Instagram, Air Canada & T-Mobile

As developers of a top-notch mobile identity and user authentication & authorization solution, we always keep tabs on the most important stories that highlight how important this field is.

And we don’t have to work hard to find real-world examples where a better solution could have prevented a breach.

User accounts are regularly compromised due to a lack of proper security, and users' data and finances are under threat of being misused and stolen.

To help you understand the mobile identity and user authentication landscape, from this week onward, we will bring you a weekly roundup of the most important stories.

Instagram beefs up authentication

The social media app giant owned by Facebook recently announced that it will enable third-party two-factor authentication in an effort to increase user security. For now, it only offers SMS-based 2FA, which has known vulnerabilities.

After the new feature is made available to all users, relying on apps like Authy, Duo or Google Authenticator will improve the security of account access, since all of these options are based on one-time codes for login.

But as you can read at Krebs on Security, although this new feature is a big step forward, it still might not be enough, since password reset is still based on SMS. And with SIM hijacking on the rise, users are still vulnerable. In case of such an attack, Instagram access is the least of the problems.

Air Canada mobile app password reset

The Canadian airline operates a mobile app where people can store information pertinent to their travels, including passport number and expiry date, birth date, etc. Credit card data is encrypted, but the user’s name, email address and telephone number are visible.

Recently they discovered unusual login behaviour which affected about 20,000 of their 1.7 million users. They quickly decided to lock down all users and prompt password reset for everyone. This is a welcome measure, but also a great example of a need for a more reliable and user-friendly solution.

T-Mobile user data breach caught on time

One of the recent attacks hit the big mobile operator T-Mobile.

Its in-house security team discovered unauthorized access to users’ data and was quick to shut it down.

Fortunately, no financial data (credit card info) and no sensitive personal data (social security numbers) were compromised, and the attackers are unable to use the encrypted passwords they accessed. But just in case, affected users should change their passwords.

In the end, this attack is more of a cautionary tale about the need to be vigilant and rethink how users are authorized to access their account data. To find the best read on this story click here.

Biometrics on the rise

The most used method for online authentication is based on using passwords, and additional information only a user might know. Other methods are on the rise, and biometrics more so than others.

A recent study by Callsign shows that users in the US and UK prefer using passwords (44 and 45 percent), and while biometrics might lag behind, they are second with 32 percent in the UK and 27 percent in the US.

The study suggests we are nearing the tipping point where passwords will become a thing of the past, but we have to ask if switching to biometrics is the way to go. Given the known vulnerabilities of biometric security solutions, we know there is a better solution and are not too modest to say that we are developing it.

Click here to find out more about IPification and get in touch if you need additional information.
