Sweet 2FA! If you’ve got it, flaunt it.
This week’s publication of private, personal but more importantly (apparently) NAKED celebrity pictures stolen from accounts in Apple’s Cloud brings a couple of core security principles into sharp focus, as it were.
The first is that, somewhat surprisingly, even massive outfits like Apple seem to allow their APIs to bypass some of the basic security controls in place for normal user authentication. In this case an API was used to brute force the accounts of celebrities without the accounts being locked out after 3 failed attempts. Authentication is authentication, no matter whether you are a user, an API or even a bot (more on this later).
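The mitigation that point implies is a single authentication choke point: the failed-attempt counter lives with the account, not with the web form, so the API and any automation hit the same lockout. The example below is added here to illustrate that and is not code from the original post or from ITC; the 3-failure threshold comes from the text, while the 15-minute lockout window, the channel names and the single constructed user account are assumptions.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 3          # lockout threshold named in the post
LOCKOUT_SECONDS = 900     # assumed lockout window; the post gives none

# Constructed credential store. Plaintext only to keep the example short;
# a real store holds salted password hashes, never passwords.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class AuthGateway:
    """One entry point for every channel (web form, REST API, bot/automation).

    The lockout decision depends only on the account's history, so an attacker
    cannot dodge it by switching from the login page to an API endpoint.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for deterministic tests
        self.state: dict[str, AccountState] = {}
        self.audit: list[tuple[str, str, str]] = []

    def is_locked(self, username: str) -> bool:
        st = self.state.get(username)
        return st is not None and self.clock() < st.locked_until

    def authenticate(self, username: str, password: str, channel: str) -> str:
        st = self.state.setdefault(username, AccountState())
        outcome = self._decide(st, username, password)
        # The channel is recorded for detection, but never changes the decision.
        self.audit.append((username, channel, outcome))
        return outcome

    def _decide(self, st: AccountState, username: str, password: str) -> str:
        if self.clock() < st.locked_until:
            return "locked"
        # Unknown users fall through to the same failure path as wrong passwords,
        # so the response does not reveal which usernames exist.
        if USERS.get(username) == password:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "bad_credentials"


def demo() -> list[str]:
    """Three wrong guesses through the API, then the right password via the browser."""
    gw = AuthGateway(clock=lambda: 1_000.0)   # fixed clock keeps the run deterministic
    results = [gw.authenticate("alice", f"guess{i}", "api") for i in range(3)]
    # The correct password is refused too while the lock is active.
    results.append(gw.authenticate("alice", USERS["alice"], "web"))
    return results


if __name__ == "__main__":
    print(demo())   # ['bad_credentials', 'bad_credentials', 'locked', 'locked']
```

Per-account lockout on its own lets anyone lock a victim out by guessing badly on purpose, so in practice it is paired with per-source rate limiting and a notification to the account owner rather than used alone; the audit trail with the channel name is what a detection team would use to spot guessing that arrives through the API rather than the login page.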
The second is that a username and password as credentials are not enough in this brute-force, password-stealing (Zeus and variants) botnet world. It is becoming imperative that online providers mandate the use of two factor authentication (2FA) for logins from unknown or new devices. We would go so far as to say: if it doesn’t have 2FA, don’t use it.
Why so strict, we hear you cry? Well, this week it has come to the attention of the security world that Russian hackers have gained the credentials of some 1.2 billion individuals. They have correlated and assembled the data, so if they have recovered your password for any one system, they will try it against all the others, and we all know that a lot of people use the same password for many services. All it takes is the compromise of one improperly hashed and salted password list and you are owned.
Activity against individuals is at an all-time high. We recommend that you do the following:
- Implement two factor authentication (2FA) where you can.
- If 2FA is not available, make sure you use different passwords for each system. Get changing them now.
- Keep an eye out for unusual activity on your online accounts – look at where they were last logged in from.
- Be generally vigilant about notifications of account changes you receive by email from your online providers.
ITC is continuously reviewing the online threat landscape for large identity theft programmes. We can help you with valuable intelligence from the dark web if you are a provider, if you are an enterprise worried that you have been compromised, or even if you are a concerned user.
Please contact us at [email protected] or call 020 7517 3900