LOSING THE PRIVACY WARDr. Margaret Leary, CIPP/G, CISSP, CE|H

Agenda

• EquifaxBreach• IssueswiththeUseofPIIforIdentityAuthentication• Recommendations

http://www.wrcbtv.com/story/36358092/the-one-move-to-make-after-equifax-breach

EquifaxBreachTimelineMarch29– April17- Equifax’sTALXpayrolldivisionhackedMid-May,2017– AttackersbreachEquifaxJuly29– EquifaxdiscoversbreachandstopsintrusionAug.1and2– Threetopexecssellof$2milliondollarsworthofstockSept.7th – disclosedlossof143millionconsumerBreachincludednames,SSNs,birthdates,addresses,somedriver’slicensenumbers,andcreditcarddataSept.8th – Sen.WarrenchastisesEquifaxfortryingtopushcustomersintoarbitrationOct.2nd - ReviewbyMandiant increasedthenumberaffectedto145.5million– U.S.onlydatabasesandabout8,000CanadiansOct.24th – UK’sFinancialConductAuthority(FCA)isinvestigatingEquifaxforthe400,000,oops….now694,000Britishpeopleaffected.

TheTechnicalDetails

• AttackersenterthroughaWeb-application,ApacheStrutsvulnerability,CVE-2017-5638forwhichapatchhadbeenreleasedtwomonthsprior(grantedpatchwaslaborintensiveandinvolvedrebuildingallWebappsusingthebuggycode)• Equifaxhadtwomonthstopatch,priortoexploitation,andchosenottodoso• Otherissuesthatmighthavecontributedwouldrelatetoprivilegeescalation,orthelackofnecessityfortheattackerhavingtoevendothat.Previously,BrianKrebshadreportedthatawebportalforhandlingcredit-reportdisputesinArgentinausedadmin/admincredentials

CountingtheCostProfittoEquifax

• EndresultisFTC,SEC,andmultiplestateswillbelininguptofineandprosecute

• Basedonindustryaverages,likelytocosttensofmillionsofdollars(Hall,2017).

• Equifaxloses143millionrecords,andprovidesfreecreditmonitoringservicesfor12months.

• But….wait….Equifaxsellscreditmonitoringservices($29.95).Howmuchwillitreallycostthemtoprovidetheirownservice,TrustedID Premier,forayear“forfree”?

• Howmanyofthesesubscriberswill,then,renewtheirsubscriptionservicesattheendoftheperiod?!?

• Ifonly1%ofvictims(1.43million)subscribeaftertheinitialfreeyearthatrepresents- $42.8millionpermonth- $514milliondollarsperyear.

TheREAL Issue

• DidEquifaxreallydoidentitymanagementafavorbyreleasingthisinformation?• HowwillaFederalBreachNotificationbillinadvertentlybenefitdataaggregators,whoarethemajorityofthelobbyistsbehindaskingforaFederalBill?• Atstakeisa“KBA”(Knowledge-BasedAuthentication)industryworthbillionsofdollars

Knowledge-BasedAuthentication(KBA)

• Authenticationprotocolthatusessecurityquestionsbasedondataaggregatedfromtheindividualincluding:• Favoriteteacher?• SSN• DOB• Nameoffirstpet?• Whoholdsyourmortgage?• Howmuchdidyoufinanceyourcar?• Squarefootageofyourhouse?• Mothersmaidenname

• Serviceproviders(Axiom,Equifax,LexisNexus,Experian,etc.)provideKBAservicestoallbusinesses,state,andfederalagencies,includingtoVitalCheck forBirthCerts(“BreederDocs”)

*IdentityattributesinredarethosethatwerelostintheEquifaxbreach

TheIssueswithKBA(Pseudosecrets)

• Neverintendedthatthisinformationbekeptprivate!!!• SocialMediaSites• Guessable• Discoverable• Hacked!!

• Yahoo!Breachin2013(revealedin2016)lostmorethan1billion+useraccounts–includingsecurityquestionsandanswers

• In2015,hackersaccessedIRS’GetTranscriptprogram(SSNs,etc),whichusedKBA,todownloadincometaxreturnsandfilefraudulentreturns

• NISTevennolongerallowsitsuseasanauthenticationprotocolwithFederalagencies…….unfortunately,itisstillusedtoauthenticateidentitytoonlineapplicationsforcredit,whichcommoditizesthesepseudosecrets.

