Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/9/2018
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Data Breaches at Timehop, Macy's Highlight Need for Multi-Factor Authentication

Names, email addresses, and some phone numbers belonging to 21 million people exposed in Timehop intrusion; Macy's incident impacts 'small number' of customers.

Two new data breaches revealed this week — one at Timehop and the other at Macy's — have once again focused attention on the continuing failure by many enterprises to implement strong authentication for controlling access to critical accounts.

Timehop, a service that helps users of Facebook and other social media platforms share nostalgic moments from old posts, on Sunday said someone using an access credential to its cloud account had illegally accessed names and email addresses belonging to some 21 million users. Phone numbers belonging to about 22%, or 4.7 million of them, were also compromised in the network intrusion the company said.

Timehop blamed the breach on its failure to use strong authentication to protect the cloud administrator account that was beached.

Meanwhile, the intrusion at Macy's appears to have resulted from a similar authentication weakness. In an emailed statement, the company described the incident as impacting a "small number" of customers who shopped online at macys.com and bloomingdales.com. Macy's said it had implemented additional security measures and contacted all impacted customers but offered no other details about the incident.

However, MediaPost, the first to report on the breach, said Macy's had blamed an unnamed third-party for accessing the data from an external location using valid login credentials.

The two breaches are similar to many in recent years involving the use of legitimate credentials to access and steal enterprise data. Often, the threat actors behind the attacks have first stolen the credentials or obtained them via social engineering, and then used them to access the target network.

A May 2018 report by cloud security vendor RedLock found that 27% of organizations in fact have experienced potential account compromises. Over the last year alone, several major enterprises including Uber, Tesla, Gemalto, and Aviva have experienced incidents where access credentials have been leaked or stolen, RedLock noted. Security experts have said that such breaches heighten the need for organizations to use strong authentication for controlling access to critical assets.

"Multi-factor authentication solutions have been around for over a decade. Yet many critical systems remain unprotected," says Dana Tamir, vice president of market strategy at Silverfort. Many organizations have continued to drag their heels on implementing the measure for a variety of reasons.

Tokens Taken, Too

According to Timehop, in addition to the data on 21 million users, the attackers also managed to steal the unique tokens provided by social media companies to Timehop so it can read other people's old social media posts. The tokens would have allowed the attacker to view the social media posts of the impacted users, without their permission. However, there is no evidence that the attacker actually used the tokens to illegally access user accounts or any of their data.

Timehop discovered the intrusion while it was in progress and managed to lock out the attackers slightly more than two hours later. Since then the company has implemented multifactor authentication to secure authorization and access controls across all of its internal accounts. Timehop has also deactivated all the compromised access tokens so they can no longer be misused.  

As a result of these changes, users will have to log in and re-authenticate to Timehop's service for each social media account, the company said.

"Strong MFA can prevent account takeovers, such as the ones seen in the Macy's and TimeHop breaches," says Will LaSala, security evangelist at OneSpan.

Just about every IT administrator already knows this, but often there are factors at play that make it hard for organizations to deploy MFA easily, he says. "When breaches like these occur, it is easy to point out that the IT professional missed the obvious security concern. But it is less easy to see why those concerns were overlooked in the first place," LaSala says.

One challenge is that most multi-factor authentication products require organizations to deploy software on both the server and user endpoints, says Tamir. Modern IT infrastructures are also becoming increasingly dynamic, and new servers are often spun up and down in these environments in just a few minutes.

"This makes it difficult to ensure authentication software is installed and configured for each server," she notes. Requiring software on various user endpoint platforms similarly is problematic due to BYOD trends and the dynamic nature of mobile device use.

Sometimes, organizations might have to implement MFA products from multiple vendors due to the nature of their technology infrastructure — increasing costs and complexity in the process. And in some environments, as with critical servers on industrial OT networks and SCADA environments or certain financial systems, it isn't possible to deploy any MFA software at all, she says.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
7/10/2018 | 9:09:41 AM
Re: Culture > MFA
I agree but I would also note that even with valid credentials some MFA solutions that require both a mobile token and answering a revolving question from a pool of pre-configuered questions could still stop such intrusions.  Additionally, while still young, risk-based authentication (RBA) on top of that could also help weed out bad actors with valid credentials. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/9/2018 | 8:10:20 PM
Culture > MFA
While MFA could certainly have prevented or mitigated the damage from these breaches or breaches like these, in my experience these types of breaches tend to have a more fundamental cause beyond a lack of MFA: a lack of a good security culture that led to exploitable weaknesses to begin with.

Case in point here: securitynow.com/author.asp?section_id=613&doc_id=734774
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/9/2018 | 7:13:05 PM
Improvements in MFA Could Help
Since I don't design solutions, I haven't put too much deep thought into this yet, but over the last year I documented the following statistics and I can see why end users are getting MFA over MFA.  While we are well aware of the need for MFA and similar forms of security, our end users are simply seeing numbers like this and resisting.  Some have the smarts to bypass some MFA (though these days the majority of solutions are too smart to bypass) or simply STOP using some sites as often as they need to or should because of numbers like this.  Call me lazy but even for me, a seasoned techie, this seems like a lot of robot calls answered, lots of texts and browser codes entered.

MFA Contacts over 12 Months

MFA Cell Phone Calls:   2,803

MFA Cell Phone Texts: 1,741

MFA Browser-Delivered Codes: 972

But, let's assume the end user complaints have nothing to do with a company choosing to implement MFA (let's be honest, how many orgs really listen to their end-users anyway). The article notes one reason many companies might be skipping the MFA step in their security plan, which is the need for software on both the server and user endpoints. I was involved in an MFA implementation and it became quite complicated. A software install on the server, followed by embedded web code, and then an end-user desktop install on top of a mobile token app.

Again, not a solutions designer but some improvements in MFA could help get organizations to 100% implementation (despite end-user complaints).

 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...