Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2020
Doug Lhotka

Are we losing the cybercrime war?

By

I didn’t share a Friday photo last week because I’ve been working on this post in response to a question a friend asked:  “Are we losing the cybercrime war?”

It sure feels that way.  In the past couple of years, we’ve had three major data disclosures – Aetna, Equifax and Yahoo, not to mention the myriad of lower-level incidents.  While the data lost in each is different, all three have major implications for security and privacy.  I’ve written before that we should all assume that our data’s been stolen and take precautions, and that’s absolutely the case.  All the big breaches are failures of prevention (data retention, patching, privileged credential protection), detection (instrumentation, analytics), and response (both technical and public relations).  That sounds like a systemic failure to me.

I’m a fan of the Fifth Discipline by Peter Senge, and tend to look for system causes rather than blame people, but in each of the large breaches, people’s decisions played a major role – from failure to invest in prevention, to failure to operationalize detection, to tone-deaf responses to incidents.  But let’s take a step back and look at the larger system in which those people operate – not just within their companies, but the entire economic and legal environment, for that’s where the real systemic problems lie.

As one of my favorite authors and bloggers, Jerry Pournelle (he recently passed away) was fond of saying, unrestricted capitalism will result in human meat being sold in street stalls.  Don’t get me wrong – I’m a hard-core capitalist, and believe in the power of the free market, but in this particular case we don’t have one.  Crony capitalism has tilted the regulatory and legal environment in the favor of a handful of large corporate entities (concentrated interest) and away from citizens and consumers (diffuse interest).  Companies that make their living exploiting consumer information are among the worst offenders, but all to some degree use their size and scale to manipulate laws and regulations in their favor to the exclusion of new entrants.

In an environment where ‘two years of credit monitoring and an apology’ is the worst expense a company will endure, we’re going to continue to get more breaches.  That’s because the bean counters will calculate the security budget based on the probability of a breach * scope of the breach * the cost of a breach on an annual basis.  That’s resulting in underinvestment in cybersecurity because the cost factor is artificially low.  What we need to do is change the cost and responsibility piece of the equation – once we do that, we’ll see the companies change their behavior.  This is exactly what happened with the Ford Pinto back in the 70’s.  In that case, the damage to the Ford brand overall was significant, and their competitors immediately changed practices to avoid a similar situation.    None of the three I mentioned above are in any danger of dying because their customers weren’t impacted – Equifax sells reports to creditors, Anthem sells insurance to businesses, and Yahoo sells information about consumer activity.  Consumers can’t really choose to avoid them having their data, so we’re stuck.  And that’s the first thing we need to fix.

First, data about a consumer needs to belong to the consumer.  Companies then become data custodians instead of data owners, cannot share data with a third party unless there is opt-in consent, and are monetarily responsible for disclosure as the asset itself has been lost (rather than damages incurred).   That’s the lynchpin.  Note that this would break Google and Facebook’s business model.

Next, full disclosure, within 14 days of discovery of a data disclosure (no limit on records) should be mandatory.  An exception where there is an ongoing law enforcement investigation and no evidence of exploitation of the data would make sense.  But once there’s evidence of exploitation (even less than 14 days), individual notification must follow immediately.  By US Mail if possible (e.g. if they have your physical address), by email at least.  Social media, websites, and news reports are not sufficient.

Last, and most important, the cost born by the company should reflect the risk to the consumer.  That means a statutory floor for damages – payable in cash direct to the consumers impacted.  Note that this would break the class-action attorney’s business model.  This should be tiered based on the data lost.  For example, compromised credit card numbers have a minimal impact on consumers, so set a low bar of $25 to $50 per consumer for the inconvenience of having to get new cards and change all their monthly payments.  The issuers should be compensated both for the cost of fraud on those accounts and for the cost of issuing new cards.  Medical and credit records are much higher value, so perhaps $100-200 plus the cost of lifetime security freeze and credit monitoring services (at retail rates, by a company of the consumer’s choosing if they want it) would be the right benchmark.

You can be sure that would get companies to take notice (they will fight the last one tooth and nail – as will the plaintiff’s bar).  It would change the calculation on what information to retain (getting rid of risky data becomes the cost effective option, rather than retaining to exploit it), and how to protect it.  The credit agencies are the prototypical example here – they hold massive amounts of information on consumers (who are the product) and have an economic incentive to release it to any and all comers, as that’s how they get paid.    GDPR in Europe has penalties attached to it, but mostly for non-compliance, rather than for disclosure costs, and they’re not paid to consumers, rather to the EU itself.

So unfortunately my three points above might as well be “I wish I was younger, taller and thinner”.  We might be able to made some changes around the margins (the thinner), but the concentrated interests will likely prevent any real reform from happening (taller and younger).

Because it’s all about the money.  Cybercriminals attack where it’s stored, companies invest based on cost of loss, and consumers wonder where it went.  Put it another way: right now, the criminals are winning, the companies are wondering, and the consumers are spending.

SSN is not a secret (and never was)

By

(c) Depositphotos / johnkwan

With the Equifax breach, there’s been a lot of commentary about it’s impact, and much of it has one important fact wrong:  SSN was never intended to be a secret.

