Robinhood Hack Shows the Need for a More Human Approach to Security

The industry already has a list detailing cybersecurity flaws. It’s time for a similar compilation of other vulnerabilities that may compromise system safety.

Robinhood Markets Inc. got hacked. Again. A year ago, the breach hit almost 2,000 accounts. This week’s event compromised the personal information of 7 million users.

As a result, hackers obtained a list of email addresses for 5 million people and got a separate cache of the full names of 2 million more. The California-based online brokerage seems to be playing down the incident, noting that key data like Social Security, debit-card or bank-account numbers weren’t taken.

The common thread in both attacks, and indeed many cybersecurity breaches, can be found in the company’s statement. It should also serve as a wake-up call to the industry:

The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.

Note that term: socially engineered.

By using it to explain the attack, Robinhood is saying that a human was manipulated into doing something that shouldn’t have been done.

It’s well understood that to breach, or secure, a system you need to know how it functions. One of the first things cybersecurity students learn is how memory works inside a computer, and they then train on subverting those mechanisms to attack the software that depends on them. In this case, the financial services company is saying that a person was breached. To some extent, they’re not wrong.

But by using “social engineering” to explain what happened, Robinhood falls into the same trap that many others are also guilty of, which is to dehumanize the people who sit between computer systems and the adversaries who want to break in. Those on the front line have come to be treated like buffer overflows, exploited to gain control of a computer, or like compromised encryption keys, which can unlock secret communications. Read the full article here.

"The question organizations are facing is not if a cyberattack will happen, but when." Sourced offers security consulting and account hardening for both corporate teams and individual clients. Learn more.
