13 September 2014
Google confirms ‘five million’ customer data dump but denies breach – IT News from V3.co.uk.
The news about the Google hack this week were somewhat puzzling at a first glance. Five million customer data stolen but no attack on internal systems? It took me some time to understand this.
In my opinion some hackers collected a large number of accounts from lots of companies, including some Google accounts. From my experience with phishing attacks, and the statements in several reports about the lousy data quality, this sounds quite plausible.
Some statements in post ‘Cleaning up after password dumps’ published by Google’s Spam and Abuse Team on 10 September in its Online Security Blog confirmed my impression:
It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.
For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.
How could we avoid such data theft in the future?
From a technical point of view only Two or Multiple Factor Authentication (MFA) could prevent such attacks. In post Google denies breach after hackers leak millions of user logins published on 11 September in Computerweekly.com, Yiannis Chrysanthou, security researcher in KPMG’s cyber security team, stated, that MFA is the sole means to prevent misuse of stolen credentials.
The last statement in this post was very puzzling:
“Of course this extra security comes with increased investment – but the improved customer protection makes it viable and valuable,” said Chrysanthou.
What increased investment? For usage of Google 2 Step Verification? Or TFA in Apple’s iCloud Services or WordPress.com? There are no additional costs! The only drawback of MFA is loss of comfort for the users of this services. But the gains in security are invaluable. I would be very pleased if Amazon, eBay, and Microsoft would add TFA to their services as soon as possible.
When it comes to implementation of MFA inside of companies we definitely talk about increased investment. Adding MFA to an Active Directory that serves ten thousands of internal users or to a service for external customers will result in an additional investment and higher operation costs. But with TFA the eBay data breach earlier this year would have been prevented. Just as the Code Spaces collapse.
The big question is as always: What is the total loss of turnover created by a data breach compared to the total costs of implementing TFA?
Can Code Spaces tell us?