Are hackers watching you sleep?
Fitbit, a California-based company that manufactures wireless-enabled wearable activity trackers, was recently hacked by cybercriminals. These malicious actors used credentials stolen from third-party sites (a technique commonly called credential stuffing) to log in to the accounts of users of the popular wearable devices.
This is a particularly frightening breach since Fitbit’s technology is designed to track a user’s activity and measure data such as the number of steps walked or climbed, sleep quality, and other personal metrics. This capability to track sleep, activity and location effectively gives the hackers the ability to know where a user is, when they’re awake, when they’re asleep and what their usual routine looks like – a problem that blurs the line between cyber crime and physical security.
Breaches like these are becoming increasingly worrisome for consumers, since it is no longer simply login information that is being compromised. Today’s breaches can expose much more about a person than their Social Security Number or birthdate. Hackers now have the ability to look into a victim’s health history, personal life and daily routine, leaving consumers vulnerable to physical burglary, identity theft, or worse.
This particular breach shows why companies like Fitbit “need to get serious about ‘privacy by design’ and provide security that is not so dependent on users,” according to security expert Stephen Cobb of IT security firm ESET.
“It is not acceptable to sell the general public on the idea of a device that harvests highly personal data and then put the burden on the general public to protect the data,” he says. “The data should be secure and private by default, for any user, regardless of their technology skills.”
At the root of the Fitbit breach was password reuse, which is common among users. Statistically, the average American has five passwords for their more than 20 online accounts, which means that one password can give a malicious actor access to four disparate online profiles, accounts or services.
Customers reuse passwords for convenience and ease of use. They also use easy-to-remember passwords for similar reasons. This creates a situation where much of a user’s personal information is available online and protected by a thin layer of easy-to-penetrate security.
Many consumer-focused companies – such as Fitbit and others – want to keep the login process simple for customer experience reasons. The behaviors above – using simple-to-remember credentials and then reusing them across multiple accounts – show that customers prize simplicity. Companies selling to consumers feel they’ll anger or frustrate them if they make their login processes too complicated or difficult by locking them down with strong security solutions.
As a result, they continue to rely on single-factor authentication, or on two-factor authentication that is in-band, meaning the second factor is entered on the same device and channel as the password. These login procedures can then be compromised through brute-force attacks, or with malware and techniques such as keyloggers and man-in-the-middle attacks that capture both factors together. And once a set of credentials is compromised, the door is open for malicious actors to gain access to multiple accounts due to password reuse. In the case of Fitbit, these credentials were used to open a door to some truly frightening location and behavioral data.
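The reuse pattern described above has a recognisable signature in a service’s own authentication logs: one source trying many different usernames once each, with a low but non-zero success rate, rather than hammering a single account. The following is an added example, not code from the article or from Fitbit, that classifies login events from a constructed, clearly fictitious log and lists the accounts that succeeded during a stuffing run so they can be forced through a password reset and step-up authentication. The log format (`<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>`) and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data, documentation IP ranges only).
# 203.0.113.9 tries ten different users in a few seconds: stuffing a breach list.
# 192.0.2.44 hammers one user: classic single-account brute force.
# 198.51.100.7 is a normal user who mistypes once and then logs in.
SAMPLE_LOG = """\
2016-01-10T02:00:01Z 203.0.113.9 alice LOGIN_FAIL
2016-01-10T02:00:02Z 203.0.113.9 bob LOGIN_FAIL
2016-01-10T02:00:02Z 203.0.113.9 carol LOGIN_OK
2016-01-10T02:00:03Z 203.0.113.9 dave LOGIN_FAIL
2016-01-10T02:00:03Z 203.0.113.9 erin LOGIN_FAIL
2016-01-10T02:00:04Z 203.0.113.9 frank LOGIN_FAIL
2016-01-10T02:00:05Z 203.0.113.9 grace LOGIN_OK
2016-01-10T02:00:05Z 203.0.113.9 heidi LOGIN_FAIL
2016-01-10T02:00:06Z 203.0.113.9 ivan LOGIN_FAIL
2016-01-10T02:00:06Z 203.0.113.9 judy LOGIN_FAIL
2016-01-10T02:05:00Z 198.51.100.7 alice LOGIN_FAIL
2016-01-10T02:05:30Z 198.51.100.7 alice LOGIN_OK
2016-01-10T03:00:00Z 192.0.2.44 bob LOGIN_FAIL
2016-01-10T03:00:01Z 192.0.2.44 bob LOGIN_FAIL
2016-01-10T03:00:02Z 192.0.2.44 bob LOGIN_FAIL
2016-01-10T03:00:03Z 192.0.2.44 bob LOGIN_FAIL
2016-01-10T03:00:04Z 192.0.2.44 bob LOGIN_FAIL
2016-01-10T03:00:05Z 192.0.2.44 bob LOGIN_FAIL
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK"))
    return events


def detect(events, window=timedelta(minutes=5), min_attempts=6, min_users=5):
    """Classify each source IP by the shape of its attempts inside a sliding window.

    Many distinct usernames in one window -> credential stuffing (reused passwords
    from a third-party breach). Many attempts on a single username -> brute force.
    Accounts that succeeded during a stuffing run are reported as likely compromised.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        for i, (start, _, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            if len(span) < min_attempts:
                continue
            users = {e[2] for e in span}
            if len(users) >= min_users:
                kind = "credential_stuffing"
            elif len(users) == 1:
                kind = "brute_force"
            else:
                continue
            findings.append({
                "ip": ip,
                "kind": kind,
                "attempts": len(span),
                "distinct_users": len(users),
                # successes inside an attack window: force reset + step-up auth
                "compromised": sorted({e[2] for e in span if e[3]}),
            })
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

The important design point is that the stuffing detector keys on the number of distinct usernames per source, not on failures per account: a stuffing run produces only one or two failures per user, so a per-account lockout threshold never fires, which is exactly why reused passwords slip through.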
So, what can companies like Fitbit do to protect themselves and their customers? Here are some steps:
1) Multiply – multi-factor authentication (MFA) is essential for blunting brute-force and credential-stuffing attacks: a guessed or reused password alone is no longer enough to get into an account.
2) Get out – embrace out-of-band MFA solutions to truly protect users. Solutions that move the authentication step to a separate channel and device, away from the one where the password is typed, keep the second factor out of reach of the keyloggers and man-in-the-middle attacks that capture in-band credentials.
3) Stop equating secure with complicated – today’s advanced out-of-band MFA solutions don’t have to be complicated to provide strong security. Look at next-generation solutions that use smartphones and other devices to confirm that an authentication attempt is genuine without asking users to do anything complicated.
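To make the three steps concrete, here is an added example (not Fitbit’s code or any vendor’s product) of an out-of-band approval flow in Python. The server checks the password as the first factor, then issues a short-lived, single-use challenge that is delivered only to a device enrolled for that account; the device answers with an HMAC over the challenge using a key that never leaves it. The `AuthServer`, `push_to_device` and `device_approve` names, the 60-second lifetime and the HMAC construction are assumptions made for this illustration. The scenario at the end shows why a stolen or reused password on its own gets an attacker no further than a pending challenge, and why a captured approval cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt=None):
    """Salted PBKDF2 so a leaked password store does not hand out reusable passwords."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Assumed minimal server: password first factor, out-of-band approval second."""

    def __init__(self):
        self.users = {}       # username -> (salt, password_hash, device_key)
        self.challenges = {}  # challenge_id -> pending challenge state

    def enroll(self, username, password, device_key):
        salt, pw_hash = hash_password(password)
        self.users[username] = (salt, pw_hash, device_key)

    def begin_login(self, username, password, now=None):
        """First factor. Returns a challenge id if the password is right, else None."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, pw_hash, _ = rec
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        cid = secrets.token_hex(16)
        self.challenges[cid] = {
            "user": username,
            "nonce": secrets.token_bytes(16),   # goes to the device, never to the browser
            "expires": (now if now is not None else time.time()) + 60,
            "used": False,
        }
        return cid

    def push_to_device(self, cid):
        """Simulates the separate channel: only the enrolled device sees the nonce."""
        return cid, self.challenges[cid]["nonce"]

    def complete_login(self, cid, approval, now=None):
        """Second factor. Accepts one valid approval per challenge, within its lifetime."""
        ch = self.challenges.get(cid)
        if ch is None or ch["used"]:
            return False
        if (now if now is not None else time.time()) > ch["expires"]:
            return False
        ch["used"] = True  # burn the challenge whether or not the approval verifies
        device_key = self.users[ch["user"]][2]
        expected = hmac.new(device_key, cid.encode() + ch["nonce"] + b"approve", hashlib.sha256).digest()
        return hmac.compare_digest(expected, approval)


def device_approve(device_key, cid, nonce):
    """What the enrolled phone computes when the user taps 'approve'."""
    return hmac.new(device_key, cid.encode() + nonce + b"approve", hashlib.sha256).digest()


def scenario():
    """Walk through the cases the article is worried about; returns outcome per case."""
    server = AuthServer()
    device_key = secrets.token_bytes(32)  # shared at enrollment, stays on the device
    server.enroll("alice", "correct horse battery", device_key)
    results = {}

    # Legitimate user: password, then approval from the enrolled device.
    cid = server.begin_login("alice", "correct horse battery")
    _, nonce = server.push_to_device(cid)
    results["legit"] = server.complete_login(cid, device_approve(device_key, cid, nonce))

    # Replaying the same approval fails: the challenge is single-use.
    results["replay"] = server.complete_login(cid, device_approve(device_key, cid, nonce))

    # Password reused from a third-party breach: first factor passes, but the
    # attacker holds neither the nonce nor the device key, so any forged approval fails.
    cid = server.begin_login("alice", "correct horse battery")
    forged = hmac.new(b"attacker-guess", cid.encode(), hashlib.sha256).digest()
    results["stolen_password_only"] = server.complete_login(cid, forged)

    # Wrong password never produces a challenge at all.
    results["wrong_password"] = server.begin_login("alice", "password123") is None

    # An approval that arrives after the 60-second lifetime is rejected.
    cid = server.begin_login("alice", "correct horse battery", now=1000.0)
    _, nonce = server.push_to_device(cid)
    late = device_approve(device_key, cid, nonce)
    results["expired"] = server.complete_login(cid, late, now=1061.0)
    return results


if __name__ == "__main__":
    print(scenario())
```

Two choices carry the security argument: the nonce and device key travel only over the out-of-band channel, so a keylogger or man-in-the-middle on the primary device sees a password and a challenge id but nothing it can turn into an approval; and the challenge is marked used before the HMAC is checked, so a wrong approval cannot be retried against the same challenge.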
Today’s breaches can put more on the line than a user’s PII. Behavioral data, healthcare information and more are now online and available to hackers. It’s important that companies like Fitbit do more to protect their users in this environment, and today’s advanced MFA solutions can give them the ammunition they need.