Hackers recently leaked 400 Dropbox account account passwords and usernames, claiming that an additional 6.9 million credentials would be released unless they received ransom money in Bitcoins. Here to comment on this breach are a number of information security experts. Intercede, Kaspersky Lab, and Infobip are represented.
Richard Parris, CEO, Intercede:
“The news of yet another high-profile online security breach further illustrates how the inherent limitations of the username/password system, combined with lax security habits, are endangering consumers’ valuable digital assets. In Intercede’s recent study The Rise of the Identity Centric Economy, these poor habits were painfully illustrated, with 60% of UK consumers confirming they only used passwords they could ‘remember’. This implies these passwords are weak and likely to be used as credentials to access a number of websites and online accounts.
“Just as concerning was the number of people who admitted to knowing other people’s log-in details, with almost 30% of consumers admitting to knowing a friend, relative, partner or work colleague’s passwords. There is clearly a need for increased consumer education and a wide-scale use of more robust security solutions.
“Every high profile breach is another nail in the coffin for the humble username and password system, as public awareness grows that passwords are simply not up to the task of securing people’s digital assets in the modern world.”
Sergey Lozhkin, Security Expert, Kaspersky Lab:
“Users often underestimate the degree of interest hackers can have in their personal data, and they commonly treat their choices of passwords with a certain indifference. However, using identical or very similar passwords to access various online services means that if just one password somehow falls into the hands of cybercriminals, users risk losing control over all their accounts. Cybercriminals use special malicious programs to gain access to financial services or simply steal information – through phishing websites, Wi-Fi traffic data interceptions, or attacks on company servers holding confidential user data. These are just a few of the many prevailing techniques used by cybercriminals today. Naturally, the threat is much higher if just a single ‘universal’ password is used for all online accounts.
“How to better protect yourself from a leak:
1. Use two-factor authentication, if it’s available. Increasingly, online providers help you secure your account by requiring you to enter a one-time code as well as your normal password (e.g. a code sent via SMS to your mobile device).
2. Change your passwords regularly. This greatly reduces the chances that an active password from your account will be found in a leaked database. Recent reports show that these databases often contain outdated passwords, or passwords to long-forgotten accounts.
3. Use unique, complex passwords. This means passwords that combine letters, numbers and special characters; that are at least eight characters – ideally 15; and that don’t use personal information (such as a spouse or pet’s name, etc.) or words – any word at all – that can be found in a dictionary. It’s crucially important not to use the same password for multiple accounts. If a company suffers a data breach and your login and password is compromised, the attackers can use the same credentials to compromise the other online accounts you have. If you find it hard to remember lots of complex passwords, consider installing a password manager that can remember them all for you – you just need to remember a single master password. Alternatively, you could write your passwords down, perhaps in ‘code’ form. But don’t keep them where someone else could find them, or in the same place as your laptop, tablet or smartphone; if they’re lost or stolen together someone else could get access to everything they’d need to steal your online identities.
4. Keep a close eye on your different accounts for any suspicious activity, and contact the providers immediately if you see anything at all amiss.”
Silvio Kutic, CEO, Infobip:
“As the latest household name to experience a password breach, it’s understandable that Dropbox is touting the fact it now supports two-factor authentication. But this event is far more significant than those in recent weeks, as it demonstrates the importance for all online services to offer two-factor authentication. Now, not only is it essential to protect users from data breaches that happen on company servers, it’s also necessary to protect them from their own habits and behaviours.
“Most of us use the same password for all our accounts, from social networking to banking. If a hacker can get hold of a username and password for one website, and the affected user hasn’t protected their other accounts with two-factor authentication, then it is likely those same details will work in a number of other places, too.
“Even though most cloud storage providers like Dropbox, retailers, and social networks offer two-factor authentication for this reason, most users are unaware of it. There is no doubt that two-factor authentication ticks all the right boxes for a consumer-friendly answer to the security challenges faced by today’s online players, but incorrectly implementing 2FA or providing consumers with an overly complicated authentication process will not have the desired effect. The extra layer of security simply won’t be used.
“In this respect SMS-based 2FA is the best approach. Rather than relying on an authenticator app or additional hardware like a key fob, SMS-based 2FA can turn any mobile phone into an extra layer of security.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.