DiscoverabilityofPseudosecrets

• My2008studyanalyzed6,598publicrecordssitescontainingidentityattributestodeterminethefrequencywithwhichtheycanbediscoveredinpublicrecords,calculatinga“discoverabilityindex”• Propertyrecordsyieldedthegreatestnumberofidentityattributes,followedbyarrestrecords(includingphysicalattributesandphotos),thencourtrecords.• ResultsconfirmedamoderatecorrelationbetweenFTC-reportedIDtheftratesandthenumbersofpublicrecords/contentspublishedbystate(somecountiespublishbirthcertsoflivingindividualswithmother’smaidenname).

ComparativeDiscoverabilityofIdentityAttributesfromOnlinePublicRecords(notSocialMedia)

IdentityAttribute Index

Name .30

HomeAddress .17

DOB .14

Physicaldescription .08

Propertyvalue .08

Propertytax .08

Squarefootageofresidence .08

PlaceofBirth .02

BirthYear .02

Driver’sLicenseNumber .01

VIN .01

Homephonenumber .01

Mother’sMaidenName .01

Discoverability

•Question:IfIpostedafileofSocialSecurityNumbersonmyWebsite(let’ssay,tenortwentythousandofthem),haveIcommittedacrimeorcanthisleadtoidentitytheft?

Discoverability

•Question:IfIpostedafileofSocialSecurityNumbersonmyWebsite(let’ssay,tenortwentythousandofthem),haveIcommittedacrimeorcanthisleadtoidentitytheft?• No….itsjustlistofnumbers.PIIispersonaldatathatuniquelyidentifies anindividual

IdentityDataAggregation

•DanielSolovelongagodescribedaproblemwithdataaggregationwhere,inisolation,apieceofinformationmaynotbeinvasive,butwhenamassed,theforma“digitaldossier”onthevictim(Solove,2003)•Usingpublicrecords,I’vecompileddossiersincludingVIN,DOB,name,address,housevalue,allowingmetocalculateDTIand,hence,likelysalarywithin10minutes

TheProblemwithAggregation

LatanyaSweeney,k-anonymity:amodelforprotectingprivacy.InternationalJournalonUncertainty,FuzzinessandKnowledge-basedSystems,10(5),2002;557-570.

CorrelatingDiscoverableAttributestoIdentityTheftRates• AccordingtoFTC,tax-relatedfraud(34%)wasthemostcommonreportedformofidentitytheft,followedbycreditcardfraud(33%),phoneorutilitiesfraud(13%),andbankfraud(12%)• Previousstudyresults(Leary,2008)demonstratedthatstatespublishinggreaternumbersofpublicrecordstendedtohavehigheridentitytheftrates• Ten(67%)ofthestateswiththehighestIDtheftratesin2017,wereinthetop15in2008(inred)• Identitytheftcomplaintsactuallydropped3%from2015– 2016– howeverwearetalkingadropfrom3,140,803to3,050,374

• 2017Stateswiththehighestratesincluded:

1. Michigan2. Florida3. Delaware4. California5. Illinois6. Connecticut7. Maryland8. Missouri9. Nevada10. Arizona11. Georgia12. Texas13. RhodeIsland14. Washington15. Colorado

SoHowPrivacySavvyAreYou?

• Doyouprovide“real”informationforshoppersloyaltycards,suchasatFoodLionorSafeway?• DoyouprovideyourrealSSNatdoctor’soffices(isitrequiredtodoso)?• Doyouprovideyourkids’realSSNsattheirschools?Isitrequired?• DoyouanswerauthenticationquestionstruthfullyataWebsite,soyoucanrecoveralostpassword?• Doyouuseafreeonlineservice(Gmail,Facebook,etc.)?• Whichissafer,shoppingonline,oreatingoutatarestaurantandpayingwithyourcreditcard?

You Get What You Pay For

“Allusersofemailmustnecessarilyexpectthattheiremailswillbesubjecttoautomatedprocessing.Justasasenderofalettertoabusinesscolleaguecannotbesurprisedthattherecipient’sassistantopenstheletter,peoplewhouseweb-basedemailtodaycannotbesurprisediftheiremailsareprocessedbytherecipient’s[emailprovider]inthecourseofdelivery.Indeed,‘apersonhasnolegitimateexpectationofprivacyininformationhevoluntarilyturnsovertothirdparties.”GoogleCourtFilingAugust2013 - Mick,Jason,2013.“Google:Yes,we“Read”YourGmail”• Feeling glad that you aren’t one of the 425 million Gmail

users? Don’t be – have you sent an email to a Gmail user?

