Following the news in the US that millions of Verizon customer records have been exposed in a security lapse, IT security experts commented below.
Jeff Nolan, CMO at SecureAuth:
“With millions of exposed names, phone numbers and account PINs, the fallout from Verizon’s latest Amazon S3 leak will be felt for a long time to come. When an attacker has enough information about their target – gathered either through social engineering or from data breaches – they will contact the phone carrier and have the phone SIM card swapped to a new device. Once this is complete, all texts and phone calls will be sent to this device. Typically, the bad actor ports the number to some sort of virtual number, but there have been cases where the number is ported to a burner phone.
“This attack is a major wakeup call for organisations to move beyond two-factor authentication, which is simply no longer enough to safeguard against today’s attacks. Between SIM card fraud, Signal System 7 (SS7) network intercepts, and NIST’s recent cautions on SMS-based 2FA, there is no question that organisations need to re-evaluate traditional authentication methods. Smart organisations are already moving to adaptive access control techniques, such as phone number fraud prevention and identity-based detection. This works invisibly to the user but protects, detects, and ultimately remediates attacks, essentially rendering stolen credentials useless.”
Ermis Sfakiyanudis, Cybersecurity Expert and CEO at Trivalent:
“The Verizon data breach comes just days after the Hard Rock Hotels & Casinos and Loews Hotels breaches. Each of these highlights the critical need for better data protection within industries that utilize personally identifiable information (PII) data. In this case, the threat came from an insider at a third-party vendor Verizon relies on for back-office and call center operations. The insider logged Verizon customer data, including names, addresses, phone numbers and PIN codes, via an Amazon Web Services S3 data store. Not only does this breach serve as an example of the dangers third-party companies can pose to enterprise data that is not properly protected, it also opens up an important discussion around traditional encryption. With the consistent revelation of high profile breaches in 2017, encryption alone has proven it is no longer enough to protect sensitive information, especially against next level attackers. Every time a consumer engages with an organization, they are trusting that company to keep their data safe. The only way organizations can get ahead of data breaches is to address them as a likely probability—not an impossibility. Only then will enterprises be empowered with next generation protection that secures data at the file level, rendering it useless to unauthorized users—even if a breach occurs.”
Ryan Wilk, Vice President, Customer Satisfaction at NuData Security:
“This is the fourth exposure of sensitive user PII data on an unsecured server in less than a month. This mishandling of trusted data proves that just about anyone can obtain personally identifiable data to create fraudulent identities for account takeovers, opening lines of credit, or fraudulently buying products and services. Hackers use this information to form profiles of individuals that can be sold on the Dark Web and re-used across many sites at scale.
“It’s important to note that these exposures are open vulnerabilities that almost anyone can access. It doesn’t take sophisticated hacking skills to access an unsecured server – fraudsters just need to know where to look. Companies that handle personal data need to up their game, not only by being vigilant about server security but also by incorporating the latest technologies to protect their consumer accounts. Advanced techniques like passive biometrics and behavioral analytics identify users by their personal behaviors, which can’t be mimicked by bad actors – even if these leaked but legitimate credentials are presented. The true value lies in the fact that even if consumer information is stolen, it is worthless to anyone but the authentic user.”
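The recurring failure behind the S3 exposures that both Sfakiyanudis and Wilk refer to is a bucket whose policy or ACL grants read access to everyone. As an added example (not code from the article or from SecureAuth, Trivalent or NuData), the Python below audits a bucket policy document and a bucket ACL for anonymous read access, the check a defender would run across an estate before a third party starts exporting customer records into it. The policy, ACL, bucket name, VPC id and account id are constructed samples in the real AWS document formats, not Verizon's configuration.

```python
"""Flag S3 bucket policies and ACL grants that expose objects to anyone.

Added example, not code from the article or from the vendors quoted in it.
The policy and ACL documents below are constructed samples in the formats
AWS uses for bucket policies and for boto3's get_bucket_acl() result.
"""
import json

# Actions that let an anonymous principal read or enumerate bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Predefined grantee groups that mean "everyone" or "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the statement's Principal matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return (flagged, needs_review) lists of statement Sids (or indexes).

    A statement is flagged when it Allows a read/list action to Principal "*"
    with no Condition block. Conditioned statements (e.g. aws:SourceVpc) can
    still be too broad, so they are returned separately for manual review.
    """
    policy = json.loads(policy_json)
    flagged, needs_review = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        label = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            needs_review.append(label)
        else:
            flagged.append(label)
    return flagged, needs_review


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    exposed = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            exposed.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return exposed


# Constructed sample policy: one world-readable statement, one VPC-conditioned
# statement, one correctly scoped to the owning account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-callcenter-exports/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-callcenter-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-00000000"}}},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-callcenter-exports"},
    ],
})

# Constructed sample ACL in the shape boto3's get_bucket_acl() returns.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("public statements, needs review:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

In a real audit the two documents come from `get_bucket_policy()` and `get_bucket_acl()` for each bucket, and a bucket with S3 Block Public Access enabled at the account level overrides both, so the check is only needed where that setting is off.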