Daily Bulletin


The Conversation

  • Written by The Conversation
imageHack attackShutterstock

Apple and Starbucks are two of the world’s most trusted companies, but they both recently fell victim to security hacks. Both set up systems that appear to have allowed hackers to break into customers' accounts by repeatedly trying different passwords, a procedure commonly known as a “brute-force” attack. It has been reported that neither firm employed the simple tactic of automatically locking accounts after several failed attempts to enter a password.

Last week it was reported that these tactics allowed thieves to steal money from users of Starbucks' mobile app. In 2014, an investigation around the publishing of nude photos of celebrities taken from their iCloud storage accounts, identified that intruders could access Apple’s Find My iPhone app by continually trying different login details.

In order to protect against this type of attack, many sites block login after a given number of incorrect attempts. The system can then go into a permanent lock-out mode (where the user must perform a lock-out procedure, such as calling the hosting company to verify their account), or lock out for a given time (known as the hold-down time).

imageBrute force from a stolen accountAuthor Provided

The size of mobile keyboards can make it tricky for users to correctly enter their password on the first try, especially as it is increasingly common for companies to require passwords with non-alphabet characters. To counter this, developers now often support many more incorrect logins than was previously normal. But many just go for an infinite number of incorrect ones without the chance of a lock-out.

In the Starbucks case, and in many others, the hackers reportedly managed to gain stolen IDs and passwords and then try to brute-force the accounts on the Starbucks mobile app, trying hundreds of logins per second.

One tactic of intruders is to try many accounts rather than concentrate on a single one and try lots of passwords for it, which is more likely to trigger security measures. There is a high likelihood that there will be some user accounts that match from the stolen credentials.

imageIntruder trying lots of accountsAuthor Provided

Users will also typically use the same password for multiple accounts, so if the intruder manages to gain the password against one compromised account, they will try the same password against other login systems. Often, the same email address is used as a login for different systems, so that it can be fairly easy for an intruder to try the same ID and password that has been used on another system against a new target.

In the case of both Starbucks and Apple, the companies' authentication systems are said to have failed to provide a locking mechanism for repeated attempts to enter usernames and passwords. This should have included:

  • A lock-out on a certain number of tries
  • A network detection system setup to detect multiple logins
  • A task or question that can’t be completed by automated bots (for example: Captcha)

Stopping attacks at source

The problem in cybersecurity is often as simple as a developer’s desire to quickly produce a solution and get it online, but forgetting to think through the processes that an adversary might take. In this case, it was a novice problem. Most system administrators would advise that a three-try system works best and will quickly knock out an automated agent. This lock can then be identified by the user and often reported by to the host company.

However, companies must also do their own penetration testing and not wait for the general public to find the weaknesses.

Starbucks has made massive advances in getting users to trust mobile payments – and this kind of sloppiness is unlikely to stop this trend. But it is the lack of due process that is the most worrying in such large firms.

These businesses perhaps have a great deal to learn from the finance sector, where companies often employ many network monitors to detect brute-force logins and stop attacks at their source.

We would never trust a bank not to implement an auto-lock-out on incorrect passwords. A simple email reset on three bad attempts seems a balanced approach. Obviously if someone compromises your main email account they can do the reset for you, but it is another hurdle in their path. Also an intruder could trip a whole range of accounts on a network too.

Increasingly, multi-factor authentication is used, often involving location-tracking via a phone’s GPS, to prove a user is who they claim to be. This means the best piece of security you have could actually be the mobile phone that goes everywhere with you (but please make sure to refresh your passwords on a regular basis).

For companies, however, there’s nothing else for it but to employ managed security services with highly trained staff who can pick-off threats as they occur.

Bill Buchanan does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

Authors: The Conversation

Read more http://theconversation.com/apple-and-starbucks-could-have-avoided-being-hacked-if-theyd-taken-this-simple-step-41999

Writers Wanted

Racing 2-year-old horses is lucrative, but is it worth the risks?

arrow_forward

How to Sanitize Cloth Masks Properly

arrow_forward

The Conversation
INTERWEBS DIGITAL AGENCY

Politics

Ray Hadley's interview with Scott Morrison

RAY HADLEY: Prime Minister, good morning.    PRIME MINISTER: G’day Ray.   HADLEY: I was just referring to this story from the Courier Mail, which you’ve probably caught up with today about t...

Ray Hadley & Scott Morrison - avatar Ray Hadley & Scott Morrison

Prime Minister's Remarks to Joint Party Room

PRIME MINISTER: Well, it is great to be back in the party room, the joint party room. It’s great to have everybody back here. It’s great to officially welcome Garth who joins us. Welcome, Garth...

Scott Morrison - avatar Scott Morrison

Prime Minister Interview with Ben Fordham, 2GB

BEN FORDHAM: Scott Morrison, good morning to you.    PRIME MINISTER: Good morning, Ben. How are you?    FORDHAM: Good. How many days have you got to go?   PRIME MINISTER: I've got another we...

Scott Morrison - avatar Scott Morrison

Business News

Tips to find the best plastic manufacturing supplier for your needs

Plastics are very much an important part of all of our lives, but they’re particularly valuable to a wide variety of industries that rely on their production for their operations. The industries, ...

News Co - avatar News Co

7 foolproof tips for bidding successfully at a property auction

Auctions can be beneficial for prospective buyers, as they are transparent and fair. If you reach the limit you are willing to pay, you can simply walk away. Another benefit of an auction is tha...

Dominique Grubisa - avatar Dominique Grubisa

Getting Ready to Code? These Popular and Easy Programming Languages Can Get You Started

According to HOLP (History Encyclopedia of Programing Languages), there are more than 8,000 programming languages, some dating as far back as the 18th century. Although there might be as many pr...

News Co - avatar News Co



News Co Media Group

Content & Technology Connecting Global Audiences

More Information - Less Opinion