As infosec hotshots flew into Las Vegas for Black Hat USA, a certain Alex Holden of Hold Security dropped a bombshell from Milwaukee. Through the New York Times, he made it known that a Russian gang that he called CyberVor had succeeded in “the biggest hack ever:” the theft from about 420,000 web addresses of “1.2 billion username and password combinations” and “more than 500 million email addresses.” A colleague alerted me to this through a WhatsApp message alarmingly headed, “YOU HAVE BEEN HACKED” – the title of Hold Security’s own CyberVor-related web page.

It would cost me if I wanted to confirm this block letter diagnosis. The Wall Street Journal and Forbes each raised an eyebrow at the fact that Hold Security, having created a panic on very little detail, was attempting to capitalize on it by charging a not insignificant yearly subscription to those wanting to find out more.

Questions over Holden’s ethics were followed by others over his background and methods, the stolen data’s quality, the economics of using such potentially valuable data primarily to send spam, and why an online security company worth its salt would make the “idiotic” request that subscribers input all their passwords into an online form. Many described the industry’s response to this story as “skepticism,” but it often looked to me more like a backlash.

The limits of control

Whether this story is the revelation it first appeared to be is not what this blog post is about. To me, the exact scale of the threat is beside the point. There will be many more CyberVor-like panics in the coming years. For consumers accustomed to weekly reports of large-scale digital security breaches, this story is just more confirmation that the bad guys are running amok – and not just in some undisclosed city at the edge of the Siberian taiga.

In the comments to many of the stories I linked to above, there’s a strong sense of resignation and, in places, even anger. The most popular comment I saw on the original NYT story is unusually eloquent, so allow me to quote it in full: 

"Given the wearisome self-reverential culture of America’s information technology community, whose members claim to be the avant-garde of IT, you have to wonder how ‘fewer than a dozen men in their 20s’ in south central Russia can pull this off, let alone on a global scale.

I change my passwords often, because of reports like this. It’s a bit of a pain, but it appears to have protected me so far. Or perhaps not.

Again and again, the weakest link in my security effort seems to be the retailers and companies whose websites I visit, and whose resources certainly ought to enable them to maintain cutting-edge security on their customers’ behalf. 

Internet security is achievable, but many big companies see it as a non-revenue-producing endeavor and therefore do not employ sufficient resources, including people as bright and innovative as those dozen-odd lads in Russia, to make themselves and us secure."

Sounds like an insightful kind of guy. Like him, I’ve recently changed passwords in response to one or other bulk data breach. I admit that I took my time doing so, perhaps because, as this commenter implies, changing your passwords whenever heists like these make the news isn’t really going to keep you safe. 

It’s too little, too late. How long has your data potentially circulated in the darker corners of the Web? Weeks, months, even years? Your passwords may be long and complex, unique to every online account, and linked to a range of email addresses – and, if so, well done! – but there’s only so much control individuals have over the situation. 

The truth is your sensitive personal data will continue to leak into the digital ether as long as online service providers themselves fall prey to hackers. 

Go out of band for your customers

Asked by the NYT for comment on CyberVor, Gartner analyst Avivah Litan said, “Companies that rely on user names and passwords have to develop a sense of urgency about changing this. Until they do, criminals will just keep stockpiling people’s credentials.”

I’d add that, while it is vital that organizations do more to secure users’ login credentials, it is increasingly important to protect users in the fairly likely event that those credentials are stolen. Consistent with Gartner’s layered security recommendations, online service providers must build in completely out-of-band user and transaction authentication as the ultimate defense of their customers’ accounts – of their personal information and money.

Too many banks and retailers have taken an indifferent or unimaginative approach to securing their customers’ accounts, relying on compromised technologies like OTP and SMS. In the USA, in particular, there’s the fear that new technologies like two-factor, out-of-band authentication; bilateral end-to-end encryption and 3-D Secure are too risky: that they will be experienced as inconvenient by consumers. 

On the contrary. When enabled through the mobile phone, two-factor authentication can be as simple as pressing a button. Entersekt’s out-of-band authentication solutions make clumsy one-time passwords redundant. There are no hardware tokens or text messages. Instead, digital certificates authenticate the device, digitally sign transaction verification requests, and encrypt communications to and from the enterprise’s servers. Using our system, our bank and retail clients are guaranteed that they are communicating with a legitimate mobile device; that their customers enjoy peace of mind, confident that messages originate from a trusted source; and that no third party can access or alter communications. 
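To make the difference between a one-time password and a signed, out-of-band transaction approval concrete, here is a small added model of the pattern the paragraph above describes. It is example code written for this page, not Entersekt’s product code: an ECDSA key pair stands in for the device certificate, the server stores only the enrolled public key, and the device signs the exact transaction details it displayed together with a fresh nonce. The names (`Device`, `Server`, `Transaction`), the JSON-over-SHA-256 digest and the sample customer and amounts are all constructed for illustration. The point it demonstrates: a stolen username and password give an attacker nothing to sign with, an approval cannot be re-bound to altered details, and it cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is what the bank asks the customer to confirm on the phone.
// Nonce is fresh per request so a captured approval cannot be replayed.
type Transaction struct {
	ID          string `json:"id"`
	Beneficiary string `json:"beneficiary"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"`
}

// Device models the enrolled phone. The private key never leaves it;
// the server only ever holds the public half (stand-in for a device certificate).
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// digestOf hashes the canonical JSON of the transaction; struct field order
// makes the encoding deterministic, so both sides hash identical bytes.
func digestOf(tx Transaction) ([32]byte, error) {
	b, err := json.Marshal(tx)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(b), nil
}

// Approve signs the transaction exactly as displayed to the user.
func (d *Device) Approve(tx Transaction) ([]byte, error) {
	digest, err := digestOf(tx)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Server keeps enrolled device keys and the transactions awaiting approval.
type Server struct {
	devices map[string]*ecdsa.PublicKey // customer -> enrolled device key
	pending map[string]Transaction      // nonce -> transaction as issued
}

func NewServer() *Server {
	return &Server{devices: map[string]*ecdsa.PublicKey{}, pending: map[string]Transaction{}}
}

func (s *Server) Enroll(customer string, pub *ecdsa.PublicKey) { s.devices[customer] = pub }

// Request issues a transaction verification request with a fresh random nonce.
func (s *Server) Request(id, beneficiary string, amountCents int64) (Transaction, error) {
	var nb [16]byte
	if _, err := rand.Read(nb[:]); err != nil {
		return Transaction{}, err
	}
	tx := Transaction{ID: id, Beneficiary: beneficiary, AmountCents: amountCents, Nonce: hex.EncodeToString(nb[:])}
	s.pending[tx.Nonce] = tx
	return tx, nil
}

// Verify accepts an approval only if it covers a pending transaction exactly as
// issued and the signature verifies under the customer's enrolled device key.
// The nonce is consumed on success, so the same approval cannot be used twice.
func (s *Server) Verify(customer string, tx Transaction, sig []byte) error {
	pub, ok := s.devices[customer]
	if !ok {
		return errors.New("no enrolled device for customer")
	}
	issued, ok := s.pending[tx.Nonce]
	if !ok {
		return errors.New("unknown or already consumed nonce (replay?)")
	}
	if issued != tx {
		return errors.New("details differ from the issued transaction (tampering?)")
	}
	digest, err := digestOf(tx)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature not produced by the enrolled device")
	}
	delete(s.pending, tx.Nonce)
	return nil
}

func main() {
	dev, _ := NewDevice()
	srv := NewServer()
	srv.Enroll("alice", dev.Public()) // constructed sample customer
	tx, _ := srv.Request("tx-1", "ACME Ltd", 12500)
	sig, _ := dev.Approve(tx)
	tampered := tx
	tampered.Beneficiary = "Mule Account" // altered in transit
	fmt.Println("tampered:", srv.Verify("alice", tampered, sig))
	fmt.Println("genuine: ", srv.Verify("alice", tx, sig))
	fmt.Println("replay:  ", srv.Verify("alice", tx, sig))
}
```

Note what the server never learns: a password, an OTP, or anything else a phishing page could harvest and forward. Whatever credentials have leaked, the approval must come from a key that only the enrolled device holds, and it is bound to the one transaction the customer actually saw.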

There will be thousands more scares like CyberVor. Take action today. Go out of band for your customers.

Find out more: download our white paper OTP: Security Past Its Expiration Date.

Mark van Dalsen

MARKETING COMMUNICATIONS MANAGER

Mark has been marketing fintech since the last century and remains smitten with the business and the art of building brands.
