UK National Lottery password reuse attacks: what are the chances?

It has been widely reported today that the UK’s National Lottery accounts have been hacked. The National Lottery has confirmed that it became aware of the problem on Sunday 27 November, and it has identified fewer than 50 accounts exhibiting suspicious activity. The UK Information Commissioner’s Office (ICO) is investigating the matter. It is believed that the National Lottery systems were not directly compromised.

So, if the National Lottery’s systems were not compromised then what happened? In this case, like many others recently, credentials were stolen from somewhere else and the attackers then tried these credentials on other systems to see if the same set of credentials had been used on multiple systems. In the case of the National Lottery, you only need a username or email address and a password to log in.

A password reuse attack typically consists of the following steps:

  1. Retrieve a list of credentials.
  2. Crack the hashes if the passwords are not stored in plaintext.
  3. Try the credentials against other systems to see if a user has reused the password.

What can be done to make systems more secure?

  1. Use virtual multifactor authentication using tools such as Google Authenticator. There are many similar tools from Microsoft, AWS and other vendors.
  2. Encourage strong passwords and use a different password per system. A method of doing this could be to use a common password and then to append a few characters that are unique to each site.
  3. Use a second ‘secret’ like some bank sites where, after supplying credentials, the user then has to enter characters from another secret. The system requests a number of the characters at random – e.g. the first and the sixth character – in order to prove the user’s identity.
  4. Use salt values appended to passwords before hashing. Use hash algorithms that are secure and generate long message digests and repeat the hashing operations thousands of times. Consider using a non-standard value – a lot of system routines used to hash credentials use a standard value for repeating the hashing 5000 times, so using a value of 5001 or 4999 can defeat brute forcing, rainbow table attacks and dictionary attacks if the value is not known. Hashing multiple times increases the work factor to break a hash.
  5. Improve the monitoring of logins to detect a password reuse attack. Look at the number of failed attempts by both unknown users and by failed passwords over a period of time, and monitor the IPs these attempts are coming from and signatures of the browsers. HTTP/HTTPS requests contain details of browsers being used and other details of the client machines, and this information can be used to create a signature. Attempts to log in from systems with a different signature could be used to trigger additional authentication steps, such as CAPTCHAs, or to verify the browser or generate alerts within an intrusion detection/prevention system. Sudden changes from baselines can indicate an attack.
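
The login monitoring described in item 5, sketched as an added example that is not part of the original article. The event fields, outcome labels, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ts(s): return datetime.strptime(s, "%H:%M:%S")

# Constructed sample events: (time, source IP, username, User-Agent, outcome).
# The outcome labels are assumed names, not taken from any real product's logs.
EVENTS = [
    (ts("09:00:00"), "198.51.100.7", "alice", "Firefox/50", "ok"),
    (ts("09:01:00"), "203.0.113.9", "bob", "curl/7.50", "bad_password"),
    (ts("09:01:05"), "203.0.113.9", "carol", "curl/7.50", "unknown_user"),
    (ts("09:01:09"), "203.0.113.9", "dave", "curl/7.50", "bad_password"),
    (ts("09:01:12"), "203.0.113.9", "alice", "curl/7.50", "ok"),
    (ts("09:30:00"), "198.51.100.7", "alice", "Firefox/50", "bad_password"),
    (ts("09:30:20"), "198.51.100.7", "alice", "Firefox/50", "ok"),
]

def spraying_sources(events, window=timedelta(minutes=5), max_users=3):
    """IPs with failures against >= max_users distinct accounts in one window.
    A user mistyping a password hits one account; a reuse attack hits many."""
    recent = defaultdict(deque)   # ip -> (time, username) of recent failures
    flagged = set()
    for when, ip, user, _agent, outcome in sorted(events, key=lambda e: e[0]):
        if outcome == "ok":
            continue
        q = recent[ip]
        q.append((when, user))
        while when - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len({u for _, u in q}) >= max_users:
            flagged.add(ip)
    return flagged

def step_up_logins(events, flagged_ips=frozenset()):
    """Successful logins that warrant an extra check (CAPTCHA, second factor):
    the (IP, User-Agent) signature is new for the user, or the IP is flagged."""
    seen = defaultdict(set)       # username -> signatures of trusted logins
    challenge = []
    for when, ip, user, agent, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "ok":
            continue
        if ip in flagged_ips or (seen[user] and (ip, agent) not in seen[user]):
            challenge.append((when, user, ip))  # not learned until check passes
            continue
        seen[user].add((ip, agent))
    return challenge

if __name__ == "__main__":
    print(step_up_logins(EVENTS, spraying_sources(EVENTS)))
```

In the sample data the one successful login worth challenging is the one that follows a burst of failures against several accounts from the same source, while a user who mistypes their own password once from a known browser is left alone.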

Companies that store credentials need to ensure all their systems are secure (and tested regularly to confirm this) so that none of the systems can be used to access the internal infrastructure, and that credentials are not stored in plaintext.

A combination of strong passwords and preventing credentials being stolen would reduce these attacks.