It has been reported that American telecommunications provider Sprint has suffered a data breach, telling customers that hackers broke into their accounts through a Samsung website. The number of customer accounts breached isn’t yet known. The hack occurred June 22, Sprint told its customers in a letter, and included details like first and last name, billing address, phone number, subscriber ID, account number, device type, device ID, monthly charges, account creation date, upgrade eligibility and any add-on services. It occurred via the Samsung “add a line” website.
- The company said it re-secured all compromised accounts by resetting PIN codes, three days later, on June 25
- The Sprint account breach notification lacks a few important details, such as the number of breached accounts, the date when hackers first started accessing Sprint accounts via the Samsung.com website, and if hackers modified any customer account details
- This is the second account breach notification letter Sprint is sending this year. The company also suffered another breach via Boost Mobile, a virtual mobile network and Sprint subsidiary
Hackers used #Samsung website to access #Sprint's customer data
More: https://t.co/yih9FjIf5X#Security #Hacking #Breach #Telco
— Hackread.com (@HackRead) July 16, 2019
Experts Comments:
Felix Rosbach, Product Manager at comforte AG:
“To stay on top of the game and to offer a best-in-class customer experience, some organizations allow third parties access to sensitive customer data. Missing control over the infrastructure of third parties combined with the lack of cybersecurity talent available on the market makes it near impossible to prevent attackers from getting access to such a complex network.
Protecting data is more important than just preventing breaches. The best thing organizations can do is to focus on a data-centric security strategy to make sure that data is protected and access to it is restricted all the time.”
Boris Cipot, Senior Security Engineer at Synopsys:
“Every breach has to be taken seriously, and impacted users should be on the lookout for possible misuse of their data. The good thing here is that credit card information and social security numbers were not affected due to the encryption.
In addition to changing PIN numbers, as recommended by Sprint, I would also advise users to change their account credentials for the Sprint portal. As we know, many people use the same username and password for many different accounts, so it would be advisable to change those also. In any case, it would be advisable for everyone to change their password every now and then and not use the same credentials for different services.”
Saryu Nayyar, CEO at Gurucul:
“While details of this breach are scant, the reality is that a volume of accounts were compromised via a third party site. The spike in activity of “add a line” transactions or visits to the “add a line” website should have triggered alarm. That type of activity is both anomalous and risky. It should have set off alarms to be investigated by the Sprint security team. Once again, defending breaches after-the-fact is ineffective.
When attackers manage to hijack legitimate access rights, they can remain undetected for extended periods of time. Many organisations don’t have the ability to identify subtle behavioral anomalies that are indicators of cyber threats. But with advanced machine learning algorithms it’s possible to spot behaviors that are outside the range of normal activities and intervene before the damage is done.”
Javvad Malik, Security Awareness Advocate at KnowBe4:
“The Sprint breach highlights, once again, the importance of third party assurance and how access given to third parties needs to be carefully considered, secured and monitored. When security is built in at an early stage, the architecture can be designed in a more secure manner so that external, or even internal departments which don’t need access to functions cannot make any unauthorised changes.
It’s unfortunate that Sprint didn’t provide more details around the number of accounts breached and whether attackers had modified any account details. It could be possible that Sprint is still collating the information, but transparency and clarity of impact is vitally important for companies in the aftermath of an incident. Delays to sharing information can undermine customer confidence.”
Jonathan Bensen, CISO at Balbix:
“Sprint’s breach could not come at a worse time for the company as it recently reached a $26.5 billion merger agreement with T-Mobile which would allow the United States’ third and fourth mobile carriers to prove more formidable opponents to Verizon and AT&T. If the two enterprises do merge, it is critical that the pair implement security solutions that scan and monitor all T-Mobile and Sprint-owned and managed assets as well as all third-party systems to detect vulnerabilities that could be exploited. Proactively identifying and addressing vulnerabilities that would put them at risk, such as the Samsung.com threat that lead to this breach, is the only way to stay ahead of future breaches and avoid litigation, fines under data privacy laws, retain brand image, increase the organizations’ market share and beyond.
This breach adds to a growing list of recent, unfortunate events suffered by Sprint. The company announced that it lost 189,000 customers and admitted a loss of four cents per share in its fiscal fourth quarter. Sprint’s subsidiary, Boost Mobile, also suffered a breach in May after hackers obtained unauthorized access via a brute force credential stuffing attack.
It would not be surprising if T-Mobile reconsiders its merger with Sprint after this latest breach. Companies must remain ever vigilant during merger and acquisition (M&A) activity to avoid suffering the same fate as Marriott that was fined $123 million last week under GDPR for its 2018 data breach.”
Ben Goodman, CISSP and SVP at ForgeRock:
“Even though the exact amount of Sprint customers affected is unknown, the company claimed 54.5 million customers in Q1 2019. For security and privacy reasons, every user should assume that his or her information may have been compromised in this breach. The information exposed in this latest breach of Sprint’s customers can be combined with previously stolen data to create effective credential stuffing lists for brute force attacks on other accounts or even highly targeted phishing attacks. All of Sprint’s customers should take precautionary measures to protect other accounts by enabling multi-factor authentication (MFA) and changing login credentials.
