The recently published 2012 Internet Security Threat Report from Symantec offers a deep and sometimes chilling insight into the world of cybercrime, the crooks, and the victims.
The report is pretty comprehensive but one of the first snippets to jump out at me was Symantec’s discovery that the largest growth area for targeted attacks in 2012 was the small business. Businesses with fewer than 250 employees accounted for nearly a third of all attacks detected by Symantec. And that was double the previous year.
Yet another clear sign that the small business is a hot target for hackers. According to Symantec, “small businesses believe they are immune to attacks targeted at them. However, money stolen from a small business is as easy to spend as money stolen from a large business. And while small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property, and keep money in the bank.”
Small business owners have argued for years that they can simply hide in the crowd because there are so many of them (27 million in the U.S. alone), and hackers will never find them. They forget, though, that hackers use sophisticated automated tools to prod and probe millions of small businesses, and pounce on the many they find vulnerable.
Those vulnerabilities can lead to data and identity theft, the distribution of malware and ransomware, the launch of crippling Denial of Service attacks, and even the blacklisting of the business web site by search engines.
Symantec also made another argument that could point to the selfishness of some business owners when it comes to security: even if you won’t do it for yourself, do it for others. “The lack of adequate security practices by small businesses threatens all of us,” says Symantec. “Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small business that has a business relationship with the attacker’s ultimate target, using the smaller company to leap frog into the larger one.”
In the coming weeks I’ll be highlighting even more research that reveals the stunning number of small business web sites that are identified with major security vulnerabilities each month, and evidence that hackers are actively hijacking these sites.
Yesterday I received a call from a victim of identity theft who had been informed through one of those now-common data breach notification letters that thieves had obtained her personal information and she could be a victim of identity theft.
The letter came from a Southern California healthcare company called Crescent Healthcare, owned by pharmacy giant Walgreens. According to the letter, the stolen information could include her Social Security Number, along with her name and address, phone numbers, and her date of birth. And as if that wasn’t enough to worry about, the thieves may have also stolen her medical records and health insurance information.
Although she was now panicked at the thought of how much damage this information could do to her credit and her life, she got little comfort from the letter. No further information, no web site to answer questions, no hotline number for victims, and no offer of any identity protection or credit monitoring.
She was, however, given the phone number of one of the credit bureaus who would gladly freeze her credit for a fee of $10 – for each credit bureau. That’s hardly a robust response to a data breach, given that any consumer in the country can freeze their credit reports for a fee.
According to the victim, the credit bureau did offer to waive the fee if she could produce a police report to verify she was indeed a victim – again, a right every consumer has. The problem with that request is two-fold: because she doesn’t yet know if she’s a victim of identity theft and not just a data breach, her police department refuses to take a report. As far as they’re concerned, she has yet to be the victim of a crime.
Even if she could get a police report, it would probably take a couple of weeks. Then she’d have to mail the report, along with a bunch of other information, to each credit bureau to request the free freeze. By the time the freeze is in place, weeks or even months could have elapsed, giving thieves plenty of time to wreak havoc on her identity and her life.
I tried to learn more about the breach from Crescent, but not surprisingly, they were trying hard to pretend like it never happened. There was no mention of the breach anywhere on their web site, no information for victims, no-one to contact for more information.
When I checked the Walgreens site, I got the same result. Nothing. Complete radio silence. But I wasn’t surprised. There are plenty of CEOs out there who are completely, and probably genetically, unable to do the right thing. They hope that by shifting very quickly into denial mode and ducking behind their executive desks, they can escape the wrath of a data breach.
And they’re probably right. Victims can do little to hold these indifferent executives responsible. And with an average of one new reported data breach every single day in the U.S., there’s little the media can do to publicly shame these companies.
What these heartless executives don’t realize is the enormous long-term emotional impact that data breaches can have on victims, even if the carelessness of the breached business never actually leads to identity theft. Victims of identity theft liken it to severe stalking. You know that someone out there has enough information on you to make life very difficult, but you just don’t know when the manure is going to hit the air conditioning system.
