What do data breaches, phishing, and two-factor authentication have in common?

img_2014-06-26_PayPalNEWS | SECURITY

In the past month, there have been three separate security-related developments related to PayPal. These may all be unrelated, but as a thought experiment let's take a look and see how criminals could use these exploits in aggregate to attack businesses and consumers. These same tactics could be used against any high-value app, not just PayPal.

Breach of 145 million eBay users and passwords

In mid-May, eBay announced that their database of 145 million registered users had been compromised. Given the close relationship with PayPal (a subsidiary of eBay and the preferred payment processor for billions of transactions), the first question many asked was, “What about PayPal passwords?” Although PayPal passwords were not included in the breach, users were urged to change their eBay passwords immediately, in addition to any other apps where that same password had been used.

Reports of a very sophisticated new phishing email

But armed with a treasure trove of information, criminals could have refined their tactics to deploy a very convincing phishing email to obtain the missing PayPal passwords. With the newly phished credentials, criminals can now log into PayPal and transfer funds at will. Even more dangerous is the overwhelming tendency of users to recycle their passwords. If their eBay or PayPal password is the same as their email password, then a whole new world of costly possibilities is opened, as described by Brian Krebs.

Two-factor authorization (2FA) on the mobile app is vulnerable

But for those users who were careful enough to activate 2FA on their accounts, hackers would then need to take advantage of the vulnerability in the mobile app. PayPal has already disabled access to 2FA-enabled accounts via the mobile app, but for an unknown period of time, thieves could have completely bypassed the extra security controls using the mobile app API.

Because of the ease at which criminals can purchase stolen databases on the black market, even minor breaches can have severe consequences for businesses. An employee’s Sony Playstation password could be used for their corporate salesforce.com account, or the shared Twitter password could be purchased for pennies online. So the recipe for any criminal organization could be:

  1. Steal or buy large databases of user credentials
  2. Use stolen credentials on a variety of high-value web apps (e.g. banking, ERP, CRM)
  3. Target remaining victims with phishing emails
  4. Use phished credentials on high-value web apps

It’s important that businesses stay informed about data breaches because they have have a direct effect on the bottom line. If we have thought of this, so have the bad guys.