[BreachExchange] Data breach notifications may facilitate identity theft

Destry Winant destry at riskbasedsecurity.com
Wed Aug 22 23:23:55 EDT 2018


https://iapp.org/news/a/data-breach-notifications-may-facilitate-identity-theft/

It is a serious claim that data breach notification letters may
facilitate identity theft. Rather than make an argument for that
position, an explanation of how to accomplish identity theft using a
data breach notification letter will be provided here and publicized
elsewhere. When malicious actors begin performing the exploit, debate
over the proposition reflected in the title will become moot.

The steps are not complicated and may be accomplished by nearly
anyone; technical skills for hacking are not required.

Obtain a copy of a breach notification letter that advertises free
credit monitoring and provides contact information for a credit
monitoring agency that will purportedly provide the service.

Upon a news event proclaiming a data breach of a large retailer,
financial institution, or company that provides payroll or accounting
services to large employers, tailor the letter to appear to be from
the breached entity. If the breached entity is a company that provides
business services, rather than only consumer products, alter the
letter to state that large retailers or employers use the company for
payroll or other accounting services. Many people may readily accept
that some large retailer uses a particular bank in an official-looking
letter, because there may be no way for consumers to readily ascertain
otherwise.

In the contact information for the credit monitoring agency, put the
website address for your own website – something that appears (at
least superficially) to be legitimate and a phone number that will be
forwarded somewhere outside the U.S. legal jurisdiction.

Create a website that appears legitimate and both refers website
visitors to your special phone number and also conveniently permits
visitors to enter personal data in order to start their “free credit
monitoring service” right away.

Staff a call center where the phone number rings, with people trained
to act as customer service representatives of the credit monitoring
agency.

Purchase a list of addresses, such as those commonly sold for direct
mail advertising campaigns. Expect to pay more for lists that are
advertised as having a higher rate of response. If possible, perhaps
select a list that may be at least somewhat tailored geographically or
demographically to coincide with likely customers of the breached
entity or a retailer (which you had asserted in the letter to be a
customer of the breached entity).

Mail your breach notification letter to the addresses on the list, and
wait for the phone calls to start coming in.

Some consumers may investigate whether a breach had actually occurred.
This is why it may be beneficial to send out your own letter under the
cover of a legitimate breach event. When the consumers (who did bother
to investigate) see news of the breach on the internet, they may be
more likely to trust your letter and respond to your invitation to
divulge important information.

When your call center receives phone calls from panicked recipients of
the letter, take in their personal information. Your call center staff
may request all personal information that is necessary to perform
credit monitoring and “verify” the callers’ identities. The callers
will likely provide all the information necessary to accomplish a
first-rate identity theft, without suspicion.

Why will this work?

Because your data breach notification letter will not urge the
recipients to independently obtain the contact information for the
credit monitoring agency by themselves. The serious problem here is
that the consumers may have already received prior breach notification
letters (from earlier breaches in which they were victims) – and most
likely none of those letters urged the recipients to independently
obtain the contact information, either.

A fundamental security concept is that an initial notification of an
alleged security incident (or risk), and critical information
regarding remediation resources, should arrive through different
channels. Such a protocol can reduce the likelihood that a single
compromise of one communication channel can induce someone to take
actions that may be problematic. Unfortunately, however, many common
data breach notification rules (whether law or regulation) mandate
that the contact information for credit reporting agencies be included
in the communication to breach victims. Companies (and vendors
providing notification services) simply have no choice.

Although the intent is clearly for the victims’ convenience, the
result is not entirely harmless: The current content of breach
notification letters is conditioning consumers to become complacent in
a poor security practice, trusting information regarding remediation
within the same correspondence that provided the initial alert
regarding a security incident or risk. Because many consumers have
already seen at least one data breach notification letter, some may
already be conditioned to improperly trust a single notice, and thus
may be more susceptible to the exploit.

A solution, and reversal of the conditioning accomplished thus far, is
not difficult: The requirement that the contact information for a
credit reporting agency be included within breach notifications should
be replaced with a requirement to encourage consumers to obtain the
credit reporting agency’s contact information through independently
verifiable sources. Additionally, it may be helpful to include an
admonition to not trust company contact information found within any
correspondence that arrives unexpectedly (as breach notification
letters often do) in the future, and also a suggestion that consumers
should generally use only contact information that the consumers had
located with their own efforts, prior to disclosing information that
could be used for identity theft.

If the requirement persists to include contact information for a
credit reporting agency within breach notifications, companies that
generate the notifications may wish to conspicuously note that the
information is required by law, and also conspicuously inform
consumers regarding independent verification being the more secure
practice.
