[BreachExchange] Post Breach Identity Theft Monitoring: Too Little Too Late

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 13 19:21:59 EDT 2017


http://www.securityweek.com/post-breach-identity-theft-monitoring-too-little-too-late

We have all seen this story play out so many times: A company suffers a
massive breach exposing thousands or millions of its customers' personal
information, which effectively compromises trust in the organization and
its established security methods. The company responds by talking about
how incredibly sophisticated the attackers were, and then it offers
identity or credit monitoring services to the victims. Providing this
service makes the company look like it is taking care of its customers, but
it is really just a cheap PR ploy with little effect. I rant and rave in my
cubicle every time this happens.

First, we all know that the company’s information was actually taken by a
basic phishing attack using well-known exploits. Second, we know, and they
know, that the protection the company is offering will do almost nothing to
help their affected customers. The public should demand more.

Consider what these monitoring services actually do. While there are many
different vendors, they all provide the same basic set of services:
monitoring and insurance. In some cases, they partner with major security
companies to provide the same protection that you can usually get for free
elsewhere.

To help detect a criminal using the stolen information for some nefarious
purpose, a monitoring service will watch credit reports and public records
for changes. If the criminal applies for a new credit card or takes out a
loan, it will show up. Similarly, if a new address appears in the public
records, it will trigger an alert. Regardless, at this point, the victim
has already been defrauded, and the damage has been inflicted. The victim
will need to start the work of unwinding these changes and trying to
protect and restore their credit ratings. While many of these monitoring
services come with insurance to cover the actual costs of recovery, most
never actually make up for the inconvenience and trouble.

The real problem is that credit-based attacks are infrequent when compared
to other crimes following a major breach. Use of stolen credit cards,
phishing, and account takeover are far more prevalent, yet they are
essentially invisible to the monitoring program.

In some cases, the problem is even worse and the stolen information can be
used in much more dangerous ways. The OPM breach is a perfect example of
this. Very sensitive information about millions of highly cleared
government workers was stolen, probably by a team associated with the
Chinese government. The people who were exposed are extremely vulnerable to
being targeted in attacks against our national security. Anyone with access
to this data could create fantastically effective spear phishing campaigns
and would know the connections and relationships that could best be
exploited to access the information and organizations they want.

What did the government provide to these victims to protect them from
sophisticated nation state attackers with strategic intent? Identity theft
protection.

This will not do.

Victims deserve a response that will actually make them safe. Organizations
need to offer tools and services that provide real protection against
likely damages. I see three protections that would be of real help to
people after a breach.

Replacing stolen credit card information is painful and, currently, there
are no services to really help people update their information with every
merchant that has it. As new forms of payment are deployed this may become
easier, but for now, it is crying out for a good solution.

Protecting against account hijacking is also difficult, but increasing
numbers of businesses support multi-factor authentication, particularly
ones of high importance like banks and brokerages. With multi-factor,
simply stealing the username and password is not enough to access the
account. An additional factor, like a token generator on your phone or an
SMS message, needs to be involved. Attackers get around this by using a
phishing attack to hijack your accounts right from your computer. Phishing
attacks are the key to getting it all. Attackers use the stolen data to
send a very believable message to the victim with a link to a web page.
That page will typically install malware on the user's computer, which
allows passwords to many websites to be stolen and enables real-time
hijacking of all their sessions.

Often, security professionals blame users for clicking on these links, but
especially in the case of breach victims these are untrained individuals
who are largely unaware of the possibility of being attacked. These attacks
can be very hard to detect because the attackers have access to enough
information to make the phishing emails look very realistic.

This is the area where breached organizations can provide real value to
their customers who have been exposed. Next generation tools that are
effective at stopping malware can make a great difference. Even better are
solutions that ensure hostile websites are unable to breach the user’s
computer at all. Effective isolation solutions would insulate victims from
a large fraction of the consequences of a breach, which is much better than
being told that your personal information has been used in a credit fraud
months after the fact.

In addition to basic credit monitoring, breached companies need to get
ahead of the attacks and start providing security solutions that actually
protect the victims before they are victimized again.