Hackers Target Dropbox, Exposing Risk of Consumer Sync and Share

Anonymous hackers claim they stole Dropbox login information. Although Dropbox is denying these claims, here are a few precautionary tips you can take.


16 October 2014


Anonymous hackers claim they stole 7 million usernames and passwords for Dropbox accounts, according to news reports. As evidence, the hackers posted hundreds of records on a third-party website. Dropbox denies that it was compromised, and some observers say the whole thing is a hoax aimed at extorting cash.

In the meantime, some security experts advised users to immediately change their login credentials. This is sound advice, but is it enough? Sure, we hear plenty about stolen passwords and user IDs these days, and the danger they pose to our privacy and data.

But in reality, the password protection model has always been subject to security vulnerabilities — largely because it relies on human beings to do their part to implement it.

Passwords: A Potential Weak Link in Security

Simple passwords, while they play a part in protection, aren't reliable as a sole defense mechanism. Longer, complex passwords (or, better, passphrases) are a stronger tool. However, many organizations have implemented extremely complex password policies, demanding eight-plus characters, a capital letter, a symbol, and so on.

These requirements are often so cumbersome that many users take shortcuts and reuse the same password across multiple applications, and more and more people use the same password at work and at home. That is exactly what turns an incident like the Dropbox claim into an enterprise problem: a credential stolen from a consumer service gets tried against corporate webmail, VPN and SaaS logins, and wherever it was reused, it works. Over time, this practice has created major vulnerabilities, not only for individuals, but for the enterprise.

The Power of Two-Factor Authentication

To address this threat, businesses need to add layers of security that reduce the risk profile. Two-factor authentication (2FA) is one such layer: it requires users to present two pieces of evidence drawn from two different categories of authentication factor, so that stealing one of them (a password) is not enough on its own.

The three categories are something:

  1. You know (a password or personal identification number)
  2. You have (a bank card, a work ID badge, or a one-time-code token or app)
  3. You are (a biometric, such as a fingerprint)

A common 2FA example is withdrawing money from a bank ATM, where we present a physical card (something we have) and a memorized PIN (something we know). Two passwords, by contrast, are not two factors; they come from the same category. Memorizing multiple passwords can be a challenge, which single sign-on (SSO) technology addresses: the user authenticates once to an identity provider, and that single session grants access to multiple applications without a separate password for each.

Combining SSO with 2FA gives users one strong, complex password protected by a second factor, plus a streamlined login process that doesn't require memorizing multiple passwords. The caveat is that the SSO identity provider becomes the single most valuable target in the environment, so it is the one system where the second factor must never be optional.
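The "something you have" factor most SaaS services offer is a time-based one-time code (TOTP) from a phone app or hardware token. The following is an added example, not code from the original article or from Intralinks or Dropbox, showing how a server verifies both factors: a salted password hash and an RFC 6238 code, with a small clock-drift window and a replay check so a code that has been used once cannot be replayed. The shared secret is the RFC 4226/6238 reference test secret, used here only so the output can be checked against the published vectors.

```python
"""Two-factor login: password (something you know) plus TOTP (something you have).
Added example. DEMO_SECRET is the RFC 4226/6238 reference test secret, not a real key."""
import hashlib
import hmac
import os
import struct

DEMO_SECRET = b"12345678901234567890"   # RFC reference secret (demo only)
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226, HMAC-SHA1)."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the current 30 s window."""
    return hotp(secret, unix_time // step, digits)


def match_totp(secret: bytes, submitted: str, unix_time: int,
               window: int = 1, step: int = 30, digits: int = 6):
    """Return the time-step counter whose code equals `submitted`, or None.
    Checks the current window and +/- `window` neighbours to tolerate clock drift.
    Every candidate is compared in constant time; no early exit on mismatch."""
    base = unix_time // step
    matched = None
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), submitted):
            matched = base + delta
    return matched


def hash_password(password: str, salt: bytes = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def make_user(password: str, totp_secret: bytes) -> dict:
    return {"pw": hash_password(password), "totp_secret": totp_secret,
            "last_otp_counter": -1}           # highest counter already accepted


def login(user: dict, password: str, otp: str, now: int) -> bool:
    """Both factors are always evaluated, and an OTP counter is accepted only once."""
    pw = user["pw"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), pw["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, pw["hash"])
    counter = match_totp(user["totp_secret"], otp, now)
    otp_ok = counter is not None and counter > user["last_otp_counter"]
    if pw_ok and otp_ok:
        user["last_otp_counter"] = counter    # burn the code: a replay fails below
        return True
    return False


if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_SECRET)
    now = 1413400000                           # 15 Oct 2014, constructed timestamp
    code = totp(DEMO_SECRET, now)              # what the user's app would display
    print("first use :", login(user, "correct horse battery staple", code, now))
    print("replayed  :", login(user, "correct horse battery staple", code, now + 5))
    print("bad passwd:", login(user, "hunter2", totp(DEMO_SECRET, now + 60), now + 60))
```

The RFC vectors are the quickest sanity check: counter 0 with this secret yields 755224, and the 8-digit TOTP at Unix time 59 yields 94287082. Note that a leaked password alone no longer logs anyone in; the attacker would also need the current code from the device.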

Taking the Next Security Step

Another measure we can employ is a bank-quality risk-based authentication system, one that detects anomalous end-user activity. Banks have long used such systems to spot the fraudulent use of stolen credit cards, and the same technique applies to logins.

For instance, such a system will notice if an account that is normally used from the United Kingdom suddenly attempts to log in from China, especially when the two logins are too close together for the user to have physically travelled between them. Rather than rejecting the attempt outright and locking out a legitimate traveller, the system challenges it for a second authentication factor, which provides an additional level of protection: a stolen password alone fails the challenge.
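The check described above, as an added example that is not part of the original article or any vendor's product: each login attempt is scored against the account's recent history for a never-seen country and for "impossible travel" (distance between consecutive logins divided by elapsed time exceeds airline speed), and any hit steps the attempt up to a second factor instead of allowing it. The IP-to-location table and the login events are constructed for the demo (the addresses are from the RFC 5737 documentation ranges); a real deployment would consult a GeoIP database.

```python
"""Risk-based login scoring: new-country and impossible-travel checks.
Added example with constructed sample data (documentation-range IPs, approximate city centres)."""
import math
from dataclasses import dataclass

# Constructed GeoIP lookup: ip -> (country, latitude, longitude)
GEO = {
    "192.0.2.10":   ("GB", 51.5074, -0.1278),    # London
    "192.0.2.20":   ("GB", 53.4808, -2.2426),    # Manchester
    "198.51.100.5": ("CN", 39.9042, 116.4074),   # Beijing
    "203.0.113.7":  ("CN", 31.2304, 121.4737),   # Shanghai
}

MAX_PLAUSIBLE_KMH = 900.0    # roughly airliner speed; anything faster is impossible travel


@dataclass
class Login:
    user: str
    ts: int          # Unix seconds
    ip: str


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(history, attempt: Login):
    """Return ('allow' | 'step_up', reasons) for one login attempt.

    'step_up' means: require the second factor before granting the session.
    An account with no history is always stepped up; there is nothing to compare against."""
    reasons = []
    country, lat, lon = GEO[attempt.ip]
    prior = [h for h in history if h.user == attempt.user and h.ts < attempt.ts]
    if not prior:
        return "step_up", ["no history for account"]

    seen_countries = {GEO[h.ip][0] for h in prior}
    if country not in seen_countries:
        reasons.append(f"new country {country}")

    last = max(prior, key=lambda h: h.ts)
    _, llat, llon = GEO[last.ip]
    dist = haversine_km(llat, llon, lat, lon)
    hours = (attempt.ts - last.ts) / 3600
    # Guard the zero-interval case: a move of any distance in zero time is impossible.
    if dist > 0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH):
        reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")

    return ("step_up" if reasons else "allow"), reasons


if __name__ == "__main__":
    t0 = 1413400000                                   # constructed: 15 Oct 2014
    history = [Login("alice", t0, "192.0.2.10")]      # alice normally in London
    for attempt in (
        Login("alice", t0 + 5 * 3600, "192.0.2.20"),  # Manchester, 5 h later: fine
        Login("alice", t0 + 1 * 3600, "198.51.100.5"),  # Beijing, 1 h later: not fine
        Login("alice", t0 + 14 * 86400, "198.51.100.5"),  # Beijing two weeks on: new country only
    ):
        print(attempt.ip, assess(history, attempt))
```

The two signals deliberately do different jobs: the speed check catches a stolen password being used while the real user is still at their desk, while the new-country check still fires for a slow, patient attacker, at the cost of one extra prompt for a genuine traveller.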

And as a further step, consider password vault technology. A vault stores your passwords encrypted, unlocked by a single strong master secret, and generates a unique random password for each site or application, so there is no reason to reuse one. Enterprise vaults go further and rotate a stored credential after each use, so even a password that is captured in transit is short-lived. Either way, a breach at one service, such as the one claimed at Dropbox, no longer hands attackers a working password for anything else.

All software-as-a-service (SaaS) providers can learn from regulated industries such as banking, which have faced sustained attack for a long time and have a well-tested approach to show for it. There is even a phrase for this: "bank-hardened security." That approach has evolved over the years to protect customers, and it will keep evolving to counter new threats as they appear.

So, when considering password protection, also think about combining it with other measures: single sign-on, two-factor authentication, risk-based authentication, and the other bank-hardened security practices described above.



Daren Glenister

Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software having worked with many of the Fortune 1000 companies helping to turn business challenges into real world solutions.