The Fine Print Isn’t Enough
In the past few months we have seen several instances in which institutions whose security was breached tried to shift responsibility for the consequences to their customers. In some cases, account access credentials were acquired by attackers through malware. In other cases, it was simply a matter of password reset procedures that are too easy to game. However, “social engineering,” or tricking humans into disclosing credentials and other sensitive data, is one of the favorite attack vectors on corporate systems. This year’s DefCon even had a contest for social engineering attacks with an iPad as the prize.
In light of that, we are following an interesting case making its way through the courts in New York. The plaintiffs are Baidu, Inc. and Beijing Baidu Netcom Science & Technology Co., Ltd., the largest Internet search engine service in China. The defendant is Register.com, where Baidu registered its domain name “baidu.com.” Register.com provides its clients, including Baidu, with Internet traffic routing services. On January 11, 2010, someone successfully attacked Baidu by gaining unauthorized access to Baidu’s account at Register.com. As a result, for about five hours Internet traffic intended for Baidu’s web site was re-directed to a web page showing an Iranian flag and a broken Star of David and proclaiming: “This site has been hacked by the Iranian Cyber Army.”
The Register.com Master Services Agreement (MSA) accepted by Baidu states that Baidu agrees to use Register.com entirely at its own risk and that Register.com has no liability if Baidu experiences problems as a result of using Register.com. However, New York courts have ruled that they will not enforce such limitation of liability clauses, even between sophisticated commercial parties, if there is evidence of gross negligence and reckless disregard by the party providing the service. The judge who evaluated Register.com motion to dismiss the Baidu suit ruled in favor of Baidu. His reasoning was that Register.com did not follow its own security procedures, allowing the attacker to obtain access to the Baidu account even though the attacker repeatedly provided incorrect information to the customer service representative. The case was cleared to proceed to trial.
The attack was conducted via a chat between the attacker and the Register.com call center. The attacker asked the customer service representative to change the e-mail address on file for Baidu. Even though the attacker could not provide correct security verification information, the representative sent a security code—to the Baidu e-mail address on file. The attacker did not have access to that e-mail account, and when asked by the representative for the security code responded with an incorrect 8-digit number. Nevertheless, the representative changed the e-mail address on file and provided the attacker with the Baidu account username. This allowed the attacker to follow the password reset procedure on the Baidu account at Register.com and change the password for the Baidu account. Once the attacker had access to the Baidu account, he redirected traffic to a different site.
Installing automated strong authentication linked to potentially risky transactions, like password reset, helps mitigate security risks. Businesses and individuals expect their sensitive information and financial interests to be protected, no matter what the contractual small print says. The Baidu case and others like it tell us that the courts also agree, but good business practices shouldn’t wait on the courts for a reading on the minimal effort required. Best practice tells us that protecting your customer’s personal information and your own corporate data is the smart thing to do.
Recommended For You
Authentication Strategies for Today’s Digital Age Carefully orchestrated authentication and identification strategies are critical in today’s digital era, especially since […]
Online consumers can make their purchase with various payment options, like credit card, Apple Pay or PayPal. As a result, […]
As an HR professional, it’s your priority to protect employee data. You may not realize it, but responding to employment […]
The CERCA Spring Conference, held on May 16, capped a broadly successful 2018 filing season that saw tax identity theft reduced by […]