The Identity Bandits

Christmas might have been and gone. But what did we risk in the pursuit of those last-minute gifts and January sales bargains? The festive period often leads us into a false sense of security due to our increased desire to purchase and track gift purchases online. We’re often too busy (or merry!) to consider the implications of having our personal data everywhere.  Without much thought we input our details into websites, carry around more monetary resources than usual, and save more personal data on mobiles and other devices. Leaving us unknowingly vulnerable to malicious parties.

Take your mobile phone for example. Most of us have our phones password-protected and think this will secure all the data within it, right? Wrong. A security company called Insinia Security took to the Twittersphere to prove the weaknesses of mobile devices as reported by the BBC and Independent.

During the Christmas period, Insinia Security “ethically hacked” several celebrity twitter accounts, including those of Louis Theroux, Eamonn Holmes and Saira Khan. Using the celebrities’ mobile numbers, they analysed Twitter’s interaction with the user’s smartphone when their tweets were created and spoofed an authentication method to gain access to their profiles. The security company then posted takeover messages to the celebrities’ accounts to prove the mobile authentication method used by Twitter was flawed.

We might not necessarily consider social media as a top priority when we think about data security. But this successful hack proves Twitter’s poor lack of commitment to securing their users data, leading to the question “what other data can be hacked remotely using a mobile phone?”

Well, by using a user’s social media account a hacker can socially engineer an even greater hack. By using well-recognised social media accounts, hackers can send followers direct messages which contain links that could automatically install malware and enable the hacker to remotely gain access over their mobile devices or infect entire networks. As irresponsible and annoying as it might be to ethically hack without a user’s consent, Insinia Security’s method exposed a serious vulnerability when using a mobile phone as an authentication method.

Consumer hacks like this may seem harmless from a business perspective. But considering how easily these accounts were compromised, it should be a priority to identify if and how an external hacker could access your company’s data and what the costs of this hack would be.
So how do you go about identifying hacker risks?

The answer is Penetration Testing – a crucial activity for any business wanting to protect their data.

Penetration Testing involves authorising an external “ethical hacker” to mimic the techniques that might be carried out by a malicious hacker on your IT systems in an attempt to gain access to your company data. Penetration Testing maps your system’s vulnerabilities enabling you to put the necessary security in place to prevent a real hack attempt.

Not convinced? Here are the figures…

1,370,710,977 sensitive data records were breached between 1st Jan 2018 –and 7th Jan 2019 [1]

15 hours is the average time it takes for a hacker to identify your critical data and use it to engineer a cyber-attack [2]

191 is the average number of days it takes a company to identify their data has been infiltrated [3]

You may still be thinking “but can’t I just install more tech?” However, technology alone is not sufficient to secure all your company data especially when you consider that hackers evolve their skills, tactics and techniques constantly. It’s often your internal misconfigurations that leave an easy pathway for a hacker to breach your data. If you are not testing your systems, how do you know they work?

By understanding where your risks lie you can better secure your company’s data by eliminating blind spots to prevent any hack attempt on your business and potential financial damage.

To learn more about penetration testing, please get in touch.

[1] www., Chronology of Data Breaches
[2] www., The Black Report 2018
[3], Cost Of Data Breach Study