Losing the Privacy War - National CyberWatch Center · 2017-12-15
TRANSCRIPT
LOSING THE PRIVACY WAR
Dr. Margaret Leary, CIPP/G, CISSP, C|EH
Agenda
• Equifax Breach
• Issues with the Use of PII for Identity Authentication
• Recommendations
http://www.wrcbtv.com/story/36358092/the-one-move-to-make-after-equifax-breach
Equifax Breach Timeline
• March 29 to April 17: Equifax's TALX payroll division hacked
• Mid-May, 2017: Attackers breach Equifax
• July 29: Equifax discovers the breach and stops the intrusion
• Aug. 1 and 2: Three top execs sell off $2 million worth of stock
• Sept. 7: Equifax discloses the loss of 143 million consumers' records. The breach included names, SSNs, birthdates, addresses, some driver's license numbers, and credit card data
• Sept. 8: Sen. Warren chastises Equifax for trying to push customers into arbitration
• Oct. 2: Review by Mandiant increases the number affected to 145.5 million (U.S.-only databases) plus about 8,000 Canadians
• Oct. 24: The UK's Financial Conduct Authority (FCA) is investigating Equifax for the 400,000, oops... now 694,000 British people affected
The Technical Details
• Attackers entered through a Web-application vulnerability in Apache Struts, CVE-2017-5638, for which a patch had been released two months prior (granted, the patch was labor intensive and involved rebuilding all Web apps that used the buggy code)
• Equifax had two months to patch, prior to exploitation, and chose not to do so
• Other issues that might have contributed relate to privilege escalation, or to the attacker not even needing to escalate. Previously, Brian Krebs had reported that a web portal for handling credit-report disputes in Argentina used admin/admin credentials
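The detection side of the Struts point, as an added example that is not part of the original presentation: CVE-2017-5638 was triggered by an OGNL expression placed in the Content-Type header of a request reaching the Jakarta Multipart parser, so a request log that records that header can be swept for the expression delimiters and OGNL variable names that appear in the publicly documented payload shape. The log format (an Apache-style line with the Content-Type request header appended in quotes) and every log line below are constructed for this example and describe no real deployment; the OGNL-shaped values are inert stand-ins, not working payloads.

```python
"""Flag CVE-2017-5638-style OGNL probes in web-server request logs.

Added example, not code from the presentation. The log format and the
sample lines are constructed; the marker strings are the delimiters and
OGNL context variables seen in public payloads for this bug.
"""
import re
from urllib.parse import unquote

# Strings that appear in OGNL-injection payloads but never in a legitimate
# media type: expression delimiters and well-known OGNL context variables.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext@|#context\[", re.IGNORECASE
)

# Assumed custom log format: <ip> "<request line>" <status> "<Content-Type>"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)


def is_ognl_probe(content_type: str) -> bool:
    """True when the Content-Type value carries an OGNL expression."""
    # Decode once so a URL-encoded "%25{" does not slip past the regex.
    decoded = unquote(content_type)
    return OGNL_MARKERS.search(decoded) is not None


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return (ip, request line, raw Content-Type) for each line that looks like a probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_ognl_probe(rec["ctype"]):
            hits.append((rec["ip"], rec["request"], rec["ctype"]))
    return hits


# Constructed sample log. The OGNL-shaped values only mimic the delimiter and
# variable names; they are not working payloads.
SAMPLE_LOG = [
    '203.0.113.7 "POST /upload.action HTTP/1.1" 200 '
    '"%{(#_=\'multipart/form-data\').(#probe=\'struts\')}"',
    '198.51.100.2 "POST /upload.action HTTP/1.1" 200 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '192.0.2.9 "GET /index.action HTTP/1.1" 200 "-"',
    '203.0.113.7 "POST /upload.action HTTP/1.1" 500 "%25{#_memberAccess}"',
]

if __name__ == "__main__":
    for ip, request, ctype in scan(SAMPLE_LOG):
        print(f"probe from {ip}: {request} Content-Type={ctype}")
```

Run over the constructed sample, the two requests from 203.0.113.7 are flagged and the legitimate multipart upload is not. The URL-decode step matters: the second probe arrives percent-encoded and would otherwise escape a literal match on `%{`. A hit on a host whose Struts version predates the fix is an indicator that the patch window described above has already been used against you.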
Counting the Cost... Profit to Equifax
• End result is that the FTC, SEC, and multiple states will be lining up to fine and prosecute
• Based on industry averages, likely to cost tens of millions of dollars (Hall, 2017).
• Equifax loses 143 million records, and provides free credit monitoring services for 12 months.
• But... wait... Equifax sells credit monitoring services ($29.95 per month). How much will it really cost them to provide their own service, TrustedID Premier, for a year "for free"?
• How many of these subscribers will then renew their subscription services at the end of the period?!?
• If only 1% of victims (1.43 million) subscribe after the initial free year, that represents 1.43 million x $29.95, about $42.8 million per month, or $514 million per year.
The REAL Issue
• Did Equifax really do identity management a favor by releasing this information?
• How will a Federal Breach Notification bill inadvertently benefit data aggregators, who are the majority of the lobbyists behind asking for a Federal bill?
• At stake is a "KBA" (Knowledge-Based Authentication) industry worth billions of dollars
Knowledge-Based Authentication (KBA)
• Authentication protocol that uses security questions based on data aggregated about the individual, including:
  • Favorite teacher?
  • SSN*
  • DOB*
  • Name of first pet?
  • Who holds your mortgage?
  • How much did you finance your car?
  • Square footage of your house?
  • Mother's maiden name
• Service providers (Acxiom, Equifax, LexisNexis, Experian, etc.) provide KBA services to businesses and to state and federal agencies, including to VitalChek for birth certificates ("breeder docs")
* Identity attributes marked with an asterisk (shown in red on the original slide) are those that were lost in the Equifax breach
The Issues with KBA (Pseudosecrets)
• It was never intended that this information be kept private!!!
  • Social media sites
  • Guessable
  • Discoverable
  • Hacked!!
• Yahoo! breach in 2013 (revealed in 2016) lost more than 1 billion user accounts, including security questions and answers
• In 2015, hackers accessed the IRS's Get Transcript program (SSNs, etc.), which used KBA, to download income tax returns and file fraudulent returns
• NIST no longer allows its use as an authentication protocol for Federal agencies (SP 800-63-3, June 2017)... unfortunately, it is still used to authenticate identity on online applications for credit, which commoditizes these pseudosecrets.
Discoverability of Pseudosecrets
• My 2008 study analyzed 6,598 public records sites containing identity attributes to determine the frequency with which they can be discovered in public records, calculating a "discoverability index"
• Property records yielded the greatest number of identity attributes, followed by arrest records (including physical attributes and photos), then court records.
• Results confirmed a moderate correlation between FTC-reported ID theft rates and the numbers of public records/contents published by state (some counties publish birth certs of living individuals with mother's maiden name).
Comparative Discoverability of Identity Attributes from Online Public Records (not Social Media)

Identity Attribute              Index
Name                            .30
Home Address                    .17
DOB                             .14
Physical description            .08
Property value                  .08
Property tax                    .08
Square footage of residence     .08
Place of Birth                  .02
Birth Year                      .02
Driver's License Number         .01
VIN                             .01
Home phone number               .01
Mother's Maiden Name            .01
Discoverability
• Question: If I posted a file of Social Security Numbers on my Web site (let's say, ten or twenty thousand of them), have I committed a crime, or can this lead to identity theft?
• No... it's just a list of numbers. PII is personal data that uniquely identifies an individual.
Identity Data Aggregation
• Daniel Solove long ago described a problem with data aggregation where, in isolation, a piece of information may not be invasive, but when amassed, the pieces form a "digital dossier" on the victim (Solove, 2003)
• Using public records, I've compiled dossiers including VIN, DOB, name, address, and house value, allowing me to calculate DTI and, hence, likely salary within 10 minutes
The Problem with Aggregation
Latanya Sweeney, k-anonymity: a model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5), 2002; 557-570.
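Solove's aggregation point and Sweeney's k-anonymity model, carried through on data as an added example that is neither the presentation's nor Sweeney's code: a de-identified release (names stripped) is joined to a voter-roll-style public record on the classic quasi-identifiers (date of birth, ZIP code, sex), and k is computed as the size of the smallest equivalence class at each level of generalization. Both tables are constructed for this example; the names, dates, ZIP codes and incomes are invented and the generalization levels are an illustrative choice.

```python
"""Quasi-identifier linkage and k-anonymity on constructed records.

Added example, not from the presentation or from Sweeney's paper. RELEASED
is an invented de-identified dataset with names removed; PUBLIC is an
invented voter-roll-style public record with names. Both keep the classic
quasi-identifiers: date of birth, ZIP code, sex.
"""
from collections import Counter

RELEASED = [
    {"dob": "1979-03-12", "zip": "20815", "sex": "F", "income": 81000},
    {"dob": "1979-06-30", "zip": "20815", "sex": "M", "income": 62000},
    {"dob": "1979-11-02", "zip": "20817", "sex": "F", "income": 95000},
    {"dob": "1979-01-19", "zip": "20817", "sex": "M", "income": 54000},
    {"dob": "1981-08-08", "zip": "20814", "sex": "F", "income": 73000},
    {"dob": "1981-04-25", "zip": "20814", "sex": "M", "income": 66000},
    {"dob": "1981-12-01", "zip": "20816", "sex": "F", "income": 88000},
    {"dob": "1981-09-14", "zip": "20816", "sex": "M", "income": 59000},
]

PUBLIC = [
    {"name": "Alice", "dob": "1979-03-12", "zip": "20815", "sex": "F"},
    {"name": "Bob",   "dob": "1979-06-30", "zip": "20815", "sex": "M"},
    {"name": "Carol", "dob": "1979-11-02", "zip": "20817", "sex": "F"},
    {"name": "Dave",  "dob": "1979-01-19", "zip": "20817", "sex": "M"},
    {"name": "Erin",  "dob": "1981-08-08", "zip": "20814", "sex": "F"},
    {"name": "Frank", "dob": "1981-04-25", "zip": "20814", "sex": "M"},
    {"name": "Grace", "dob": "1981-12-01", "zip": "20816", "sex": "F"},
    {"name": "Hank",  "dob": "1981-09-14", "zip": "20816", "sex": "M"},
]


def generalize(row, level):
    """Quasi-identifier tuple for a row at a given generalization level.

    level 0: exact date of birth, 5-digit ZIP, sex
    level 1: birth year, 3-digit ZIP prefix, sex
    level 2: birth year, 3-digit ZIP prefix (sex suppressed)
    """
    if level == 0:
        return (row["dob"], row["zip"], row["sex"])
    if level == 1:
        return (row["dob"][:4], row["zip"][:3], row["sex"])
    return (row["dob"][:4], row["zip"][:3])


def k_anonymity(rows, level):
    """Size of the smallest equivalence class: the k in k-anonymity."""
    return min(Counter(generalize(r, level) for r in rows).values())


def link(public_row, released, level):
    """Released rows whose generalized quasi-identifiers equal the public record's."""
    key = generalize(public_row, level)
    return [r for r in released if generalize(r, level) == key]


def reidentify(public, released, level):
    """name -> income for every public record that links to exactly one released row."""
    found = {}
    for p in public:
        matches = link(p, released, level)
        if len(matches) == 1:
            found[p["name"]] = matches[0]["income"]
    return found


if __name__ == "__main__":
    for level in range(3):
        k = k_anonymity(RELEASED, level)
        exposed = reidentify(PUBLIC, RELEASED, level)
        print(f"level {level}: k={k}, re-identified={len(exposed)} {exposed}")
```

At level 0 the release is 1-anonymous and every one of the eight "anonymous" incomes is tied back to a name by the join, which is the dossier effect in miniature: neither table is sensitive alone. Coarsening date of birth to year and ZIP to its 3-digit prefix gives k=2 and the join no longer yields a unique match; suppressing sex gives k=4. The cost is utility: the coarser the release, the less it says about anyone.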
Correlating Discoverable Attributes to Identity Theft Rates
• According to the FTC, tax-related fraud (34%) was the most common reported form of identity theft, followed by credit card fraud (33%), phone or utilities fraud (13%), and bank fraud (12%)
• Previous study results (Leary, 2008) demonstrated that states publishing greater numbers of public records tended to have higher identity theft rates
• Ten (67%) of the states with the highest ID theft rates in 2017 were in the top 15 in 2008 (marked in red on the original slide)
• Identity theft complaints actually dropped 3% from 2015 to 2016; however, we are talking about a drop from 3,140,803 to 3,050,374
• 2017 states with the highest rates included:
  1. Michigan
  2. Florida
  3. Delaware
  4. California
  5. Illinois
  6. Connecticut
  7. Maryland
  8. Missouri
  9. Nevada
  10. Arizona
  11. Georgia
  12. Texas
  13. Rhode Island
  14. Washington
  15. Colorado
So How Privacy Savvy Are You?
• Do you provide "real" information for shopper loyalty cards, such as at Food Lion or Safeway?
• Do you provide your real SSN at doctors' offices (is it required to do so)?
• Do you provide your kids' real SSNs at their schools? Is it required?
• Do you answer authentication questions truthfully at a Web site, so you can recover a lost password?
• Do you use a free online service (Gmail, Facebook, etc.)?
• Which is safer, shopping online, or eating out at a restaurant and paying with your credit card?
You Get What You Pay For
"All users of email must necessarily expect that their emails will be subject to automated processing. Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient's [email provider] in the course of delivery. Indeed, 'a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.'"
Google court filing, August 2013, quoted in Mick, Jason (2013), "Google: Yes, we 'Read' Your Gmail"
• Feeling glad that you aren't one of the 425 million Gmail users? Don't be: have you sent an email to a Gmail user?
Facebook
• Facebook's Terms of Use specify that, while you "own" all content and information you post, you grant them a non-exclusive, transferable, sub-licensable, worldwide license to use all IP content that you post on or in connection with Facebook.
• U.S. courts have confirmed that if the data is voluntarily shared with another, then it can be posted publicly
• Important for people to understand that even privatized information on Facebook is collected and sold by Facebook to their business partners and to Federal agencies
Who Collects Your PII?
• When surveyed, companies state that your data is their most valuable asset!
• 2010: Acxiom stated they had more than 32 billion data records
• Banks and credit card companies
• Retail store owners who sell sales records
• Smart TVs
• Location data with IoT
• Barbies (Hello Barbie)
• Smart phones
• Your clothes (formerly "spy chips", now inventory tags)
• RFID chips in people?
FlatOrb advertises that it tracks your product AND your staff
Who Purchases These Services?
• Banks! (20-40% of login services purchased from data aggregators) (Brainard, 2017)
• Credit card companies
• Scammers
• Federal Government, circumventing the Privacy Act of 1974 and other OMB Memorandum restrictions on the collection of PII from citizens
• In 2013, the Senate Commerce Committee reported that of nine data aggregator companies investigated, three refused to divulge their data sources and one, Experian, also refused to name its customers.
So What About Breach Notification Laws?
• Immediately following the Equifax breach, multiple members of Congress pushed for a Federal Breach Notification bill. But will that resolve the problem?
• There are NO federal laws governing the breach of PII (thank heavens)
• There are 48 different state laws (Alabama and South Dakota do not have one, as of this talk)
• There are regulations (e.g., HIPAA) governing certain industries
• The FTC is the largest privacy enforcement agency for consumers
So Is All Lost?
• It won't resolve until we quit using pseudosecrets to grant instant credit, removing the financial incentive for the commoditization of personally identifiable information.
• Identity-proofing standards need to be changed: "identity" needs to be assigned at birth (e.g., as with India, which has one of the world's largest biometric databases of iris and fingerprint scans of citizens)
• NEC has developed a fingerprint scanner for babies 6 months or older with 99% accuracy
So What Can We Do?
• Lies, lies, and more lies:
  • Do not provide "real" answers to secrets at Web sites
  • Do not provide your "real" SSN unless required to do so by the IRS or SSA (or if you are applying for credit)
  • Do not provide "real" information when applying for shopper loyalty cards
  • Do not submit warranty registrations
End User Licensing Agreement (EULA)
http://www.apple.com/legal/itunes/appstore/dev/stdeula/
Don't Lock Your Credit - Freeze Your Credit!
• Credit monitoring is worthless, inasmuch as it is reactive, not proactive.
• A bureau "lock" is a product governed by the bureau's own terms of service; a freeze is a legal right, with statutory rules on how and when it is lifted.
• Freeze your credit at all three reporting bureaus:
  • http://freeze.Equifax.com
  • https://www.experian.com/freeze/center.html
  • https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp?_ga=2.162593972.943287138.1508890153-1213262464.1508890153
• Usually costs a small fee (up to $20) at each bureau (the fees applied when this talk was given; since September 2018, federal law requires the bureaus to place and lift freezes free of charge)
• Understand that these companies will attempt to steer you/scare you away from freezing your credit, as having access to your data to sell to others is how they make their living
Imagefromhttps://www.creditcards.com/credit-card-news/credit-report-freeze-1282.php
References
• Brainard, Governor Lael (2017). "Where Do Banks Fit in the Fintech Stack?" Speech presented at the Northwestern Kellogg Public-Private Interface Conference on "New Developments in Consumer Finance: Research & Practice". https://www.federalreserve.gov/newsevents/speech/brainard20170428a.htm
• Hall, Christine (2017). "How Much Will the Data Breach Cost Equifax?" Available from http://www.datacenterknowledge.com/business/how-much-will-data-breach-cost-equifax
• Leary, Margaret (2008). "Quantifying the Discoverability of Identity Attributes in Internet-Based Public Records: Impact on Identity Theft and Knowledge-Based Authentication." Available from ProQuest.
• Solove, Daniel J. (2003). Access and aggregation: public records, privacy, and the constitution. Minnesota Law Review, Vol. 86, No. 6, 1137, 1184-95. Available from http://www.law.gwu.edu/facweb/dsolove/