In an age of BYOD, far, far removed from the big and clunky mobile phones of the days of yore, some 5 billion of us trust our most intimate, personal information to our devices and the apps we use on them. We live, play, eat, work, learn and sleep with our phones, tablets and laptops by our side. We download new apps without much thought – anything that will make our lives easier, keep us entertained, allow us to live on the go… But how much consideration do we actually give to their security?
The Under Armour Attack
At the end of last month, Under Armour announced the breach of 150 million user accounts on its My Fitness Pal application. Information stolen included usernames, email addresses and hashed passwords. And though the company is being lauded for notifying affected users within 4 days of discovering the breach, and for following good practice by segmenting its data so that payment information was stored on a separate server and thus not accessed, there are still questions regarding the security that was in place when the breach occurred.
According to Under Armour, most of the stolen passwords were hashed using the bcrypt function, regarded by most security professionals as the preferable and strongest method for securing passwords. But some were hashed using the SHA-1 hash function, which, due to the ease with which it can be breached, has been banned for use in US federal agencies since 2010, and banned for use by digital certificate issuing authorities since 2016.
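As an added illustration of the mixed storage situation described above (example code, not Under Armour's own): a credential store holding both legacy unsalted SHA-1 digests and a salted, slow hash, with an audit that finds the legacy records and a login path that re-hashes them once the plaintext is available. PBKDF2 from Python's standard library stands in for bcrypt, which needs a third-party package; the format detection and upgrade-on-login logic is the same.

```python
# Added example: audit and upgrade a store that mixes legacy SHA-1 with a salted KDF.
# PBKDF2-HMAC-SHA256 is used as a stand-in for bcrypt (assumption: same pattern,
# a self-describing "$scheme$salt$hash" string, as bcrypt's "$2b$..." strings).
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # work factor; tune upward as hardware allows

def hash_password(password: str) -> str:
    """Salted, slow hash stored as a self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$pbkdf2-sha256$" + salt.hex() + "$" + dk.hex()

def is_legacy_sha1(stored: str) -> bool:
    """Unsalted SHA-1 hexdigests are exactly 40 lowercase hex characters, no prefix."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored)

def verify(password: str, stored: str) -> bool:
    """Constant-time comparison for both formats; unknown formats never verify."""
    if is_legacy_sha1(stored):
        digest = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(digest, stored)
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(parts[2]), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), parts[3])

def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """On a successful login, replace a legacy SHA-1 record with the salted KDF."""
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy_sha1(stored):
        store[user] = hash_password(password)
    return True

def audit(store: dict) -> list:
    """Names of accounts still protected only by unsalted SHA-1."""
    return sorted(u for u, h in store.items() if is_legacy_sha1(h))

# Constructed sample store: one account never migrated off SHA-1 (password "hunter2").
STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hashlib.sha1(b"hunter2").hexdigest(),
}
```

Running `audit(STORE)` before and after a successful login for "bob" shows the legacy record being retired without any user-visible change.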
Regardless of the reason behind Under Armour’s security slip-up, most people living connected lives know that no device or app is completely safe. Many apps take an ‘opt-in’ approach to privacy, their default settings giving permissions to track user locations, access device cameras and pictures, send messages and other items that are not related to the application’s true needs. The onus falls on the user to opt-out of these permissions, granting only what is actually needed to use the application.
JP Morgan, Pacemakers, Uber…
Remember the J.P. Morgan hack of 2014? Eighty-four million accounts were compromised across the websites Chase.com and JPMorganOnline, together with the Chase and JPMorgan mobile applications. Even healthcare apps, created to manage the functionality of medical devices, could fall prey to an enterprising hacker. Think ransomware was scary? What if an attacker could control a pacemaker? In 2017, the US FDA recalled nearly a half-million pacemakers for a firmware update, out of fear attackers could hijack them and threaten patients.
But for the sake of this post, let’s stay within the realms of the day-to-day – the apps people count on to check the weather, budget their finances, or even order a cab (can anyone say Uber hack?). Yes, Google is continually upping its efforts to ensure consumers get clean apps, utilizing machine learning to flag bad applications (in 2017, they took 700,000 ‘bad’ apps offline) – but even this is not enough.
The Weakest Link
As humans, whether we are using apps on BYOD devices or building their security, we are the weakest link in the chain. Even the most cyber-conscious of users can be guilty of reusing the same password across multiple accounts, choosing easy-to-guess passwords, relying on single-factor authentication, connecting over unsecured wifi (because, after all, you are just happy to get a signal) and so on. In a BYOD world, where the line between personal and business use on devices is frequently obscured, it is more important than ever that we not only implement comprehensive, enterprise-grade security across all our endpoints, but that we also invest significant resources in educating employees on best practices.