By the CyberWire staff | thecyberwire.com
Commission-free stock trading website Robinhood suffered a data breach that potentially compromised the data of nearly 7 million users. Bleeping Computer reports that an intruder gained unauthorized access to Robinhood’s customer support systems by using social engineering against an employee. According to the company’s blog, Robinhood subsequently received a ransom demand from the attacker, though details have not been disclosed: “After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.” The exposed data includes customers’ full names and email addresses and, for some, dates of birth and zip codes. The company said it does not believe Social Security numbers or financial information were affected. Bob Rudis, chief data scientist at the cybersecurity firm Rapid7, told Bloomberg Law, “Financial services firms are huge targets because there are always new customers coming: a refresh of identities, a refresh of credentials.”
The incident at Robinhood, a new-breed financial services company, heavy on mobile access, light on commissions and minimum deposits, has attracted a great deal of industry attention.
Erich Kron, security awareness advocate at KnowBe4, noted that the incident had its origins in social engineering:
“Social engineering continues to play a significant role in spreading malware and ransomware as well as in breaches such as this one. The bad actors behind these attacks are often highly skilled and very convincing when they get a potential victim on the line.
“Unfortunately, technology is not good at stopping these attacks, so the best defense against these attempts is education and training. Employees should be trained to spot and report social engineering and phishing attacks using short, focused training modules and organizations should have a policy telling employees how to report these attacks.”
Purandar Das, Sotero’s Founder and President, wasn’t surprised by the breach, and wonders why it took the company as long as it did to disclose the breach:
“This is really no surprise. Organizations are not really equipped to handle the sophistication, techniques and skills of the hackers. Guess the first question to ask here is ‘Why did this take so long to disclose?’ The obvious answer is that there are no consequences. Companies are well aware that customers don’t have recourse by mandate. They are also aware that the financial consequences are minimal if any. As more consumers start to take matters into their own hands and seek legal remedies, companies will start to realize that it is no longer acceptable to keep losing customer information. Also, minimizing the loss as it relates to name, email, etc. is still an issue. The bigger issue is that organizations can’t be trusted if they lose any information. Why would they [be] counted on to protect more sensitive information? Organizations have to start paying attention to not just security but also the privacy of their customers. As long as there are no material consequences they will continue to underinvest in security as well as downplay their shortcomings. Another interesting question to ask here is if the company even knew about the breach till the extortion attempt. If they didn’t, that is an even more concerning signal about the readiness of the security and privacy readiness.”
Rajiv Pimplaskar, CRO of Veridium, noted that financial services organizations can be expected to remain attractive targets:
“Financial services and e-commerce consumer accounts are a magnet for bad actors to exploit as they offer easy access to money as well as PII (Personally Identifiable Information) that can be later misused. Password sharing is often domain specific, and an individual is more apt to share passwords between their financial accounts, making lateral movement easier and facilitating a larger number of breaches.
“While traditional 2FA (Two Factor Authentication) can mitigate the issue, it still doesn’t solve for the MITM (Man In The Middle) attacks where phished authentication credentials can be introduced into an alternate compromised channel enabling the fraudster to take control.
“BFSI (Banking, Financial Services and Insurance) companies as well as the retail industry need to mandate passwordless customer authentication methods leveraging W3C WebAuthn and FIDO Alliance standards. These methods establish an unphishable relation between the user and their account, making the environment immune to such data breaches and ransomware incidents. Furthermore, such solutions are easier to use and more cost effective to operate, enabling great adoption.”
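The two claims in the quote above, that a relayed one-time code still lets a phisher in while a WebAuthn assertion is bound to the site that requested it, can be shown side by side. The following is an added example, not code from Robinhood, Veridium or the CyberWire. Both the TOTP secret and the challenge are constructed, the domains robinhood.example and rob1nhood.example are placeholders, and, so that the block runs on the Python standard library alone, the credential's ECDSA key pair is stood in for by an HMAC key shared between authenticator and relying party; the origin and rpIdHash checks, which are what defeat the relay, are the real ones a WebAuthn server performs.

```python
"""Constructed demonstration: a relayed TOTP code is accepted by the real site,
a relayed WebAuthn assertion is rejected because it names the phishing origin."""
import base64
import hashlib
import hmac
import json
import struct

# ---- Traditional 2FA: TOTP (RFC 6238 over HMAC-SHA1, standard library only) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def real_site_accepts_totp(secret: bytes, submitted_code: str, now: int) -> bool:
    # The code carries no information about which page the user typed it into.
    return hmac.compare_digest(totp(secret, now), submitted_code)

def totp_relay_scenario() -> bool:
    """Victim types the code into the phishing page; the attacker forwards it to the
    real site within the same 30-second window. True means the real site accepted it."""
    secret = b"constructed-shared-totp-secret"   # constructed, not a real secret
    now = 1_700_000_000
    code_entered_on_phishing_page = totp(secret, now)
    return real_site_accepts_totp(secret, code_entered_on_phishing_page, now)

# ---- WebAuthn assertion, simplified ----
# ASSUMPTION: the credential's ECDSA key pair is replaced by an HMAC key shared by
# authenticator and relying party so the example runs without third-party libraries.
CREDENTIAL_KEY = b"constructed-credential-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_builds_assertion(page_origin: str, challenge: bytes) -> dict:
    """What the browser and authenticator produce for a page at `page_origin`.
    The browser writes `origin` itself and derives the RP ID from the page's
    domain; page script cannot substitute the real site's origin."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":")).encode()
    # authenticatorData = rpIdHash(32) || flags(1, user-presence bit set) || signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signature = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                         hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}

def rp_verify(assertion: dict, expected_origin: str, expected_rp_id: str, issued_challenge: bytes):
    """Relying-party checks, in the order a WebAuthn server performs them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user presence not asserted"
    expected = hmac.new(CREDENTIAL_KEY, auth + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def webauthn_relay_scenario():
    """Attacker forwards the real RP's challenge to the victim's browser on the
    phishing origin and relays the resulting assertion. Returns (legit, relayed)."""
    challenge = b"constructed-challenge-issued-by-real-rp"
    real_origin, rp_id = "https://robinhood.example", "robinhood.example"
    legit = browser_builds_assertion(real_origin, challenge)
    relayed = browser_builds_assertion("https://rob1nhood.example", challenge)
    return rp_verify(legit, real_origin, rp_id, challenge), rp_verify(relayed, real_origin, rp_id, challenge)

if __name__ == "__main__":
    print("TOTP relay accepted by real site:", totp_relay_scenario())
    print("WebAuthn legit / relayed:", webauthn_relay_scenario())
```

In a real deployment the relay fails even earlier: a credential registered for robinhood.example is scoped to that RP ID, and the browser will not let a page on another domain ask for it at all. The verifier-side origin check shown here is what catches any assertion that does get produced and forwarded.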
On the other hand, Chad Anderson, a senior security researcher at DomainTools, sees Robinhood as being quick and transparent in its disclosure:
“This is an unfortunate breach for Robinhood and reads like it could have been prevented with more process. I have to commend their team for being transparent however with the impact of the breach and timeliness of their information release. Responses like that allow defenders to warn users and position themselves well for what will likely be a round of scams targeting the emails of those users exposed.”
Trevor Morgan, product manager with comforte AG was struck by the clarity with which Robinhood acknowledged the social engineering that lay at the root of the breach:
“The stock trading platform Robinhood very directly addressed the ongoing problem of social engineering tactics. Social engineering is the use of trickery, misdirection, and other methods of subterfuge to fool a person into giving up sensitive information to a threat actor. Each one of us has been exposed (probably very recently) to social engineering tricks, whether through email appeals to click a link or launch an attachment or other forms of deceptive communication. Robinhood’s own organization succumbed to this “low-tech” approach to circumventing data protection methods. All it takes is one moment of inattention or gullibility, and the threat actor carrying out social engineering techniques is one step closer to the ultimate goal.
“The question Robinhood’s situation raises is, why are social engineering techniques still successful given the amount of information we all have on them? Most organizations spend ample time and funds trying to educate employees on all these techniques, but quite frankly training doesn’t address the root problem. Most employees work in a hyper-accelerated data environment in which demands for information are coming from all directions. To delay providing or sharing information can halt progress and potentially frustrate the requestor. We have all gotten used to working faster and pushing information out as fast as we can, but this is exactly the vulnerability that social engineering preys upon. Not taking the time to inspect emails, to think through a situation without haste or pressure, or to confirm a request to ensure the legitimacy of the requestor is the fatal flaw.
“Organizations can do two things. One, build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information. If business leaders can get behind initiatives that help employees take the time to do the right thing, then the culture of data privacy and data security will be that much stronger. Two, IT leaders can consider data-centric security as a means to protect sensitive data rather than the perimeters around data. Tokenization for example not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised.”
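The tokenization property Morgan describes, a stand-in value that is meaningless on its own but has the same shape as the original so existing validation and lookups keep working, is easy to see in a small vault-based implementation. This is an added example, not comforte's product or Robinhood's code; the customer record, the field formats and the idea that the application database stores only tokens while the vault holds the mapping are all assumptions made for the demonstration.

```python
"""Constructed example: vault-based, format-preserving tokenization of customer
fields. The application stores tokens; only the vault can map them back."""
import re
import secrets
import string

# Formats the application validates against; tokens must still pass them.
FORMATS = {
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "email": re.compile(r"[a-z0-9.]+@[a-z0-9.]+\.[a-z]{2,}"),
    "zip": re.compile(r"\d{5}"),
}

def matches_format(value: str, kind: str) -> bool:
    return FORMATS[kind].fullmatch(value) is not None

class TokenVault:
    """Holds the only copy of the token -> value mapping. In production this is an
    isolated, audited service; application databases never see the originals."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    @staticmethod
    def _same_shape(value: str) -> str:
        # Swap every digit for a random digit and every letter for a random letter
        # of the same case; punctuation stays, so the string keeps its format.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing to tokenize")
        if value in self._token_for:
            # Stable token: equality joins still work in the app (and equality leaks).
            return self._token_for[value]
        while True:
            token = self._same_shape(value)
            if token != value and token not in self._value_for:
                break
        self._token_for[value] = token
        self._value_for[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_for[token]

def protect(vault: TokenVault, record: dict, fields=("ssn", "email", "zip")) -> dict:
    """Return the record as the application database would store it."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}

def leaked_originals(protected_rows, original_rows, fields) -> set:
    """Given a dump of the protected table, which original sensitive values appear in it?"""
    originals = {row[f] for row in original_rows for f in fields}
    dumped = {row[f] for row in protected_rows for f in fields}
    return originals & dumped

if __name__ == "__main__":
    vault = TokenVault()
    customer = {"name": "Alice Smith", "email": "alice.smith@mail.example",  # constructed record
                "ssn": "123-45-6789", "zip": "02139"}
    stored = protect(vault, customer)
    print("stored row:", stored)
    print("originals recoverable from a dump:", leaked_originals([stored], [customer], ("ssn", "email", "zip")))
```

The name field is left in the clear here only to mirror the fields the breach exposed; the same call tokenizes it if the policy requires. Note the trade-off encoded in `tokenize`: returning the same token for the same input keeps lookups and joins working, which is the point of the technique, but it also means an attacker holding the token table can tell which rows share a value.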
Alicia Townsend, technology evangelist with OneLogin, emphasized the importance of both awareness training and least privilege policies:
“This incident highlights two important points: educating employees about possible cybersecurity threats especially social engineering threats and limiting access to customer information to the bare minimum for employees based upon their job role.
“Cybersecurity education needs to occur more than once a year in the form of self-paced online training. It needs to be spread throughout the year – run drills, send out fake phishing emails, have someone place USB drives out, use these types of tactics to teach employees what they might be up against, what they should be on the watch for and how to handle different scenarios. Most people learn best through hands-on learning.
“As a second form of defense employees should be limited in what they have access to. Least Privilege Access principles should be applied everywhere, especially when it comes to customer data. This way if an attacker is able to get past the employee and trick them, what they will have access to will be limited.”
Saryu Nayyar, CEO of Gurucul, sees irony in the choice of target–whoever the attackers were, Robin Hoods they ain’t:
“This must be a hacker with a sense of humor, although the actual loss of data is by no means funny. It’s ironic that the trading app Robinhood was hacked, with the possible loss of information on up to seven million users in a ransomware attack. After all, the historical Robin Hood was renowned for robbing from the rich and giving to the poor. We’re guessing that those who did the hack aren’t going to give it to the poor.
“It remains to be seen which group is responsible, and whether or not Robinhood paid the ransom, so this remains a developing story. And while it’s not easy to hack millions of records out of a system, it seems to happen on almost a daily basis these days. Legitimate customers deserve better protection than they seem to be getting these days.”
Ron Bradley, VP at Shared Assessments, as if competing to come up with cultural referents, analogizes the hack to a banana in a tailpipe:
“In the 1984 movie Beverly Hills Cop, there is a famous Eddie Murphy quote: ‘Look, man, I ain’t fallin’ for no banana in my tailpipe!’ So what does this have to do with the Robinhood hack? This is a prime example of social engineering, which has been around for decades. While technical controls help us to guard against threat actors, there will always be instances where someone will fall for a ruse.
“In this particular case, the type and number of records reportedly compromised aren’t particularly alarming to me. The fact is, anyone reading this column most certainly has had their data compromised in one fashion or another. The good news is, there were no reports of passwords being stolen, which would change the equation. Regardless, this is just another reminder of the importance of not reusing credentials across multiple platforms, particularly those which involve financial transactions.
“There’s no substitute for implementing multi factor authentication, password managers, and good cyber hygiene to reduce the blast radius in the case where personal information is part of a data breach or even a targeted attack.”
Garret Grajek, CEO of YouAttest, observed that attackers commonly conduct extensive reconnaissance before hitting their targets:
“Data breaches are the outcome of the constant scanning, exploring and probing that are being done on all internet resources today. Attackers use automated tools for 24/7 scanning – they then automate mapping to vulnerabilities and map exploitation tools to the discovered vulns. This is why zero-day hacks are, by nature, ahead of the patches: bad actors find the vulnerability before vendors have identified them, let alone patched them. It’s essential to use hardened platforms and adhere to solid security practices like the NIST 800-53, PR.AC-6, the principle of least privilege. We must assume our sites and the credentials themselves will be hacked and ensure that each identity provides the least amount of exposure to the enterprise resources. This is best practiced through identity triggers and reviews which help an enterprise discover over-privileged identities and malicious changes to permissions of compromised identities.”
CRITICALSTART’s CEO Randy Watkins also approved of Robinhood’s acknowledgement of successful social engineering:
“Social Engineering continues to be a key technique for attackers because of its low cost and low risk. In this scenario, attackers took advantage of the employees’ desire to help, gaining access to support systems in the process. Unfortunately, this attack vector has little technical prevention. While some industries require user awareness training, the dry subject nature of the material often creates a “click-and-drool” experience where the end user absorbs nothing. However, some security startups are addressing the problem with more engaging and entertaining user awareness training. I applaud Robinhood for the transparency and disclosure of the data breach.”
Danny Lopez, CEO of Glasswall, drew the perennial lesson about the importance of the human element in security:
“The Robinhood breach is an unfortunate but important educational illustration of the role the human element plays in the world of cybersecurity. In this case, it appears that an external bad actor manipulated a customer service representative to obtain legitimate credentials, enabling them to access key customer support systems and exfiltrate sensitive customer data.
“The solution to preventing incidents like this is two fold: training and technology. Training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices. The problem is, many of these training efforts are little more than an exercise in box ticking, covering the basics with employers then assuming their staff will remember what they need to do on every single occasion in the future when they are exposed to risk.
“People should understand that protecting their organisation from the impact of a security breach isn’t just about always applying every element of their training on every single occasion, it’s also about raising the alarm if a breach may have occurred without fear of punishment. Whether they are right or wrong, employees should be encouraged to always raise the alarm if something doesn’t feel right.
“On the technology side, taking a proactive, zero trust (never trust/always verify) approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical. It’s also far more efficient and cost-effective than relying solely on your employees.”
And, finally, Neil Jones, cybersecurity evangelist at Egnyte, saw the incident as further evidence of the importance of a holistic security program:
“The cyberattack on Robinhood demonstrates how important it is to have a holistic security program in place. The cyber-criminal was able to trick a customer service representative into providing credentials that were required to perpetrate the attack and access PII that he later used in an attempt to extort Robinhood.
“This illustrates that no matter how thorough your employee training may be, there still needs to be a data-centric security program in place so data can be properly discovered, classified and secured, resulting in a higher level of protection for sensitive data and critical assets. It is also a textbook example of why access to sensitive information needs to be managed based upon a ‘Business Need to Know’ basis. The attacker who was trying to extort Robinhood with stolen information shows the new wave of cyber-crime will be cyber-extortion, and it doesn’t necessarily need to be based on ransomware attacks and file encryption. Rather, it can originate with data-theft attempts and the stolen data may be abused, as well.”