Attacks/Breaches
4/9/2014
10:00 AM
Kerstyn Clover
Kerstyn Clover
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

What’s Worse: Credit Card Or Identity Theft?

When it comes to data loss, it's time for the conversation to shift from credit cards to personal information like Social Security numbers, home addresses, and your favorite flavor of ice cream.

The Target data breach is often discussed in relation to loss of cardholder data, but in terms of personally identifiable information like a Social Security number or home address, it’s also a cautionary tale about how much data a company might be collecting and tracking. When I read a Forbes article recently about how Target identified a pregnant girl before her own family heard the news, I was both impressed and disturbed.

Stores, banks, the government, and many other entities have a lot to gain from the business intelligence they derive by collecting and correlating data. But when that data is leaked there is often no way to know just what and how much has been exposed. With lost personally identifiable information (PII) criminals may know when I am most likely to fill up my gas tank or what my favorite flavor of ice cream is.

Worse yet, that information could be leveraged against me, with enough time and persistence, to gain access to something like a line of credit. I know from firsthand experience that small details, like children’s names and birthdays, are the key to securing critical information during social engineering assessments. Imagine what a criminal could accomplish with thousands of personal records.

To frame the issue better, when it comes to protecting information, many consumers believe that using debit cards with PIN numbers is the safer way to go. I recall talking with family members and hearing how most of them refuse to run their debit cards as credit when they have the choice.

If PIN data is encrypted from the moment it is entered, its loss might not be a huge issue, although it does raise the question of where the encryption key is being stored. The key should only be held at the payment processor, far away from the entry devices and point-of-sale systems. Of course, very few systems I have analyzed for potential cardholder data loss should have been storing credit card data, but so far everyone has. We also know that with time and effort encryption can be broken.

Many companies will attest that their encryption is "very strong," contributing to the idea that PINs are safe. However, it’s not uncommon to find that many people say their security is strong, and it turns out to be WEP encryption or randomly generated complex passwords that are then stored on a sticky note in view of everyone in their office.

My crystal ball is in the shop today, but if I had to make a prediction I would say that the PINs and PII lost as part of so many data breaches are going to show up somewhere in some manner and cause serious damage. Unfortunately, the discussion about these types of information and, more importantly, why they are not stored securely has taken a backseat to credit card security and whether or not the US should adopt chip-and-pin technology.

An unexpected or unknown threat such as nebulous "personal information" loss is always worse than the threats you can identify and prepare for. It's time for the conversation to shift. Given the variety of information that could be circulating about you at any given moment, what type of data loss keeps you up at night?

As a staff consultant on the SecureState Attack and Defense Team, Kerstyn works with a broad range of organizations across a variety of industries on security assessments including incident response, forensic analysis, and social engineering. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 2:54:28 PM
Re: Identify Theft & bitcoins
@CypherpunkI - In my state -- Massachusetts, they've installed bitcoin ATMS in South Station and a major subway hub. But the state consumer protection agency is advising consumers to be careful.  Personally, I'm still a little bit leery of them..

 
Cypherpunk
50%
50%
Cypherpunk,
User Rank: Apprentice
4/10/2014 | 2:48:26 PM
Re: Identify Theft
Identity theft and credit card data breaches by retail merchants are driving consumers to seriously look at bitcoin as an alternative payment network. Bitcoin transactions are peer-to-peer "push" operations so they do not require any third party intermediary, cannot reveal personally identifying information and are verfified by a worldwide network of computers so the payments are confirmed in minutes instead of hours or days. As an added bonus, transaction fees on the bitcoin network are miniscule compared with credit card fees (~$0.004 paid by the customer, as compared to 3%-5% of the purchase price paid by the merchant to the credit card processor).

The credit card system is entrenched 1950's era technology that hasn't had to evolve for decades; cryptocurrency is 21st century technology that is designed for today's mobile marketplace which places security as the first priority, not tacked on as a hastily-written emergency patch. 
gosmartyjones
100%
0%
gosmartyjones,
User Rank: Apprentice
4/10/2014 | 1:34:50 PM
Without Question, it's Identity Theft
Remember something very important about identity theft, and that's the notion of "one and done". You only have one birthdate, social security number, and other unique vitals. Once they are breached, they've been forever compromised and cannot be changed. As a PCI-QSA, breaches occur – and will continue to occur – but how lasting is the damage, really? You can replace your credit card number, but not your unique vitals and it's why I strongly favor compliance assessments that should be focusing on critical aspects of Personally Identifiable Information (PII). 

