Telco breaches & a wake-up call

Telecoms companies are a huge target for cyber-attacks given that they control and operate critical infrastructure and subsequently store vast amounts of personal data.

Equally, that data is extremely valuable, including financial data, names and addresses and other personal information. Housing all this data, for ALL of their customers, makes them a highly compelling target for cybercriminals and insider threats.

The recent news stories reporting that O2 customer data is being sold by criminals on the dark net, is yet another kick in the teeth for telcos. With the TalkTalk breach of 2015 still lingering, organisations are once again facing the reality of the threat of a major data breach.

The risks can be hugely detrimental both to the company responsible for storing the data, and for its customers who face the threat of phishing attacks, identity theft and extortion and blackmail attempts to steal money, to name just a few.

Personal data has now become the number one target for attackers as they move on from the more traditional target of purely financial data. Where financial data is relatively simple to change, getting a new credit card issued, changing the date of birth or address, etc. are not easily done and can be used for identity theft leading to a wide range of fraud. Of course, this information can be acquired in a variety of ways, be it through lost laptops or USBs, or more frequently, through compromised login details. The recent Verizon data breach report highlights that 63 per cent of confirmed data breaches involve using weak, default or stolen passwords.

In the case of O2 the data was almost certainly obtained by using usernames and passwords originally stolen from a gaming website XSplit three years ago. With users accessing multiple applications on multiple sites, this perpetuates the problem and the tendency for users to reuse user names and passwords. This breach is yet another example that demonstrates the inherent weakness in using the traditional username password approach to protect against advanced security threats.

Here, stolen user names and passwords were utilised by hackers in an approach known as credential stuffing. This entails using software to repeatedly attempt to gain access to customers' accounts by using the login details it has obtained from elsewhere. Through automation, the hackers are able to send the user name and password combination to multiple different sites in the hope that the user has used the same name/password combination across numerous accounts. Fortunately for the hackers, they were able to hack the O2 accounts using the data stolen from XSplit. In the case where users had the same username and password, the hackers were then able to access these accounts. Unfortunately for the victims, this process can be repeated across various systems and accounts, leaving them open to future attacks.

Organisations looking to reduce this particular threat should implement a single sign on (SSO) solution to reduce complexity and provide greater protection for the user. Simple authentication to applications through user name and password is no longer sufficient to protect unauthorised access to data, and a multi factor authentication (MFA) approach to user authentication such as biometrics, is a must-have, not a nice-to-have.

Companies must take a holistic approach to solving these problems and not simply deploy point solutions (which inevitably leave security gaps) and look to protect customer data by identifying security protection that provides SSO and MFA in an integrated solution.

Andy Heather, EMEA VP, Centrify

Image Credit: Pavel Ignatov / Shutterstock