50k Customers of Revolut affected by Phishing Data Breach

Yet another organisation has been affected by a data breach.

Revolut – a financial technology company offering banking, money management and investment services to its clientele across the world – has been the target of a phishing attack.

Revolut hasn’t yet revealed the exact nature of the breach, but it appears that the attacker used social engineering techniques to gain access.

So what is social engineering?  Social engineering is where a threat actor uses deception to obtain information or install malware that ultimately gives them access to valuable data within the organisation.  The most common types of social engineering are phishing, spear phishing, baiting, scareware and pretexting.

Phishing – Communications are sent to individuals asking them to take an action, such as clicking a link (which may install malware) or providing information such as access credentials.  If fooled into actioning the request, they unwittingly give access to threat actors.

Spear Phishing – A phishing attack targeted at specific individuals, e.g. a cyber-criminal creates an authentic-looking communication from someone you would normally trust, such as an internal support engineer, often asking you to click a link and update your password.  Once you have done this, you have given access to the attacker.

Baiting – ‘Bait’ is left around waiting for someone to pick up on it, either hardware such as flash drives or online ads.  Once activated, malware is installed onto the system.  If something lying around or within online ads seems too good to be true, it usually is, so don’t click or plug in!

Scareware – Victims are bombarded with false alarms and fictitious threats.  Users are fooled into thinking their system is infected and encouraged to install software that has no benefit or is malware itself.

Pretexting – An attacker obtains information through a series of communications and carefully crafted messages requesting sensitive information, supposedly to enable them to perform a critical task.  Often the attacker impersonates co-workers, the police or other officials.  The pretexter asks questions that are supposedly required to confirm the victim’s identity, and thereby gathers important personal data.

A spokesman from Revolut has said that an unauthorised third party gained access to the details of a small percentage of their customers for a short period of time.  Revolut say they discovered the breach on September 11 and had isolated the attack by the next morning.

The data most likely to have been exposed for the 50,000 customers is email addresses, names, phone numbers, postal addresses, account data and some payment card data.

Threat actors continue to cause havoc for organisations like Revolut, as they can work quickly, targeting the weakest point in your security defences to gain access to valuable data.  This causes massive headaches for business owners: an increased workload in notifying the customers who have been affected and then applying patches or new systems to plug the breach, but also the possibility of substantial fines for allowing such a breach to happen.

Unfortunately, Revolut is not unique in suffering such an attack.  The best approach to preventing such cyber-attacks is to implement phishing-resistant multi-factor authentication.

So how can you achieve phishing-resistant MFA?

Passwords alone are simply not enough to deter threat actors from attempting to gain access to your data and systems.  You need multi-factor authentication to secure your systems and files – ideally Public Key Infrastructure (PKI), which is the strongest form of authentication and combines:

  • Something you know – e.g. a PIN
  • Something you have – e.g. a smart card, USB token or smartphone
  • Something you are – biometric data such as a fingerprint or face ID.

A third-party device such as a USB token or smart card is ideal.  Managed by MyID®, which uses cryptographically based credentials to strongly bind a digital identity to an individual, it enables organisations to take control of their user identities, providing optimum protection against data breaches.
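What makes a hardware-held, PKI-style credential phishing-resistant is that the device answers a server challenge only for the site it was enrolled with, and the answer itself carries the origin the browser actually saw. The following is an added illustration, not code from Intercede, MyID or Revolut: the bank and look-alike origins are constructed, and because Python's standard library has no asymmetric cryptography, an HMAC keyed per origin stands in for the private-key signature a real smart card or FIDO2 token would produce. The origin-binding checks are the point of the example.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not Intercede's or Revolut's code. A phishing-resistant
# credential (PKI smart card, USB token or FIDO2 authenticator) signs the
# server's challenge together with the origin the browser is talking to, and
# only for origins it was enrolled with. An HMAC keyed per origin stands in
# for the private-key signature here; the origin-binding logic is the same.

BANK = "https://bank.example"              # constructed legitimate origin
LOOKALIKE = "https://bank-login.example"   # constructed phishing origin


class Authenticator:
    """Something you have: a device holding one secret per relying-party origin."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def enrol(self, origin: str) -> bytes:
        """Create a credential bound to `origin` and return the verifying key.
        (With real PKI the private key stays on the device and only the public
        key is handed over.)"""
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key

    def get_assertion(self, seen_origin: str, challenge: bytes) -> dict:
        """Answer a challenge for the origin the browser reports. No credential
        for that origin means no answer: the first phishing defence."""
        key = self._keys.get(seen_origin)
        if key is None:
            raise LookupError(f"no credential enrolled for {seen_origin}")
        client_data = json.dumps(
            {"origin": seen_origin, "challenge": challenge.hex()}, sort_keys=True
        ).encode()
        tag = hmac.new(key, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "tag": tag}


class RelyingParty:
    """The genuine site: issues one-time challenges and checks the bound origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._users: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def register_user(self, user: str, key: bytes) -> None:
        self._users[user] = key

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: dict) -> bool:
        key = self._users.get(user)
        challenge = self._pending.pop(user, None)   # each challenge is single-use
        if key is None or challenge is None:
            return False
        data = json.loads(response["client_data"])
        # Second defence: the signed origin must be *this* site, so a response
        # produced on a look-alike domain is rejected even if relayed in time.
        if data["origin"] != self.origin or data["challenge"] != challenge.hex():
            return False
        expected = hmac.new(key, response["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, response["tag"])


def legitimate_login() -> bool:
    """User logs in on the real site: origin and challenge both match."""
    device, bank = Authenticator(), RelyingParty(BANK)
    bank.register_user("alice", device.enrol(BANK))
    challenge = bank.new_challenge("alice")
    return bank.verify("alice", device.get_assertion(BANK, challenge))


def relayed_login(enrolled_on_lookalike: bool) -> str:
    """A look-alike page passes the bank's real challenge to the victim's device.
    Returns which defence stopped the attempt."""
    device, bank = Authenticator(), RelyingParty(BANK)
    bank.register_user("alice", device.enrol(BANK))
    if enrolled_on_lookalike:
        device.enrol(LOOKALIKE)   # victim once created an account on the fake site
    challenge = bank.new_challenge("alice")
    try:
        response = device.get_assertion(LOOKALIKE, challenge)
    except LookupError:
        return "authenticator refused: no credential for that origin"
    if bank.verify("alice", response):
        return "attack succeeded"   # not reachable with origin binding in place
    return "relying party rejected: origin mismatch"


if __name__ == "__main__":
    print(legitimate_login())        # True
    print(relayed_login(False))      # authenticator refused: ...
    print(relayed_login(True))       # relying party rejected: ...
```

Contrast this with a one-time code typed into a web page: nothing in the code says which site it was meant for, so it can be forwarded. Here the device either has nothing to say to the wrong origin, or what it says names that origin and fails verification.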

At Intercede we recognise that although PKI is the gold standard, it is not the only solution, and we offer a range of solutions that provide stronger authentication at the level of security the customer requires.

Password Policy

Consider your password policy – make sure your employees have to choose long and complex passwords that have been checked against lists of known breached passwords.

It is also good practice to have a system in place so that passwords are regularly checked and changed as soon as they are known to be compromised.

And remember, simply adding another factor without tackling those breached passwords is like sticking a plaster on a broken bone – it won’t actually fix the break.  Breached credentials remain a weakness that cyber-criminals may still be able to use.
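The policy above has two parts: a length and complexity rule applied when a password is chosen, and a check against known breached passwords that is repeated so a password which turns up in a later breach is changed as soon as that is known. The following added example (not Intercede's or any vendor's code) implements both. Its breach corpus is constructed inline from a handful of well-known weak passwords, stored as upper-case SHA-1 hex digests, the format in which public "pwned password" lists are distributed, and its lookup mimics the k-anonymity range query those services use, where only the first five hex characters of the hash leave the client.

```python
import hashlib
import re

# Added example, not Intercede's or Revolut's code. The breach corpus is
# constructed here from a few well-known weak passwords so the example runs
# offline; a real deployment would query a breached-password service or a
# locally mirrored list of hashes.
KNOWN_WEAK = ["password", "Password123!", "letmein", "qwerty123", "Summer2022!"]
BREACHED_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper() for p in KNOWN_WEAK}

MIN_LENGTH = 14      # policy values assumed for the example
MIN_CLASSES = 3
CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"]


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for a breached-password range endpoint: given a 5-character hash
    prefix, return the suffixes of every breached hash sharing it. The full
    password, and the full hash, never leave the client."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """SHA-1 is used only because that is the corpus format; it is NOT how
    passwords should be stored (use a slow, salted hash such as bcrypt or Argon2)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_new_password(password: str) -> list[str]:
    """Policy applied when a password is chosen. Returns the list of violations;
    an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if is_breached(password):
        problems.append("appears in a known breach")
    return problems


def on_successful_login(password: str) -> str:
    """Re-check at login, the one moment the plaintext is available: a password
    that has since appeared in a breach is forced to change immediately."""
    return "force_reset" if is_breached(password) else "ok"


if __name__ == "__main__":
    for candidate in ["Password123!", "correct horse battery staple", "Tr0ub4dor&3-Rev0lut!"]:
        print(repr(candidate), check_new_password(candidate) or "accepted")
    print(on_successful_login("letmein"))   # force_reset
```

Re-checking at login rather than on a schedule is deliberate: stored password hashes (if they are slow and salted, as they should be) cannot be compared against a new breach list after the fact, but the plaintext is present for a moment at each login, which is when a newly breached password can be caught and a reset forced.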

Secure Digital identities from MyID

MyID® is a feature-rich credential management system that enables organisations to deploy digital identities to a wide range of secure devices, simply, securely and at scale.

The MyID credential management solution could help prevent such cyber-attacks by implementing phishing-resistant multi-factor authentication.

To see how MyID can help you plug that gap, request a demo.

Trusted By Governments and Large Enterprises Worldwide

Where protecting systems and information really matters, you will find MyID. Whether it’s citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose MyID to protect themselves against data breaches and ensure business continuity.