Telecoms provider Vodafone has reported that nearly 2,000 of its customers have had their details accessed. According to Vodafone, the incident happened between Wednesday and Thursday last week.
Reportedly, 1,827 customers have had their accounts accessed, with criminals potentially accessing customers’ names, their mobile phone numbers, bank sort codes and the last four digits of their bank account numbers. The BBC reported that the details criminals used to try and access Vodafone accounts were allegedly bought on the ‘dark web’.
Brian Spector, CEO of CertiVox, the cryptography company, explains:
- Insight into what happened?
“There is limited information currently available. We have collectively become used to password breaches in the 10s or even 100s of thousands. Vodafone’s report of 2000 customer accounts having been breached is a relatively low number.
It is quite possible that, as the criminals allegedly “bought these account details on the dark web”, user name and password pairs that have been breached elsewhere at a different online service are being re-purposed by the criminals. This is only possible if customers re-use the same username (typically their email) and the same password for different services. Once one service is compromised, the criminal can simply try these combinations with other services.”
- Do you think Vodafone have handled this well?
“Vodafone, having recognised the fraudulent activity quite quickly, seem to be monitoring their services very well and are able to quickly take mitigating steps to avoid more damage.”
- Any advice for customers?
“The advice that has for many years now been repeatedly given to online services customers is to use complex passwords, which is useful of course. Perhaps more importantly, users should avoid using the same password for multiple sites. The human aspect of memorising all these different passwords is not to be underestimated: it’s simply too hard. Customers should activate 2-factor authentication wherever available and insist on 2-factor authentication where it’s not.”
- Any advice for Vodafone? What could other companies learn from this?
“The industry needs to get over passwords. They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks. 2-Factor-Authentication for protection works, but it’s hardly user friendly.
There are cryptographic security advancements available in the authentication space today, that combine multi-factor-authentication with excellent ease of use that delight customers. These protocols remove all the threats we have become so accustomed to reading about every week. Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space. Your customers are rightly demanding to be protected when they submit their valuable personal information to you and online services should seriously consider taking that seriously.”

About Brian Spector

Brian is co-founder of CertiVox and brings more than 20 years of experience in the information security industry. Brian began his career in cryptographic development at Silicon Valley’s first full disk encryption software company, which later became Guardian Edge and was acquired by Symantec. Brian joined McAfee, where he began his sales career in the anti-virus solutions group. He then moved to RSA Data Security, Inc., successfully forming several major strategic partnerships in the intellectual property licensing division, which included the BSAFE line of cryptographic SDKs that was responsible for the development of several standards.