Security lessons Zappos' 24 million customer breach should teach us
Another major breach is in the headlines. Zappos, an online shoe and apparel retailer owned by Amazon, disclosed Sunday night that more than 24 million of its customer accounts had been compromised. Hackers accessed customer names, email addresses, phone numbers, the last four digits of credit card numbers and cryptographically scrambled passwords.
To its credit, Zappos moved quickly, resetting the passwords for all the affected accounts. But it was cold comfort for those who may still be in danger of having their data exposed if they used the same or similar credentials on other websites. This concern prompted Zappos CEO Tony Hsieh to warn customers of possible phishing scam exposures in an email to affected customers. It’s another reminder of the sad state of security today.
Allegedly, the attack originated on one of the company’s servers based in Kentucky. While details of how the server was hacked are scant, perhaps the best advice to all the would-be Zappos of the world would be to take one simple step: restrict server access to known PCs only.
Establishing the identity of a platform isn’t difficult at all; in fact, the corporate PCs that would need access to an enterprise server already have the technology embedded on the motherboard. The Trusted Platform Module (TPM) can attest to the identity of the device with nearly absolute certainty.
And a second, powerful safeguard is encryption. With that much sensitive information housed on the network, encryption at the server level should be considered a "must" to prevent a Zappos-like breach in the future.
And the last lesson from the Zappos breach? Isn’t it time we armed the consumer with stronger authentication than the fragile username and password? Here, too, the TPM has proven its ability to play a role, providing an excellent mechanism to protect individual identity with an extremely secure, integrated capacity to store a PC’s security keys.
Because the TPM can store multiple keys, it enables the end user to access secure services from multiple independent providers, each with a unique, secure key. Whoever owns the PC controls the keys stored in the TPM, giving power to the end user, where it belongs.
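The two TPM-backed controls described above (a server that admits only known PCs, and one independent key per service provider held by the device owner) can be seen together in the following added Go example. It is not code from this article or from Wave Systems. The TPM is simulated in software (assumption: a real TPM keeps the private keys non-exportable inside the chip and only performs the signing operation); the provider names, device ID and challenge format are constructed for the example. It also shows two checks a practitioner would want beyond the article's description: a single-use nonce so a captured response cannot be replayed, and the provider's name bound into the signed message so a key enrolled with one provider does not satisfy another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SimulatedTPM stands in for the TPM-resident key store. A real TPM keeps the
// private keys inside the chip and only exposes operations on them; here they
// sit in process memory purely so the example runs offline (constructed).
type SimulatedTPM struct {
	keys map[string]ed25519.PrivateKey // one independent key per service provider
}

func NewSimulatedTPM() *SimulatedTPM {
	return &SimulatedTPM{keys: map[string]ed25519.PrivateKey{}}
}

// CreateKey makes a fresh key pair for the named provider and returns only the
// public half, which is what the device owner enrolls with that provider.
func (t *SimulatedTPM) CreateKey(provider string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[provider] = priv
	return pub, nil
}

// Sign answers a challenge with the key bound to that provider; the private
// key never leaves the (simulated) TPM.
func (t *SimulatedTPM) Sign(provider string, msg []byte) ([]byte, error) {
	priv, ok := t.keys[provider]
	if !ok {
		return nil, errors.New("no TPM key for provider " + provider)
	}
	return ed25519.Sign(priv, msg), nil
}

// Service is the server side: it admits only devices whose key was enrolled.
type Service struct {
	Name     string
	enrolled map[string]ed25519.PublicKey // device ID -> enrolled public key
	nonces   map[string]bool              // outstanding single-use challenges
}

func NewService(name string) *Service {
	return &Service{Name: name, enrolled: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

func (s *Service) Enroll(deviceID string, pub ed25519.PublicKey) { s.enrolled[deviceID] = pub }

// Challenge issues a random nonce that is valid for exactly one response.
func (s *Service) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n, nil
}

// ChallengeMessage binds the service name into what the device signs, so a
// signature produced for one provider cannot be replayed to another.
func ChallengeMessage(service, nonce string) []byte {
	return []byte(service + "|" + nonce)
}

// Verify admits the device only if it is enrolled, the nonce is fresh, and the
// signature was produced by the enrolled key over this service's message.
func (s *Service) Verify(deviceID, nonce string, sig []byte) bool {
	pub, known := s.enrolled[deviceID]
	if !known {
		return false // unknown PC: refused regardless of what it signed
	}
	if !s.nonces[nonce] {
		return false // never issued, or already consumed (replay)
	}
	delete(s.nonces, nonce) // consume first so a retry fails even if this check does
	return ed25519.Verify(pub, ChallengeMessage(s.Name, nonce), sig)
}

// Authenticate runs one full challenge-response round between device and service.
func Authenticate(tpm *SimulatedTPM, s *Service, deviceID string) (bool, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := tpm.Sign(s.Name, ChallengeMessage(s.Name, nonce))
	if err != nil {
		return false, err
	}
	return s.Verify(deviceID, nonce, sig), nil
}

func main() {
	tpm, shop := NewSimulatedTPM(), NewService("shop.example") // constructed provider
	pub, _ := tpm.CreateKey(shop.Name)
	shop.Enroll("corp-pc-01", pub) // constructed device ID
	known, _ := Authenticate(tpm, shop, "corp-pc-01")
	unknown, _ := Authenticate(tpm, shop, "unknown-pc")
	fmt.Println("enrolled PC admitted:", known, "| unknown PC admitted:", unknown)
}
```

The server never learns a private key and never stores a reusable secret for the device, so compromising the server's enrollment table yields only public keys; that is the property the article is pointing at when it says the owner of the PC, not the service, controls the keys.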
Steven Sprague is CEO of Wave Systems. His expertise lies in leveraging advancements in hardware security for strong authentication, data protection, advanced password management, enterprise-wide trust management services and more. Mr. Sprague earned a BS from Cornell University in 1987.