Celebrity Photo Hack Points to Solution for Better Login Security

09/03/2014

Security experts are debating the possible methods used in a massive celebrity photo and video breach, but a simple solution already exists to prevent the suspected causes.

The story has made headlines around the world and continues to unfold, but what is known is that several prominent female celebrities were recently victimized by the hacking and online distribution of personal photos and videos, and 100 or more celebrities have been listed among the victims.

The hacker has claimed that Apple’s iCloud service was targeted in the celebrity photo hacks, and Apple is currently investigating the case, though it has not confirmed that its service was breached.

In the wake of the initial reports of this incident, some programmers have pointed to a bug or flaw in Apple’s Find My iPhone service as a possible exploit that the hacker may have used. This flaw may have allowed hackers to launch unlimited brute force attacks to guess a valid ID and password combination for the Find My iPhone service and then use the same credentials to eventually compromise the victims’ iCloud accounts.

But the hacker has reportedly denied using this flaw to compromise the iCloud service, and some security experts are suggesting that phishing or email hacking is the more likely tactic that was used.

All of the methods that experts are citing rely on exploiting user ID and password logins to compromise services like iCloud, and the same methods are used to attack many other sharing services like Google Drive, Dropbox, and Box.

Brute force attacks have been used to target user accounts since the earliest days of the Internet, and hackers often possess powerful computers and tools to enable such attacks. They have access to networks of other computers which can be used to submit millions of ID and password combinations and compromise user accounts within seconds.
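The defensive counterpart to the unlimited-guess flaw described above is a per-account failure budget: after a handful of wrong passwords the service stops checking guesses for that account for a window that grows with each further failure. The following example is added here to illustrate that control; it is not code from SecSign, Apple, or any service named in this article. It assumes a generic web service with its own salted PBKDF2 password store, and the account name, password, and clock are constructed for the demonstration.

```python
"""Per-account login throttling to blunt credential brute force (added example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # clock value until which the account is locked


class LoginThrottle:
    """Per-account failure budget with an escalating lockout window."""

    def __init__(self, max_failures=5, base_lockout=60.0, max_lockout=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock  # injectable so the demo and tests can advance time
        self._state = {}

    def _get(self, account):
        return self._state.setdefault(account, AttemptState())

    def is_locked(self, account):
        return self.clock() < self._get(account).locked_until

    def record_failure(self, account):
        st = self._get(account)
        st.failures += 1
        if st.failures >= self.max_failures:
            # Each failure beyond the budget doubles the lockout, up to a cap,
            # so a guessing campaign slows to a crawl instead of running freely.
            excess = st.failures - self.max_failures
            lockout = min(self.base_lockout * (2 ** excess), self.max_lockout)
            st.locked_until = self.clock() + lockout

    def record_success(self, account):
        self._state.pop(account, None)


class PasswordStore:
    """Salted PBKDF2 hashes so a stolen table does not yield plaintext passwords."""
    ITERATIONS = 50_000

    def __init__(self):
        self._records = {}

    def add_user(self, account, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._records[account] = (salt, digest)

    def verify(self, account, password):
        record = self._records.get(account)
        if record is None:
            # Unknown account: do the same work so response time does not reveal valid IDs.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, self.ITERATIONS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)


def attempt_login(throttle, store, account, password):
    """Return 'locked', 'ok' or 'bad_credentials'; locked attempts never reach the verifier."""
    if throttle.is_locked(account):
        return "locked"
    if store.verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad_credentials"


class FakeClock:
    """Constructed stand-in for time.monotonic so the demo is deterministic."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Five wrong guesses exhaust the budget, the sixth is refused unchecked, and the
    legitimate user succeeds once the window has passed."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, base_lockout=60.0, clock=clock)
    store = PasswordStore()
    store.add_user("alice@example.com", "correct horse battery staple")  # constructed account
    results = [attempt_login(throttle, store, "alice@example.com", "guess") for _ in range(6)]
    clock.advance(61)  # lockout window expires
    results.append(attempt_login(throttle, store, "alice@example.com", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

The throttle is keyed on the account name rather than the client address, which is the point of the example: the attack described above succeeds because the service counts nothing per account, and a botnet spreads guesses across many addresses anyway. A real deployment would keep the state in a shared store and pair it with alerting on accounts that hit the lockout repeatedly.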

Phishing is another preferred tactic, and hackers have had widespread success in duping users to share their ID and password credentials by using fake emails and websites designed to look like they are legitimate communications and portals of financial institutions, utility companies, and major companies like Apple, Google, PayPal and Amazon.

 

Two-factor authentication can prevent hacking and phishing, but tech giants are using a highly vulnerable method.

As usual with stories about major hacking incidents, security experts point to two-factor authentication as the best means for preventing such attacks. Two-factor authentication, which is available as an additional security option for Apple, Google, and Microsoft accounts, among others, requires anyone attempting to sign into an account from a new location or device to enter a one-time verification code which is typically sent via SMS text to the account holder’s mobile device.

Entering this code during the login process is intended to verify the identity of the valid account holder and thus prevent unauthorized access to the account because attackers will presumably not have the user’s mobile device and will be unable to receive the code.

This protection is certainly a step in the right direction, but the SMS protocol used for text messaging was never designed with secure transmission of confidential codes or information in mind. So these transmissions are vulnerable to hacking and interception. Some hackers have already found ways to outsmart two-factor authentication by compromising users’ mobile accounts and adding a second SIM card so they can receive copies of the text messages containing the verification codes.

SIM card cloning has also emerged as another serious threat that allows attackers to potentially receive copies of SMS code transmissions.

Other hackers have simply used “man in the middle” malware or phishing schemes to intercept two-factor authentication codes as they are entered on the user’s computer.

 

One two-factor authentication method makes all hacking impossible and is already available for developers.

To address the problems with existing two-factor authentication methods and ensure that attackers can never compromise user accounts for any service, SecSign Technologies has developed SecSign ID, which is a quick and simple method for mobile two-factor authentication that does not require users to enter or transmit passwords or any other sensitive credentials during the login process. It also does not make use of SMS text codes, thus avoiding all the associated risks of using this protocol and method.

When deployed to protect a cloud sharing service or any other website or application, SecSign ID requires only the entry of a non-confidential user ID during the login process. No password or other sensitive credential is used during the login, and none is stored on a server, so there are no credentials for attackers to steal through hacking, phishing, or malware. Whether they target a server, the application or website, or even individual users, it is physically impossible for them to steal login credentials and use them to access personal content.

Users are also not required to receive and re-enter SMS codes, so there are no codes that attackers can steal through hacking, phishing, malware, or even cloning the SIM card of a user’s mobile device.

As an added benefit, websites and applications that use this mobile authentication method can free themselves from the risks of attacks because the impossibility of stealing login credentials will discourage hackers from targeting the service.

To find out more about SecSign ID’s patented security technology, to test the login process, and to access free plugins and information for developers, visit the SecSign ID product page at SecSign.com.

 