I’ve written in more detail about this before, but in light of the recent breach, I thought I’d repost it again.  One update, before I get to the original post:  At this point, between Anthem, Equifax, and the others, we should all assume that SSN is no longer secret.  For consumers, that means a credit freeze (where you do establish a secret PIN to unlock the reports).  For businesses, I’ll just say this.  Enough.  Seriously, enough.  Across the board you need to stop using it to authenticate people.  Today.  Unfortunately I think they’re largely too lazy to do it without legislation.

Here’s the original post from January 10th, 2016:

The Social Security Number is the Achilles heel of modern information. It was never intended to be used for identification purposes – in fact, my original card has that printed in big bold red letters right across the front of it.

Well, that didn’t work out well. In college, SSN was our student number. Printed on our ID, posted outside the professor’s office with our grades, and on our transcripts. Medicare and Medicaid members have it printed on their cards. Insurance companies have adopted it and print it on their cards. Financial firms use it not only for tax purposes, but also some as account numbers. It was used in a hundred other ways. And everyone uses it to authenticate their customers, which is the worst of all.

But it’s not a secret!   For the majority of people, given their birthdate and location (did you put real ones on social media?), you can guess their SSN within a few tries. We use it because it’s easy, and the closest thing we have to a national ID number (note – I’m not advocating one).   Even in the face of massive data breaches – 80 million SSN’s in just one (that’s 1 in 5 SSN’s exposed) folks continue to use it. It’s easy, it’s convenient, everyone does it, people remember it – it works.

And it’s dumb.

Let me explain some terminology before continuing, and use an example to help folks understand. We’re going to login to our bank so we can do some online transactions in two steps.

  • We assert our identity – in other words we claim to be someone. That’s the login ID – or identification credential. ID is not a secret.
  • We prove our identity – authenticate our assertion, usually by password, or sometimes by two-factor authentication. Authentication uses a secret (the something you know, are, or have) to prove that you are who you claim to be.

SSN is an identifier – something we use to assert who we are. It’s not a secret, has never been a secret, and we can’t turn it into a secret.   It’s time to stop trying.

The problem is that SSN is being used as an authenticator – a secret that proves that I am who I say I am. It doesn’t matter if we use the last four, or the whole number. Using SSN to prove identity is like leaving the sticker with the combination on the back of the padlock.

So we’re in a mess, and there’s no real easy way out. But here’s some thoughts on ways to start.

First the IRS should implement a PIN system for SSN – for everyone. This PIN should be randomly generated to avoid people choosing birthdates or other easily discoverable information, and yes, resetting it probably should require a trip to the local social security office with documents that prove identity, including a government issued picture ID. Most states will already issue ID’s at no charge to folks that can’t afford them.  Yes, we’re in a bit of a circular situation here because bills and such are used to provide identity and residency, but it’s the best we’ve got. The SSN/PIN system should support two-factor authentication that’s used for things like filing a tax return.

Oh shoot, we’re into national ID territory. Given the recent track record of breaches within the US government, there’s legitimate concern about having all our eggs in one basket. What happens if the next data disclosure is the entire IRS taxpayer database?

So here’s the controversial proposal. Congress should pass legislation limiting the use of the SSN to the IRS only – prohibit commercial use as an identifier, and ban all use as an authenticator. Medicare and Medicaid would be required to move away from SSN (except for ACA compliance) and issue separate identity and authentication tokens to it’s members.

That means that your bank would still have it so they can file your 1099’s, but they’d be prohibited from using it for anything else – and they would not have your authentication information! TurboTax and the like would be able to use the SSN/PIN combination to file returns, but would not store PIN information (the IRS would provide a web service to validate authentication for known-good actors). Insurance companies would have SSN to forward coverage to the IRS for Affordable Care Act (Obamacare) compliance, but would be prohibited from using it for anything else. That means that your local doctor’s office would never need SSN at all – which is a major reduction in the points of failure.

Credit bureaus are going to have a challenge. They will need to develop some sort of identification system themselves. The good news is that most of it is in place – when you get a credit freeze, they issue you a secret authentication token. You use that to unlock credit when you want someone to be able to get a copy of your report. We should grant them antitrust immunity so they can jointly develop a Credit Identification Number system to replace SSN for their use, and then issue that – and an authentication code – to everyone in the database, and retire SSN from use.

It’s a lot of work, it’s not cheap to do, and there’s a ton of details and nuances (like not allowing easy-to-guess security questions as part of an authentication reset system) that have to be worked out.    But with at least 1 in 5 SSN’s is already exposed [Edited – essentially all SSN’s as of 9/2017], it’s long past time to do the hard work.

Friday Photo – In honor of the breach, monsters at the gate – Urquhart Castle & Loch Ness

By

In honor of the big breach this week, I went through the archives looking for an image of a castle in ruins.  Couldn’t have found a more apropos image than this one of Castle Urquhart and Loch Ness.   There be monsters here!

Much of our security infrastructure is based on building a controlled perimeter, much as the engineers of Urquhart did on the shoreline.  That’s important for sure, but what happens once your walls are breached, the bad guys are inside?    Are you only relying moats and castles to protect your critical assets, or do you have watchtowers, patrols, and a garrison stationed inside, ready to respond?

Something to think about when the monsters come.