Yet again, after years of warnings, articles and industry analyses, another major company has suffered a high profile hack due to weak authentication practices.
The social network giant Reddit reported earlier this month that hackers had succeeded in breaching the company’s databases, exposing both account names and passwords of thousands of users.
Although cybercriminals were not able to alter any of Reddit’s information or source code, the companies Chief Technology Officer Christopher Slowe, admitted in a Reddit security update that the hack was a serious one. According to company executives, in addition to login credentials, the unknown perpetrators also managed to gain temporary access to some of its systems that contained extremely essential information, including backup data, source code, and internal logs.
Only the latest in the trend
The Reddit incident is just one of many in a recent trend of high-profile data breaches targeting large businesses. In June, the British mobile phone retailer Carphone Warehouse was hacked, affecting some 10 million customers. Later that same month, Ticketmaster also suffered a similar breach that affected tens of thousands of its clients. Even more recently, the telecommunications giant T-Mobile announced it had been the victim of a major hack that exposed personal details of 2 millions clients.
What makes these breaches so surprising is that many of the victims were enterprises that specialise in information technology. One would have thought they would take security practices a bit more seriously then to allow unauthorised access to their networks.
This is especially true when it comes to Reddit, a company that has recruited so many infosec specialists to its ranks over the years.
Shortly after the news of Reddit’s breach came out, tech researchers began railing against the company for deploying weak authentication practices that allowed hackers to impersonate authorised identities. According to Reddit’s own admission, the company had been utilising two-factor authentication via SMS messaging, the solution requiring a user to submit a random code delivered to their phone via text message. Reddit told its users in the security update announcing the breach that “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
The problem is, the world of IT has known for years that SMS is a weak system. SMS is vulnerable to a range of attack such as SIM card Hijacking a social engineering scheme in which attackers convince a cell carrier to divert data to a new address, or SS7 hacking which exploits flaws in the global infrastructure that supports SMS in order to intercept data in transit.
Reddit had in place a system in which high-privilege accounts, permitting access to millions of users, were being secured by extremely vulnerable protections. It was only a matter of time before hackers looking to hit such a prime target, capitalised on the these weaknesses.
A culture of passivity
The lesson to learn from the Reddit hack is not the deficiencies of one authentication system or another.
No, the takeaway is much broader than that.
Unfortunately, the pattern the industry is witnessing in regards to digital authentication is one of passivity. Like so many other areas of corporate management, when it comes to safely managing identities, executives usually start looking for a solution only after a problem manifests. As recent events are showing, clearly this “it won’t happen to us” approach isn’t working.
The road ahead
The more company executives know about the strong, user friendly alternatives out there, the faster IT departments will be able to push their companies to stepping up to the authentication challenges facing enterprises today. With any luck, the industry can reverse this trend of identity compromise that has been wreaking so much havoc on our information security.
So how can IT departments hope to break this pattern?
For information security personnel and their managers, there are three things typically standing in the way of change for the better.
First is cost.
Most programs and online tools today come preset with one form of authentication or another, most commonly based on simple passwords. Companies then set up their networks and IT departments to support these methods of identity management. To revamp their systems, companies often have to put in substantial investments in man hours and device and other hardware acquisition. Security tokens for instance require procuring a device for each individual user. Incorporating biometric technology also usually demands acquiring additional machinery that can cost a business thousands of dollars a pop.
Second is the time factor. Even if a business can spend the capital necessary to upgrade an outdated authentication platform, the time it takes to put a new solution into place can cost the organisation big time in lost operations.
Beyond the financial obstacle, is the issue of user experience, or UX.
Network users and administrators alike are simply used to the the platforms already in place. Introducing a whole new form of authentication identities is more often than not, met with resistance.
Any initiative to make a real change to company security standards will have to address the problem from the perspective of these three obstacles.
Here, we can actually take a lesson from Reddit’s response following their breach. The company announced instead of SMS authentication, company employees would instead use two-factor authenticator apps. While not susceptible to many of the weaknesses of SMS, these programs function almost identically to text message-based tools. Additionally, the cost of deploying these application is usually minimal.
Another method that seems a promising sell to managers is push-based authentication. This password-free mobile-based system, usually in the form of downloadable apps, does the authentication automatically, only requiring the user to respond to a secured push notification. Additionally, push harnesses the user’s mobile phone as an authenticator, meaning that no secondary devices need to be purchased.
Amit Rahav, VP Marketing and Business Development, Secret Double Octopus
Image Credit: Screenshot