Security experts have commented on the current rash of loyalty program breaches in response to news that over the last few days, a large number of British Airways customers have found that their Avios frequent flyer reward points accounts had been breached. This follows a hack of the Hilton Honors program earlier this month.
John Gunn, VP, VASCO Data Security (www.vasco.com):
“We are rapidly approaching the day when consumers are collectively inconvenienced enough by repeated hacking incidents that they will start selecting merchants and business partners based on the level of security they offer. It will become an insurmountable obstacle to success for merchants who do not offer two-factor authentication to their customers.
It’s difficult to see how hackers really gain much from these types of hacks. Unlike a stolen credit card account, you cannot quickly convert Avios points into cash by purchasing merchandise under a false identity. If thieves were to use Avios points for travel, they would either have to get past airport security with a fake ID or run the risk of having their true identity tracked down.”
TK Keanini, CTO, Lancope (www.lancope.com):
“Our lives grow more digitally connected and so do businesses. Companies must perform threat modeling on their partners and ask the question: if this partner was breached, what exposure do I have and what exposure do we share? These are questions to ask as you are provisioning this relationship because that is the right time to have this conversation. While you are at it, ask yourself: if you were compromised, how many of your partners would be at risk?”
Ken Westin, senior security analyst, Tripwire (www.tripwire.com):
“There have been an increasing number of loyalty programs successfully compromised. These programs have become easy targets because they lack many of the security controls you would see guarding traditional forms of currency such as credit card transactions. This, paired with the fact that criminals have identified methods to monetize these points and miles and convert them to currency, gives them means, motive and opportunity. Many of these systems have been victim to brute force attacks and generally lack additional security controls that can be enabled to block such activity, such as two-factor authentication or timeouts after so many failed login attempts.
The third-party data that was compromised from another source could very well be one of the other loyalty programs that have been hit in the past few months, with the attackers well aware that passwords and logins will be shared by users across these systems. In addition to weak controls to block brute force attacks, many of these systems do not enforce good password policies either, making it that much easier for attackers to get into these accounts.”
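The two attack patterns Westin describes look different in an authentication log, and a control that stops one does not necessarily stop the other. A lockout after N failures catches a brute-force run against a single account; an attacker replaying credentials stolen from another loyalty program (credential stuffing) typically makes one or two attempts per account across many accounts, so no account ever reaches the lockout threshold and the activity is only visible when counted per source. The following is an added example, not code from the article or from any of the vendors quoted; the log format, thresholds and sample lines are constructed for illustration.

```python
"""Detect brute force and credential stuffing in authentication events.

Two complementary checks over the same events:
  1. per account: >= max_failures failed logins inside a sliding window,
     the condition a lockout / "timeout after N failed attempts" control enforces;
  2. per source: one client IP touching >= min_accounts distinct accounts
     inside the window, the signature of credential stuffing with reused
     passwords, which a per-account lockout alone never trips.
Log format and sample lines are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client ip> <account> <result>".
# 203.0.113.5 hammers one account (brute force, then succeeds);
# 198.51.100.7 tries six accounts once each (stuffing, two succeed);
# 192.0.2.10 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2015-03-30T10:00:01 203.0.113.5 alice FAIL
2015-03-30T10:00:03 203.0.113.5 alice FAIL
2015-03-30T10:00:04 203.0.113.5 alice FAIL
2015-03-30T10:00:06 203.0.113.5 alice FAIL
2015-03-30T10:00:07 203.0.113.5 alice FAIL
2015-03-30T10:00:09 203.0.113.5 alice OK
2015-03-30T10:01:00 198.51.100.7 bob FAIL
2015-03-30T10:01:01 198.51.100.7 carol FAIL
2015-03-30T10:01:02 198.51.100.7 dave OK
2015-03-30T10:01:03 198.51.100.7 erin FAIL
2015-03-30T10:01:04 198.51.100.7 frank FAIL
2015-03-30T10:01:05 198.51.100.7 grace OK
2015-03-30T10:05:00 192.0.2.10 heidi FAIL
2015-03-30T10:05:30 192.0.2.10 heidi OK
"""


def parse(log_text):
    """Turn the constructed log into (timestamp, ip, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def per_account_bruteforce(events, max_failures=5, window=timedelta(minutes=5)):
    """Accounts with >= max_failures failures inside the sliding window.

    Successful logins are ignored on purpose: the question a lockout control
    asks is only how many failures this account has seen recently.
    """
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = set()
    for ts, _ip, account, result in events:
        if result != "FAIL":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(account)
    return flagged


def per_source_stuffing(events, min_accounts=5, window=timedelta(minutes=5)):
    """Source IPs that touched >= min_accounts distinct accounts in the window.

    Returns {ip: sorted accounts that logged in OK from that ip}; those are the
    accounts whose reused password worked and which need a forced reset.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, account) of recent attempts
    succeeded = defaultdict(set)  # ip -> accounts that authenticated OK
    flagged = {}
    for ts, ip, account, result in events:
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "OK":
            succeeded[ip].add(account)
        if len({acct for _, acct in q}) >= min_accounts:
            flagged[ip] = sorted(succeeded[ip])
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute-forced accounts:", per_account_bruteforce(ev))
    print("stuffing sources -> compromised accounts:", per_source_stuffing(ev))
```

Run against the sample, the per-account check flags only alice, while the per-source check flags 198.51.100.7 and names dave and grace as the accounts it got into; neither of those accounts ever failed a login, which is why a lockout rule on its own would have missed them.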
Tim Erlin, director of product management and security and IT risk strategist, Tripwire (www.tripwire.com):
“The increasingly partner-driven economy present on the Internet expands the ways in which programs like British Airways Executive Club can be attacked. They must cultivate a large, interconnected network of partners to survive, but that business model also creates opportunity for data leakage, and subsequent attack and compromise.
One silver lining for British Airways in this incident is that it’s a sign of success for their program. Avios, the ‘currency’ of the Executive Club, are clearly valuable enough to be worth stealing.”
Igor Baikalov, Chief Scientist, Securonix (www.securonix.com) and former Senior VP of Global Information Security at Bank of America, explains:
“Considering the staggering number of breaches, re-use of credentials hijacked from one online service to another is to be expected on a large scale. We cannot really blame the customers for poor security practices (although service providers are often doing just that): how can one possibly maintain separate identities for each website, when even my local newspaper requires a login? Our online interactions grow exponentially, and juggling scores of different passwords is just not practical. Password managers help somewhat, but putting all eggs in one basket is not for the faint of heart – the risk of malware infection with subsequent keyloggers stealing your master password is still there, as well as the risk of losing all those complex passwords in a system crash or theft. Two-factor authentication in itself is a strong deterrent, but is not widely popular with consumers, even in the financial sector because it’s still considered to be too inconvenient.
There’s an approach that works reasonably well for both sides: monitoring and profiling of user interaction with the service to allow simple password login in most cases, and requesting additional verification of identity (step-up authentication) in rare cases where user behavior deviates from normal. Such profiles might include user geo-location, device used for access, typical times of access and navigation patterns, and even biometric characteristics of user interaction. It significantly reduces the risk of account hijacking with a minimal impact on user experience. Step-up authentication can range from silly challenge questions to a verification token sent to your phone (although with the proliferation of mobile devices to access the web the latter has become much less secure – two factors collapsed into one, with web browsing and text messages being on the same device). This technology has existed for years, and you most likely experienced some of its flavors, at least in online banking. Why doesn’t my newspaper implement it? Cost and lack of motivation. We need a consumer protection initiative to do what the FFIEC Guidance of 2005 did for financial services: any online service that requires customer authentication has to implement a security framework to prevent misuse of customer credentials and to protect customer data.”
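The step-up approach Baikalov outlines comes down to scoring each login against what is normal for that user and only asking for a second factor when the score crosses a threshold. The following is an added example, not code from the article or from Securonix; the profile fields, weights, threshold and sample events are constructed for illustration, and a production system would derive them from observed behaviour and fraud outcomes rather than hard-code them.

```python
"""Risk-based (adaptive) authentication with step-up on deviation.

A correct password alone is not the decision: the attempt is scored against
the user's behavioural profile (device, geo-location, time of day, navigation
pattern) and either allowed directly or sent to step-up verification.  After a
successful step-up the new device is enrolled so the user is not challenged
for it again.  Profile, weights and events are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Profile:
    known_devices: set        # device identifiers seen and verified before
    usual_countries: set      # countries this user normally logs in from
    usual_hours: set          # hours of day (0-23) the user is normally active
    usual_first_page: str     # navigation pattern: where sessions normally start


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    when: datetime
    first_page: str
    password_ok: bool


# Illustrative weights: a new device or new country alone is enough to
# trigger step-up; an odd hour or unusual navigation alone is not.
WEIGHTS = {
    "unknown_device": 40,
    "unusual_country": 35,
    "odd_hour": 10,
    "unusual_navigation": 15,
}
STEP_UP_THRESHOLD = 40


def risk_score(profile, event):
    """Return (score, reasons) for an attempt that already passed the password check."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if event.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if event.when.hour not in profile.usual_hours:
        reasons.append("odd_hour")
    if event.first_page != profile.usual_first_page:
        reasons.append("unusual_navigation")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile, event):
    """Return (decision, score, reasons).

    A wrong password is rejected outright; a correct one is allowed when the
    attempt looks like this user and sent to step-up when it deviates.
    """
    if not event.password_ok:
        return "REJECT", 0, ["bad_password"]
    score, reasons = risk_score(profile, event)
    decision = "STEP_UP" if score >= STEP_UP_THRESHOLD else "ALLOW"
    return decision, score, reasons


def complete_step_up(profile, event, verified):
    """Enrol the device once the second factor is verified; otherwise leave
    the profile untouched so a failed challenge never widens the baseline."""
    if verified:
        profile.known_devices.add(event.device_id)
    return verified


# Constructed profile and events.
ALICE = Profile(known_devices={"dev-laptop-1"}, usual_countries={"GB"},
                usual_hours=set(range(7, 23)), usual_first_page="/account")
NORMAL = LoginEvent("alice", "dev-laptop-1", "GB", datetime(2015, 3, 30, 9, 15), "/account", True)
NEW_DEVICE = LoginEvent("alice", "dev-phone-2", "GB", datetime(2015, 3, 30, 19, 5), "/account", True)
HIJACK = LoginEvent("alice", "dev-unknown-9", "RU", datetime(2015, 3, 30, 3, 40), "/redeem", True)

if __name__ == "__main__":
    for ev in (NORMAL, NEW_DEVICE, HIJACK):
        print(ev.device_id, decide(ALICE, ev))
    complete_step_up(ALICE, NEW_DEVICE, verified=True)
    print("after enrolling dev-phone-2:", decide(ALICE, NEW_DEVICE))
```

The hijack-style attempt (unknown device, unusual country, 03:40 local, straight to the redemption page) scores far above the threshold even though the reused password was correct, which is the case credential stuffing produces. The user's own new phone also triggers step-up on first use, then is enrolled and logs in with a plain password afterwards, which is the low-friction behaviour the quote describes.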
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.