CyberWire staff | thecyberwire.com
Visible, the mobile virtual network operator owned by Verizon, has confirmed that hackers have taken over multiple user accounts, 9to5Mac reports. According to users’ posts on Reddit and Twitter, the attackers are locking the user out and then purchasing phones on the user’s tab. The company claims there has been no breach of its internal systems and says the intruder obtained account login credentials through a credential stuffing operation. However, according to Android Police, some victims say their login info was unique to their Visible accounts, making credential stuffing an unlikely explanation. FierceWireless notes that at least one user says Visible does not offer two-step authentication, which could have made the accounts more difficult to crack.
Saryu Nayyar, CEO of Gurucul, thinks companies undergoing incidents like this should come clean as soon as they responsibly can: “Customer transparency into attacks is really the only honest way a company can respond to its users. It’s not clear yet whether user accounts have been hacked, but Verizon has to take customers’ claims seriously. This means that Verizon has to investigate whether accounts were changed and get back to affected customers immediately on remediation efforts, as well as cancelling any orders or reimbursing customers for fraudulent orders.”
Bill Lawrence, CISO of SecurityGate, observes that utilities (and cell service can be usefully thought of in this way) often require payment methods to be associated with customers’ accounts.
“This scenario sounds like the attackers could change account access and treat themselves to new iPhones with the victim’s credit. When setting up these types of accounts, first and foremost, look for multi-factor authentication options and enable them. Also, be wary of linking bank accounts directly, and if you’re using a card, credit cards have better fraud protection than debit cards. Never click the box shopping websites have to offer to save credit card information to “make the next purchase easier”. That puts your information out there to be lost in each company’s future breach. Use a password manager or your browser instead. And regularly keep an eye out for other fraudulent activity in your accounts.”