Telecoms provider Vodafone has reported that nearly 2,000 of its customers have had their details accessed. According to Vodafone, the incident happened between Wednesday and Thursday last week.
Reportedly, 1,827 customers have had their accounts accessed, with criminals potentially accessing customers’ names, their mobile phone numbers, bank sort codes and the last four digits of their bank account numbers. The BBC reported that the details criminals used to try and access Vodafone accounts were allegedly bought on the ‘dark web’.
Brian Spector, CEO of Certivox the Cryptography company explains :
- Insight into what happened?
“There is limited information currently available. We have collectively become used to Password breaches in the 10’s or even 100’s of thousands. Vodafone’s report of 2000 customer accounts having been breached is a relatively low number.
It is quite possible, that as the criminals allegedly “bought these account details on the dark web”, that user name and password pairs that have been breached elsewhere at a different online service, are being re-purposed by the criminals. This is only possible if customers re-use the same username (typically their email) and the same password for different services. Once one service is compromised, the criminal can simply try these combinations with other services.”
- Do you think Vodafone have handled this well?
“Vodafone having recognised the fraudulent activity quite quickly, seem to be monitoring their services very well and are able to quickly take mitigating steps to avoid more damage.”
- Any advice for customers?
“The advice that has for many years now been repeatedly given to online services customer is to use complex passwords, which is useful of course. Perhaps more importantly users should avoid using the same password for multiple sites. The human aspect of memorising all these different passwords is not to be underestimated: it’s simply too hard. Customers should activate 2 factor authentication wherever available and insist on 2 factor authentication where it’s not.”
- Any advice for Vodafone? What could other companies learn from this?
“The industry needs to get over passwords. They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks. 2-Factor-Authentication for protection works, but it’s hardly user friendly.
There are cryptographic security advancements available in the authentication space today, that combine multi-factor-authentication with excellent ease of use that delight customers. These protocols remove all the threats we have become so accustomed to reading about every week. Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space. Your customers are rightly demanding to be protected when they submit their valuable personal information to you and online services should seriously consider taking that seriously.”[su_box title=”About Brian Spector” style=”noise” box_color=”#0e0d0d”]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.