1 in 8 employees totally cool with selling work credentials

You can't trust anyone these days! Get together with seven of your colleagues, and there’s a decent chance one of the eight will say they’ve either sold company login details in the past year or know someone who has, says UK fraud prevention outfit Cifas. That 13 percent figure is shocking. Just as strikingly, Cifas found a …

  1. elDog Silver badge

    Those studies that say "or know someone who has" totally destroy the basis for analysis

    Leave off that stupid phrase and you may have a sample that can be used meaningfully.

    If I have a cohort of say 200 people and 10 said they have actually sold their credentials, that might add 0.05 to the count. It shouldn't be 1.0 since I didn't say I sold my credentials. But there is absolutely no sampling rigidity in this either.

    1. FIA Silver badge

      Re: Those studies that say "or know someone who has" totally destroy the basis for analysis

      Leave off that stupid phrase and you may have a sample that can be used meaningfully.

      I dunno, it got them a full page advert in a highly read IT news website, seems fine to me. ;)

    2. ecofeco Silver badge

      Re: Those studies that say "or know someone who has" totally destroy the basis for analysis

      Yeah, the report is sus as hell, but that it's happening at all is insane.

  2. Richard 12 Silver badge

    It only takes one person

    For there to be 13% who know someone who has.

    On the other open claw, nobody is going to admit they sold it - even if they did. So the question is probably the best approximation available.

    The C-suite figures are both horrifying and as expected, mind. Many of them intend to have moved on to another company before the fecal fan interface occurs.

    1. Anonymous Coward

      Re: It only takes one person

      That's one way pollsters assess prevalence of things which people are reluctant to admit.

      They had to do a similar thing with Trump supporters who were too embarrassed to tell a stranger they would actually vote for Donald Trump. The polls which didn't attempt to assess and correct for the embarrassment factor consistently underestimated Trump's final vote totals on election day.

    2. Acrimonius

      Re: It only takes one person

      Especially if the person is in the IT Dept

  3. FirstTangoInParis Silver badge

    What?

    So … some cretinous person sells their login … to who, exactly? For how much? And to what effect? How are they going to gain access, unless they are using MS365 or Google Workspace? And the attacker is going to do what? Mess with the users files? Do their work for them? Can the article author elaborate on that or are they just quoting some report verbatim, which may itself have been hallucinated by some AI bot?

    If the C suite figures are anything real, that’s a serious argument for keeping them well clear of any user data. Then again that’s probably best policy anyway.

    1. doublelayer Silver badge

      Re: What?

      Finding someone willing to buy your access is left as an exercise for the employee wishing to take risks and commit some crimes. As for what the buyer will do with it, likely they'll try to read email of the employee in order to impersonate the employee in communication to someone with the authority to redirect payments, unless they're lucky to get sold access by such an employee directly. Depending on the security policy of the company, the attacker might be able to do that directly from their machine (especially true for companies that don't have network access policies), might need to authorize a device under a BYOD policy, or might need to buy remote access for a specific machine in addition to the credentials.

    2. Anonymous Coward

      Re: What?

      Dear Major Customer,

      Please change the wiring instructions for all invoice payments as follows:

      Sincerely,

      The Totally Real Vendor Accounting Department

      1. FirstTangoInParis Silver badge

        Re: What?

        If you’ve ever tried getting Accounts Payable to pay someone new … my goodness, the hoops to jump through. It makes trying to pay via your own bank's app, which is seriously covering its arse the whole time (flagging any payment as a likely scam to definitely is a scam), look like a walk to the local coffee shop.

      2. Korev Silver badge
  4. Anonymous Coward

    Was this published late?

    Seems like this was supposed to be published 35 days ago. If not, holy hell!!!

    1. werdsmith Silver badge

      Re: Was this published late?

      Passwords are on a 30 day reset cycle.....

      Seriously, I haven't had access to any work credentials that aren't 2 factor anyway. And when you get the VPN connected up, next you have to log in, then there are more internal VPNs and other gateways to traverse, all with 2 factor on. It is an absolute pain to use our network but any damage should be contained within bulkheads.

  5. sarusa Silver badge
    Devil

    Well, honestly this seems plausible?

    If you're working for some shitty corporate hellhole like Oracle, Microslop, SailPoint, Andersen Consulting, IBM, Boeing, Sage, Capco, Intel, Nvidia etc. etc. etc. who are MBA driven and actively hate their employees, why wouldn't you sell your work credentials? Why would you have any loyalty at all? The corporation certainly doesn't deserve it. All the above listed companies would literally grind live kittens and puppies into blood meal if they could make a decent profit off it. They would grind YOU into blood meal if they could make a profit off it. So why wouldn't you sell your creds for a good offer? It's what an MBA would do!

    1. MachDiamond Silver badge

      Re: Well, honestly this seems plausible?

      Downvoted for the use of the word "literally".

      1. Korev Silver badge
        Headmaster

        Re: Well, honestly this seems plausible?

        In this case I suspect its use is correct

      2. sarusa Silver badge

        Re: Well, honestly this seems plausible?

        > Downvoted for the use of the word "literally".

        I MEANT literally. They would /literally/ be throwing live kittens and puppies or toddlers (okay, having underpaid workers do it) into giant grinders if they could figure out a way to make enough money on it. That 'literally' is there to make it clear that they have no ethical or moral limits and would actually do so. Why would you think MBAs would not?

    2. An_Old_Dog Silver badge

      Re: Well, honestly this seems plausible?

      why wouldn't you sell your work credentials?

      Because you would probably be held legally responsible for whatever bad things were done with your credentials ... such as corporate espionage, fraud, etc.

  6. elsergiovolador Silver badge

    Peanuts

    Pay peanuts get monkeys.

    If you don't care about employees, why employees should care about company etc.

    1. Anonymous Coward

      Re: Peanuts

      Don't the larger companies actually pay quite well?

      Google was supposed to be very good at one point. And some of those C-suites earn a fortune. So this isn't really about money.

      1. Anonymous Coward

        Re: Peanuts

        Yes, they do.

        Until a couple of years ago I worked for one of the largest semiconductor companies.

        As employees, we used to bitch and complain about the pay, the expenses policy, the food in the cafeteria...

        But now from the outside, I see that actually the salary package was very, very good.

        As Joni Mitchell put it, "Don't it always seem to go, you don't know what you've got till it's gone..."

        That said, I certainly would never dream - then, or now in a new career - of selling credentials. Prosecution and criminal conviction, and future career prospects ruined? Nope, no way, not even vaguely tempting.

    2. lglethal Silver badge
      Trollface

      Re: Peanuts

      Monkeys tend to be found at the tops of the tree, much like Management, who according to this are the ones who are selling their credentials.

      And much to my/our disgust those monkeys are absolutely not being paid Peanuts...

      1. Anonymous Coward

        Re: Peanuts

        Aren't monkeys known for throwing S***?

        Now something makes sense.

  7. MachDiamond Silver badge

    IT, take notice

    Nobody should have access to more things than absolutely required and logs should be checked for duplicate logins with the same credentials.

    The cost of a breach would likely pay for the company to issue devices to their staff and make access require an authorized MAC address.

    1. WolfFan Silver badge

      Re: IT, take notice

      Err… you do know that spoofing MAC addresses is… trivial, don’t you? And has been for decades?

      1. IGotOut Silver badge

        Re: IT, take notice

        Add in the fact most mobiles use randomised MAC addresses all the time.

        1. Richard 12 Silver badge

          Re: IT, take notice

          Most laptops too. Windows and macOS do this by default to all WiFi adapters now.

          It's a pain, as a lot of single-seat software still ties the licence to a randomly-selected MAC address. When that's the WiFi, you end up having to move the licence to a "new" machine every single day...

    2. An_Old_Dog Silver badge

      Re: IT, take notice

      IT and dev people frequently are logged-in on multiple physical and virtual machines at once.

      1. James O'Shea Silver badge

        Re: IT, take notice

        Some machines (Macs...) can have two network interfaces live at the same time and therefore two MACs and two IPs, one Ethernet, one 802.11. And, yes, they notice if you turn off/disconnect/otherwise screw with one of the network interfaces.

      2. MachDiamond Silver badge

        Re: IT, take notice

        "IT and dev people frequently are logged-in on multiple physical and virtual machines at once."

        Would those instances be from London, China and Argentina at the same time?

        The key is appropriate requirements for each user. If not a MAC address, a company issued device with some other token that is non-trivial to bypass or spoof. Sure, with enough talent and effort, just about anything can be circumvented, but not doing anything is just asking for problems. How many MBA's in management will be able to pull off a circumvention on their own? Those are likely the people that will need access to the more sensitive business files more than a data entry clerk in AP.

  8. may_i Silver badge

    How expected

    That the higher you go up the food chain, the less morals you will find was hardly a shock, but it's great to see how power erodes morality so well confirmed.

    1. MachDiamond Silver badge

      Re: How expected

      "That the higher you go up the food chain, the less morals you will find was hardly a shock, but it's great to see how power erodes morality so well confirmed."

      Banks are good at spotting patterns associated with fraudulent activity. If company networks were always hunting for off-nominal access and bringing that to IT's attention, credential sharing might be spotted. If an exec is out of the country, that can be checked, so their accessing the company network from some tropical island is not noteworthy. If the same credentials are accessing the system from Cuba at the same time, perhaps there is an issue.

      If I had a Netflix account and gave my credentials to my mom, who doesn't live nearby, they'd have me nailed to some excess charges in no time.
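The two checks MachDiamond describes here and in the "IT, take notice" comment above (the same credentials in use from two countries at once, and a sign-in from a country the account holder is not known to be in) can be run over sign-in logs directly. The following is an added example written for this page, not code from the thread or from Cifas; the log format, the IP-to-country table and the travel register are all constructed stand-ins for the real identity-provider events and GeoIP lookup a deployment would use.

```python
"""Flag the same credentials being used from two places at the same time.

Added example: this is not code from the comment thread. The log line format,
the IP-to-country table and the travel register below are all constructed for
the demo; a real deployment would read IdP or VPN sign-in events and resolve
countries with a GeoIP database instead.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events: "<UTC timestamp> <account> <source IP>".
SAMPLE_LOG = """\
2024-03-04T09:00:12Z alice 203.0.113.10
2024-03-04T09:05:40Z bob 198.51.100.7
2024-03-04T09:07:01Z alice 192.0.2.55
2024-03-04T14:30:00Z carol 203.0.113.22
2024-03-04T21:45:09Z carol 192.0.2.9
2024-03-04T09:20:00Z bob 198.51.100.8
"""

# Constructed IP-to-country table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": "GB", "203.0.113.22": "GB",
    "198.51.100.7": "AR", "198.51.100.8": "AR",
    "192.0.2.55": "CN", "192.0.2.9": "CU",
}

# Constructed: where each account normally works from, plus approved travel
# (the "exec out of the country" case from the comment above).
HOME_COUNTRY = {"alice": "GB", "bob": "AR", "carol": "GB"}
APPROVED_TRAVEL = {"carol": {"CU"}}


def parse_log(text):
    """Turn the raw lines into (timestamp, account, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return sorted(events)


def find_concurrent_logins(events, window_seconds=3600):
    """Same account, two different countries, within window_seconds of each other.

    Returns a list of (account, ip_a, country_a, ip_b, country_b, gap_seconds).
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    alerts = []
    for user, logins in by_user.items():
        for i, (ts_a, ip_a) in enumerate(logins):
            for ts_b, ip_b in logins[i + 1:]:
                gap = int((ts_b - ts_a).total_seconds())
                if gap > window_seconds:
                    break  # logins are time-ordered, so later ones are further away
                country_a, country_b = GEO.get(ip_a, "??"), GEO.get(ip_b, "??")
                if country_a != country_b:
                    alerts.append((user, ip_a, country_a, ip_b, country_b, gap))
    return alerts


def find_unexpected_countries(events):
    """Sign-ins from a country that is neither home nor on the travel register."""
    alerts = []
    for ts, user, ip in events:
        country = GEO.get(ip, "??")
        allowed = {HOME_COUNTRY.get(user)} | APPROVED_TRAVEL.get(user, set())
        if country not in allowed:
            alerts.append((user, ip, country, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for a in find_concurrent_logins(events):
        print("concurrent: %s from %s (%s) and %s (%s), %d seconds apart" % a)
    for a in find_unexpected_countries(events):
        print("unexpected country: %s from %s (%s) at %s" % a)
```

On the constructed sample, alice is flagged by both checks (GB and CN within seven minutes, and CN is not a country she is known to be in), bob's two Argentine sign-ins pass, and carol's Cuban sign-in passes because it is on the travel register and hours away from her GB one. The window is the tuning knob: widen it and carol's pair becomes an "impossible travel" alert, which is the trade-off between catching shared credentials and drowning IT in alerts about genuine road warriors.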

  9. lglethal Silver badge
    Facepalm

    I really can't understand why you would ever sell YOUR credentials

    I really can't understand it at all. If it's a competitor wanting info, then surely you just sell them the info?! Preferably info that you already have, and don't have to go digging for (potentially leaving a trail). You giving them access, so that they can go searching, is going to be bloody obvious in the logs, as they stumble around various systems they are not familiar with (OK yes that probably looks like standard C-Suite bumbling as well, but the things the Competitor wants are unlikely to match the standard C-suite bumble - which is to see and understand as little as possible!).

    Once the login is rumbled, you'll have to come up with some excuse - must have been hacked, etc. - but that's it down and dusted, your accounts are now being watched closely, and so it's not likely you can sell them again... You got a one time pay-off, woopty-doo.

    If you're selling to the sort of access brokers that will then be selling your data to the malware scum, well do you really think they are not going to be scraping all YOUR data at the same time? And posting it for all the other Malware Scum to make use of. Bank accounts, addresses, etc. All that is available from HR and will be taken. I'm sure the nice Malware Scum will remove your details from the list. I'm sure they will.. *wink wink* That seems like a great way to make yourself a prime target for future scams, since you're clearly a few sandwiches short of a picnic, and they have the wonderful blackmail material that you have already sold the credentials once, so guess who's going to be asked for them again AND again AND again... Maybe they'll throw you a few coins for your troubles. But I wouldn't bet on it...

    I really cannot understand why anyone would sell their credentials - I guess 1 in 8 people being a few sheep short in the top paddock, sounds about right. Probably the figure would be higher, if more people knew willing buyers...

    1. Aladdin Sane Silver badge

      Re: I really can't understand why you would ever sell YOUR credentials

      The article just says selling company login details, doesn't mention whose.

    2. ChoHag Silver badge

      Re: I really can't understand why you would ever sell YOUR credentials

      What logs?

  10. Mickey Porkpies

    Stop the press: Tech Fraud detection company tells us people sell creds, so why don't we buy their tech or Uncle Joe's Company's Tech, blah blah sales pitch. Spent most of my career reading this BS and not really a trusted story, so disappointed in TR for running this as a story rather than an advert. Go monger your fear somewhere else - I remember the InfoSec creds-for-a-choc-bar shenanigans, how much fun that was, and put on 2 pounds.

  11. JPCavendish

    I flat out do not believe this. I've been in and around the security industry for 30+ years and yes credentials do get stolen/sold, but if 1 in 8 people were doing it, I would have earned a LOT more money through the years.

    And those who "know somebody who is doing it" are just pathetic losers trying to be a bit edgy while maintaining plausible deniability and without actually committing to knowledge of something that could put their job at risk.

    Remember kids: 67% of statistics are made up on the spot.

  12. Bebu sa Ware Silver badge
    Coat

    "did not spell out those justifications."

    Given the questionable employment policies and HR direction of contemporary employers I would hazard "fuck 'em" would be favourite for the win but certainly for a place in that arsehole derby.

    Shared credentials are still very much a thing even in workplaces where everyone actually knows the stupidity of unauditable privileges.

    Nowadays you can always claim "It's AI what done it, governor" - probably also true.

    1. Joe W Silver badge

      Re: "did not spell out those justifications."

      Well, if you have the feeling the company sold you...

  13. mihares
    Trollface

    1 in 8 employees having been rejected the much deserved raise seems way too few to me...

  14. Anonymous Coward

    I work in IT

    I could have made a small fortune if I'd been able to charge people for their own passwords or a reset.

    Why did no one suggest this back when I could have made some cash?

  15. Rattus
    Flame

    Sell - Most of the sheeple I work with have already given their credentials to AI

    Seriously!

    My rant of WTF was met with "meh" by most of the office when I found that they had given their credentials to several AI systems so that they could trawl their (work) systems on their behalf (and of course feed all that juicy data, and IP, back to their HQ as well)

    /Rattus
