News broke this week that TeenSafe, an app that gives parents access to their children’s web browser history, text messages (including deleted SMS and iMessages and messages on WhatsApp and Kik), and more, was compromised. Although around 10,200 accounts from the past three months were compromised, the data did not include photos, messages, or location data. However, the TeenSafe app requires two-factor authentication to be switched off for the app to work, so anyone with just a password can easily gain access to compromised accounts. IT security experts commented below.
Katie Carty Tierney, Sr. Director, Sales Engineering at WhiteHat Security:
“Data security is the first line of defense for our digital lives, but it’s often the last thing on the minds of parents trying to protect their children. Let’s face it, when you’re trying to protect your children, you’re not thinking about building a non-hackable password and using two-factor authentication – you’re thinking only of your children and their safety. That’s why parents were willing to turn off these additional protections, to track their kids’ mobile devices with the TeenSafe App. Unfortunately, in doing so, they have been opened up to danger. The information leaked from this app, which included Apple account user names and unencrypted passwords, could allow scammers, hackers, and potential abusers to access iCloud accounts and get access to photos, locations of the kids, daily schedules, and more.
Anyone with a digital identity needs to be aware and encouraged to implement a high threshold for access to their accounts, starting with strong passwords and two-factor authentication. If you’re ever asked to turn off an important security feature like two-factor authentication, even by an app that claims to be protecting your kids, you need to stop and educate yourself on the potential pitfalls. As we see with TeenSafe, protecting your kids isn’t as simple as installing an app on their phone – it requires awareness, education, and a whole lot of love.”
Mike Schuricht, VP Product Management at Bitglass:
“Identifying specific attack vectors like misconfigured databases is now a simple act for nefarious individuals. Where data is publicly accessible because of accidental upload or misconfiguration to a database, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information. This misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks. Ultimately, it should be a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public.”