A number of Groupon users have seen hundreds of pounds stolen, as hackers snap up expensive goods using their accounts. The first sign of unapproved activity popped up earlier this month, with Groupon account holders receiving confirmation emails for products they hadn’t purchased. IT security experts from Varonis, Alert Logic, NSFOCUS, Comparitech.com, Lieberman Software and ESET commented below.
Rob Sobers, Director at Varonis:
“Today’s news is the result of billions of compromised user accounts from other breaches now being used to gain legitimate access to Groupon user accounts in order to make high-ticket purchases just in time for the holidays. If hackers can co-opt a consumer’s credentials for Groupon, then data security professionals need to be asking themselves if those same passwords can be used to access their organisation’s data.
“Barely a day goes by without us entering at least one password or pin to prove we are who we are before accessing information or resources. Yet, passwords are also one of the things we consistently get wrong because we make them short, common and the same across our various applications. If consumers are simplifying their password authentication practices across their personal applications, then it stands to reason that they may be doing this with their employee access credentials. A perimeter defence doesn’t matter anymore if someone has the keys to the front door who intends to do the individual user account or the organisation harm.
“Consumers need to take pro-active steps to ensure their own data privacy by first practicing good password hygiene. Troy Hunt, renowned security expert and author of the free data breach service, “Have I been pwned?,” gives the everyday online consumer helpful tips for creating strong and effective passwords in this free online training sponsored by Varonis Systems, Inc.: “Internet Security Basics, 5 Lessons for Protecting Yourself Online.” He suggests that strong passwords need to be at least 8 characters in length of random lower and upper case letters, numbers and non-numeric punctuation. Your dog’s name plus the year is not a random password. Instead a passphrase should be used to create length and randomness. For example, “What’s Roger got for dinner?” can be manipulated with letter substitution and shortened into an acronym. Finally and most importantly to the Groupon example is that a strong password is unique and only used for one application.”
Paul Fletcher, Cyber Security Evangelist at Alert Logic:
“This is the type of secondary impact that can result from security breaches that include personal identifiable information (PII) and specifically, username, passwords and security question information. It’s extremely important to have good “password” hygiene to lessen the impact of breaches on one system from effective another system. Part of good “password hygiene” is to NOT use the same password on multiple websites, rotate (change) passwords on a recurring basis and use different security questions on different systems and, when possible, use two factor authentication.”
Richard Meeus, VP Technology EMEA at NSFOCUS:
“With the massive data breaches announced last week by Yahoo! – remember it was 1 billion accounts – it has never been more important to use different passwords on every site and use 2FA (2 factor authentication) where possible.
Using the same username and password on every site should not be happening anymore. We need to change user apathy towards passwords and maybe also get website owners to be more proactive in supporting their customers by checking their user databases against the lists of breached accounts”
Lee Munson, security researcher at Comparitech.com:
“The issues experienced by Groupon customers show how a data breach can have far-reaching consequences that affect more than just the company that was initially attacked.
“The fact that Groupon account holders have seen accounts compromised, and money lost, also says much about the practice of reusing email addresses and, especially, passwords across many different websites.
“Users need to be aware of the risks of recycling login credentials – which means one breach can undermine ALL their accounts – as well as be informed specifically about this incident so they can at least change their Groupon password right away.
“As for Groupon itself, even though it hasn’t been breached, it appears it could still learn a lesson or two about incident response so that its customers can retain the belief that the company has their best interests and security at heart.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“What we’re seeing with the Groupon security complaints is the triumph of social media noise over common sense. Groupon was not breached – as far as we know. If Groupon users decided to do what every security expert on earth, and likely every other service the user interacts with has told them again and again NOT to do – use the same password for many websites and services – then how can the user expect anything but these terrible results? Does this mean Groupon has awesome security? No. The point is this isn’t about Groupon’s security in any way. This problem comes from users’ not making good choices even when they know the potential consequences. The reason so many security professionals feel like their advice is like “eat right and exercise” is because, just like health advice, people only seem to follow security advice after something terrible shows them bad things can happen to them, too.”
Mark James, IT Security Specialist at ESET:
“Sadly this is often a result of reusing passwords on other sites, when large data breaches happen the hackers or receivers of stolen details will try those details on sites that store or hold your card details. If successful, they may be able to purchase goods using authentication methods already stolen or even in some cases no authentication at all, if the only authentication is the CVC code of your card then it’s only a 1 in 1000 chance to get it right. With so much of our data being stolen these days it’s imperative you keep an eye on your emails and financial statements for any suspect transactions. Be vigilant and try where possible to contact both your bank and the retailer as soon as possible with any discrepancies, keep all correspondence and review your passwords for any sites that can potentially store your credit card information. A password manager can help you use unique complex passwords and 2 factor authentication, if available, will stop others from using your login details.”