In 2008, to much fanfare, Facebook introduced a new online platform called Facebook Connect, proclaimed as “the” scalable SSO (single sign-on), a digital hall pass for the Internet. It was pitched to companies with a simple proposition: connect to the Facebook platform and we’ll make it faster and easier for people to use your apps, because users are more apt to sign up for new mobile apps and websites when doing so is easy. With one click, a Facebook user can log in to any mobile app or website implementing Facebook Connect using their Facebook credentials. It also promised an added measure of security, since users wouldn’t need to create and remember a new password every time they signed up for a new app. Awesome, where do I sign up for this perfect solution, right? A technology platform that provides immense convenience and a streamlined user experience to your customers and can easily be integrated into your technology stack, whether you’re part of an SME or a large enterprise. This “perfect” solution has been adopted by thousands of companies across the globe, ranging from SME marketing companies to large enterprises like Airbnb and Uber.
Ten years on from its inception, Facebook Connect doesn’t seem so “perfect” after all, and the perception has changed from an Internet-wide single sign-on solution to a single, Internet-wide security nightmare.
Over the past few weeks, Facebook announced that first 50 million, then (after revising its estimate) 30 million account entry keys, the access tokens that Facebook Connect logins rely on, had been stolen in the largest hack in the company’s fourteen-year history. Since the announcement, companies large and small have been scrambling to determine the possible effects on their customers and networks.
On the surface, 30 million users is well under 2% of Facebook’s roughly 2.2 billion monthly users; however, the impact of this hack is far bigger, because a stolen entry key can be used to gain access to the many interconnected mobile apps and websites that accept a Facebook login. Stop for a second and think about how many mobile apps and websites use your Facebook account. If you’ve run out of fingers, you get the point. If you don’t have a Facebook account, I applaud you. The stats say you’re over 45 and keep the 2018 equivalent of a Motorola flip phone in your back pocket, but you’re still exposed to the third-party risk thanks to your Facebook-loving friends, who have your email address, phone number and, if they are really organized, your home and work addresses in their contacts. Let’s not get into email correspondence, chats, essentially any digital communication between you and your Facebook-loving friends. This hack and its fallout underscore the extent to which Facebook has cemented itself as the identity provider of the Internet, and what happens when the security systems of one company, trusted by so many, fail.
Buried within Facebook’s recent admission was a surprising revelation for its business customers: Workplace by Facebook, used by 30,000 organizations as of a year ago, has affected customers too. If you’re a small or medium enterprise that initially adopted Slack to improve workplace collaboration and efficiency and then migrated to Facebook Workplace, then congratulations: your company may be exposed to serious third-party risk thanks to Facebook. Let’s try to determine whether this particular nugget of the Facebook hack poses any third-party risk to your company. Back in 2015, Facebook announced that the Royal Bank of Scotland had signed up to use the Workplace beta with the intention of rolling it out to 100,000 employees, and when Facebook launched the Workplace product in 2016 it said it already had about 1,000 customers. During 2015–16, Workplace allowed employees to link their Workplace account with their personal Facebook account, so a stolen entry key for the personal account lets an attacker read the files and posts in a Workplace community, which is the equivalent of reading work email.
Below are some easy ways to determine your SME’s risk exposure:
Yes, that’s Facebook’s fix to its debacle: force users to log out, which invalidates the account entry key (access token). Simple enough, and an inconvenience to Facebook users, but an even simpler “fix” for Facebook. Let’s review Facebook’s public timeline of this hack and dig a little deeper:
Given the sophistication of this particular hack, it’s reasonable to surmise that the malicious actors were using this exploit long before September 16th and collecting access tokens. Here’s what really happened:
Facebook has stated that it can’t pinpoint exactly when the malicious actors established the attack chain that exploited three separate vulnerabilities, but the vulnerabilities had existed since July 2017. Yikes…
There’s an obvious problem with instructing Facebook Connect users to simply force a log-out to “mitigate” this hack: invalidating the Facebook token does nothing to the sessions that third-party apps and websites already issued in exchange for that token, and a relying party that neither re-verifies tokens with Facebook nor expires its own sessions is none the wiser. The reality is that Facebook, with all its resources, has few solutions for its Facebook Connect customers beyond a soon-to-be-released tool that is meant to help SMEs and large enterprises alike identify which accounts may have been accessed through Facebook Connect.
Facebook’s handling of user data has been under scrutiny for the better part of this year, so this hack couldn’t have come at a worse time. The company is still reeling from a series of scandals that unfolded in the wake of the 2016 US presidential election: a widespread Russian disinformation campaign leveraged the platform unnoticed, followed by revelations that third-party companies like Cambridge Analytica had collected user data without users’ knowledge. Facebook already faces multiple federal investigations into its privacy and data-sharing practices, including a probe by the Federal Trade Commission and another by the Securities and Exchange Commission. This hack will ramp up efforts to regulate Facebook and other technology companies through financial penalties, legislation or both. In Europe, Facebook could face a fine of as much as $1.63 billion if it is found in violation of the General Data Protection Regulation (GDPR), the European Union’s sweeping consumer privacy law. GDPR allows fines of up to 4% of a company’s global annual turnover for violating its rules on protecting personal data, which include a requirement that the supervisory authority be notified within 72 hours of the company becoming aware of a breach. Ireland’s Data Protection Commission, Facebook’s lead supervisory authority under GDPR, is heading up an investigation into the breach.
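The two checks a relying party actually needs here, as an added example that is not Facebook’s code nor code from the original article: revoke your own sessions that were minted from the compromised identity provider before its revocation cutoff, and re-verify any token a client still presents instead of trusting it as handed over. The field names (is_valid, app_id, user_id, issued_at, expires_at) are modelled on Facebook’s documented /debug_token response and should be checked against current docs; the HTTP call is left out so the example runs offline on a constructed response, and every id, timestamp and session below is constructed.

```python
"""Relying-party response to an identity provider's token compromise.

Added example, not Facebook's code and not from the original article.
  1. Revoke the site's OWN sessions minted from the IdP before the IdP's
     revocation cutoff: Facebook invalidating its tokens does not end a
     session cookie the site issued in exchange for one.
  2. Re-verify any IdP token a client still presents, failing closed.
Assumptions: field names follow Facebook's /debug_token "data" object as
documented in 2018; the HTTP call is omitted; all data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    """One relying-party session, recorded with how it was established."""
    session_id: str
    user_id: str          # relying party's own user id
    idp: str              # "facebook", "password", ...
    idp_subject: str      # IdP-side user id the session was minted from ("" if none)
    created_at: int       # epoch seconds
    revoked: bool = False


def revoke_sessions_from_idp(sessions: List[Session], idp: str, cutoff: int) -> List[str]:
    """Revoke every live session established via `idp` before `cutoff`.

    Sessions minted after the cutoff came from tokens issued after the
    IdP's reset and are kept. Returns the ids of the sessions revoked.
    """
    revoked = []
    for s in sessions:
        if not s.revoked and s.idp == idp and s.created_at < cutoff:
            s.revoked = True
            revoked.append(s.session_id)
    return revoked


def token_is_trustworthy(debug: Dict, expected_app_id: str, expected_user_id: str,
                         now: int, cutoff: int) -> bool:
    """Decide whether an introspection result describes a token we may accept.

    `debug` is the parsed "data" object of a /debug_token-style response.
    Every check fails closed: a missing field rejects the token.
    """
    if not debug.get("is_valid", False):
        return False                                   # IdP says revoked or expired
    if str(debug.get("app_id", "")) != str(expected_app_id):
        return False                                   # token was issued to another app
    if str(debug.get("user_id", "")) != str(expected_user_id):
        return False                                   # token belongs to another user
    expires_at = int(debug.get("expires_at", 0) or 0)
    if expires_at and expires_at <= now:
        return False                                   # 0 means "does not expire"
    if int(debug.get("issued_at", 0) or 0) < cutoff:
        return False                                   # minted before the mass reset
    return True


# Constructed incident parameters (assumptions, not real values).
REVOCATION_CUTOFF = 1538092800   # 2018-09-28T00:00:00Z: when the IdP reset its tokens
NOW = 1538150000
APP_ID = "123456"


def make_sessions() -> List[Session]:
    return [
        Session("s1", "u1", "facebook", "98765", 1538000000),        # minted before reset
        Session("s2", "u2", "password", "", 1538000000),             # not from the IdP
        Session("s3", "u3", "facebook", "55555", 1538100000),        # minted after reset
        Session("s4", "u4", "facebook", "77777", 1537900000, True),  # already revoked
    ]


DEBUG_RESPONSES = {
    "fresh":     {"is_valid": True,  "app_id": "123456", "user_id": "98765",
                  "issued_at": 1538100000, "expires_at": 1543200000},
    "stale":     {"is_valid": True,  "app_id": "123456", "user_id": "98765",
                  "issued_at": 1537000000, "expires_at": 1543200000},
    "wrong_app": {"is_valid": True,  "app_id": "999999", "user_id": "98765",
                  "issued_at": 1538100000, "expires_at": 1543200000},
    "invalid":   {"is_valid": False, "app_id": "123456", "user_id": "98765"},
}


def run_demo() -> Tuple[List[str], Dict[str, bool]]:
    revoked = revoke_sessions_from_idp(make_sessions(), "facebook", REVOCATION_CUTOFF)
    verdicts = {name: token_is_trustworthy(d, APP_ID, "98765", NOW, REVOCATION_CUTOFF)
                for name, d in DEBUG_RESPONSES.items()}
    return revoked, verdicts


if __name__ == "__main__":
    print(run_demo())
```

Only s1 is revoked: s2 was never tied to the IdP, s3 was minted after the reset, and s4 was already dead. Of the four introspection results only the fresh token passes; a still-valid token issued before the cutoff is rejected because the point of the exercise is that tokens from before the reset cannot be trusted even if the IdP has not yet got round to invalidating them.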
Facebook’s platform relies on trust: users trust that their pictures will be seen only by those in their networks and that their private messages will be read only by the people to whom they were sent. Facebook may look like a juggernaut now, but social networks have fallen before, and this is hardly its only data privacy issue this year. This particular hack erodes trust, the very ingredient that attracts its users, and we’ll soon know how much damage has been done to Facebook’s brand and to its users’ desire to keep using the platform rather than take their “business” elsewhere.
Facebook Connect levels the playing field between SMEs and large enterprises and streamlines what they can offer customers. Roughly 80% of SMEs use Facebook for marketing, which makes the iconic social media platform the most popular tool for small business marketers in the digital world and beyond. With its rise in popularity, Facebook has also become the largest point of third-party risk to SMEs, and the recent hack is a testament to this. Not only are SMEs now firmly in the crosshairs of malicious actors, they are fast becoming a favored target because they are often woefully unprepared: a lack of CapEx/OpEx resources translates into few or no cyber security measures in place. With issues like this, they may be apt to move to Google+ as their social media network. I mean, they’re a well-known brand, and certainly you can trust Google with security and transparency… right?
Cybersecurity SEC Enforcement Action
On 9/26/2018 the Securities and Exchange Commission charged Voya Financial Advisors, Inc. (“VFA”) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.
The SEC’s Order states that, over a six-day period in 2016, cyber intruders impersonated VFA contractors by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. VFA failed to terminate the intruders’ access. VFA also failed to apply its procedures to the systems used by its independent contractors, who made up the bulk of VFA’s workforce.
Without admitting or denying the SEC’s findings, VFA agreed to be censured, to pay a $1 million penalty, and to retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule, the Identity Theft Red Flags Rule and related regulations.
Although VFA adopted a written Identity Theft Prevention Program, VFA violated the Identity Theft Red Flags Rule because it did not review and update the program in response to changes in risks to its customers. Additionally, VFA did not provide adequate training to its employees and contractors regarding the Identity Theft Prevention Program. Further, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags.
Red Flag Rule
The Identity Theft Red Flags Rule requires certain financial institutions and creditors, including broker-dealers and investment advisers registered or required to be registered with the Commission, to develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. An Identity Theft Prevention Program must include reasonable policies and procedures to:
identify relevant red flags for the covered accounts and incorporate them into the Identity Theft Prevention Program; detect the red flags that have been incorporated into the Identity Theft Prevention Program; respond appropriately to any red flags that are detected pursuant to the Identity Theft Prevention Program; and ensure that the Identity Theft Prevention Program is updated periodically to reflect changes in risks to customers from identity theft.
Identifying Red Flags
To identify Red Flags, firms must consider risk factors including but not limited to:
The methods by which the firm opens accounts; The methods by which the firm grants access to accounts; Any previous experiences with identity theft; Alerts, notifications or warnings from a credit reporting agency; Suspicious documents; A social security number, address or telephone number provided by the applicant or customer that is identical to that of another applicant or customer; Suspicious personal identifying information; Any unusual use of, or other suspicious activity related to, a covered account; and Notification from clients, victims of identity theft, law enforcement authorities or other sources regarding possible identity theft.
Voya was compromised by a well-executed social engineering attack, that is, by malicious actors exploiting human behavior. While the public perception is often that malicious actors start with a highly technical attack vector to gain access to a victim’s network, social engineering is actually the most common attack vector. Typically, after gaining access to a victim’s internal resources through social engineering, malicious actors will move laterally within the victim’s network. Firewalls and other intrusion prevention methods are ineffective if employees are tricked into clicking a malicious link they think came from a Facebook friend or LinkedIn connection, or into resetting a password for a caller they cannot verify. Whatever sophisticated protections a company puts in place, it must implement the right security policies and processes, measure their effectiveness and continuously improve. Otherwise, a crafty malicious actor will keep adapting his or her social engineering attacks around the security measures.
People inherently want to trust, and that is exactly what a successful social engineering attack exploits. If someone sends you an email that says it is from a co-worker, you will likely trust it if it relates to something specific and familiar to you. Once that trust is established, you will have fewer reservations about clicking on links or images in the body of the email. Similarly, if a phone caller has a credible explanation for needing certain information or systems access, your tendency will be to trust it, since most of the time such a request is legitimate. Most people want to be kind and courteous and are trained to be compliant, especially in a work environment. This is heightened by frustration with a seemingly bureaucratic process or by an expression of urgency… who isn’t busy, or frustrated by safety bumps that 95% of the time turn out to be unnecessary?
Malicious actors will often do weeks or months of background reconnaissance to familiarize themselves with your workplace before setting foot in your door, phishing your co-workers or making a phone call. Typical preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook. They know that time is not on their side, so every request is framed as urgent and demanding a prompt response. This is the trap that VFA’s support staff fell into when callers posing as contractors asked for password resets…
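The pattern the SEC describes (a help-desk password reset requested over the phone, followed shortly by a login from an address the account has never used, with one address then reused across several freshly reset accounts) is detectable from ordinary help-desk and authentication logs. The following detection logic is an added example, not code from the article or from the SEC Order; the log format, account names, IP addresses, timestamps and the two-hour window are all constructed for illustration.

```python
"""Detecting the VFA pattern: a help-desk password reset followed shortly
by a successful login from an address never seen for that account, and the
same address reused across several accounts.

Added example, not from the article or the SEC Order. The log format,
account names, IPs, timestamps and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed baseline: addresses each account logged in from before the
# incident window. A real detector would build this from login history.
BASELINE_LOGINS: Dict[str, Set[str]] = {
    "c.reyes":  {"198.51.100.10", "198.51.100.11"},
    "j.okafor": {"198.51.100.22"},
    "m.lind":   {"198.51.100.30"},
}

# Constructed help-desk and authentication events, one per line.
EVENTS = """\
2016-04-02T10:02:11Z helpdesk password_reset account=c.reyes channel=phone agent=hd17
2016-04-02T10:09:40Z auth login account=c.reyes ip=203.0.113.45 result=success
2016-04-02T14:30:05Z helpdesk password_reset account=j.okafor channel=phone agent=hd09
2016-04-02T14:31:12Z auth login account=j.okafor ip=203.0.113.45 result=success
2016-04-03T09:15:00Z helpdesk password_reset account=m.lind channel=portal agent=self
2016-04-03T09:20:33Z auth login account=m.lind ip=198.51.100.30 result=success
2016-04-04T11:00:00Z auth login account=c.reyes ip=198.51.100.10 result=success
"""

RESET_TO_LOGIN_WINDOW = timedelta(hours=2)   # constructed threshold


def parse_event(line: str) -> Dict[str, object]:
    """Split '<ts> <source> <action> k=v k=v ...' into a dict."""
    ts, source, action, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "action": action, **fields}


def load_events(text: str = EVENTS) -> List[Dict[str, object]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_reset_then_new_ip(events, baseline, window=RESET_TO_LOGIN_WINDOW):
    """Alert when a help-desk reset is followed, within `window`, by a
    successful login from an address the account has never used."""
    seen = {acct: set(ips) for acct, ips in baseline.items()}
    pending = {}   # account -> most recent help-desk reset not yet matched to a login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if ev["source"] == "helpdesk" and ev["action"] == "password_reset":
            pending[acct] = ev
            continue
        if not (ev["source"] == "auth" and ev["action"] == "login"
                and ev.get("result") == "success"):
            continue
        ip = ev["ip"]
        reset = pending.pop(acct, None)        # a reset is consumed by the first login after it
        if reset and ev["ts"] - reset["ts"] <= window and ip not in seen.get(acct, set()):
            alerts.append({"account": acct, "ip": ip,
                           "reset_channel": reset["channel"], "reset_agent": reset["agent"],
                           "reset_at": reset["ts"], "login_at": ev["ts"]})
            continue                           # never learn a suspicious address as baseline
        seen.setdefault(acct, set()).add(ip)
    return alerts


def correlate_by_ip(alerts):
    """Group alerts by source address: one address hitting several freshly
    reset accounts is the signature of a single intruder working a list."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a["ip"]].append(a["account"])
    return {ip: sorted(accts) for ip, accts in by_ip.items() if len(accts) > 1}


if __name__ == "__main__":
    found = detect_reset_then_new_ip(load_events(), BASELINE_LOGINS)
    for a in found:
        print(f"{a['account']}: reset via {a['reset_channel']} ({a['reset_agent']}) at "
              f"{a['reset_at']:%Y-%m-%d %H:%M}, login from new ip {a['ip']} at {a['login_at']:%H:%M}")
    print("shared addresses:", correlate_by_ip(found))
```

On the constructed sample, c.reyes and j.okafor are flagged (phone reset, then a login minutes later from 203.0.113.45, an address neither account had used), while m.lind's self-service reset followed by a login from a known address is not. Correlating the alerts by address then ties both flagged accounts to the same source, which is the kind of signal that should have led to the intruders' access being terminated rather than left open. Recording the help-desk agent on each alert is deliberate: it lets the review extend to the identity-verification step that failed on the phone.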
Regulatory Focus on Ongoing Review and Assessment of Information Security Policies
As it has for the past three years, in 2018 the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced that it would include cybersecurity as an exam priority and allocated staff for this purpose. Firms and their employees have a responsibility to implement their cybersecurity policies and procedures and an obligation to monitor them on an ongoing basis. Aside from adequate technological systems, firms must provide training to both employees and contractors and stress the importance of security for a strong defense against data breaches and fraud. As noted above, from a security standpoint, independent contractors and other third-party vendors are the firm’s responsibility.
Cybersecurity policies and procedures must be reasonably designed to fit your specific business model. The SEC alleged that VFA violated the Safeguards Rule because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives.
The VFA action is yet another reminder by the SEC for firms to remain vigilant in their information security program, continue to actively assess not only their risk, but their third party provider risk, and implement controls that are appropriately designed to mitigate this risk.
NCS Regulatory Compliance offers comprehensive cybersecurity assessments to evaluate your current compliance status, analyze your level of vulnerability to attack, and provide guidance to mitigate risk, increase cybersecurity controls, and prevent a breach that could result in regulatory enforcement and fines. To learn more, contact your compliance consultant.
SEC Press Release: https://www.sec.gov/news/press-release/2018-213
SEC Administrative Proceeding: https://www.sec.gov/litigation/admin/2018/34-84288.pdf
SEC Red Flag Rule: https://www.sec.gov/info/smallbus/secg/identity-theft-red-flag-secg.htm