The Marriott Hack, One of the Biggest Data Breaches in History - Monthly Mobile Identity Roundup for December

January 14, 2019
Category: Mobile Identity
Author: IPification Team

Woah, it’s already been a month?! Well, you know what that means - it’s time for another installment of the roundup, our second monthly review of the biggest news stories in the mobile identity sphere.

Although December was the last month of the year, it was still filled with news stories covering various unfortunate hacking incidents. But we head into 2019 with high aspirations!

In the December monthly roundup, we’ll cover the unbelievable breach of Marriott guest data that left more than 500 million people exposed (even including the passports of some of them), how lawmakers are starting to regulate mobile security, the advancement of machine learning that is now able to spoof fingerprints, and the biggest 2FA breaches that happened.

The Marriott Hacking Exposed Data of 380 Million People, and Passport Numbers of Over 5 Million People

At the end of November, Marriott revealed that its guest data on the Starwood reservation system had been affected by a massive breach that compromised the data of 380 million people dating back to 2014.

Marriott said in a statement that the upper limit for the total number of guest records involved in this incident was roughly 383 million records. Of those, a staggering number of about 5.25 million guests’ unencrypted passport numbers were exposed! In addition, 20.3 million encrypted passport numbers and about 8.6 million encrypted credit or debit cards were also exposed.

Affected in the hack were those who stayed at Marriott’s Starwood brand hotels since 2014, including the W Hotels, the St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels, and Starwood-branded timeshares, according to the company.

EU Ruling to Demand Online Shoppers Have Strong Signal to Complete Their Purchase

In light of the holidays this December, a new EU ruling demanded that online shoppers have strong mobile network signals to successfully complete their purchases.

The directive calls for a second authorization for transactions over a certain amount, completed with one-time passwords delivered over text messages or push notifications.

It is being debated whether this is unfair, since it could discriminate against people living in areas with poor coverage or those who choose not to have mobile phones.

Under the regulation, called the Payment Services Directive 2 (PSD2), which has already been adopted in the UK, additional authentication is requested if online shoppers spend more than €30. Banks will allow some exemptions if they determine that purchase risks are low.

While this decision is certain to heighten security, as we’ve had the chance to learn time and time again, SMS 2FA technology is not up to par anymore.

EU Wants to Manage Your Digital Identity on the Blockchain

Blockchain promises us privacy and liberty, and as such, we were looking forward to it even as a means of authentication, boosting security for users around the world.

However, the latest EU Blockchain Forum report states that for blockchain to be able to fulfill its potential within government institutions, they need to focus on using the technology to create digital identity systems as well as digital versions of national currencies.

Before blockchain technology can be implemented within government institutions, the report states that digital identities should be developed.

Moreover, they say that the government would be a better custodian of our digital identities than bodies like Google or Facebook, considering all the breaches and hacks that have happened.

However, who is to guarantee that these identities also couldn’t be hacked?

While this report still states that these identity systems would be “user-controlled” and “self-sovereign”, they would still be a part of this government system and could be used to track you online.

Considering the reasons why this technology was even developed, we have to agree that this new EUBF report makes blockchain sound more like 1984 than ever before.

New York’s Attorney General Settled with 5 Tech and Financial Giants to Implement Basic Security on Their Mobile Apps

The attorney general in New York has settled with five tech and financial giants calling on them to implement basic security on their mobile apps.

The companies in question - Credit Sesame, Equifax, Priceline, Spark Networks, and Western Union - will have to make sure that the data exchanged between the app and their servers is encrypted so as to avoid simple eavesdropping or interception.

None of their mobile apps had properly implemented HTTPS certificates, one of the simplest security staples of today.

HTTPS encrypts the exchanged data to ensure that no one intercepts your sensitive data, such as credit card numbers or passwords, while it travels over the internet.

Considering that these certificates are completely free and that most browsers will tell you that a website is “not secure”, it’s strange that these giants haven’t implemented the technology already.

Machine Learning Produces “Master Fingerprint” That Successfully Fools Scanners 20% of the Time

Fingerprint authentication systems are used more than ever before. As a matter of fact, you probably use one on your phone every day! Still, a new study from New York and Michigan Universities has revealed a high level of vulnerability in fingerprint authentication systems.

They used a neural network to create fake human fingerprints and developed one that could potentially fool fingerprint sensor systems 20% of the time! To create these “Deep Master Prints”, they used artificial intelligence to match many prints from fingerprint databases to unlock many devices.

They coined the term “Master Print” to explain how using strategically created fake fingerprints could fool partial fingerprint authentication systems, which are the systems typically used on a variety of devices around the world.

After several different angles of your fingerprint have been enrolled, a match with any partial fingerprint is usually enough to authenticate your identity.

Phishers Bypass Yahoo & Gmail 2FA Targeting Government Officials

This past month, news broke of an Iranian phishing campaign that targeted US government officials, activists, and journalists. Although their Yahoo and Gmail accounts were protected with 2FA, the phishers managed to trick their victims and bypassed the protection - once again proving this method is ineffective today.

Prior to the hacking itself, the attackers gathered detailed information on their targets, which they then used to create phishing emails tailored to their targets’ level of operational security.

The emails contained a hidden image that would alert the hackers in real time whenever an email was read. The targets would then be sent to fake Gmail and Yahoo pages where they would input their credentials. At the same time, the hackers would put this information into real login pages. If an account was protected by 2FA, the hacker would redirect the targets to a new page that asked for their one-time password so they were able to bypass this step as well.

However, while the hackers were definitely able to bypass SMS-based 2FA, it wasn’t confirmed whether they successfully accessed the accounts of targets who used one-time password authentication via apps such as Google Authenticator.

In theory, their technique would most likely work against these apps as well. Once redirected to the fake authentication page, the target would either open the 2FA app as instructed or receive a push notification from it. As long as the target responded within a certain amount of time, which is usually 30 seconds, the hackers would gain access to their accounts.
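Why an app-generated code entered on a fake page still verifies when it is passed on in time, shown as an added example that is not part of the original article: a standard-library RFC 6238 TOTP check in which the verifier sees only the shared secret and the clock, and nothing about the page the code was typed into. The secret is the RFC 6238 test key, and the one-step drift allowance is an assumption about the server's configuration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (the "30 seconds" in the article)
# RFC 6238 test key "12345678901234567890", base32-encoded (not a real secret).
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """Code the authenticator app displays at unix_time."""
    return hotp(base64.b32decode(secret_b32), unix_time // STEP)


def accepted_counters(unix_time: int, drift_steps: int = 1) -> range:
    """Time steps the server accepts: the current one plus clock-drift slack."""
    now = unix_time // STEP
    return range(now - drift_steps, now + drift_steps + 1)


def verify(secret_b32: str, submitted: str, unix_time: int,
           drift_steps: int = 1) -> bool:
    """Server-side check. Inputs are secret, code and time only: the check
    cannot tell which web page the user typed the code into."""
    key = base64.b32decode(secret_b32)
    return any(hmac.compare_digest(hotp(key, c), submitted)
               for c in accepted_counters(unix_time, drift_steps))


if __name__ == "__main__":
    issued_at = 59                      # constructed timestamp (RFC test vector)
    code = totp(SECRET_B32, issued_at)
    # Submitted 20 s later by anyone holding the code: still accepted.
    print(code, verify(SECRET_B32, code, issued_at + 20))
    # 90 s later the issuing step is outside the accepted window.
    print(issued_at // STEP in accepted_counters(issued_at + 90))
```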

Another Yahoo & Gmail 2FA Attack Targeting Human Rights Defenders in the Middle East and Africa

Not even a whole week later, another phishing attack happened. Two campaigns targeting about 1,000 human rights defenders in and around the Middle East and Africa were exposed.

This attack also targeted Yahoo and Gmail accounts by sending fake account alert emails.

They used the same techniques to bypass 2FA, but with an interesting addition - when they gained access to an account, they would set up a third-party app password as a secret backdoor into the account in case the target realized they had been hacked and regained access to their account.

Another technique used was connecting the hacked accounts to email migration services such as Shuttlecloud to be able to monitor the targets’ activity in a clone account.
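The two persistence steps described above leave traces a defender can look for. This added example (not from the original article) flags an app password or mail-migration authorization that follows shortly after a login from an address the account has never used; the event names, tuple layout, 60-minute window and sample events are all constructed assumptions, not any provider's real audit log format.

```python
from datetime import datetime, timedelta

# Hypothetical audit actions standing in for the two techniques in the article.
PERSISTENCE = {"app_password_created", "mail_migration_authorized"}
WINDOW = timedelta(minutes=60)  # assumed correlation window

# Constructed sample events: (timestamp, user, action, source IP).
EVENTS = [
    ("2018-12-09T08:00:00", "alice", "login", "203.0.113.10"),
    ("2018-12-09T09:00:00", "bob", "login", "192.0.2.5"),
    ("2018-12-09T09:10:00", "carol", "login", "192.0.2.40"),
    ("2018-12-10T09:30:00", "bob", "app_password_created", "192.0.2.5"),
    ("2018-12-11T10:00:00", "carol", "login", "198.51.100.200"),
    ("2018-12-11T13:30:00", "carol", "app_password_created", "198.51.100.200"),
    ("2018-12-11T14:02:00", "alice", "login", "198.51.100.77"),
    ("2018-12-11T14:06:00", "alice", "app_password_created", "198.51.100.77"),
    ("2018-12-11T14:15:00", "alice", "mail_migration_authorized", "198.51.100.77"),
]


def find_suspicious(events, window=WINDOW):
    """Return (user, action, new_ip, timestamp) for persistence changes made
    within `window` of a login from an IP not previously seen for that user."""
    known_ips = {}      # user -> IPs seen on earlier logins
    new_ip_login = {}   # user -> (time, ip) of latest login from an unseen IP
    alerts = []
    for ts, user, action, ip in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if action == "login":
            seen = known_ips.setdefault(user, set())
            # The first login only builds the baseline; later unseen IPs are "new".
            if seen and ip not in seen:
                new_ip_login[user] = (when, ip)
            seen.add(ip)
        elif action in PERSISTENCE:
            hit = new_ip_login.get(user)
            if hit and when - hit[0] <= window:
                alerts.append((user, action, hit[1], ts))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(alert)
```

Bob's change comes from his usual address and Carol's falls outside the window, so only Alice's two events are reported.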

It’s intriguing that these attacks also targeted specialized email services that are marketed as more secure, such as ProtonMail and Tutanota.

The extent to which they were successful is unknown, but it’s certain that it’s time to move on from 2FA to something actually secure.


As we go into the new year, we can only hope that the overall state of mobile identity and security improves, but we have to say that with current authentication methods - the opposite is more likely.

This year, biometric authentication is set to peak in popularity, but its issues with data storage and the severe consequences if the system were to get hacked all point to the conclusion that biometrics are not the answer.

Ready to take the market, IPification is a seamless authentication solution that relies on the technology capabilities of mobile network operators without compromising between user experience and security.

Technology of tomorrow? Yes, only... it is available today.