Twitter and Vodafone hack - GrIDsure comment
March 2010 by Stephen Howes, CEO GrIDsure
Stephen Howes, CEO GrIDsure, the safer alternative to PINs and passwords, explains why we will see incidents like this becoming more frequent if service providers continue to rely on static PINs or passwords for user authentication.
“At the moment it seems that barely a day goes by without another story breaking around a password-protected service being compromised in some way. Both of the Twitter hacks and the Vodafone story highlight, yet again, how easy it is to break into a service that is protected by only fixed PINs or passwords. It is clear that fraudsters are becoming increasingly sophisticated and yet amazingly these high profile brands just seem to shrug their shoulders and ask their users to change their password. This does nothing to prevent the same thing happening again in the future and is just playing into the fraudsters’ hands.
“There is an easy and cost-effective solution which would avoid future embarrassment and user frustration: all they need to do is use a one-time passcode system, which would mean that even if a user were to inadvertently enter their details into a phishing site the fraudster wouldn’t actually be able to use the PIN or password that they had stolen.
“As we’ve seen, passwords can be compromised through various forms of attack, including shoulder-surfing, key-logging, phishing and screen-scraping, but the Vodafone case highlights a growing trend of attack that comes under the umbrella of ‘social engineering’. Essentially this refers to fraudsters collating user information - such as DOB, address, mobile phone numbers - from social networking sites and then using them to impersonate an individual. So while it’s vital that service providers use more secure and user-friendly ways of authenticating their customers, this needs to be matched with industry-wide education on how users can safeguard themselves against security breaches like this in the future.
“Finally, whilst many people simply see networking sites such as Twitter and Facebook as a social thing and therefore believe they don’t matter very much, people in corporate life should be reminded that this same username/password combination is probably being used to secure their cloud-based corporate information such as email and CRM systems.”