After a list of Comcast email accounts were offered for sale in an underground store, consisting of customers’ Comcast email addresses and associated passwords, Comcast—one of the largest providers of cable, internet and phone services in the US—forced a password reset on those accounts.
Of the 600,000 accounts offered for sale, 200,000 were found by Comcast to be active, leading them to reset the passwords on all the accounts for safe measure. The forced password reset by Comcast ensures that those passwords are rendered useless to fraudsters, while the email addresses themselves could still be leveraged to deliver all forms of spam (from phishing attacks to 419 scams and malware infection points).
Forced password resets generally consist of a central annulment of current passwords, coupled with an email notice to customers to click a link to reset their passwords, or to login in with a temporary password and then immediately create a new one.
Carrier accounts have been coveted by fraudsters for quite some time now, for the free phone and internet services fraudsters can gain through them, as well as a means to an end when performing online banking fraud. Therefore, the question remains, are password resets enough? Will a password reset protect an account against the next phishing attack? Or against the next generic malware campaign? Not to mention the risk arising from an insider leak or a yet undiscovered database breach.
With passwords known to be vulnerable to so many threats, it may be time for service providers to consider an alternative, such as a simple password-less solution. For example, one-time passcodes sent to a user’s phone or email, which can replace static passwords altogether, or pattern-based authentication.
While implementing strong authentication costs mobile carriers and ISPs only a few dollars a month per account, the ROI can save them the aggravation of making the breach headlines, as well as the $179 expended per breached record, the industry cost according to the Ponemon Institute’s 2015 Cost of Data Breach Study.
So instead of logging into the management console, and issuing password resets to their users, perhaps IT and security managers should consider eliminating passwords altogether, and provision their users with simple strong authentication?
To learn about affordable, flexible, cloud-based authentication, download the SafeNet Authentication Service Product Brief.