Another Telecom Data Breach? Prevent Hacks with Passwordless Authentication

Telecom companies, which collect and store personal data from millions of customers, are prime targets for hackers. Despite this, most are still relying on traditional authentication methods like usernames, passwords and security questions that cyber criminals love – because they’re easy to steal or bypass. A few recent examples of telecoms caught off guard include Sprint, British telecom EE and T-Mobile.

Sprint’s internal staff portal was recently breached by a white hat security researcher, so no harm was done – but the hack demonstrated that all that was needed for a successful breach was two sets of user credentials. Password-based authentication methods, including two-factor authentication (2FA) and one-time passcodes (OTPs), are no longer effective, thanks to the increasing sophistication of hackers’ methods.

With biometric technologies becoming mainstream on smart personal devices and 67% of consumers saying they are comfortable using them now and 87% in the near future, going passwordless seems like a smart next step for telecoms looking to defeat hackers and more effectively protect customer data.

User credentials are the weak link

In the Sprint situation, TechCrunch reported that the first set of hacked credentials enabled admin rights to access customer data of Sprint Mobile as well as Boost Mobile and Virgin Mobile, subsidiaries of Sprint. Anyone with access to this portal could potentially modify customer plans, swap devices, top up minutes to a customer’s account, view customer account information, and more. The second set of hacked credentials gave the researcher access to individual customer accounts.

Stolen credentials top the list of causes of data breaches – Verizon’s 2018 Data Breach Investigations Report

As another example, T-Mobile recently experienced a malicious attack, affecting 2 million customers, whose account information, phone numbers and emails were stolen. These are just two incidents indicating a widespread problem — a survey by Efficient IP found that telecoms face on average four attacks per year, and 30% reported they divulged sensitive customer information as a result.

Two-factor authentication (2FA) isn’t enough

With stolen credentials, a hacker can easily access customers’ mobile phone numbers, which can be used to obtain PINs by brute force, particularly if PIN verification is flawed. Once a PIN is known, it can be used to transfer ownership of a SIM from one person to another and intercept one-time passcodes (OTPs) used in two-factor authentication systems.

In fact, a hacked phone number can lead to any kind of crime being committed, including stealing from linked online bank accounts and cryptocurrency wallets, tampering with social media accounts, and more.

Passwordless strong authentication is secure and user-friendly

User experience has a lot to do with good password hygiene — most users don’t follow best practices because they don’t want to forget passwords and go through an onerous reset process, or they can’t be bothered to set up two-factor authentication (2FA). For example, a recent study by LogMeIn showed that although 72% of users said they are aware of password best practices, 64% agreed that having a simple password is more important and 58% mostly or always use the same or similar password for multiple accounts. Additionally, Google reported that 90% of Gmail accounts haven’t turned on available 2FA settings.

User experience matters: 90% of Gmail accounts don’t use available two-factor authentication – Google

Making a person’s biometrics — fingerprint or face — the password means it can’t be forgotten or stolen. Passwordless biometric authentication is not only more secure, it is also simpler to use compared to traditional password systems. Striving to make authentication stronger and simpler for developers and users is the FIDO Alliance, the world’s largest ecosystem for standards-based, interoperable authentication. Biometric solutions that conform to FIDO standards are more secure because authentication takes place on the user’s mobile device itself — meaning biometric data isn’t stored on a server somewhere. Further, FIDO requires public key cryptography to transmit the authentication information over the Internet to the online service. With public key cryptography the online service holds no shared secret for the user account that could be stolen; instead a public and private key pair is used to sign and verify the authentication information.

Passwords get hacked: 81% of data breaches are due to stolen or weak passwords – Verizon’s 2017 Data Breach Investigations Report

Telecoms can’t afford to wait to go passwordless

As cyber attacks continue to increase in volume and sophistication, telecoms — and their customers — are increasingly at risk. Traditional user authentication methods, including more complex passwords or 2FA, can no longer be trusted to provide the security needed to protect sensitive data from hackers. The future is passwordless — and it is already here.

Aman Khanna

Co-Founder and VP Products