login notifications (if available).
  • Log out of any inactive sessions.
  • Make a point of creating unique, secure passwords for each account.

2. Are the synched devices secure?
Devices can be secured via various techniques, such as strong passwords and antimalware software (if supported), but using encryption wherever possible is likely to be the best solution. Remember that access to the synched devices is a fairly high-risk matter. Truth be told, encryption is a rather technical and complex topic, so we’ll try to keep it as simple as possible.

Encryption is basically the act of protecting data by scrambling it with an algorithm so that it cannot be read without the key. Encryption can be more or less effective depending on the technique used. The technique typically uses a key which allows the owner or a trusted party to protect or access the data when it is entered.

For websites and most online services, encryption is provided by an SSL/TLS certificate. Whenever a website or online service shows https:// or a lock icon in the address bar, encryption is enabled. The advantage is that the information shared between the device and the cloud/online service is encrypted, which prevents external parties from reading or tampering with the communication traffic. A disadvantage is that the SSL certificate can only be enabled by the site owner, not the user. Sites without SSL can suffer from man-in-the-middle attacks, where an attacker is able to monitor traffic and potentially identify user credentials.

For devices like PCs, Macs and smartphones, full device encryption is generally available, but it is best to enable it when first initialising the device. Once enabled, the device has to be unlocked by the owner each time it is used or logged into, so anyone wanting access, trusted or otherwise, needs the owner’s permission. Be aware that the initial encryption (and any later decryption) can take some time, and the device offers little protection while it is still in the unencrypted state.

For software like standalone password managers that provide their own encryption, the stronger the encryption, the more secure the vault is. Standalone password managers rely on a dedicated master password and usually generate special QR or recovery codes to allow the master password to be reset. Good password managers request authentication every time an autofill entry is detected, before filling in the user’s data. This is a great alternative to the password managers built into most systems, as it offers much more security for storing account information. It makes more sense to use a standalone password manager wherever possible, instead of the synched or built-in password management solutions, to isolate and encrypt all of the different account credentials.

Encryption drastically increases security in each scenario. This is, however, dependent on the type of encryption used and when it is used. Make sure to enable it wherever possible. Also be sure to check whether SSL or https (the lock icon) is enabled on any website asking for user credentials or dealing in secure and private data. Integrated password managers which rely on the system password as the master password are vulnerable to various attack techniques, and they are completely useless once an attacker breaches the device’s security, hardware or software.

3. Who can access devices/accounts and what level of access would be granted?
Other people such as family, friends and colleagues should not have free access to devices that are constantly logged into an individual’s personal or business synched accounts, because even trusted people can expose the account to unwanted dangers. Give special consideration to the amount of private or corporate data stored within a synched account. Any breach of a synched account could very well have unrecoverable consequences.

Examples of this include:

  1. Data Breaches
  2. Phishing Attacks
  3. Brute-force attacks

1. Data breaches
Data breaches are a very common and frustrating form of credential exposure. During a data breach, private and personal information is exposed to threat actors and will likely be exfiltrated to unauthorised locations and servers. The exfiltrated data can contain email addresses, passwords, usernames, banking details, personal conversations, private addresses, and so on, and will likely be used to threaten the owner or demand a ransom, or be sold to the highest bidder.

Today’s world relies very much on this data and how much of it you possess. Legitimate companies literally make billions of dollars annually from the collection, use and sale of personal and private information and data. Facebook, for example, has an average of 1.8 billion active users on any given day and they are one of the many organisations that collect data from their users and use some of it to help generate targeted content and marketing campaigns.

Hackers have caught onto this trend and actively target data-collecting companies like Facebook, Google, Microsoft, Apple and others, or any vulnerable account, to gain a foothold in the system and exfiltrate the data. One person’s data may seem insignificant, but when you consider the sheer number of data points collected, it’s not difficult to conceive how it can be used. Threat actors can and will connect the dots (data points) until they find the information they need and use it maliciously.