At the end of our conversation the victim asked me directly “If they have all this information, including my Social Security Number, will I have to look over my shoulder for the rest of my life?” I had no good answer for her.
Shame on Walgreens for victimizing their customers, twice in a row. I hear there are rumblings of a class action lawsuit but I doubt this will be of much consolation to the victims, as these lawsuits rarely fix the long term fallout.
Ever wondered if you have a ghost identity? Not necessarily a doppelganger or a fetch (you’d have to be Irish to get that) but a real person living secretly and mysteriously under your identity? It’s more common than you might think, and it’s often because of something in your credit report called a sub-file.
Take the case of Marco (not his real name). He’s an artist, in his late sixties, living a very peaceful life in Northern Arizona. Peaceful, that is, until he gets yet another alert from his identity monitoring service that someone else is using his Social Security number.
Thinking immediately that he had become yet another victim of identity theft, he went straight to his credit reports to see how bad the damage was. But there was no damage. The problem for Marco is that there’s no sign of any fraud or identity theft in his credit report, no fraudulent accounts opened, no damage to his credit score, and no debt collectors looking for money from him.
Marco is the victim of a sub-file, an almost secretive additional credit file that the credit bureaus keep on millions of consumers. Credit bureaus are really like intelligence agencies, and some boast that they have more personal information gathered on U.S. citizens than all the U.S. national intelligence agencies combined.
The bureaus are hounds for information, and any time a Social Security number is used in the wild, it usually ends up in the files of the bureaus. Even if it’s the wrong name associated with the SSN, even if no credit is applied for, and even if no fraud has been committed.
That information can simply come from a mistake, an incorrect filing, a typo, or some other innocent event. But as soon as the bureaus come across the information, and can’t figure it out, it usually ends up in a consumer’s sub-file where it lives forever.
And that’s why Marco continues to get these alerts. Some other person or persons are associated with his Social Security number, which keeps triggering the alerts. The bureaus won’t do anything about it because they either don’t know or don’t care who the real owner of the Social Security number is.
As the bureaus are very quick to point out, they don’t grant credit and can’t be blamed for people who give credit to the wrong identity. Bureaus simply gather personal information, package it, and sell it. Even if there’s a ghost or two in the machine.
As a story on NBC reported, often the ghost identity is a result of identity theft. Illegal workers might purchase or even invent a Social Security Number in order to get a job, and if the new employer doesn’t verify the person’s identity, that new hybrid identity is now in the system. But it’s not in the credit report of the person that Social Security Number really belongs to, because his or her name doesn’t match.
And in the NBC story, that same SSN can then be shared among and between other illegal workers so that eventually dozens of people are all working under the victim’s Social Security number. Yet there is no trace of it in credit reports, Social Security earnings, or anywhere else. Except, that is, in a sub-file somewhere in the deep dark basement of a credit bureau.
In another blow to the dishonest peddling of questionable credit monitoring and identity protection services, today the Consumer Financial Protection Bureau (CFPB) announced a massive fine of $210 million against Capital One, for allegedly tricking consumers into paying for things like credit monitoring services without their consent.
$150 million will go to reimburse an estimated 2 million consumers who were affected by this scam, with the remainder going into a Civil Penalty Fund to help future victims.
It looks like the CFPB is not done either, and may have many other financial services companies in its sights, companies that engaged in practices to trick customers into subscribing for worthless services.
In an interview with Reuters, Ed Mierzwinski, consumer program director of advocacy group U.S. PIRG, said “Consumers should know that credit protection and monitoring are the worst add-on products you can buy.” According to Reuters, Travis Plunkett, legislative director of the Consumer Federation of America, is no kinder, referring to these services as “junk products.”
