On 3rd December 2018, Quora published some alarming news. Hackers managed to bypass its security measures and obtain information on over 100 million users, including names, email addresses, direct messages and even account activity details. The hack is a serious threat to users' personal safety and information. In the wake of such a massive data breach, some reflection is needed. How did the hack take place? And was there a way to prevent it?
Why should you be concerned?
The biggest point of concern for users is linked accounts. Quora gives users the option to sign in to their Quora account with their Facebook or Gmail account, which implies that hackers can access a user's Gmail or Facebook account. In addition to linked accounts, there is the issue of social profiles. The questions asked, answers given and comments upvoted could easily be used to build a social profile of a user. In other words, strangers could learn a user's hobbies, profession, skills and political ideology without the user knowing about it. Finally, there is the problem of passwords.
Some users might have used the same password for their Quora, social media and perhaps even bank accounts. If the password was the same for all these accounts, then hackers now have access to all of that information.
While users should take the Quora hack seriously, it is not a complete doom and gloom scenario. Quora does not ask for financial information, so hacked users will not have bank information compromised. Furthermore, Quora does not store information on anonymous users, so people who use Quora without an account remain safe.
Was there a way to prevent this?
It’s impossible to determine if the incident could have been prevented completely. After all, we are not entirely sure what security method Quora uses beyond cryptographic hashing. However, the question remains – was it possible to beef up security further to deter hackers? It goes without saying that if a system has multiple layers of security, hackers will be discouraged and move onto an easier target. Was there a second measure Quora could have used to secure their users’ information?
How can you protect yourself?
Two-factor authentication is a security system that adds an extra layer of protection to users accessing their accounts. Hence, users have to validate their identity twice before they gain access. There are three different methods for two-factor authentication: alphanumeric, device-based, and biometric.
Alphanumeric codes are the most basic form of two-step verification, and many users will already have encountered some variant of this method. After logging in to your account, a message is sent to your phone (the phone number is given during registration). The message contains an alphanumeric code, which you must enter to gain access to your account.
With device-based authentication, a user logging in from one device receives a notification on their phone and must confirm their identity through that notification before access is granted. We already see a form of device-based authentication in Gmail: if you log in to a Gmail account from a new device, Gmail sends a notification to your phone asking whether it was you who logged in.
Arguably the most sophisticated of the two-factor verification methods, biometric access requires fingerprint scanning, facial scanning or even voice confirmation.
Two-factor authentication is effective because the extra security measure acts as a deterrent. Hackers are less likely to target a system that has two levels of security. Furthermore, the system relies on multiple devices to work, so hackers are less likely to gain access to an account if they cannot also obtain the owner's mobile device. Thus it becomes incredibly difficult to hack millions of accounts if two-factor authentication is used.
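As an added example (not Quora's code and not from the original post), the server-side half of the alphanumeric method described above: the site issues a short random code for delivery to the user's phone, stores only a keyed hash of it, and accepts the code once, within a time limit, with a capped number of attempts. The `OtpServer` class name, the six-character code, the five-minute lifetime and the five-attempt cap are assumptions chosen for illustration; the delivery channel (SMS) is outside the snippet.

```python
import hashlib
import hmac
import secrets
import string
import time

# Constructed policy for this example (an assumption, not any site's real settings).
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 6
CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


class OtpServer:
    """Issues and verifies one-time alphanumeric codes for the second login step.

    The clear-text code exists only long enough to be sent to the user's phone.
    The server keeps an HMAC of it, so a copy of the server's pending-code table
    does not hand out currently valid codes to whoever stole it.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key      # secret HMAC key held by the server
        self._now = now             # clock, injectable for testing
        # user_id -> (code_hmac, expires_at, attempts_left)
        self._pending = {}

    def _hash(self, user_id: str, code: str) -> bytes:
        # Bind the code to the account so a code issued to one user cannot be
        # replayed against another user's login.
        msg = f"{user_id}:{code}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery (e.g. by SMS).

        Re-issuing replaces any earlier pending code for the same user.
        """
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[user_id] = (
            self._hash(user_id, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once for the right code, within its lifetime."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing outstanding for this user
        expected, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user_id]  # expired or exhausted: force a new issue
            return False
        # Codes are case-insensitive and users often paste them with whitespace.
        candidate = self._hash(user_id, submitted.strip().upper())
        if hmac.compare_digest(candidate, expected):
            del self._pending[user_id]  # single use: a captured code is worthless afterwards
            return True
        self._pending[user_id] = (expected, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    server = OtpServer(secrets.token_bytes(32))
    code = server.issue("alice")
    print("sent to alice's phone:", code)
    print("first use:", server.verify("alice", code.lower()))
    print("replay:", server.verify("alice", code))
```

Three properties of the method map directly onto the code: the expiry and attempt cap keep a six-character code from being guessed, the per-user binding and single-use rule stop a captured code from being reused, and the keyed hash means the second factor survives even if the pending-code table leaks the way the password table did.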
The hack on Quora is only one of the most recent reported data breaches and thefts. Dell and Marriott, for example, have also had user information compromised, which reveals a disturbing trend of companies lacking adequate security protocols to protect customer information. If companies had more robust and secure systems, featuring two-factor authentication for example, this could deter hackers and force them to look elsewhere.
We strongly feel that secure systems requiring multiple levels of authentication (while incorporating multiple devices) would have discouraged hackers. Moving forward, it's important for companies to pay greater attention to the security of their users' information. Incorporating multiple levels of security to protect user information would be a great place to start.
Need help with Two-Factor Authentication in your business?