Only in very extreme circumstances can you get another social security number, but as for credit cards, just give your bank a call.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/10/2014 | 12:39:00 PM
Re: Identify Theft -- Awareness Training
I did read it, and unfortunately, I'm not surprised. In fact, I'm inclined to think that the survey results may have understated the number of users who were not trained. Additionally, it begs the question whether or not the training was actually effective. Unfortunately, the true measure of effectiveness would be the examination of a breach to see if it was a direct result of unsafe practices. Accidental exposure does occur, and it can be argued that accidents are a result of unsafe practices, but we are all human beings and we do have weaknesses. So on a more practical side, the measure of effectiveness cannot devolve to a simple Q&A test - it has to be a simulated real world test like an internal social engineering exercise. Automated auditing tool reports can also provide data regarding those practices; i.e. filters or applications that prevent storage of PII or PHI or CC data in insecure locations such as workstations, etc. An example of lack of awareness: a few years ago while we were undergoing an HR application implementation, I was contacted by the vendor's conversion specialist to ftp a file so they could import data into the application. The file name was empdata. Naturally, alarm bells rang in my head, and when I examined the contents of the file, I saw that it contained employee data including banking information for direct deposits, SSNs, dependent infotmation, etc. Normally, the ftp request would have gone through someone else in our organization, and not someone in IT, but for some reason, the request came to me. What shocked me was that I was informed that such a request was "routine" and other clients simply complied without question. When I told them that I refused to ftp the file due to security reasons, the conversion specialist asked me if I would email it to them instead of ftp. I almost lost it right then and there. Long story short, I caused the vendor to implement a more secure way of transfering the files, and they made it a standard procedure with all their clients. Imagine a client having to educate an HR software vendor on secure practices regarding sensitive employee information - what's wrong with that scenario? That incident shows the lack of awareness in too many organizations.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/10/2014 | 11:36:40 AM
Re: Identify Theft -- Awareness Training
To your point about security awareness training. Did you read Tim's story today:

Majority Of Users Have Not Received Security Awareness Training, Study Says

The survey of 600 employees, conducted by EMA Research and sponsored by training firm Security Mentor, indicates that 56 percent of workers say they have not had security or policy awareness training from their organizations. The remainder of employees (44 percent) say they have received annual training.

Thoughts on how training can be more prevalent and/or effective? 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/10/2014 | 10:28:39 AM
Re: Identify Theft
@Kerstyn & Neira: Nothing like hitting the nail right on the head! I can't remember how many times I've made that statement about awareness training. Many times, C level executives simply do not see the ROI from awareness training. I attribute this to the failure of security personnel to effectively communicate the business need and impact of all IT security aspects to the organization. If C level executives see IT security in terms of compliance and current bottom line impact only, budget decisions become a matter of spending the least amount to gain an acceptable level of security comfort or compliance. The axiom that compliance equals security has been disproven many times, with the Target breach serving as a glaring example. Security expenditures must be viewed in terms of an investment in the organization's future. Yes, it is intangible, but so are many other investments ourside of security. As far as effectiveness of training, much can be gained by designing the material in such a way that users see a personal gain from it. The training material I prepare frames security practices that affect the organization, and also their personal lives. When seen from that perspective, users will adopt practices that improve the security posture of the organization as well as their own personal security. Not surprisingly, users have thanked me for the information, and told me how they have changed their personal behavior to improve their own personal security, and even disseminated the information in their personal circles. We are creatures of habit and we usually engage in similar practices at home or at work. When you think about it, those practices do not differ much from organizational and personal standpoints. Secure practices do not necessarily have to precipitate from the top down; they can be adopted in a widespread fashion to accelerate and elevate the security posture of any organization much more quickly.
Kerstyn Clover
50%
50%
Kerstyn Clover,
User Rank: Moderator
4/10/2014 | 9:01:37 AM
Re: Identify Theft
Neira,

 

I read over your blog and you touch on a lot of great points that I did not have the space for in my own. This in particular jumped out at me: "...education and awareness is still failing in most organisations as it seems to be merely driven by compliance and regulation..." and I think that almost anyone in the industry would agree.

A lot of security comes from being aware, trained, and practicing frequently. Unfortunately those are all things that can be very difficult to compel companies or people to work on because they tend to be intangible and require a lot of effort.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/9/2014 | 7:54:41 PM
Data Masking and PII
I feel that as the years progress that the amount of data that is considered PII is increasing. I think one reason this situation is difficult is because you have to way data accessiblity versus security. How can you be secure but also be able to perform your tasks? I think one item that might help is data masking. Now understand like encryption methods, authentication, and other security safeguards, this is a measure that can still be exploited but I think that if multiple masking methods are leveraged for different data sets it makes the data that is being worked with much harder to access.

Also we need to realize its impossible to prevent 100% data leakage. We need to focus on the best ways to prevent as much as possible.

Any one else to posit solutions that may help protect against identity theft and data leakage?
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
4/9/2014 | 6:42:44 PM
Re: Identify Theft - a new conversaton
Credit card numbers should really be one-time use numbers.

I wonder if stiffer penalties for identity thieves -- like being forced to manually correct grammatical errors in spam messages -- would create more deterence.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/9/2014 | 4:28:06 PM
Re: Identify Theft - a new conversaton
Agreed, that is a much easier conversation to have than to "try" to explain how to straighten out their credit file, fraudulent charges,life, etc.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5426
Published: 2014-11-27
MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attackers to cause a denial of service (unhandled exception and DNP3 process crash) via a crafted message.

CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?