18

Facebook• Facebook’sTermsofUsespecifiesthat,whileyou“own”allcontentandinformationyoupost,yougrantthemanon-exclusive,transferable,sub-licensable,worldwidelicensetouseallIPcontentthatyoupostonorinconnectionwithFacebook.• U.S.courtshaveconfirmedthatifthedataisvoluntarilysharedwithanotherthenitcanbepostedpublicly• ImportantforpeopletounderstandthatevenprivatizedinformationonFacebookiscollectedandsoldbyFacebooktotheirbusinesspartnersandtoFederalAgencies

WhoCollectsYourPII?

• Whensurveyed,companiesstatethatyourdataistheirmostvaluableasset!

• 2010:Axiomstatedtheyhadmorethan32billiondatarecords

• Banksandcreditcardcompanies• Retailstoreownerswhosellsalesrecords• SmartTVs• LocationdatawithIoT• Barbies (HelloBarbie)• SmartPhones• Yourclothes(formerly“spychips”,nowinventorytags)

• RFIDChipsinpeople?

FlatOrbadvertisesthatittracksyourproductANDyourstaff

WhoPurchasesTheseServices?

• Banks!(20– 40%ofloginservicespurchasedfromdataaggregators)(Brainard,2017)• Creditcardcompanies• Scammers• FederalGovernment,circumventingPrivacyActof1974andotherOMBMemorandumrestrictionsonthecollectionofPIIfromcitizens• In2013,theSenateCommerceCommitteereportedthatofninedataaggregatorcompaniesinvestigated,threerefusedtodivulgetheirdatasourcesandone,Experian,alsorefusedtonameitscustomers.

SoWhatAboutBreachNotificationLaws?

• ImmediatelyfollowingtheEquifaxbreachmultiplemembersofCongresspushforaFederalBreachNotificationbill.Butwillthatresolvetheproblem?• ThereareNO federallawsgoverningthebreachofPII(thankheavens)• Thereare48differentstatelaws(AlabamaandSouthDakatadonot)• Thereareregulations(i.e.HIPAA)governingcertainindustries• FTCisthelargestprivacyenforcementagencyforconsumers

SoIsAllLost?

• Won’tresolveuntilwequitusingpseudosecrets tograntinstantcredit,removingthefinancialincentiveforthecommoditizationofpersonally-identifiableinformation.

• Identity-proofingstandardsneedtobechanged– “identity”needstobeassignedatbirth(i.e.aswithIndia,whichhasoneoftheworld’slargestbiometricdatabasesofiris’fingerprintscansofcitizens)

• NEChasdevelopedafingerprintscannerforbabies6monthsorolderwith99%accuracy

SoWhatCanWeDo?

• Lies,lies,andmorelies:• Donotprovide“real”answerstosecretsatWebsites• Donotprovideyour“real”SSNunlessrequiredtodosobytheIRSorSSA(orifyouareapplyingforcredit)• Donotprovide“real”informationwhenapplyingforshopperloyaltycards• Donotsubmitwarranties

End User Licensing Agreement (EULA)

25http://www.apple.com/legal/itunes/appstore/dev/stdeula/

Don’tLockYourCredit- FreezeYourCredit!

• Creditmonitoringisworthless,inasmuchasitisreactive,notproactive.• Freezeyourcreditatallthreereportingbureaus:• http://freeze.Equifax.com• https://www.experian.com/freeze/center.html• https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp?_ga=2.162593972.943287138.1508890153-1213262464.1508890153• Usuallycostsasmallfee(upto$20)ateachbureau• Understandthatthesecompanieswillattempttosteeryou/scareyouawayfromfreezingyourcredit,ashavingaccesstoyourdatatoselltoothersishowtheymaketheirliving

Imagefromhttps://www.creditcards.com/credit-card-news/credit-report-freeze-1282.php

References• Braninard,GovernorLael(2017).“WhereDoBanksFitintheFintechStack?”SpeechpresentatedattheNorthwesternKelloggPublic-PrivateInterfaceConferenceon"NewDevelopmentsinConsumerFinance:Research&Practicehttps://www.federalreserve.gov/newsevents/speech/brainard20170428a.htm

• Hall,Christine(2017).“HowMuchWilltheDataBreachCostEquifax?”.Availablefromhttp://www.datacenterknowledge.com/business/how-much-will-data-breach-cost-equifax

• Leary,Margaret(2008).“QuantifyingtheDiscoverabilityofIdentityAttributesinInternet-BasedPublicRecords:ImpactonIdentityTheftandKnowledge-BasedAuthentication.“AvailablefromProquest.

• Solove,DanielJ.(2003).Accessandaggregation:publicrecords,privacy,andtheconstitution,MinnesotaLawReview,Vol.86,#6,1137,1184-95.Availablefromhttp://www.law.gwu.edu/facweb/dsolove/