Capital One seemed to be blaming its vendors and identity protection partners. According to an investigation by the Wall Street Journal, the settlement ordered that 500,000 customers who were signed up for identity protection through Affinion, makers of the PrivacyGuard monitoring service, and Intersections, makers of the IdentityGuard product, also be reimbursed.
It never ceases to amaze me that an industry that is supposed to be based on absolute trust – inviting consumers to entrust their identities to these vendors – deliberately and without apology breaches that trust as part of its business model.
More than one in ten U.S. computers are infected by difficult-to-detect “bots” or “zombies,” which “botmasters” can use for anything from sending spam, to eavesdropping on network traffic, to stealing user passwords.
The Online Trust Alliance (OTA) joined a unanimous vote at the Federal Communications Commission’s (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) meeting today, approving the voluntary U.S. Anti-Bot Code of Conduct for Internet Service Providers (ISPs), also known as the ABCs for ISPs. As a member of the CSRIC appointed by FCC Chairman Julius Genachowski, the OTA has been working with the FCC and leading ISPs to develop this voluntary Code. Under the Chairman’s leadership, this example of private and public sector collaboration is an important step forward to help protect our nation’s critical infrastructure and consumer data.
“Today is an example of the importance of self-regulatory efforts to help improve the safety and performance of the internet,” said Craig Spiezle, executive director and president, Online Trust Alliance. “Sustainable solutions to contain bots must include all stakeholders in efforts to detect, prevent, and remediate these threats.”
Chairman Genachowski said, “The recommendations approved today identify smart, practical, voluntary solutions that will materially improve the cyber security of commercial networks and bolster the broader endeavors of our federal partners.”
The development of the ABCs for ISPs was a multi-stakeholder effort over the past 12 months, with the participation of ISPs, trade associations and companies, including OTA members PayPal, Microsoft, Symantec, and Internet Identity, and leading ISPs, including AT&T, Comcast and CenturyLink. Focusing on residential users, the Code includes five areas of focus for ISPs: education, detection, notification, remediation, and collaboration.
Based on OTA analysis and initial ISP self-reporting, approximately 51 percent (or 41.2 million) of the 81 million U.S. households who have broadband service are realizing added protection from ISPs who have adopted the Anti-Bot Code of Conduct. The CSRIC report cites research that ISPs also benefited – from reduced upstream traffic, spam, and helpdesk calls – when they took a proactive approach to bot remediation.
OTA, as an independent organization committed to enhancing online trust and confidence, encourages ISPs to self-report to OTA. Future reports will include the adoption of similar efforts by other stakeholders and industry segments. More information, including the Code and a summary of ecosystem support.
“The ABCs for ISPs is a significant step forward and we applaud those ISPs who have already stepped up to the plate,” said Neal O’Farrell, executive director, Identity Theft Council. “We have a shared responsibility to help protect consumers from abuse and identity theft. Consumers should encourage their ISPs and telecommunications carriers to adopt these and other best practices.”
Summary of Public Support
Voluntary Code of Conduct Participation Requirements – To participate in this Code, an ISP is required to engage in at least one activity (i.e., take meaningful action) in each of the following general areas:
Education – an activity intended to help increase end-user education and awareness of botnet issues and how to help prevent bot infections;
Detection – an activity intended to identify botnet activity in the ISP’s network, obtain information on botnet activity in the ISP’s network, or enable end-users to self-determine potential bot infections on their end-user devices;
Notification – an activity intended to notify customers of suspected bot infections or enable customers to determine if they may be infected by a bot;
Remediation – an activity intended to provide information to end-users about how they can remediate bot infections, or to assist end-users in remediating bot infections;
Collaboration – an activity to share with other ISPs feedback and experience learned from the participating ISP’s Code activities.
About The Online Trust Alliance (OTA) https://otalliance.org
OTA’s mission is to develop and advocate best practices, public policy and self-regulation to mitigate emerging privacy, identity and security threats to online services, brands, government, organizations and consumers. By enhancing online trust and confidence, we can realize the potential of the internet, promote innovation and the vitality of commerce.