Who are you?
Another day, another breach. Well, not so fast. Not this time. The Equifax breach may not be the largest breach in history, impacting “potentially” 143 million U.S. consumers, but per the company’s press release, cyber criminals accessed databases containing consumers’ names, Social Security numbers, birth dates, addresses, and possibly driver’s license numbers. Additionally, credit card numbers for “approximately 209,000 U.S. consumers” and files with personally identifying information (PII) on “approximately 182,000” more U.S. consumers were also compromised. Some UK and Canadian residents may also have been impacted.
What makes this breach so special, then? Companies issuing breach notifications has become commonplace, almost expected. Why should consumers care more this time? Because, says Tammy Moskites, CISO of Venafi, cyber criminals have accessed “the mega-superstore of customer data.” Everything a criminal would need to steal someone’s identity, drain bank accounts, and commit further criminal acts is contained inside this one payload. “If I were a criminal,” she says, putting on her fictional black hat, “where would I go to get all the data on someone I could possibly get—data that is checked and validated by consumers themselves on a regular basis? One of the major credit reporting agencies would be the place to go!”
As a result, this is bigger than Home Depot, Target, or Anthem. It’s lousy enough to get one’s credit card, email address, or other basic PII stolen, but much of that data is already readily available on the web if you know where to look. Having that data in the hands of criminals can be frustrating, upsetting, and troublesome, but (for the most part) the damage is short term. Credit cards can be cancelled. Passwords and usernames to breached accounts can be easily changed. And, yes, Social Security numbers can be changed, too, when push comes to shove.
I woke up in a Soho doorway
The main factor with the credit bureau’s breach, though, is that so much validated consumer identity information was provided in one neat little package. With everything handed over to the criminals, it’s trivial for them to access and set up all kinds of accounts in victims’ names. This isn’t like having your credit card stolen and having to deal with the credit card company to prove you didn’t make or authorize certain transactions. This is about large-scale identity theft and the implications thereof.
Oh, right—I almost forgot: Equifax is one of the “big three” whose sole purpose of existence is to protect consumers from having identities and financial futures stolen.
A policeman knew my name
Bill Dean, Senior Manager of LBMC Information Security Services, where he is responsible for incident response, digital forensics, and electronic discovery, feels that the Equifax breach is the worst in history to date, based on the type of data that’s been stolen in one fell swoop. U.S. consumers have proven time and again that they’re not overly concerned about privacy and cybersecurity (and at some point one has to stop and wonder if they’re right to an extent—all of our data is all over the dark web anyway), but this is primarily because we haven’t seen harsh ramifications. However, ask anyone who has had his or her identity stolen how they feel about security and privacy and you’ll likely hear that person singing a different tune.
“You can’t turn off your identity,” says Dean, as he considers the fallout from this breach. The average consumer may not realize it yet, but “This data offers the opportunity for criminals to replicate a person, completely take over an identity.” Which should be nothing short of terrifying. The problem is that we’ve all gotten so used to handing over any sensitive data that’s requested of us. We type it into forms, we write it down on sheets of paper, we email it in clear text, we provide it for access to apps. And most of the time we don’t know what the party to which we’ve just handed over our data is doing with that data. How are they using it? Are they sharing it? Selling it? Don’t know. Don’t care. (Don’t believe me? How much pushback did the FCC get on its recent ISP ruling? Exactly.)
The fact is, all that data is out there anyway. No, really. It is out there! Your Social Security number, name, address, phone number, driver’s license…it’s all available on the web, and any moderately clever hacker can find it. It’s already available, so why is the Equifax breach such a big deal? Because all of this information that consumers provide flagrantly can be procured and used by criminals to take out mortgages, file tax returns, open or close bank accounts, access funds in those accounts, apply for jobs, buy expensive goods and services, and do all sorts of irresponsible things without leaving an easy trail to follow.
“Imagine,” says Dean, “applying for a mortgage with all of your own personal information only to find out that there are other, highly-leveraged mortgages written in your name with your Social Security number attached? How about learning you have no money in your retirement account because ‘you’ withdrew it six weeks ago?” What happens when you can’t access your $15,000 tax return rebate because someone else has already kindly taken that check off your hands? Or if your kid can’t apply for financial aid for college because your credit score is now at 600 due to identity theft?
He said you can go sleep at home tonight
This is all real life, and yet, as a society, we allow this to happen because personal and sensitive information continues to be used as an authenticator when, in fact, it should be treated no differently from people’s names or email addresses. SSNs, birth dates, and mother’s maiden name shouldn’t be considered the verification that a person is who she says she is. I can find that info online in short order. And I have a music degree. (What? PII? Nope—you can see that on LinkedIn.)
As an industry, security practitioners need to start stepping up to the plate and demanding that actual secrets be used as verifiers. Your Social and date of birth can still be used as identification, but no one should be able to open an account with information that can be searched online. (If you think only hackers can find information online, you obviously don’t have friends with master’s degrees in library science.)
Moskites was absolutely right in her comments: cyber criminals have hit the jackpot with this breach. They’ve accessed everything they need to commit large-scale, long-term identity theft. And not because they exploited a common vulnerability in the website, which allowed them to access the database, but because the data in the database shouldn’t be used by businesses as both personal identifiers and verifiers. “I am who I say I am so therefore I am permitted to open a new credit card account or buy an expensive car.” Nope.
But that’s not security! That’s a business decision!
If you can get up and walk away
Security is part of the business. It’s 100% security’s job to help business understand the risks of collecting, using, and storing personal data, and it’s also security’s place to advise on methods to lessen business risk through data security. At present, too much value is placed on PII. That’s a procedural failing.
The Equifax breach could ruin people’s lives. Literally. Which is why it is not just another “oops” that can be resolved through a bit of free third-party credit monitoring and a class action lawsuit. Although we’re not going to know for a very long time the extent of the damage, hopefully this breach is a signal to security practitioners that our approach to protecting identities needs to change. We talk about two-factor and multi-factor authentication on accounts all the time; where is the 2FA/MFA on identity verification? At present, it’s just another identifier that’s posted in a dark web forum. There is no true 2FA/MFA verification process for identity. More identity doesn’t verify identity.
But I lived at 4 Privet Drive growing up! Yeah, found that in a cached Facebook post from 2009.
Adding more security controls around websites and databases won’t solve this problem. Not entirely. This problem can only be solved by addressing how we use data to identify/verify/authorize people to systems/accounts/services. Answers can be found in what we already know: additional factors of authentication. As the saying goes, the horse has left the barn, at least as it relates to PII. Now it’s time to ensure access to that PII does not dictate how we can live the rest of our lives.
Businesses do not yet understand this. It’s up to security practitioners to educate peers on the hazards of using data like birth dates and SSNs to both create and access accounts. Security’s job isn’t to merely protect the data the business collects; it’s to contribute to decreasing business risk, and we must apply already-known best practices in information security to achieving this task.
It’s time to stop focusing squarely on technology and start transforming the practice of information (cyber)security into a strategic business function.
Data breaches happen, but how you prepare and react makes all the difference. To learn more about this topic and others that impact your day-to-day role, be sure to visit our Threat Intelligence Summit in Austin, Texas this November, or the highly anticipated InfoSec World Conference in Orlando, Florida in March.