In 2016, the founders of Enzoic came up with an idea to help organizations better protect their workforce and customer accounts from threats from password reuse through simple API and Active Directory solutions. They observed the many data breaches and leaks that were taking place across industries, were impacting completely un-related organizations. These breaches allowed hackers to collect lists of exposed usernames and passwords from various sites and then build tools to use them to access accounts on other sites. This is possible because hackers know that most people reuse passwords across different websites. For example, a breach of a retail store’s data could yield usernames and passwords that could be used to access bank accounts or health records.
After speaking with numerous organizations, the Enzoic team realized that these industries needed solutions that combine cloud security expertise and innovative, easy-to-deploy tools that could be layered in with other security measures. To fulfill this need, they developed solutions to detect compromised credentials and alerts that could be customized to the needs of the organization. Formerly known by the very product specific name ‘PasswordPing’, the company changed its name to Enzoic to better highlight its expansion into comprehensive data solutions and model-deep human and automated threat research.
How it Works
Enzoic provides a low-friction solutions for strong authentication against compromised credential attacks affecting the workforce and customers. The innovative APIs check in real-time against billions of exposed username and password combinations, which then alert against compromised credentials. It allows the user to securely compare user credentials against a continuously updated database of compromised credentials.
The key to Enzoic’s business is automated and manual research collect the billions of compromised credentials on the internet and dark web sources. Enzoic has billions of records in the database with millions coming in daily. With API access and the Active Directory plugin, Enzoic clients are able to detect compromised credentials in real time and detect subsequent compromise. This was a dramatic evolution static blacklist. The continuously updated cloud database of exposed login credentials is also compiled by the threat research team and accessed by API Services, where the set of secure, RESTful web services provide flexible integration options for customer-facing websites, among other uses.
From the client perspective, these tools work by checking a partial hash of username and password at login, password reset and set up. They also can allow comparisons with salted and hashed passwords, without password cracking or exchanging information in clear text, which keeps clients safer.
Designed for massive scalability, the platform has extremely low latency of ~5ms with AWS VPC peering. The cloud-based infrastructure is hosted by Amazon Web Services, on an architecture built to meet the requirements of the most security-sensitive organizations.
“Due to high-profile data breaches taking place each year and the billions of compromised user credentials circulated on the public Internet and Dark Web, compromised credential screening is an important way businesses and organizations can protect their consumers and workforce from the risk of their accounts being hijacked,” -Josh Horwitz, COO, Enzoic.
The company has multiple product lines but primarily focuses on two core products:
- Compromised Credential Screening for Account Takeover (ATO) and Fraud Protection, which is used primarily on consumer sites or by companies with an online account model or e-commerce platform.
- Enzoic for Active Directory with Continuous Password Protection, which is a plugin for an organization’s Active Directory system, helps ensure employee security because it prevents employees from using compromised credentials.
Account Takeover (ATO) and Fraud Protection
Fraudulent account access to customer accounts has always been a concern for financial services, but these days, ATO attacks can affect any organization with a customer-facing login. ATO targets are across a variety of industries include gaming, technology, retail, restaurants, online travel, and loyalty/reward programs where a criminal tries to obtain products and services. For other types of ATO attacks, the cybercriminal’s goal is to collect personally identifying information to be used for fraud and identity theft. These types of attacks often target financial services, healthcare, public sector, and even higher education institutions.
Losses from ATO and fraud can cost organizations across all industries billions of dollars. According to Juniper Research, losses from fraudulent online transactions are expected to reach $25.6 billion by 2020. These types of attacks also lead to the harm to brand reputation and erosion of customer trust.
Unlike other cyberattacks on an organization, ATO takes advantage of the weaknesses created by customers, which are more difficult to close. The security hurdles that can be imposed to protect employee accounts are can lead to abandonment if they are required of customers. Unfortunately, even when the customer may be to blame for unauthorized access to their account, the organization is still legally responsible and is responsible in the eyes of the customer and the media.
Because ATO attacks rely heavily on the reuse of credentials exposed in 3rd party data breaches, an effective defense involves detecting logins using previously compromised credentials. Enzoic offers a their ATO & fraud solution to screen logins in order to prevent credential stuffing and account takeover. This addresses the growing problem of credential attacks through which customer accounts can be hijacked using credentials breached or leaked on other sites. This approach works well with any existing authentication system and it works with all devices, browsers and MFA environments.
Continuous Password Protection and Active Directory
With cracking dictionaries and user credentials exposed in data breaches, it is easy for hackers to launch brute force attacks against corporate directories. Because of this, industry experts are changing their password guidance. Microsoft recently came out with new Active Directory password best practices and the NIST 800-63b password guidelines are prompting Active Directory and IT Engineers to review their password policies.
Some of these guidelines include, eliminating the requirement of a forced password reset on a periodic basis, which negatively impacts all users. When you force users to change their passwords on a regular basis, studies show they often choose less secure passwords. These guidelines also recommend screening passwords against a list of commonly used passwords, passwords in cracking dictionaries, or compromised passwords. Most users have no idea that their favorite password has been exposed or is unsafe, so organizations should screen those passwords at password creation and on a daily basis within Active Directory. Since new passwords are compromised every day in data breaches and leaks, organizations also need to have real-time password blacklists. A static list is only a partial solution because a password that was safe yesterday may not be today due to a new breach or leak.
The Enzoic for Active Directory solution secures employee and privileged accounts with an Active Directory plug-in. The easy-to-implement plugin complies with NIST password guidelines which recommends comparing employee passwords against cracking dictionaries, exposed, and commonly-used passwords. It reinforces the directory against offline cracking by eliminating the effectiveness of rainbow table lookups, preventing login with username and password found in data breaches.
Moreover, Enzoic for Active Directory also eliminates the need for periodic, forced password resets. All of this is accomplished without any passwords or hashes even leaving the secure AD environment. This plugin can enhance the existing Active Directory password policies within your organization.
How Companies Use Enzoic
Organizations across most industries can use Enzoic and it is rapidly becoming a preferred security solution because rather than making access painful for all users, it only impacts users who are using compromised passwords.
Our customers tell us regularly that compromised credential screening is a must-have rather than a nice-to-have for their customer applications and corporate systems. The delicate balance between security and user experience is critical for them. Compromised credential screening makes it easier on their IT and Security teams, while also making it easier on users. It is a win-win for everyone. -Michael Greene CEO, Enzoic.
Any organization that uses Active Directory can benefit from continuous password monitoring as employee and privileged accounts are constantly under attack. For companies or organizations with customer-facing accounts with user name and password logins, that struggle with account takeover or fraud, Enzoic is an easy solution to deploy that doesn’t impact the user experience. Enzoic has customers across industries including ecommerce, retail, banking, insurance, universities, gaming, technology, etc. With such robust data and security policies, Enzoic solutions are even trusted by numerous security organizations, such as LastPass, and identity theft protection products, like IDShield.
