Phishing schemes encompass fraudulent emails, text messages, phone calls, or web sites designed to manipulate people into downloading malware, sharing sensitive information, or otherwise exposing themselves or their organizations to cybercrime. Over one million phishing attacks were initiated in the second quarter of 2022, according to one report, resulting in billions of dollars of losses. The FBI‘s Internet Crime Complaint Center records more than twice as many incidents of phishing as it does any other type of computer crime.
Two recent enforcement orders of the Federal Trade Commission against Chegg Inc. and Drizly LLC herald a new FTC resolve to combat phishing. Both companies had poor records of protecting the security credentials of their employees. Their lapses facilitated data breaches that compromised sensitive information of millions of customers.
The Cyber Attacks Against Chegg and Drizly
Chegg
Chegg Inc. provides educational products and services to students. Among its many services, it helps high school students identify potential sources of scholarship aid, which involves asking students for their names, passwords, religious denomination, date of birth, sexual orientation, and parents’ income. Chegg also records videos of their tutoring sessions. It stores this sensitive data on the cloud using Amazon Web Services (AWS) Simple Storage Service (S3). Prior to the FTC enforcement action, Chegg used encryption technologies to protect some of the data, but they proved to be outdated and insecure. Chegg also stored much of the information in plain text.
According to the FTC, Chegg’s employees shared a single key to access the S3 database and had full access to the data regardless of their job function. They were not required to use multifactor authentication (MFA). Chegg did not regularly change employee passwords, provide regular security training, or delete user information that it no longer needed to provide its services.
Chegg was the victim of at least four cyber attacks in as many years, three of them involving phishing. One attack involved a former contractor who used his Chegg credentials to steal information of about 40 million Chegg customers, which he then made available for sale on the dark web. The data included 25 million plain text passwords that had been decrypted.
In a later phishing attack, a senior Chegg employee provided a malicious actor with access to Chegg’s payroll information, including the social security numbers, birthdates, medical conditions, and bank account information of 700 current and former employees.
Drizly
Drizly’s business involves facilitating the on-line sale of alcoholic beverages. It was victimized by a cyber-criminal who hacked into Drizly files that resided on Github (a service that allows collaboration among software developers). There it learned the credentials for accessing Drizly’s AWS files, which it accessed to copy the personal information of Drizly’s 2.5 million customers.
Both companies claimed to follow commercially reasonable steps to protect personal information. The FTC’s complaints alleged that this was deceptive and that the companies’ security practices were unfair to consumers.
The FTC Orders
The order against Chegg requires it to adopt MFA employee authentication methods that are resistant to phishing attacks. This authentication process may not include telephone or SMS-based authentication methods, which it views as too susceptible to phishing attacks and other malicious techniques such as SIM swapping. The FTC allows the adoption of non-MFA options if they are widely adopted and approved in advance by the FTC.
The order against Drizly includes all of the above, plus a requirement that customers be provided an MFA option. The consumer-facing MFA need not be phishing-resistant.
Both companies were required to develop and implement programs for deleting consumer data that is no longer needed.
The FTC required phishing–resistant MFA for employees because, as the cases demonstrate, duping just one employee of an on-line service can compromise the data of millions of customers. By contrast, the potential damage is much more contained when a single consumer’s data is compromised. That more limited potential for harm, plus the potentially cumbersome requirements of phishing-resistant authentication, may explain why the requirement was not extended to authentication of customers.
What is Phishing-Resistant MFA?
MFA involves verifying identity by using something that the user knows (like a password) and something that only she has access to (like an RSA fob that displays random numbers for 30 seconds at a time). According to guidance issued by the Cybersecurity Infrastructure and Security Agency (CISA)[1], there are only two phishing-resistant MFA technologies:
- FIDO/WebAuthn authentication, and
- Public key infrastructure (PKI)-based authentication.
In most PKI-based MFA deployments, a user’s credentials are contained in a security chip on a smart card. The card must be directly connected to a device for the user to log into the system (with the correct password or PIN). According to CISA, this technology is sensible only for large, complex, organizations with highly mature identity management practices. Thus, for most businesses, FIDO/WebAuth may be the only viable path to phishing-resistant technology.
The FIDO / WebAuthrn authentication standard was developed by the FIDO Alliance[2] in collaboration with the World Wide Web Consortium and uses the FIDO2 authentication protocol. That protocol uses public key/private key cryptography techniques to provide secure access to a protected website. Authentication is done at a user’s device by unlocking the private key, using a secure action such as swiping a finger, entering a PIN, speaking into a microphone, or inserting a second–factor device.
The FIDO2 protocol does not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, does not leave the user’s device.
The protocol helps prevent phishing attacks by using cryptography keys and challenges to verify the legitimacy of the server request (such as a request to login or to authenticate). Under FIDO2, the website or service has specific keys linked to its service.
WebAuthn support is included in major browsers, operating systems, and smart phones. Authenticators can either be separate physical tokens connected to a device via USB or near-field communications such as Bluetooth; or they can be embedded into laptops or mobile devices as “platform” authenticators. FIDO can incorporate various other types of authentication, such as biometrics or PIN codes.
The authentication ties a device to a website. Credentials stolen and used on a different device will not work. Even if the credentials are “phished,” the fraudster cannot successfully use them.
Conclusion
By requiring phishing-resistant MFA for the first time, the FTC is sending a message to all on-line businesses about the inadequacy of ordinary MFA and steering them towards more robust forms of protection. Failure to adhere to standards recommended by the FTC may leave a company vulnerable not only to an enforcement action of the FTC, but to liability to those affected by a breach when, as has happened with Chegg and Drizly, the company is targeted by class action lawyers.
[1] CISA is a part of the U.S. Department of Homeland Security.
[2] The FIDO Alliance includes Google, Apple, Amazon, Intel, Microsoft and many other major companies.
