What if we replaced “security by obscurity”, dependent on passwords, with “security by community”?

60 seconds, 76 employees, and a seemingly innocuous identity platform. Here’s a summary of how two large companies fell victim to a phishing attack.

Last June, two cloud giants revealed that they had been targeted by an almost identical phishing attack. Cloudflare said 76 of its employees received, within a minute, text messages from a supposed IT department directing them to a fake website that asked them to change their password. In fact, dozens of companies fell victim to the same attack – dubbed 0ktapus, as it targeted cloud service providers who use Okta for employee authentication.

Neither Twilio’s nor Cloudflare’s systems detected the attack, because it replicated the identity platform so accurately. Predictably, several employees were caught off guard and shared their credentials. However, unlike Twilio, Cloudflare’s story had a less tragic end: FIDO security keys, bound to users and implementing origin binding, prevented any sharing of credentials, since a key only answers for the site it was registered with and the look-alike page could obtain nothing reusable.
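To show why origin binding stops a look-alike login page where a password or SMS code does not, here is an added example (not Cloudflare's, Okta's or any FIDO vendor's code) of the relying-party checks a WebAuthn server performs on an assertion before it even looks at the signature. The relying party id `example.com`, the allowed origin and the challenge are constructed values, and the look-alike origin `https://example.net` stands in for a phishing domain.

```python
# Added example: WebAuthn relying-party (RP) checks that make FIDO assertions phishing-resistant.
# The browser records the page origin in clientDataJSON, and the authenticator signs over
# SHA-256(rpId) in authenticatorData; an assertion obtained on a look-alike domain fails both.
import base64, hashlib, json

RP_ID = "example.com"                            # constructed relying party id
ALLOWED_ORIGINS = {"https://login.example.com"}  # constructed legitimate origin

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> str:
    """Mimic what a browser puts in clientDataJSON for navigator.credentials.get()."""
    data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(data).encode())

def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData starts with SHA-256(rpId), then flags (UP|UV) and a 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """RP-side checks from the WebAuthn assertion procedure; returns (accepted, reason)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not bound to this RP"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential was scoped to another site"
    return True, "ok"

if __name__ == "__main__":
    challenge = b"constructed-32-byte-challenge!!!"
    # Legitimate login from the registered origin.
    print(verify_assertion(make_client_data("https://login.example.com", challenge),
                           make_auth_data(RP_ID), challenge))
    # Look-alike page: the browser records its real origin and the authenticator would only
    # ever sign for that page's rpId (if it had a credential there at all), so the RP refuses.
    print(verify_assertion(make_client_data("https://example.net", challenge),
                           make_auth_data("example.net"), challenge))
```

The same checks are what an SMS code or a password cannot offer: those are just strings the user can be talked into typing on any page.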

Even if the consequences were very different for these two companies, the lessons learned remain the same.

Security through obscurity – OK boomer!

An old adage in the IT industry says that security through obscurity is the best way to protect an organization. In theory, not revealing how systems are secured, or how and when they are attacked, provides better protection against a hacker who could use this information.

This approach is outdated: it fits neither current cyberattacks nor today’s digital world. By leaving the true state of security systems in the dark, we only create a larger attack surface for hackers.

Attacks against businesses of all sizes are increasing every year, with passwords undeniably being the biggest cause of breaches and risks. As the economic climate darkens, we cannot continue to take a siloed approach to combating cyberattacks, or to eliminating passwords.

Cybersecurity must become a top priority for all organizations, and only a community approach that advocates transparency and collaboration will overcome the current challenges.

Transparency and cooperation

The benefits of adopting MFA have been the subject of much debate, and while not all MFA methods are created equal, any of them is preferable to a password alone for protecting an account. But several companies are still reluctant to publish their figures on MFA adoption.

Last summer, Twitter led the way by revealing the adoption rate of its 2FA system. Although the statistics are not very encouraging (only 2.3% of accounts have enabled 2FA, and 80% of those rely on SMS, the least secure method), the sharing itself deserves praise.

This desire for transparency is remarkable and constitutes a powerful point of reference for possible improvements. It makes the industry aware that a lot of work needs to be done to get users on board and more accounts protected.

Transparency and collaboration go hand in hand. Finding an answer to an issue as complex as passwords and online security requires the joint efforts of several actors and organizations. Twilio, Twitter and Cloudflare have all contributed to this shared knowledge, helping to define the contours of the challenge, the way to meet it and the actions to take.

While the creation and implementation of new technologies is an essential part of eliminating passwords, they are not the centerpiece. An industry-wide commitment to creating intuitive, common user journeys, underpinned by architectural best practices, will enable the mindset shift needed to successfully remove passwords from our daily lives.

It’s in every business’s interest to make the web a safer and more user-friendly space. Collaboration and transparency are important ingredients, raising the bar for everyone, including hackers, who will have a harder time executing remote attacks.
