Last month the consumer mobile app Timehop announced a security breach stemming from last December. A hacker gained access to their infrastructure and stole details on its users that included usernames, emails, telephone numbers and–worst of all–access keys for all 21 million users.
As Timehop explained, “these access keys link the Timehop account to various social media accounts from where Timehop pulls older social media posts and images.”
The company de-authenticated the accounts to render the access keys useless, thereby protecting user social media accounts and data.
Travis Smith, principal security researcher at Tripwire, provided the following comments:
“With breaches happening every day, it’s nice to see an organization take steps, which will help post-breach beyond the free year of credit card monitoring that has become the norm. Timehop took the time to understand the scope of the breach and what was impacted. This allowed them to deactivate the access keys, which the attacker appeared to have been after. Additionally they enabled multi-factor authentication on all accounts to help prevent any further damage to individual user accounts.”
In this day and age, companies not using multi-factor (also known as two-factor) authentication place themselves and their clients at a huge risk. What once seemed the realm of highly secure environments such as government institutions or financial organizations is now commonplace–and necessary.
Multi-factor authentication defined
Multi-factor authentication can be thought of as “something you know” plus “something you have.” Typical examples involve a password, passphrase, or PIN, which are combined with the numeric output of a hardware token such as those provided by RSA. Since a thief or hacker isn’t likely to obtain both the password and the token, user authentication becomes more secure and less susceptible to hijacking or guessing. It can also involve access codes transmitted to the user via a specific email address or mobile number, or simpler methods I’ll discuss below.
Security company Tripwire provides some ways to set up two-factor authentication for major apps and services such as Facebook, Google and LinkedIn. They recommend checking Have I Been Pwned to see if your email address is linked to a compromised account, suggesting that users “enable two-factor (or multi-factor) authentication on the accounts that you use on a regular basis. Adding a second form of authentication (typically in the fashion of a code generated by or sent to a device you own) can ensure that no one accesses your accounts even if they have your passwords.”
Smith stated that when deploying multi-factor authentication (MFA) it’s best to make sure it applies to all authentication mechanisms. If the front end of a website supports MFA, but a mechanism to allow API calls into the service uses the same credentials and does not support MFA, then an attacker will use the avenue of least resistance.
Similarly, using out-of-band communication for the multi-factor authentication is ideal. “Having two passwords, for example, is not actually multi-factor authentication,” Smith said. “There are public two-factor authentication apps, which a web service can easily integrate into. Using emailed or text message codes is better than none, but there are cases where dedicated attackers can intercept these messages, or a user loses access to their email or phone number and can thus lose access to their account.”
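To make the two points above concrete (a password plus a numeric code from a device the user holds, and the same MFA check enforced on the website and on the API path alike), here is an added example that is not Timehop's or Tripwire's code. It implements RFC 6238 TOTP, the scheme behind the authenticator apps Smith mentions, against a constructed single-account store; the username, salt and seed are placeholders, and the seed is the RFC 6238 reference key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample account: a PBKDF2 password hash ("something you know")
# and a TOTP seed shared with an authenticator app ("something you have").
# The seed is the RFC 6238 test key; a real service would generate it per user.
SALT = b"constructed-salt"
TOTP_SEED = b"12345678901234567890"
ACCOUNT = {
    "username": "alice",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_seed": TOTP_SEED,
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a given counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second step."""
    return hotp(seed, unix_time // step)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    step = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, step + d), code)
               for d in range(-window, window + 1))


def authenticate(channel: str, username: str, password: str,
                 code: Optional[str], unix_time: int) -> bool:
    """Both the web front end and the API demand password AND code; no MFA-less path."""
    if channel not in ("web", "api") or username != ACCOUNT["username"]:
        return False
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(attempt, ACCOUNT["password_hash"]):
        return False
    # The second factor is mandatory on every channel, not only the website.
    return code is not None and verify_totp(ACCOUNT["totp_seed"], code, unix_time)
```

The `authenticate` function deliberately has no channel that skips the second factor, which is the gap Smith warns an attacker would route around.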
Smith recommended using very tight controls for letting users back into their account when they lose access to their MFA device, to prevent social engineers from taking over accounts through the recovery process.
“Services like Timehop allow you to authenticate once to a specific service and re-use that authentication mechanism for future uses. This makes a more seamless user experience where the end user doesn’t have to keep entering usernames and passwords every time they want to use their app. In this specific case, two-factor authentication can help secure the initial connection to the integrated service, such as Facebook,” Smith said.
Convenience doesn’t mean security
This is similar to how some banking websites operate, whereby you have to register a system or device using a one-time code sent to your phone or email address, and then the device is trusted for future use.
It goes without saying that using a trusted device to handle MFA adds to user convenience. But remember, if the device is stolen or compromised then an attacker has the same access the user has, especially if the user saved account and password information in the browser.
It’s important, therefore, to utilize strong passwords/biometric protection, safeguard devices from theft, track lost devices using Find My iPhone or Google’s Find my Device, and configure devices to erase contents after a certain number of failed access attempts.
Technology isn’t everything when it comes to security. Companies need to keep policies and procedures in mind. “Having an incident response plan in place for events such as these will help CISOs keep a cool head,” Smith said. “Going through an occasional table-top exercise is a great way to keep your incident response chops sharp. So, when you read about breaches such as this one, think to yourself, what would I do if this happened to my data?”
As with all things security, we must find a balance between securing a device and providing an acceptable user experience. If you lean too far to either side, you will create an imbalance, which can cripple your service.