Even if Sprint’s website was secure, the intruders gained unauthorized access via Samsung.com. The attack landscape is constantly expanding and organizations must be prepared to secure customer data by implementing security strategies and tools that respect customer privacy and prescribe real-time, contextual and continuous security that detect unusual behavior and prompt further action, such as identity verification via MFA.
Unfortunately, even adhering to best practices still does not guarantee an individual’s account’s safety. Organizations across all industries continue to use knowledge-based answers for account recovery purposes, and this method represent another highly susceptible attack vector for hackers to target to gain access to accounts. Questions such as “where did you go to high school/college” and “what city were you born in” are two commonly asked questions for password resets, and a threat actor can use previously pilfered personally identifiable information (PII) from other breaches to correctly answer them and obtain access. Companies must begin to stray away from this type of account recovery method in order to best secure their customers’ profiles.”
Robert Prigge, President at Jumio:
“This provides yet another wake-up call for any company that still protects their users’ online accounts with a simple username and password. We now live in zero-trust world thanks to the dark web and near daily data breaches. This means that any cybercriminal with limited skills can perpetrate account takeover fraud with ease. This is precisely why online accounts need to be protected with much stronger forms of biometric-based authentication. This is no longer a nice-to-have feature — it’s a must-have. The good news is that users are now ready for simple face-based biometrics (thanks to Apple’s Face ID) and it’s even easier, faster and way more secure than legacy methods of authentication.”
Monique Becenti, Product and Channel Specialist at SiteLock:
“Sprint’s recent breach, where hackers accessed customer accounts through Samsung’s add-a-line website, leaves customers vulnerable and offers key lessons for other businesses. Affected consumers should start by immediately changing usernames and passwords for any connected accounts. If you can implement two-factor authentication, do so. Consumers should also request for a new account number if possible, including new SIM cards for all devices on an affected account. For website owners keen on avoiding a similar fate, enacting security plugins that will monitor your site for suspicious activity, ensuring your website software is always up to date, and utilizing parameterized queries are all key steps to take to keep your data secure. This breach also shows the importance for businesses of evaluating the cybersecurity practices of their partners.”
Mike Bittner, Associate Director of Digital Security and Operations at The Media Trust:
“A poorly secured web app infrastructure likely contributed to this breach. Samsung’s site was probably compromised through a user input field provided by a third-party code supplier who designed their app without security and privacy in mind. Ten years ago, relying on third-parties was cost-effective. But with new data privacy laws like GDPR and regulators eager to flex their new authority, a third-party’s data breach or misuse will hit the company’s top and bottom lines. All businesses must have a firm grasp of all their third parties’ security posture and minimize the impact that a compromised third party might have on customers.”
Sam Bakken, Senior Product Marketing Manager at OneSpan:
“Suggesting this breach does not put users at risk of fraud or identity theft strikes me as either ignorant or disingenuous. Our mobile devices are becoming a more and more significant aspects of our identity. Look at the damage SIM-swap attacks can do. Combining phone number, device type and device ID, an attacker has the building blocks for an account-takeover scheme. This looks to me like yet another example of consumers’ privacy and security being violated likely through no fault of their own, and business should see it as yet more evidence of the importance of multifactor authentication combined with risk analysis to prevent account takeover fraud.”
Craig Young, Principal Security Researcher at Tripwire:
“In recent years, SIM-swapping and other attacks have been increasing in popularity toward the goal of bypassing SMS based 2-factor authentication. Although typically this kind of attack is carried out using social engineering or malware, an attacker with access to a victim’s Sprint account may have been able to directly transfer the phone number to another SIM so that they could receive the login code.
Information systems which connect disparate organizations, run the high risk of inadvertently exposing sensitive data or introducing a backdoor. This is something we have seen in the past including with phone operators. For example, back in 2010, a flaw on the AT&T web site had enabled attackers to dump email addresses of iPad users registered on the network.”
Tim Mackey, Principal Security Strategist at Synopsys:
In the US, mobile users have long enjoyed the freedom to “port”, or move, their existing mobile number to any other carrier as they might wish. In doing so, their phone number becomes an aspect of their digital identity much in the same way an email address or Twitter handle might be. The process of porting a number requires the user provide specific information surrounding their existing account to the new provider. That new provider will then issue a SIM card for their service with the original phone number and the original SIM will be invalidated. As you might expect, this process while benefiting users also provides opportunities for malicious activity. If a malicious actor has access to the appropriate provider information, they can co-opt the users account either through the porting process or by simply obtaining a replacement SIM. These attacks are respectively known as “port-out scams” and “SIM-jacking”. Once ported, the replacement device will receive all cellular messages such as SMS. This can facilitate attacks where SMS is used as part of a two-factor identification strategy.
For Sprint customers, its important that they go in and manually change their PIN rather than relying on the PIN generated by Sprint. The PIN is part of the process Sprint uses to validate the legitimacy of any port requests. Importantly, the replacement PIN shouldn’t be the same as the original!
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.