3rd Party Credentials

Storing login credentials within 3rd party apps can introduce significant security risks. I recently tested an application to determine its usefulness and fitness for purpose. As with several other applications experimented with over the years, this one included the option to integrate directly with other systems; in this case, one of the social media platforms. In the settings, a configuration option was available to add the user name and password so that the application could connect to access data directly. A couple of examples include:

  • Banking applications which allow connections to several bank accounts where data is collected from multiple sources to create a financial dashboard
  • Apps that connect to file storage systems, such as to catalogue songs and create playlists

These tools offer useful functionality, but there are security implications with this concept. Firstly, let’s not confuse this with single-sign-on (SSO) capability. Many websites and applications integrate with Facebook and Google for login purposes, but when signing in with Facebook or Google, the apps don’t have direct access to the login credentials. The quantity of data shared through this process has been controversial and has drawn vast media attention. However, the focus here is on cases where applications ask for login credentials to be entered and stored for subsequent use, and where the application has direct access to the credentials. Essentially, this permits the application to access other systems and, by extension, potentially gives humans access to those systems.

How do you know what these applications are going to do with your login credentials? The logon credentials could be stored securely, but could just as easily find themselves held in plain text in a database with little or no security. Applications can easily be custom made to offer something useful to the target audience, with the hidden agenda of capturing user credentials given willingly by their users.

Banking organisations and social media platforms invest significant resources to improve security. It doesn’t make sense to use them with apps that may have been developed by a small business or one person with minimal resources and information security capability.

Here are some options to reduce the risks:

  • Don’t give 3rd party user credentials to apps, websites or other services
  • Exercise vendor and application due diligence before adding 3rd party user credentials
  • If 3rd party application integration is essential, consider creating a dedicated account to use. Depending on the purpose, this may or may not be a viable option.

It is best practice never to share your username and password with anyone. Sharing your usernames and passwords with 3rd party applications can have the same or worse consequences.

Thoughts on Risk Analysis

There are several ways in which risks can be dealt with, depending on the circumstances and individual or corporate risk appetite.

  • Severity – the consequences of an event taking place
  • Probability – the likelihood of an event taking place
  • Risk = severity x probability – high probability and high severity equate to a high risk

It is also important to note the difference between Perceived Risk and Actual Risk:

  • Actual risk – quantifiable and based on objective data, for example, according to the Department of Transport, there were 1784 deaths, 25,511 serious injuries and 160,597 casualties of all severities from road traffic accidents in the United Kingdom in 2018. Media coverage was low.
  • Perceived risk – determined by individual perception and influenced by other factors such as news headlines, for example, Dutch aviation consulting firm To70 reported on 534 deaths in 2018 from passenger airline crashes. Almost every aeroplane crash becomes headline news, even in cases where there are no fatalities.

The perceived risk is that it is more dangerous to travel by passenger jet than to travel by car. However, the reverse is true when considering the actual risk. Statistically, it is far more dangerous to travel by car. A similar analysis shows that parachuting is statistically safer than crossing the road, whereas individual perception of the idea of jumping from a plane tells a different story.

The distinction is essential when it comes to managing risk to ensure that actions and investment are proportionate to the risk. Individuals and organisations often need to prioritise risks due to availability of resources, and consequently, investment in a perceived risk over dealing with an actual risk can be catastrophic. The reverse is also true. In cases where perceived risk influences a consumer’s decision to buy, a company can suffer substantial financial losses even if the actual risk is minuscule.

Ways of dealing with risk include:

  • Risk Avoidance
  • Risk Mitigation
  • Risk Acceptance
  • Risk Transfer

Risk Avoidance

Risk avoidance is about implementing alternative plans and solutions to circumnavigate the events which carry risk. With no possibility of an event taking place, it doesn’t matter how severe the consequences are because, in the ‘Severity x Probability’ formula, the risk becomes ZERO. It is, of course, possible that implementing alternatives may introduce different risks which need assessment, but that is another story.

Risk Acceptance

Risk acceptance is about accepting that the event will, at some point, take place, and accepting responsibility for the consequences when it does take place. The ‘Severity x Probability’ will help determine the appropriateness of accepting the risk. It is also necessary to consider:

  • The legality of accepting the risk
  • Does the person accepting the risk have the authority to do so?
  • Is the cost of risk mitigation proportionate to risk?
  • Is it sensible to accept the risk?

Businesses accept risks for all sorts of reasons, including:

  • Too expensive compared to the benefit
  • Insufficient finance to mitigate the risk
  • Insufficient human resources or skills to mitigate the risk
  • Mitigating the risk is a lower priority than other risks
  • Plans in place to mitigate risks at a later date

Keeping evidence of risk analysis along with conclusions reached and decisions made is essential.

Risk Mitigation

Risk Mitigation is about:

  • Reducing the probability of an event taking place
  • Reducing the severity of an event when it does take place

The cost of mitigation should be proportionate to the risk of not taking action.

Risk Transfer

Risk Transfer is the reduction of risk by transferring it to someone else or to another company:

  • An insurance policy – taking out an insurance policy essentially transfers some of the risks to the insurance company; how much depends on the insurance policy terms and conditions
  • Project Contractual Terms – engaging with 3rd parties to deliver projects or run services often includes terms and conditions of business which transfer risk from one party to another.

Only consider the transfer of risk if the party taking on the risk has the opportunity or means to reasonably reduce the risk, either on an ongoing basis or through adequate evaluation ahead of transferring risk.

Risk Transfer is essentially about paying someone else to take the risk, so it is crucial to make sure that the 3rd party can accept the risk, and for the 3rd party to receive sufficient reward to justify acceptance of the risk.

Wipe Before Selling

Before you sell, give away or recycle mobile phones, tablets, desktop computers, laptops or USB drives or other items with data storage such as cameras with memory cards, delete the data. It is, of course, necessary to make sure you have a safe copy of your data or fully operational replacement devices before disposing of your old devices. Consider what is on your device, such as:

  • Browser history
  • Saved passwords
  • Personal financial records
  • Photographs
  • Access to emails and social media accounts
  • Customer data
  • Retained links to licensed software
  • Active logins such as iCloud
  • Links to external storage services such as Dropbox, Google Drive and OneDrive

This list is not exhaustive, but what is essential is for you to think about what is on your device. Although gaining access to data on devices depends on the level of security implemented, assume that anyone who wants to access it will eventually get access; how far they go will be determined by the value of the data and the effort required to gain access. In the wrong hands, the data could be detrimental to personal safety and security. Where devices belong to businesses, the data could compromise the personal safety and security of employees or customers. If you are selling the device, the buyer will expect to be able to use it, so you are unlikely to leave any security enabled.

Several years ago, I bought a mobile phone from eBay and found that it still had 100s of personal contacts and numerous text messages that had not been deleted, including some in the outbox waiting to send. My initial thought was that I had purchased a stolen phone; however, upon further investigation and telephone conversations with contacts in the phone, I was able to confirm the sale was genuine, just that the seller had not wiped the phone. In this case, the previous owner traded in his phone for a newer model, and I bought the phone from the trader. The eBay listing showed the phone as ‘refurbished’, which didn’t include a factory reset.

Additional steps are often required to delete the data thoroughly. Storage devices work by having an index of files, and the index points to the physical location of where the data is stored. For speed of operations, deleting files often deletes the entry from the index leaving the data intact but no longer visible. If you don’t securely delete the files, someone could recover them.

  • Consider removing the hard disk from desktops and laptops and destroying them rather than attempting to delete the data securely. Industrial shredding services are available that will turn a hard disk into 1000s of small pieces of metal. You could use a hammer to render a hard disk useless. The approach taken should be relative to the value of the data you are trying to destroy.
  • Selling or giving away desktops and laptops without a hard disk is a viable option. New owners can easily purchase replacement drives and have a fully operational system.
  • Restore devices to factory default. For example, Apple iOS has the option in settings to reset the device and remove all data. Windows 10 also has a built-in feature to reset the operating system and destroy all existing data. Reinstalling the operating system from installation media is an available option. These options allow you to sell or give away devices in a state where the new owner can log in as a first-time user.
  • Utilities such as ‘CCleaner’ have options to securely delete unused space on hard disks and securely delete entries in the index to prevent data from ever being recovered.
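
The index behaviour described above, and the effect of securely wiping unused space, can be seen in a small simulation. This is an added example, not part of the original article: the ToyDisk class, its method names and the sample data are all constructed for illustration and do not represent any real file system or utility.

```python
# Toy model (constructed): a "disk" is a list of fixed-size blocks plus an
# index that maps each file name to the blocks holding its data.
BLOCK = 16  # bytes per block on this toy disk


class ToyDisk:
    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.index = {}                  # file name -> list of block numbers
        self.free = list(range(nblocks))

    def write(self, name, data):
        used = []
        for off in range(0, len(data), BLOCK):
            n = self.free.pop(0)
            self.blocks[n] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            used.append(n)
        self.index[name] = used

    def quick_delete(self, name):
        # Ordinary delete: remove the index entry only; the blocks keep their data.
        self.free.extend(self.index.pop(name))

    def secure_delete(self, name):
        # Overwrite every block the file occupied, then remove the index entry.
        for n in self.index[name]:
            self.blocks[n] = bytes(BLOCK)
        self.quick_delete(name)

    def wipe_free_space(self):
        # Overwrite all blocks that no index entry points to ("unused space").
        for n in self.free:
            self.blocks[n] = bytes(BLOCK)

    def raw_scan(self, needle):
        # Recovery tools ignore the index and search the raw blocks directly.
        return needle in b"".join(self.blocks)


def demo():
    disk = ToyDisk()
    disk.write("notes.txt", b"PIN=4821 (constructed sample)")
    disk.quick_delete("notes.txt")
    listed = "notes.txt" in disk.index          # file no longer visible
    after_quick = disk.raw_scan(b"PIN=4821")    # but the data is still there
    disk.wipe_free_space()
    after_wipe = disk.raw_scan(b"PIN=4821")     # gone once free space is wiped
    return listed, after_quick, after_wipe
```

The model assumes that overwriting a block replaces the stored data in place, which is a simplification of how real storage devices and file systems behave.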