Protecting against account compromise

In late September 2017, it was announced that one of the four largest auditing and consulting firms, Deloitte, was the victim of a successful cyber attack in which their internal email system was compromised and hackers accessed data from the platform.

Deloitte, a UK-based company founded in 1845, provides tax, auditing, legal, financial advisory, risk advisory and management consulting services. This includes cybersecurity advice.

According to The Guardian newspaper, the hack was discovered in March this year but may date back to November or even October last year. Hackers managed to compromise an account with administrator level privileges, which would in theory give them unfettered access to all corners of the email system. Sources indicate that the account was only secured with a single password and did not have multi-factor authentication activated.

The compromised information is believed to contain sensitive design and security details of several of Deloitte’s top clients and was deemed so sensitive that only a few of the most senior partners and lawyers were informed. An external law firm was hired to investigate the breach and follow whatever cyber trail was left by the hackers. They have been evaluating potentially compromised documents since April, before Deloitte finally announced the breach.

Deloitte was quoted by the Guardian as saying:

“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.

We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.”

Multi-factor authentication is a modern security measure that provides additional security to an account. It has been added to several systems operated by Microsoft, Google and others. The scheme consists of some or all of the factors below:

  • Something you have (a physical object that is hard to duplicate): A card, key, token, one-time password list, etc.
  • Something you know: A password or PIN.
  • Some characteristic of the user: A fingerprint, iris scan, voice, typing speed or pattern.

Some authentication schemes resort to sending a one-time PIN via SMS. These can possibly be intercepted due to weaknesses in the cellular protocol, or if the hacker has insider assistance within the cellular provider. In the latter scenario, they can replace the victim’s SIM card details with one under their control. This is referred to as a “SIM swap”. In such a scenario, all communications to the victim’s cellular number will be received by the hacker.

To further improve security, the concept of a physical token (namely an RSA token that has a randomly generated number, synchronized with the server) has been taken a step further. An app can be installed on a mobile phone that simulates the token. Once the phone has been synchronized with the server, the user enters the number the app presents as an additional factor alongside the password. This process depends on mobile or Wi-Fi data, and therefore steers clear of technologies that can be circumvented with a SIM swap. Due to the inherent trust between the server and the app that was established by the synchronization, servers can also push a notification to the app that only requires the user to acknowledge or decline the login.

Many people use simple, easy-to-guess passwords, or reuse passwords across multiple providers so as to reduce the chance of forgetting them. This makes accounts easier to hack. It is common practice for online systems to use email addresses as usernames, as these are guaranteed to be unique. This makes it highly likely that a password discovered on one service is also the one used on a personal email account, granting hackers access to vast amounts of information.

Using multi-factor authentication (or at least two-factor) makes gaining access to accounts and services that much more difficult. It stands to reason that this functionality should be enabled wherever possible.

By adopting this approach, the Deloitte hack could have been prevented, saving the organization from any potential damage to their reputation.

It could also prevent individuals from experiencing identity theft.


Andrew Smith

Andrew is a senior systems engineer with over 20 years' experience in corporate and small business environments. This includes consulting for large ICT service providers. He has supported systems at every level in the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew has a 3-year National Diploma in Electronics (light current).
