Attacks/Breaches

7/9/2018
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Data Breaches at Timehop, Macy's Highlight Need for Multi-Factor Authentication

Names, email addresses, and some phone numbers belonging to 21 million people exposed in Timehop intrusion; Macy's incident impacts 'small number' of customers.

Two new data breaches revealed this week — one at Timehop and the other at Macy's — have once again focused attention on the continuing failure by many enterprises to implement strong authentication for controlling access to critical accounts.

Timehop, a service that helps users of Facebook and other social media platforms share nostalgic moments from old posts, on Sunday said someone using an access credential to its cloud account had illegally accessed names and email addresses belonging to some 21 million users. Phone numbers belonging to about 22%, or 4.7 million of them, were also compromised in the network intrusion the company said.

Timehop blamed the breach on its failure to use strong authentication to protect the cloud administrator account that was beached.

Meanwhile, the intrusion at Macy's appears to have resulted from a similar authentication weakness. In an emailed statement, the company described the incident as impacting a "small number" of customers who shopped online at macys.com and bloomingdales.com. Macy's said it had implemented additional security measures and contacted all impacted customers but offered no other details about the incident.

However, MediaPost, the first to report on the breach, said Macy's had blamed an unnamed third-party for accessing the data from an external location using valid login credentials.

The two breaches are similar to many in recent years involving the use of legitimate credentials to access and steal enterprise data. Often, the threat actors behind the attacks have first stolen the credentials or obtained them via social engineering, and then used them to access the target network.

A May 2018 report by cloud security vendor RedLock found that 27% of organizations in fact have experienced potential account compromises. Over the last year alone, several major enterprises including Uber, Tesla, Gemalto, and Aviva have experienced incidents where access credentials have been leaked or stolen, RedLock noted. Security experts have said that such breaches heighten the need for organizations to use strong authentication for controlling access to critical assets.

"Multi-factor authentication solutions have been around for over a decade. Yet many critical systems remain unprotected," says Dana Tamir, vice president of market strategy at Silverfort. Many organizations have continued to drag their heels on implementing the measure for a variety of reasons.

Tokens Taken, Too

According to Timehop, in addition to the data on 21 million users, the attackers also managed to steal the unique tokens provided by social media companies to Timehop so it can read other people's old social media posts. The tokens would have allowed the attacker to view the social media posts of the impacted users, without their permission. However, there is no evidence that the attacker actually used the tokens to illegally access user accounts or any of their data.

Timehop discovered the intrusion while it was in progress and managed to lock out the attackers slightly more than two hours later. Since then the company has implemented multifactor authentication to secure authorization and access controls across all of its internal accounts. Timehop has also deactivated all the compromised access tokens so they can no longer be misused.  

As a result of these changes, users will have to log in and re-authenticate to Timehop's service for each social media account, the company said.

"Strong MFA can prevent account takeovers, such as the ones seen in the Macy's and TimeHop breaches," says Will LaSala, security evangelist at OneSpan.

Just about every IT administrator already knows this, but often there are factors at play that make it hard for organizations to deploy MFA easily, he says. "When breaches like these occur, it is easy to point out that the IT professional missed the obvious security concern. But it is less easy to see why those concerns were overlooked in the first place," LaSala says.

One challenge is that most multi-factor authentication products require organizations to deploy software on both the server and user endpoints, says Tamir. Modern IT infrastructures are also becoming increasingly dynamic, and new servers are often spun up and down in these environments in just a few minutes.

"This makes it difficult to ensure authentication software is installed and configured for each server," she notes. Requiring software on various user endpoint platforms similarly is problematic due to BYOD trends and the dynamic nature of mobile device use.

Sometimes, organizations might have to implement MFA products from multiple vendors due to the nature of their technology infrastructure — increasing costs and complexity in the process. And in some environments, as with critical servers on industrial OT networks and SCADA environments or certain financial systems, it isn't possible to deploy any MFA software at all, she says.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
100%
0%
No SOPA,
User Rank: Ninja
7/10/2018 | 9:09:41 AM
Re: Culture > MFA
I agree but I would also note that even with valid credentials some MFA solutions that require both a mobile token and answering a revolving question from a pool of pre-configuered questions could still stop such intrusions.  Additionally, while still young, risk-based authentication (RBA) on top of that could also help weed out bad actors with valid credentials. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/9/2018 | 8:10:20 PM
Culture > MFA
While MFA could certainly have prevented or mitigated the damage from these breaches or breaches like these, in my experience these types of breaches tend to have a more fundamental cause beyond a lack of MFA: a lack of a good security culture that led to exploitable weaknesses to begin with.

Case in point here: securitynow.com/author.asp?section_id=613&doc_id=734774
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/9/2018 | 7:13:05 PM
Improvements in MFA Could Help
Since I don't design solutions, I haven't put too much deep thought into this yet, but over the last year I documented the following statistics and I can see why end users are getting MFA over MFA.  While we are well aware of the need for MFA and similar forms of security, our end users are simply seeing numbers like this and resisting.  Some have the smarts to bypass some MFA (though these days the majority of solutions are too smart to bypass) or simply STOP using some sites as often as they need to or should because of numbers like this.  Call me lazy but even for me, a seasoned techie, this seems like a lot of robot calls answered, lots of texts and browser codes entered.

MFA Contacts over 12 Months

MFA Cell Phone Calls:   2,803

MFA Cell Phone Texts: 1,741

MFA Browser-Delivered Codes: 972

But, let's assume the end user complaints have nothing to do with a company choosing to implement MFA (let's be honest, how many orgs really listen to their end-users anyway). The article notes one reason many companies might be skipping the MFA step in their security plan, which is the need for software on both the server and user endpoints. I was involved in an MFA implementation and it became quite complicated. A software install on the server, followed by embedded web code, and then an end-user desktop install on top of a mobile token app.

Again, not a solutions designer but some improvements in MFA could help get organizations to 100% implementation (despite end-user complaints).

 
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19279
PUBLISHED: 2018-11-14
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater.
CVE-2018-19280
PUBLISHED: 2018-11-14
Centreon 3.4.x has XSS via the resource name or macro expression of a poller macro.
CVE-2018-19281
PUBLISHED: 2018-11-14
Centreon 3.4.x allows SNMP trap SQL Injection.
CVE-2018-17960
PUBLISHED: 2018-11-14
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVE-2018-19278
PUBLISHED: 2018-11-14
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed lengt...