Timehop breach 'offers a teachable moment' says FIDO Alliance
07 August 2018 11:59 GMT

Timehop, the nostalgia-themed social media app, has reported a significant breach affecting the usernames, email addresses and telephone numbers of millions of users.

Timehop attributed the breach to a compromised access credential for its cloud computing environment. That cloud account had not been protected by multi-factor authentication; the organisation says it has since taken steps, including enabling multi-factor authentication, to secure its authorisation and access controls on all accounts.

The Fast IDentity Online (FIDO) Alliance is a global non-profit trade association developing technical standards and certification programmes for simpler, stronger authentication. Brett McDowell, executive director of FIDO Alliance, has made the following comments:

“This offers a teachable moment for the rest of the online services industry, especially in light of new GDPR and PSD2 requirements. What caught my eye here was Timehop’s emphasis that their users’ social media posts and photos were not breached while they clarify the data lost included ‘names, email addresses, and some phone numbers’. If you have personal information on file from European citizens, you are already held to a higher standard for data protection through GDPR. That means what once may have been considered less important than social media posts, personal photos, or even financial data, is now critically important if you cannot demonstrate to regulators you have taken risk-appropriate measures ahead of any data breach incident.


“There are some important takeaways from this incident. First, organisations should not wait to be breached before investing in multi-factor authentication (MFA). Industry data makes the situation very clear: not only did we see a 45 percent year-over-year increase in data breaches, we also know over 80 percent of those incidents were the result of password compromise. Therefore, any access credential that can be compromised by inexpensive remote attack, such as password phishing, is ever increasingly likely to be compromised. The risk is increasing every day, and investment in MFA should be all but inevitable. The only way for organisations to lower the cost is to make that investment before they get breached, not after.


“Organisations shouldn’t waste budget investing in yesterday’s MFA when the industry has just delivered a future-proof open standard for precisely this purpose. Too many professionals still assume MFA means a password and an SMS-delivered one-time passcode. But both of those solutions are ‘shared secrets’ which are inherently vulnerable to inexpensive phishing-style attacks - which we know to be on the rise and highly effective. With FIDO, businesses looking to invest in MFA capabilities have only one choice that delivers the highest level of protection from the commercial and regulatory costs of data breaches, is standards-based and therefore vendor agnostic and future-proof, and compatible with best-of-breed user experiences that replace the burden on users to type passcodes with nothing more than a touch of a sensor or even just a glance at a sensor. This is why leading service providers like Google, Facebook, Microsoft, PayPal, eBay, T-Mobile, ING, MasterCard, Intuit and many more have invested in FIDO Authentication to protect their businesses from the increasing costs of data breach.”
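The distinction McDowell draws between a ‘shared secret’ second factor and a FIDO-style credential can be shown in a few lines. The following is an added illustration, not FIDO Alliance or Timehop code: a toy SMS-code server and a toy origin-bound authenticator, where an HMAC key stands in for the authenticator’s private key and the origins are constructed placeholders. The point it demonstrates is that a relayed one-time code verifies at the real server, whereas an assertion signed over the origin the browser is actually talking to does not.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://service.example"        # constructed placeholder
PHISH_ORIGIN = "https://service-login.example"  # constructed look-alike site

# --- Shared-secret second factor: password plus SMS one-time passcode ---
class OtpServer:
    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"  # what the SMS would carry
        self.pending[user] = code
        return code

    def verify(self, user, code):
        return hmac.compare_digest(self.pending.pop(user, ""), code)

def otp_login_relayed(server, user):
    code = server.send_code(user)      # real site texts the user the code
    typed_into_lookalike = code        # user types it into whichever site asked
    return server.verify(user, typed_into_lookalike)  # nothing ties it to a site

# --- Origin-bound assertion, FIDO style (HMAC stands in for a signature) ---
class Authenticator:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # never leaves the device

    def sign(self, challenge, origin):
        # The browser, not the user, fills in the origin it is connected to.
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()

class FidoServer:
    def __init__(self, origin):
        self.origin, self.keys, self.pending = origin, {}, {}

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify(self, user, client_data, sig):
        data = json.loads(client_data)
        expected = hmac.new(self.keys[user], client_data, hashlib.sha256).digest()
        return (data["origin"] == self.origin                # rejects the look-alike
                and data["challenge"] == self.pending.pop(user, None)
                and hmac.compare_digest(expected, sig))

def fido_login(server, auth, user, browser_origin):
    chal = server.challenge(user)      # a relay can forward this unchanged
    client_data, sig = auth.sign(chal, browser_origin)
    return server.verify(user, client_data, sig)
```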
