Tuesday, July 28, 2020
Reports indicate that hackers exploited Waydev, a Dave.com third-party service provider that had used an insecure encryption method to store user passwords. Investigators claim that Waydev used "bcrypt," a well-known hashing algorithm, to store the passwords, providing hackers with an exploitable cache of names, email addresses and personally identifiable data.
While there is no evidence any users have been victimized, Dave.com implemented advanced security measures and is requiring updated passwords when users log in to the Dave.com app and website.
Timothy Chiu, vice president of marketing at K2 Cyber Security, noted a well-known SQL injection vulnerability gave hackers unauthorized access to Dave.com. This event is the most recent example of a well-known OWASP application security risk, he stated, adding that SQL injection is "number one" on the Top 10 list of vulnerabilities that have led to significant data security breaches.
Chiu went on to say that security analysts have seen these patterns again and again in high-profile breaches, most recently with FBI, Facebook and Quest Diagnostics. He urged organizations to implement best practices across the board and demand the same level of security from service providers by keeping two principles in mind. "First, the security of your third-party partners is just as important as your own security," Chiu said. "Second, SQL injection is a threat that's been around since the inception of the OWASP Top 10 list, so it should be troubling that an estimated 25 percent of breaches last year started with an SQL Injection attack."
Chiu recommended that organizations and participating service providers collaborate to protect themselves against SQL injection vulnerabilities. This entails adopting better coding practices that prevent SQL injection. It may also require better testing methods to identify SQL injection vulnerabilities before code reaches production. And finally, organizations need advanced protections in place to mitigate SQL injection attacks at runtime, he stated.
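To make the "better coding practices" and "better testing" points concrete, here is an added example (not code from the article, Dave.com or Waydev) that places a lookup built by string concatenation beside its parameterized form and runs a constructed probe input against both, the kind of check a pre-production test suite can use to confirm that untrusted input is treated as data rather than as SQL. The table layout and values are assumptions.

```python
import sqlite3

# Constructed in-memory table standing in for a customer database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")])
    return conn

def lookup_unsafe(conn, email):
    # Vulnerable pattern: the untrusted value is spliced into the SQL text,
    # so quote characters inside it change the structure of the query.
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    # Hardened pattern: a bound parameter is always passed to the database
    # engine as data, never parsed as part of the SQL statement.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

# Constructed probe input: a textbook tautology used only as a regression check.
PROBE = "' OR 1=1 --"

def input_is_contained(conn, lookup):
    """Regression check: a non-existent address must match no rows at all,
    regardless of what characters it contains."""
    return lookup(conn, PROBE) == []

def demo():
    conn = make_db()
    return {
        "unsafe_rows": lookup_unsafe(conn, PROBE),   # every row leaks
        "safe_rows": lookup_safe(conn, PROBE),       # nothing matches
        "unsafe_passes_check": input_is_contained(conn, lookup_unsafe),
        "safe_passes_check": input_is_contained(conn, lookup_safe),
    }
```

Running `demo()` shows the concatenated query returning the whole table for the probe while the parameterized query returns nothing, which is exactly the assertion worth wiring into a test before code ships.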
A public statement on Dave.com confirmed that the company is "working around the clock" to protect its customer database. "Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords," company representatives stated. "Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist."
CrowdStrike provides incident response expertise to help affected companies identify how attackers accessed environments, determine how to mitigate access and implement preventive measures to mitigate future attacks. The security service provider received a patent in 2015 for the core functionality of its endpoint security sensor, CrowdStrike Falcon. The Software-as-a-Service solution is designed to detect malware and non-malware-based attacks, while offering critical context and real-time search capability. The cloud-based service can be managed and updated remotely, with no disruption to customer systems, the company stated.