![]() The Wiseasy hack underscores the importance of adhering to long established security best practices such as requiring multifactor authentication and using dedicated management workstations for privileged operations. Sure cuts a lot hack how to#Moving Forward: How to protect your own network from a similar hack Ideally, Wiseasy would be monitoring their own network for a potential breach and shut it down immediately when it's first noticed. 4 - Stay on top of your own securityįinally, the biggest mistake made in the Wiseasy hack was that the company seemingly (based on the Tech Crunch article) did not know that its accounts had been compromised until they were contacted by Buguard.īuguard is a security company specializing in pen testing and dark web monitoring. Additionally, privileged accounts should ideally be used only on designated management systems that have been hardened and are not used for any other tasks. The Tech Crunch article does not say that the admin's computer had been infected with malware, but since malware was used to gain access to the dashboard and the screen capture shows an admin logged into the dashboard, it is entirely possible that an admin's machine was compromised.Īs a best practice, privileged accounts should only be used when required for a particular task (with standard accounts being used at other times). Tech Crunch reported seeing screen captures of the Wiseasy dashboard in which an admin user had remote access to payment terminals. 3 - Devices should be triple checkedĪ possible third mistake might have been that of Wiseasy employees accessing sensitive resources from a non-hardened device. In any case, Wiseasy did not use multifactor authentication, there was nothing stopping hackers from logging in using stolen credentials. Sure cuts a lot hack code#Often this means providing a code that was sent to the user's smartphone by SMS text message, but there are many other forms of multifactor authentication. Multifactor authentication requires users to use an additional mechanism to prove their identity prior to accessing sensitive resources. This meant that anyone with access to a valid username and password could log in, even if the credentials were stolen (as was the case in the Wiseasy hack). In the past, most systems were protected solely by authentication credentials. 2 - Credentials alone won't cut itĪ second mistake that likely helped the hack to succeed was that Wiseasy did not require multifactor authentication to be used when accessing the dashboard. Sure cuts a lot hack verification#The open display of customer information, without a secondary verification of the end-user, also goes against a zero-trust policy. In a standard security environment, interface should never be designed to display passwords. Although the case could be made that such information is necessary for Wiseasy to manage terminals on their customers' behalf, Tech Crunch goes on to say that a dashboard view revealed the Wi-Fi name and plain text password for the network that the payment terminal was connected to. According to Tech Crunch, the dashboard "allowed anyone to view names, phone numbers, email addresses, and access permissions". While it is easy to simply dismiss the Wiseasy hack as stemming from an unavoidable malware infection, the truth is that Wiseasy made several mistakes (according to the Tech Crunch article) that allowed the hack to succeed.įor example, the dashboard itself likely exposed more information than it should have. 1 - Transparency isn't always the best policy ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |