Customers' Accounts Were Exposed in the Verizon breach

 


There has been a lot of talk lately about telecom companies and consumer data breaches. In the past few years, you have been more likely to see T-Mobile named in the headlines. There have been numerous attacks on the self-titled Un-carrier, each with disastrous results.

However, Verizon (and its customers) are not the only ones suffering this year: updated information has revealed that millions of Verizon subscribers have been subjected to a data breach, with their personal information being made publicly available.

A Verizon contractor has apologized after failing to secure a large batch of customer information previously collected by the telecom company. As a result, over 6 million customer accounts have been exposed. Although it is unclear whether Verizon, the country's largest wireless carrier, will notify affected users, many believe it will.

In some cases, customers' PIN codes were exposed as well, which are often used in conjunction with their names, addresses, phone numbers, account information, as well as basic information about how to contact customer service teams via phone. Some logs contained information about customer service calls stored in the cloud containing exposed data. 

As part of its commitment to security and privacy, Verizon is committed to protecting the personal information of its customers. 

A researcher with the cyber risk team at security vendor UpGuard, Chris Vickery, discovered that the data was exposed through a breach at the location. 

In a blog post, Dan O'Sullivan, a cyber resilience analyst at UpGuard, wrote that the data was contained in an unsecured Simple Storage Service (S3) bucket. This repository is controlled by NICE Systems, an Israeli company that is part of Verizon's partner network.

Verizon has also said in a press statement that their agency supports a wireline self-service call center portal for small businesses and homes, and that certain data is required for the project.

The data exposure was discovered by UpGuard on June 13; Verizon notified the company to lock out the bucket by June 22 as soon as it discovered it. It has been characterized as "troubling" from the perspective of UpGuard, and officials from NICE were unable to comment as of right now. 

UpGuard says 14 million customer records may have been exposed due to the breach. 

In an attempt to prove its point, Verizon denied the figure, saying Wednesday that 6 million accounts had been exposed to the vulnerability. 

The Verizon spokesman did not answer a question as to how Verizon came to this conclusion, although an analysis of access logs could have contributed. In response to a question about notification, Samberg declined to comment. 

Error in Redux Configuration

Vickery has made several data exposure discoveries this year, including Verizon. The search engine Shodan is an excellent tool for cataloging staggering breaches. Shodan finds internet-connected devices by searching for them on the internet. By plugging specific search terms into Shodan, researchers can discover insecure internet-connected systems and cloud instances.

The configuration error appears to have been made by NICE and was caused by a rule that was set incorrectly in the S3 bucket, similar to the previous episodes of unintentionally exposed data detected by Vickery. 

The data was then available via the internet, which left it accessible to everyone. The database and its many terabytes of contents could be accessed and downloaded with just the S3 URL, writes UpGuard's O'Sullivan in a post, and the files themselves were also accessible.

Amazon S3 storage buckets do not have public access enabled by default, which is Amazon's policy. As part of Amazon's identity and access management controls, you can also control who has access to buckets and has enough permission to alter or delete data. It is also possible to block buckets based on HTTP referrers and IP addresses to make them off-limits to certain users. 

It seems unlikely that anyone at NICE would have disabled those security defaults, but it's possible. 
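The bucket controls described above can be checked offline. The following is an added example, not code from UpGuard, Verizon or NICE: it reads a bucket policy and an ACL grant list and reports every grant open to anonymous callers, noting whether a source-IP or referer condition narrows it. The bucket name, CIDR range, portal URL and helper names are constructed placeholders, and the inputs are assumed to have the shape returned by S3's GetBucketPolicy and GetBucketAcl.

```python
import json

# Constructed sample data; bucket name, CIDR and portal URL are placeholders.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3 "everyone" group
POSITIVE_OPS = {"IpAddress", "StringEquals", "StringLike"}

def make_policy(principal, condition=None):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

OPEN_POLICY = make_policy("*")
IP_POLICY = make_policy({"AWS": "*"}, {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})
REFERER_POLICY = make_policy("*", {"StringLike": {"aws:Referer": "https://portal.example/*"}})
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any caller, signed in or not."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _guard(statement):
    """Classify which condition, if any, narrows an anonymous Allow."""
    keys = {key.lower() for op, cond in statement.get("Condition", {}).items()
            if op in POSITIVE_OPS for key in cond}
    if "aws:sourceip" in keys:
        return "ip-restricted"
    if "aws:referer" in keys:
        return "referer-only"  # Referer is client-supplied, so this is a weak fence
    return "public"

def audit_bucket(policy_json, acl_grants):
    """Return (source, permission, exposure) for every anonymous grant."""
    findings = [("acl", g["Permission"], "public") for g in acl_grants
                if g.get("Grantee", {}).get("URI") == ALL_USERS]
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            findings += [("policy", action, _guard(stmt))
                         for action in _as_list(stmt.get("Action", []))]
    return findings

if __name__ == "__main__":
    for name, pol, acl in [("open", OPEN_POLICY, PUBLIC_ACL), ("ip", IP_POLICY, []),
                           ("referer", REFERER_POLICY, [])]:
        print(name, audit_bucket(pol, acl))
```

Any finding marked `public` means the objects can be fetched with nothing more than the bucket URL, which is the condition the post describes.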

Exposure to Orange Data is Suspected

Aside from the information exposed in the S3 bucket, according to O'Sullivan, the information appears to have also been exposed by at least one other organization, Orange, which is also a partner of NICE. 

The data, he writes, appears less sensitive. However, it is noteworthy to see this type of information being included in a Verizon repository, even though it is internal to Orange. On the European market, Verizon's enterprise division competes directly with Orange's enterprise division. 

Data Security is at Risk

In contrast, Verizon has downplayed the idea that data has been exposed. Even though some personal information was included in the data set, the overwhelming majority of the information did not have any outside value. As Verizon confirmed in a statement, the company said that there were no Social Security numbers or Verizon voice recordings in the cloud storage area. 

Yet some security experts are skeptical about whether this leak will cause damage. In some customer records the PIN was masked; however, this only affected a subset of accounts.

UpGuard believes that unmasked PINs could be used to gain access to Verizon account information. The PINs required for these accounts are fundamental to verifying callers as legitimate Verizon customers. This prevents impersonators from accessing and changing Verizon account settings, writes O'Sullivan.

Verizon says users cannot access online accounts using PINs. Samberg, Verizon's Chief Creative Officer, did not follow up with a question from the media about whether having a PIN alone might be enough for an individual to obtain an additional SIM card, but he did suggest that having a PIN might not be sufficient. 

The fear is that scammers could impersonate customers and obtain SIM cards.

Having the victim's phone number would give them the capability to use it to their advantage. Fraudsters would then receive the victim's messages, including their two-factor authentication codes, as part of the fraud scheme. To better block unauthorized access, a one-time passcode is now required for many online services, from banks to cloud storage providers.

According to a report released by the U.S. National Institute of Standards and Technology, it is recommended that out-of-band authentication using voice calls and SMS messages be avoided.

Smartphone apps that deliver one-time codes are becoming increasingly popular among businesses, even wireless carriers. This method of sending one-time codes is generally considered by security experts to be a safer approach than sending them via voice or SMS communication.