Breach Notification , Enterprise Mobility Management / BYOD , Incident & Breach Response
Air Canada: Attack Exposed 20,000 Mobile App Users' DataAirline Hits Password-Nuke Button, Forces Reset on 1.7 Million Accounts
Air Canada is forcing 1.7 million mobile app accountholders to reset their passwords after it detected unusual login behavior that it says may have exposed 20,000 accounts, including customers' passport details. But the airline has been forced to battle ongoing technical problems as well as hordes of angry users.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Air Canada locked all users' mobile accounts after it detected suspicious logins over a three-day period, starting on Aug. 22.
On Wednesday, one week after the suspicious logins had begun, the company began contacting - by email - customers whose accounts may have been accessed by hackers.
"We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts," the airline says in a security alert posted on its website. "As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers' data."
Passport Data at Risk
The personal information contained in the app can vary depending on how much a user shares. At a minimum, app profiles contain a person's name, address and email address.
Some customers may also have input their passport details, which would include birthdate, nationality, the document's expiration date, country of issuance as well as the country in which they permanently reside.
Other data within accounts may have include an Aeroplan number, which is Air Canada's loyalty program; a number for NEXUS, which is a program that allows some travelers to clear immigration faster when going between the U.S. and Canada; and a Known Traveler Number, which is part of the U.S. Transportation Security Administration's expedited prescreening program.
Air Canada has attempted to allay customers' worries over leaked passport data, saying that the risk of a third party taking passport data and obtaining a new document is low if people still have the passport, as well as proof of their citizenship and supporting identity documents.
The government of Canada, for example, won't issue a new passport to someone "based on only the information found in a passport," the airline says.
Air Canada says the breach has not exposed any payment card data. The airline says that all payment card data gets encrypted and held in accordance with the Payment Card Industry's Data Security Standard, known as PCI-DSS.
Airline Invalidates All Mobile App Passwords
Air Canada's move to lock all mobile accounts and force app users to reset their passwords is a step that many online service providers try to avoid because it frequently irritates users and can lead to customer support challenges.
Troy Hunt, a data breach expert and creator of the Have I Been Pwned service, says a user-wide password reset "is really a blunt, sledgehammer approach."
The reset will help safeguard the accounts of users who picked weak passwords or reused the same passwords across different services, Hunt says. But such a reset punishes anyone who already has strong, unique passwords for every service they use, he adds.
Hunt says the system-wide reset suggests that Air Canada was struck by a large credential-stuffing attack. Such an attack involves hackers taking large lists of email addresses and passwords that have been amassed from data breaches and using them to attempt to unlock accounts on other, unrelated sites (see Credential Stuffing Attacks: How to Combat Reused Passwords).
Air Canada's mobile app requires an email address and a password to log in, so it's an obvious target for that type of attack, Hunt says. While organizations can take steps to guard against automated credential stuffing attacks, for example by rate-limiting access attempts via APIs, there "tends to be a nonchalance" toward putting such protections in place, he says.
Many organizations will lock an account if someone who's attempting to access it enters an incorrect password too many times from the same IP address. But advanced attackers often go around this defense by using a large pool of IP addresses, Hunt says.
Furthermore, if attackers had executed multiple, successful login attempts, Air Canada might have had a tough time separating legitimate logins from unauthorized ones, and thus opted to reset all passwords, Hunt says.
One big problem with system-wide password resets is that they often anger users and overwhelm customer-support teams. Indeed, Air Canada has warned that its decision to reset all mobile app users' passwords might cause customer-service delays.
"We ask customers to be patient and assure them their data is protected and not accessible to unauthorized users. We apologize for the delay," the company says. "Please wait several hours and try again."
Several people have already complained about their inability to reset their password, according to the reviews section for Air Canada's mobile app on Google's Play store.
"Rubbish! I get an email this morning saying my mobile+ account has been suspiciously accessed and I go on the app to change my password, and it won't let me," writes one user. "So I sign out and go to sign in again, tells me to turn off airplane mode and turn on Wi-Fi. Dude, I'm in my own house!"
Password Complexity Downsides
As part of the reset process, Air Canada says it is "using improved password guidelines to further enhance security measures."
The new password guidelines advise using at least 10 characters, with one upper-case letter, one number, one symbol or special character and one lower-case letter.
But one Twitter user noticed that the password guidance is different for the website.
Dear @AirCanada your security warning from this morning is a real joke! pic.twitter.com/XOTUD80N1e— Laurent Duveau (@LaurentDuveau) August 29, 2018
Hunt says that forcing users to conform to a defined level of complexity is increasingly falling out of favor. Last year, the National Institute of Standards and Technology published its latest digital identity guidelines, specifically recommending against this practice. That's because users tend to alter their go-to passwords with slight modifications to conform to the complexity rules, and those slightly revised passwords may be easy for attackers to guess.
When password complexity rules are in place, users "will choose something terrible, and this is human nature," Hunt says.