Robinhood Hack Shows the Need for a More Human Approach to Security
(Bloomberg Opinion) -- Robinhood Markets Inc. got hacked. Again. A year ago, the breach hit almost 2,000 accounts. This week’s event compromised the personal information of 7 million users.
As a result, hackers obtained a list of email addresses for 5 million people and got a separate cache of the full names of 2 million more. The California-based online brokerage seems to be playing down the incident, noting that key data like Social Security, debit-card or bank-account numbers weren’t taken.
The common thread in both attacks, and indeed many cybersecurity breaches, can be found in the company’s statement. It should also serve as a wake-up call to the industry:
The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.
Note that term: socially engineered.
By using it to explain the attack, Robinhood is saying that a human was manipulated into doing something that shouldn’t have been done.
It’s well understood that to breach, or secure, a system you need to know how it functions. One of the first things cybersecurity students learn is how memory works in a computer, and they then practice breaking those processes to attack the software that depends on them. In this case, the financial services company is saying that a person was breached. To some extent, they’re not wrong.
But by using “social engineering” to explain what happened, Robinhood falls into the same trap that many others are also guilty of, which is to dehumanize the people who sit between computer systems and the adversaries who want to break in. Those on the front line have become akin to buffer overflow attacks — used to gain control of a computer — or compromised encryption keys, which can unlock secret communications.
Doing so also plays down the fact that every single engineering flaw is a result of human error. A poorly written piece of code, a badly designed algorithm, or an incorrectly configured server each occur when people make mistakes. The lax security policies written by employees, signed off by executives and overseen by boards of directors are also avoidable missteps. Breaches happen when other people exploit them.
One of the most epic social engineering hacks was outlined by Wired writer Mat Honan, who in 2012 detailed how flaw after flaw in systems run by Google, Apple Inc. and Amazon.com Inc. allowed someone to destroy his digital life. In each step, a human customer service representative was the window through which unbelievably bad company protocols were leveraged to get even more information on Honan, which then became weapons for the next stage in the attack. That Robinhood could be hit nine years later through a similar method indicates the industry isn’t learning from its mistakes.
To date, it’s unclear exactly what the hacker said to that customer support employee on Nov. 3 in order to extract enough information to carry out the attack on Robinhood. But the very fact that a phone call between two people could result in the release of 7 million records is enough to show that the company’s processes are deeply flawed. And it should be self-evident that the staff member is also a victim of such systemic weakness.
There is a better way.
We already have a model for how problem code can be found, identified and reported to the world. The Common Vulnerabilities and Exposures list, sponsored by the Department of Homeland Security, is the go-to place for security professionals to keep tabs on the latest weaknesses and how they might be addressed. This site is an invaluable resource and a major reason why computer systems globally can be kept updated quickly to maintain security.
After Honan’s hack nine years ago, some of those companies pledged to review their practices for resetting passwords, but many still practice poor digital hygiene (users of Apple online services can check their email for a monthly reminder of unsanitary practices). The flaws that led to Honan’s hack were not listed in a real-time central repository for others to freely access.
To that end, I suggest a similar database of social engineering exploits be set up to outline flaws that result from human manipulation. By identifying and detailing exactly how adversaries have, or may, breach the wall between people and machines, the broader industry can start to shut down bad habits and set up best practices. This compilation won’t solve all problems, but it would show industry peers where the vulnerabilities lie and hopefully prompt them into action.
For decades, cybersecurity professionals have recognized and bemoaned the fact that humans are the major reason why their systems become vulnerable to attack. Yet the industry and governments continue to build systems that put the burden on front-line staff, while failing to track and update the ways people become vulnerable. That needs to change, and maybe this Robinhood hack will be the catalyst to make it happen.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Tim Culpan is a Bloomberg Opinion columnist covering technology. He previously covered technology for Bloomberg News.
©2021 Bloomberg L.P.