[BreachExchange] Telco breaches & a wake-up call

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 6 19:19:37 EDT 2016


http://www.itproportal.com/features/telco-breaches-a-wake-up-call/

Telecoms companies are a huge target for cyber-attacks given that they
control and operate critical infrastructure and subsequently store vast
amounts of personal data.

Equally, that data is extremely valuable, including financial data, names
and addresses and other personal information. Housing all this data, for
ALL of their customers, makes them a highly compelling target for
cybercriminals and insider threats.

The recent news stories reporting that O2 customer data is being sold by
criminals on the dark net are yet another kick in the teeth for telcos.
With the TalkTalk breach of 2015 still lingering, organisations are once
again facing the reality of the threat of a major data breach.

The risks can be hugely detrimental both to the company responsible for
storing the data and to its customers, who face the threat of phishing
attacks, identity theft and extortion and blackmail attempts to steal
money, to name just a few.

Personal data has now become the number one target for attackers as they
move on from the more traditional target of purely financial data. Where
financial data is relatively simple to change, for example by getting a
new credit card issued, a date of birth or an address is not easily
changed and can be used for identity theft leading to a wide range of
fraud. Of course, this information can be acquired in a variety of ways,
be it through lost laptops or USBs or, more frequently, through
compromised login details. The recent Verizon data breach report
highlights that 63 per cent of confirmed data breaches involve using
weak, default or stolen passwords.

In the case of O2, the data was almost certainly obtained by using
usernames and passwords originally stolen from a gaming website, XSplit,
three years ago. Users now access multiple applications on multiple
sites, which perpetuates the problem and the tendency for users to reuse
user names and passwords. This breach is yet another example that
demonstrates the inherent weakness in using the traditional
username/password approach to protect against advanced security threats.

Here, stolen user names and passwords were utilised by hackers in an
approach known as credential stuffing. This entails using software to
repeatedly attempt to gain access to customers' accounts by using login
details obtained from elsewhere. Through automation, the hackers are
able to send the user name and password combination to multiple different
sites in the hope that the user has used the same name/password
combination across numerous accounts. Fortunately for the hackers, they
were able to hack the O2 accounts using the data stolen from XSplit.
Where users had the same username and password, the hackers were then
able to access those accounts. Unfortunately for the victims, this
process can be repeated across various systems and accounts, leaving them
open to future attacks.

Organisations looking to reduce this particular threat should implement a
single sign-on (SSO) solution to reduce complexity and provide greater
protection for the user. Simple authentication to applications through
user name and password is no longer sufficient to protect against
unauthorised access to data, and a multi-factor authentication (MFA)
approach to user authentication, such as biometrics, is a must-have, not
a nice-to-have.

Companies must take a holistic approach to solving these problems rather
than simply deploying point solutions (which inevitably leave security
gaps), and should look to protect customer data by identifying security
protection that provides SSO and MFA in an integrated solution.