On August 20, T-Mobile discovered that a hacker had gained personal information from unauthorized access to its system.

Over 2 million of its 77 million customers were exposed.

Although T-Mobile quickly reported the incident to authorities, it's apparent that the cybercriminal is aiming to sell the data, including names, ZIP codes, phone numbers, email addresses, and payment information.

While it's still too early to determine the financial consequences T-Mobile will face from the incident, a recent study from UNC found that data breaches can cost companies as much as 3% of their market value. Dashlane estimates the average dollar cost at $7.35 million in the U.S., 60% of which is customer (revenue) loss.

What can business leaders learn from this incident to protect their teams and their customers going forward?

Lesson 1: Hackers Go for Weak Points, So Protect Yours

Understanding how hackers get in is the first step. There are four common ways that hackers access systems:

- Malware infiltration (placement of malicious software, including ransomware and spyware)
- Phishing (emails that trick recipients into giving away sensitive data or downloading a file that installs spyware)
- USB traps (a hardware device that contains a HID spoof)
- Mobile attacks (attacks specifically designed for mobile software)

In all cases, hackers look for the simplest vulnerability they can possibly use to compromise your system. That means they're not necessarily going to try to waltz in the front door. In the T-Mobile data breach, the thief was able to access the system through a hole in an API. Since APIs run on web servers, they are available to all internet users.

To be sure you know who is working within your system at any one time, implement a strong user management system. You can build one in-house or outsource it. Many choose to outsource their identity management since the field is increasingly complex and time-intensive - a challenge for in-house teams to manage with the rest of their workload.

Auth0's user management dashboard, for example, lets administrators grant permissions for certain users to access sensitive customer information. With this powerful web interface, they can add or remove users, modify their profiles, and identify any root-cause login issues.

With APIs, it's also important to remember to authenticate your apps in addition to authorizing users. You can use a standardized protocol for both authentication and authorization.

Lesson 2: Update Your Password Practices

A 2017 Verizon report found that 81% of hacking-related breaches were due to stolen and/or weak passwords. While for years teams relied on the MD5 (message-digest) algorithm to hash passwords (create mathematical representations of plain text), today it's not considered the safest method.

Although MD5 hashes were originally designed to prevent anyone from working backwards from the hash to determine the real password, it's now possible to rapidly generate MD5 hashes to eventually find a matching password. Evidence points to T-Mobile password hashes being MD5, which suggests the company may have been using outdated password practices.

To prevent the risk of password hacking, many providers are using bcrypt instead - a more resistant algorithm. bcrypt uses a salt, an additional safeguard for passwords in storage. Over time, users can increase bcrypt's iteration count to slow the process. This makes it more resistant to brute-force search attacks.

Two-factor authentication or 2FA is an alternative verification method. In addition to requiring users to type in a password, 2FA can also request a TOTP (a time-based one-time password) that it sends to the user's cell phone or other hardware device. 2FA can also require the second form of identification to be a biometric, such as a thumbprint or Face ID. While none of these solutions are foolproof, a second method of authentication has been found to prevent breaches in 80% of the cases.

Lesson 3: Improve Communication with Customers After a Data Breach

Although T-Mobile did attempt to notify customers whose accounts might have been compromised a few days after they discovered the incident, many of these recipients were put off - thinking the text message itself was a form of phishing. Texting can be a tricky form of communication for something so sensitive (particularly from a large, impersonal corporation).