Data octopus acquires messaging service – and also your corporate data?SecurEnvoy 31/03/2014 Archive
The social media network Facebook recently caused a stir when it announced that it will acquire the popular messaging service WhatsApp. The resulting concerns are understandable – the merger of a data octopus disguised as a “social platform” with an unencrypted messaging service via which millions of messages, pictures and videos are sent daily might well be seen as a dangerous combination.
And it is not just private individuals that are threatened by the new partnership – companies are also indirectly at risk because employees often use their business devices, such as smartphones, for private purposes, or install applications such as WhatsApp in order to communicate with colleagues. This could allow hackers to gain access to the corporate network.
This is because, despite a recent extension of its privacy settings, WhatsApp still sends all its messages unencrypted. In other words, the provider can always view the content of messages and, if necessary, make such content available to partners. Even private individuals can access the content, because there are now apps available that are apparently able to fully read the chat messages. This is a nightmare for IT managers, who see droves of sensitive information moving around in plain text. Passwords can also be extracted or derived from chat discussions. From there it is only a small step to having a hacked user account. But there is a better way: mobile devices that risk providing an entry point for attackers can also be used as security barriers – by means of tokenless two-factor authentication. Users can obtain a six-digit passcode via SMS, e-mail or soft token app, which is then entered along with personal login details and a password in order to login. Only the correct combination of these factors enables access. In other words, even if cyber-criminals gain access to the username and password, they still lack the passcode that would ultimately grant access.
This approach allows IT departments to protect their networks from unauthorised intruders and keep the data octopus in check – even if employees are somewhat careless with their login information.