You can regularly check, free of charge, whether an account has been exposed in a data breach using the following: F-Secure check for breaches

2. Phishing Attacks
Phishing attacks are the most common form of credential theft but are also the easiest to avoid. The primary attack vector is via an email campaign designed to trick the user into entering their login credentials by spoofing trusted service providers, websites or user email accounts. The forgeries range from those that are very well done and extremely convincing to others that are complete garbage riddled with errors (and clearly fake). The level of complexity depends on the skill of the threat actor.

The scary aspect of phishing attacks is how well some threat actors prepare their campaigns. With the emergence of the Covid-19 Coronavirus pandemic, we have witnessed numerous campaigns targeting people in financial difficulty with fake loans, fake infection maps, fake companies selling non-existent face masks and sanitisers, and so on. Phishing campaigns are especially effective against those in need, who are the most vulnerable targets.

Phishing attacks are, however, easily distinguishable from the real thing and only require a little attention to detail for users to avoid. For example:

  • Banks and other well-established companies do NOT send account statements as html (website) links.
  • Online retailers and delivery companies will not send unsolicited emails. If no purchases have been made from well-known retailers like Amazon or eBay, chances are that it’s a trick.
  • Full mailbox and account lockout emails are also very common. Ignore these emails and contact the administrator or service’s support channel to confirm. Never use the embedded links.
  • ‘Win/Won a Prize’ emails: Pay attention to the company apparently giving the prize away. If it cannot be confirmed with the company directly, it’s likely to be fake.
  • ‘Share to claim’ emails and links are pretty much always fake; never share these or you’ll be helping the threat actor distribute their campaign.
  • Pay special attention to links to websites which require a login to view files. Most sharing services will allow viewing and downloading the shared file without asking for login credentials. If it does require credentials, it may be a fake site. Take note of the file being shared and whether or not it’s expected from the sender.

3. Brute-force attacks
Brute-force attacks simply refer to login credential attacks in which a threat actor tries to break into an account or device by guessing the password. The guessing is done by a computer or server which can run almost indefinitely, processing thousands of credential combinations. The attacker provides the machine with a set of rules and points it at a service.

Brute-force attacks require the least effort but can also be more complex in the case of a targeted attack. For targeted attacks, the attacker will generally do some background checking and research on the target beforehand. If the user has been exposed in a breach, the attacker may already have a general idea of what the target password is. This is due to the fact that many people use one password for multiple services, at both work and home, and usually use variations thereof. With enough data, threat actors could crack a password using consumer desktop hardware within a few minutes.

Strong and complex passwords are a must: at least 12 characters, with numbers, symbols, and upper- and lowercase letters. A password should also not match any known word or phrase. Essentially, the harder it is for a human to remember, the stronger it is. This is where password managers really come in handy, to help generate and remember the passwords. But not all password managers are created equal, and some are easier to gain access to than others.

Password managers built into browsers are the least secure, as anyone who gains access to the device they are installed on is likely to also gain access to the browser and log directly into the saved services and sites using the history or favourites and autofill. This would allow them to take over any account saved in the browser, which is not a fun experience. Ideally one needs to do the following:

  • Use a password manager which supports an encrypted vault (encrypted password storage).
  • Use a tool to generate long and complex passwords, 12 characters or more.
  • Avoid using one password, or duplicated passwords, for multiple services.

Conclusion:
All things considered, synched accounts have been an evolutionary step which changed the way devices and the internet are used, and will be used in the future. The revolution of connected homes and offices is now upon us, making it nearly impossible not to own at least one synched account connecting and managing everything.

However, the implications of a synched account being compromised are not something anyone would want to be the victim of, as it means all devices, services, passwords, locks and access are affected too. Having an account with this level of access pwned would have dire real-life consequences at home and at work. The following needs to be adhered to in order to reduce such risks:

  • Secure your accounts
  • Use a secure and trustworthy password manager
  • Check for account exposure in data breaches regularly

* Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. When something is private to a person, it usually means that something is inherently special or sensitive to them. Wikipedia

** Computer security, cybersecurity or information technology security is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. Wikipedia