There have presumably been some heated discussions between Verizon executives and their counterparts at Yahoo since confirmation of one of the largest ever data breaches. But it’s not just the offer price impact, congressional scrutiny, and reputational damage that Verizon needs to worry about. This kind of data breach and the corresponding slow disclosure pose enormous risks to companies that offer online portals to their customers’ accounts (which, by now, is pretty much any major company).
And it’s because of a relatively easy hacking technique known as credential stuffing. The criminals get hold of a trove of usernames and/or passwords by breaching a company with weak security. From there, they go to online portals for the likes of banks and, yes, wireless carriers. Most banks now have two-factor authentication, but that can’t be said for mobile providers.
But that sounds laborious, right? Not really. Hackers can buy up millions of login credentials from old hacks, available for sale on the dark web for short money. They then use an automated program, which they can download easily, to stuff as many credentials as possible into online portals. Even if they get into only a few accounts, that can be enough to glean valuable personal information, like names and addresses, to combine with the credentials they already have, not to mention highly private information such as call records in the case of mobile operators and, with some hacks, even social security numbers. They either use the information they glean directly to commit identity theft and fraud, or they use it in social engineering scams targeted at you or, for example, your elderly, vulnerable grandparents.
Why should wireless providers sweat about it?
The connection to Yahoo may seem tangential to mobile carrier executives, but recent events from across the pond should be more sobering. In July, the United Kingdom’s second largest mobile carrier O2 confirmed that hackers had used credential stuffing to target O2 users’ accounts and that the info was freely available on the dark web. The company faced a barrage of questions from customers and the media and a tempestuous period followed.
Carriers, including those in the United States, are particularly vulnerable because their online customer service options and portals are so popular and so heavily pushed by the companies themselves. The problem carriers face is that this goes beyond their IT security sphere of influence in many ways, given that all that’s needed is to “guess” somebody’s password from one they already use on other sites – unfortunately, one third of Americans use the same password everywhere.
In the O2 case, the passwords used were stolen from a gaming website hack over three years ago. Right now, millions upon millions of U.S.-based login credentials stolen from old MySpace, LinkedIn, and (of course) Yahoo hacks are up for sale on the dark web.
What can carriers do to protect customers?
Firstly, carriers need to advise their customers strongly to change their passwords and to use different passwords for different sites. Companies should learn a cardinal rule that Yahoo apparently flouted: security is too often sacrificed in favor of convenience. Yahoo did not want to inconvenience its users by requiring password changes on a regular basis, and look how things ended up. Carriers ought to insist upon regular password changes and, at the very least, provide regular reminders to their customers. They should also strongly urge customers to use a new and different password when setting up access to their online portal.
Secondly, carriers also need to take stock of how much historical data they store and what needs to be accessible via online portals. Customers want to access their bills and statements, but could they be given the option of opting out of seeing their full call log, to prevent hackers and malevolent social engineers from getting hold of it? Could older, non-current statements be removed from the portal, with a second form of authentication required to gain access to them?
Carriers should review the information they routinely keep on customers and make available through their online portals, with the knowledge that it is a very real possibility that customers are not the only ones reviewing it. As such, they should set clear policies that put security on an equal footing with convenience.
Richard Stiennon is Chief Strategy Officer at Blancco Technology Group, where he leads long-term strategic planning, product positioning, public affairs, analyst relations, joint ventures, and industry partnerships. During his days as Vice President of Research at Gartner Inc., Richard’s insights and questioning of the corporate status quo earned him Gartner’s Thought Leadership Award in 2003. He has also written three books on the alarming state of cyber war and its impact on businesses. His most recent book, There Will Be Cyberwar, was named a Washington Post bestseller in April 2016.