Wednesday, April 1, 2020

Zoom is being blamed for a Windows bug.

Journalists often paint outside the lines looking for a punchy story.

Zoom is being targeted this week by what almost looks like a coordinated smear campaign: an overwhelming amount of bad press with regard to exposed credentials.

As a security veteran, I clearly get upset when security stories are blown way out of proportion.

Especially when it appears that someone is trying to manipulate public opinion and bash a specific product.  Even more so when the issue is actually a Windows issue.

Journalists are irresponsibly claiming that using Zoom sends out your username and password and allows attackers to connect to your computer.

THIS IS FALSE.

First off, this issue only manifests if someone in your meeting posts a Windows network path (a UNC path of the form \\server\share) in the meeting chat, Zoom turns it into a clickable link, and you click on it.  Windows then tries to open that share and, as part of the SMB connection, authenticates to the attacker's server with your Windows credentials.

Secondly, your username and password are not sent in the clear.  What leaves your machine is the NTLM challenge-response (a hash-based exchange; the password itself is never transmitted).  The attacker has to crack that capture offline by guessing, so this applies to you if your password sucks, not if you use a password of good quality and length.

Thirdly, the connection in this attack goes outbound, from your computer to the attacker's server; nobody connects to your computer.  Inbound connections are blocked by your home router/firewall and your enterprise firewalls anyway, so an attacker can't just reconnect to your computer.  Many enterprise firewalls, and a number of residential ISPs, also block outbound SMB (TCP port 445) to the Internet, which stops the credential exchange from ever leaving the network.  And remember number 1: the attacker would be someone you invited into your meeting.

So if your meetings have passwords and you don't just let everybody in, how would the attacker even know your meeting is happening and get in there......

Also, simple fix.... turn off the chat function in your meetings until this gets fixed.

Wow... simple fix eh!  The sky is not falling after all.

Second thing of high importance, as pointed out by a colleague: don't click on Zoom links that come into your email unless you are expecting them.

Another attack vector currently in play is that a malicious link sent to you could open your Zoom client and trigger this vulnerability.  So the old rule still stands: don't click on links that you don't trust.  If you are expecting a meeting invite, all good.

Some technical changes can be made to your Windows workstation so that it no longer sends NTLM outbound.  The setting is the Group Policy option "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to "Deny all" (the RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0), or, more bluntly, blocking outbound TCP port 445 in the Windows firewall.  Be aware that "Deny all" also breaks legitimate NTLM logons to file servers, so on a work machine try the "Audit all" option first and read the event log.  This would be the ideal scenario; however, not everyone is technically tooled to do this.

What would be ideal is if Microsoft would patch this and change the default forcing Windows to NOT send out NTLM to the Internet.

Keep in mind that if your password is of good quality (a long and complex password), this particular attack fails: the attacker holds the challenge-response but cannot recover the password from it in any useful amount of time.

So let's all calm the hell down.  Yes, you can keep using Zoom.  This risk is LOW.

Until these articles, I had not created a Zoom account.  Well, I just did, and I actually really like the thing.  It allows me to change my background to a beach, and with all the self isolation we are going through during this Covid crisis....  I think I really like that option.



In closing, Zoom has had numerous security shortcomings in the last months and years.  They certainly do not appear to be perfect in any sense.  Let's just keep the exaggeration of security findings to a minimum.

There currently is a significant increase in malicious meeting invites, and the bad guys are targeting the most common tools like Zoom.

So this means that we will see breaches attributed to these tools when all these factors are combined.

Keep in mind that some of these tools (like Zoom) are free, and that means that you are the product in some way.

_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies









Monday, February 24, 2020

Qualified lead, or outright fraud. When journalists help push snake oil and magic dust.

Journalists look for good stories.....  and sometimes someone serves them one that is too good to be true.  But a journalist isn't a security expert, so if the pitch is really good, they too fall victim and inadvertently help market something they shouldn't.

Nothing gets me out of bed faster than receiving a message about an article showing a journalist falling for a manipulative marketing trick and actually becoming part of the unjustified hype machine that promotes unethical services.

Well, ok... that's not exactly true... I can think of a few things that would get me up in the morning, but I digress.

All joking aside, this subject is so important, that I felt compelled to produce a video in both French and English to address the subject with my clients.

There are hundreds of sites offering dark web monitoring...

In fact, as I teach in various universities and colleges, I made it a mission to give an entire class on this subject over the last few months.



---

Just to be clear, this is about cybersecurity and a lack of morals, a willingness to do anything to get business; it is not about sales.  But let me open with this.

Qualified leads.   The bread and butter of a healthy sales cycle.

What if we could find a way to drive customers directly into our sales pipeline....

Well, many companies are doing this today with the help of a cool and frightening cybersecurity term that you may have heard:   "SEARCH THE DARK WEB".

So here is the problem with that.

Marketing and security do not play well together.  If your motivation is to sell something, chances are security is a secondary objective.

What if someone told you they could check out your health at the click of a button, and come back and tell you they found nothing wrong with you.  Or worse, they found two things wrong with you, and you can correct them with the "doctor's" help.

You would feel great.  Thank goodness someone was nice enough to help me identify these two things so I could handle them.  

Well, the problem is, that "doctor" didn't actually check much of anything compared to what you perceive.  After all, are you qualified to know if that doctor did a good job?  Or even did anything qualified, for that matter?

----

Searching the dark web and telling you whether you have been breached so you can sleep well at night is as close to fraud as you can get, unless it is clearly explained to you that the chances of finding your data are slim and that you are mostly looking for passwords, not actual corporate data.

It isn't that you cannot find things on the dark web, it is that you cannot find your things on the dark web with any level of certainty.

Let me explain with a visual diagram, take a good look at these three tiers:





So let's break this down into logical and comparable pieces.

PART 1:  Surface web

The surface web is your everyday Google-searchable results.  Compare that to a published catalog or menu of items.

If someone is selling your data on the surface web, you MAY find it by crafting a good search query in Google.  It remains unlikely that you will find it, because the internet is endless, but it is certainly possible.

Sites like Pastebin are common ground for at least starting the exchange of data: a seller posts samples and an email address to start the trade.

So let's compare this to visiting every bar in the world, sitting at every table, and asking every shady individual if they are selling your data.

Not impossible because of tools like Google, but still a challenge.

PART 2:  Deep web

This is still on the regular public internet, but it requires a user account to log in.  So imagine we compare this to visiting a bar again; well, this time, you have to find the right bar, AND when you sit at the table to chat, they have to know you, trust you, and decide they want to share information with you.

Now some of these bars are listed in the phone book, and some aren't and you have to get a referral to find them. 

This is where it becomes IMPOSSIBLE to guarantee that a service can tell you if your data has been exposed.  So when marketing folks tell you that you can sleep tight, they have clearly committed an ethical fraud.   

PART 3:  Dark web

This is the funniest one.  Everyone uses this term to inspire fear and misunderstanding.  History has shown us many times how fear can be used to sell snake oil and magical cures, and this is no different.

The dark web is an isolated network: an overlay on top of the Internet (Tor hidden services are the best-known example) whose sites cannot be reached, or even have their addresses resolved, without dedicated software.

The dark web is similar to the deep web: some listings exist, but all the good stuff is not listed.  That is the point of the dark web.  So not only do you not know all the addresses for these bars you want to visit, but you most definitely need an invite to get into the good stuff.

Bottom line, it remains an impossible objective to infiltrate even a small number of actual dark web ecosystems that would yield results.

The best you could do is manually navigate SilkRoad3 (the eBay of the dark web) and maybe get lucky.  But this is not where the REAL exchanges of sensitive information take place.

PART 4:  Cyber criminals
Yes folks, there is a part four......  The fact is, your information might be out in the criminal world and NEVER touch any of these "sites".  

You see, cybercriminals are smarter than you think.  If they have valuable information, they hang on to it, they share information behind closed doors, and they may never leak the information because of an espionage golden rule.

"A tactic known is a tactic blown".  Your information loses value quickly once it is known.   Let's face it, once a data breach is published, people normally change their passwords.

So let's go back to these "services" that will allow you to sleep well at night because they checked the "Dark Web" (cough cough) for you.

Surely you have heard of these emails people get that tell them their computer has been hacked and show them a password they are familiar with.  They then ask the victim to pay a ransom in bitcoins or they will publish videos recorded from the laptop's camera.  Now I have had people call me in a panic who didn't even have a built-in camera on their computer.  So these tactics work.

These passwords are taken from LEAKED password databases.

There are tons of these sites.  RAIDFORUMS is one.  Several terabytes of leaked data.

But you can also check for yourself, for free, at Have I Been Pwned (haveibeenpwned.com) to see if your email address or domain name has been exposed in the past.
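The free check above is worth a closer look, because it also shows how a leaked-password lookup can be done without handing your secret to yet another service.  The following is an added example, not code from the original post or from Have I Been Pwned.  The breached-account (email/domain) API needs an API key, so it uses the free Pwned Passwords "range" endpoint instead: only the first 5 hex characters of the password's SHA-1 are sent, the service answers with every known suffix in that range, and the match is made locally (k-anonymity).  The sample response body and its counts are constructed for the offline demo.

```python
"""Checking a password against leaked-password corpora without disclosing it.

Added example, not from the original post. Uses Have I Been Pwned's Pwned
Passwords range API: send 5 hex chars of the SHA-1, match the rest locally.
The sample response body and counts below are constructed for the demo.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_digest(password: str) -> Tuple[str, str]:
    """SHA-1 the password; return (5-char prefix that leaves the machine, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_for_suffix(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); return the count for our suffix, 0 if absent."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-hex-char range. Only the prefix is ever transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-passwords-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found in its range."""
    prefix, suffix = split_digest(password)
    return count_for_suffix(suffix, fetch(prefix))


# Constructed response for range 5BAA6 (SHA-1 of "password" starts 5BAA61E4...).
# The counts are made up for the demo; the live service returns real counts and
# several hundred suffixes per range.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def demo_offline(password: str) -> int:
    """Run the check against the constructed body instead of the network (ignores the prefix)."""
    return breach_count(password, fetch=lambda prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    print("password:", demo_offline("password"))                   # 1234567 (constructed)
    print("random passphrase:", demo_offline("tK9#vq2Lm!xR7pZw4dNs"))  # 0
    # For a live check, call breach_count("...") with the default fetch.
```

The design point is in split_digest: the service learns one of 16^5 buckets and never the hash, let alone the password, which is exactly the guarantee a monitoring vendor who asks you to upload your credentials does not give.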

So just like these fraudulent emails, these "services" that claim to check the dark web only check the most basic of elements.... leaked password databases.

Now... how do you test this?

Well, it is actually quite simple:
  • You create a leak of false data representing a new and fictitious enterprise.
  • You insert it into several EASY places found on the Internet
  • You insert it into several known, but closed forums
  • You insert it into Silkroad3 (the darkweb market place)
  • You insert it into one or two REAL underground sites

And then you test the service.

You know what will come up.

Nothing.

And if you read the disclaimer on these services you are subscribing to, the legal wording makes it clear that you have no guarantees, and it may become clear that they are not catching much.  I have read a dozen disclaimers from various sites, and none of them made me feel good about the service.

So it's a great way to drive the uneducated and unqualified into your sales pipeline.  Great way to sell them something else after you have established a relationship.   But for many qualified security professionals, this is unethical and immoral, since the client perceives that they are somehow protected.

Lately, some articles have been published claiming that in Quebec alone we have over 17,000 security resources.

No, we have fewer than 1,000 in my view, and fewer than 100 in the highly qualified portion.

This type of marketing proves that point.

Security is about maturity and about perception.  The fact that you add the word security in your marketing literature does not make you a valued security partner.

A false sense of security is what resulted in the sinking of a 46,328 ton vessel called the Titanic.

Now, to the journalists and websites that cover these less than ideal services and push referrals to them, and actually help these snake oil salesmen sell more magic dust: please... please... validate your stories with vetted security professionals and make sure to explain the limits of these services.





Friday, February 21, 2020

DNA sequencing computer attacks - The large security chasm that enterprises face

I was having a discussion with a friend who works in a three letter agency about the large gap that most enterprises have in their security and overall maturity.

Overall, maturity across most enterprises remains low when you look at the full width of what would be expected of a secure enterprise.

In a humorous text message, my friend sent me a really cool conference talk on DNA sequencing used to attack a computer system.

Here I am arguing 

  • about the value of isolating a compromised workstation even if it is the CEO's laptop.
  • that Winter2019 is a terrible password 
  • that the user who changed his password, when told it was a bad password, from Summer2019 to Winter2019 lacks computer security competency
  • that if performing a simple vulnerability scan across your network causes major issues it means your systems are at the bottom end of the quality scale

.... and in a lab somewhere in Washington, they hacked a computer using DNA.

Yes, you read that right.

If you want to expand your views of the complexities enterprises face in defending against malicious attacks, listen to this 29 minute talk.




Summary (extract):
A group of researchers from the University of Washington has shown for the first time that it's possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.

That's right folks, as security professionals, we have to test users for weak passwords, test computers for malware, and test software for out-of-band attacks coming in through DNA.

I thought this painted a really good picture of how wide the job of protecting enterprises against attacks can be.

We have to explain to management that Winter2019 is a bad password AND we have to explain that software in an embedded system could be exploited by a DNA sample.  If they do not even understand the first one..... that second one is going to be a hard sell.

The reality is that attackers invest all their time in finding weaknesses that they can exploit.  Enterprises still struggle to have enough budget just to keep systems updated. 

Let's just say that breaches will continue to happen, and sites like databreachtoday.com might have to change their names soon to data breach this hour . com


So if you are competent in cyber security... job security is probably ensured.

This week, our local government announced yet another data breach where a user account was used to log in and steal the personal information of 360,000 employees (TVA Nouvelles - Ministère de l'Éducation).

A single user account that can suck out all the records over the Internet.

What a wide chasm we indeed are facing.



Friday, January 31, 2020

Laurentienne bank ATM attack - Engineering 101 Failure




Earlier this week, I was contacted by a journalist who had gathered some very high level details about the loss of funds at Laurentienne bank.

At that time, all we knew was that a few ATMs had been targeted and the losses totalled $55k.

I explained to the journalist the various attacks that are possible on an ATM, including attacks that take over the ATM, and the most probable scenario appeared to be a simple card skimming/cloning attack.  Even though these attacks are less and less popular, I couldn't imagine that an actual ATM in a bank (not one in a corner store somewhere) would be the victim of an actual jackpotting attack.  Original article.

Many years ago (15+), I was in charge of ATM selection for a large bank, and these attack vectors had already been examined; the ATM solutions selected had to meet certain physical security characteristics to be considered for purchase.

Well, I think everyone is a little stunned to hear that the attack that was demonstrated 10 years ago at DEF CON 18 and Black Hat 2010 appears to be the attack that took place on commercial grade ATMs directly in several bank branches.

I know that I am flabbergasted (to use the term of a colleague).

There is a significant difference between true commercial grade systems and the little ATM systems found in various stores.... or at least there should be.

Turns out, we are faced with a problem which we could call a SECURITY ENGINEERING FAILURE.

News reports state, with a large exaggeration, that these ATMs spat out $200,000 in a minute, which mechanically they simply cannot do, but a significant engineering failure is still present.

Older ATMs from reputable vendors have a modification available that blocks this attack.

To recap, accessing the inside of the ATM and perhaps connecting to a service port (USB port, anyone...) can grant access to the operating system, either directly or through a vulnerability.  Since the software controls the cash dispenser, you can simply inject code that asks the cash dispenser to dispense.

Emptying $100,000 in 20 dollar bills means spitting out 5000 bills.  This does take time, but if it is 1 am, perhaps no one would notice.


So how is this a failure of engineering?



The cash dispenser can be equipped with an electronic circuit (with no computing intelligence) that simply counts how many bills have been dispensed in a given sequence or time period.


Most banks will let you take out a maximum of $500 per transaction, so if the electronic circuit detects 26 bills leaving the cartridge within, say, 3 minutes, the circuit could initiate a shutdown of the ATM, ring an alarm, call its mommy, or do whatever... resulting in the attack being uncovered and the losses contained to $520 buckazoids.   That's right folks... a Space Quest reference on a Friday!

So essentially, we have a series of commercial grade (cough cough) systems that have been engineered without security engineering in mind.

The electrical modification to simply block this attack is relatively simple and therefore "cheap".
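To show what that counting circuit actually has to decide, here is an added example (not from the original post or any ATM vendor's design) that models the tripwire in software: it sees only dispense pulses with timestamps, knows nothing about transactions or the controlling computer, and latches once more bills leave the cassette inside a sliding window than a legitimate withdrawal could need.  The 25-bill/3-minute thresholds follow the post's numbers; the pulse sequences are constructed for the demo.

```python
"""Bill-rate tripwire for a cash dispenser, independent of the ATM's computer.

Added example, not from the original post. Models the "dumb" counting circuit
described there as a sliding-window counter with a latch. Thresholds and the
event sequences are constructed for the demo.
"""
from collections import deque
from typing import Deque, Iterable, List, Optional


class DispenseGuard:
    """Counts dispense pulses in a sliding time window; trips (and stays tripped)
    when the count exceeds what one maximum withdrawal could explain."""

    def __init__(self, max_bills: int = 25, window_s: float = 180.0):
        # $500 limit / $20 bills = 25 bills; the 26th inside 3 minutes is the tell.
        self.max_bills = max_bills
        self.window_s = window_s
        self._pulses: Deque[float] = deque()
        self.tripped_at: Optional[float] = None

    def bill_dispensed(self, t: float) -> bool:
        """Feed one dispense pulse at time t (seconds). Returns True once the guard has tripped."""
        if self.tripped_at is not None:
            return True  # latched: only a technician reset clears it
        self._pulses.append(t)
        while self._pulses and t - self._pulses[0] > self.window_s:
            self._pulses.popleft()  # forget bills older than the window
        if len(self._pulses) > self.max_bills:
            self.tripped_at = t
            return True
        return False


def bills_released(pulse_times: Iterable[float], guard: DispenseGuard) -> int:
    """How many bills actually leave before the guard cuts power to the dispenser.
    The bill whose pulse trips the guard is already out, so it counts."""
    released = 0
    for t in pulse_times:
        released += 1
        if guard.bill_dispensed(t):
            break
    return released


def jackpot_sequence(n_bills: int, period_s: float = 0.5) -> List[float]:
    """Constructed: malware commanding the dispenser to spit a bill every half second."""
    return [i * period_s for i in range(n_bills)]


if __name__ == "__main__":
    g = DispenseGuard()
    print("jackpot: bills out before trip =", bills_released(jackpot_sequence(5000), g))  # 26
    # Two legitimate $500 withdrawals several minutes apart never trip it.
    g2 = DispenseGuard()
    legit = jackpot_sequence(25) + [400.0 + i * 0.5 for i in range(25)]
    print("two customers: bills out =", bills_released(legit, g2), "tripped:", g2.tripped_at)  # 50 None
```

Note what the guard does not consult: the operating system, the transaction log, or anything else an attacker who owns the PC inside the ATM can forge.  That independence, not the cleverness of the threshold, is why the post calls this an engineering fix rather than a software patch.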

For the Laurentienne Bank, it seems it may have cost them a little shy of a million dollars in losses, that I am certain their insurance will cover with a smile.

Well... maybe not with a smile.

If you have never seen the original attack demonstrated at DEF CON 18 (2010) by Barnaby Jack, the link is here.

These types of engineering failures happen more frequently than one would think.




Debit card processing machines that allow you to configure the device with your banking information yet retain the default administrator password of "12345".  An attacker can simply get to the admin panel and credit their debit card, walking out the door with amounts as high as $5000 a shot.
ENGINEERING FAILURE !




Airplanes not allowing system updates through a circuit that cuts the power to the USB service ports unless there is weight on the wheels....
ENGINEERING SUCCESS !







Having a USB port front facing or "easily" accessible on a public ATM 
ENGINEERING FAILURE !









Here are links to two interviews I just did on this subject.

FM 98.5 (French):  The general topic of the breach

QUB RADIO (French): The general topic & the engineering aspect



Keep in mind that these ATM systems probably needed some serious software updates and might even be running Windows XP, the once gold standard of ATM controllers. ;-)

Minimally, from an engineering perspective, having a USB port that you can get to from the front of the ATM, also seems obviously like a bad idea to a typical guy like me.

But.... I ain't no engineer. ;-)



Tuesday, January 14, 2020

Scaring grandma - A vicious news cycle of incompetence

As someone pointed out, it's been a while since I published something to stimulate the mind and piss off someone in need of an attitude readjustment.

Well.... happy new year !  

The last months have been overwhelming for many enterprises, as breaches surface faster than grandpa's bubbles in the spa.

No lack of cases to pick at, and over the last month and a half I was called into over 30 television and radio interviews for various screw-ups and potentially newsworthy events.

This week, some news stories floated to the top, but as is often the case, the media misunderstand risks, and sometimes they call in technology experts who are not tuned to security; the result is messages that frighten everyone with no significant value.

Let's take this case:  Quebec hacker arrested for SIM swapping and stealing millions in bitcoins.

https://www.lapresse.ca/actualites/justice-et-faits-divers/202001/12/01-5256560-un-presume-pirate-montrealais-aurait-vole-des-millions-en-cryptomonnaie.php

I was listening to one of my favourite talk show hosts... drive the car literally off the cliff.  I actually texted him while he was on the air with the word "STOP!".

His interviewee was going on about how SIM swapping takes over the person's phone.

First off, NO.  SIM swapping takes over the person's PHONE NUMBER.  By itself it gives the attacker nothing from the emails or the other applications on that phone; that would take numerous other attack vectors.

As the car drove off the cliff.... it accelerated.... going on about how emails and everything on the phone was compromised.....  once again... a stern and firm NO.

I'm all for scaring grandma.   But I prefer to use valid old school techniques like C4 or the right mixture of potassium nitrate, sulfur and carbon in her granny panties drawer with a drawstring and a hidden camera.

So let's make sure we break this down and understand.

If someone called your provider and had the right personal information, they could activate a new SIM on your current phone number.  Your phone would go mostly dead (no calls, no carrier internet), but if you are on wifi, you might not even notice until you try to make a call.

If that same someone had access to even more personal information, like your banking information (bank name, account name, password), they could log into your bank account even if your bank uses SMS-based MFA (multi-factor authentication).  They would simply log in; when asked for the temporary secret code, they would receive it on the device holding the newly activated SIM, and you would receive nothing and not know that this happened.

So back to the bitcoins worth millions.

These victims are not the sharpest tools in the shed.

Sure they had MFA activated on their ONLINE WALLETS..... 

But these wallets are ONLINE and they had millions in them.

So not only did they trust the MFA (which is ok to do under most circumstances), but they also trusted a software system, hosted on the internet, to hold millions of dollars in bitcoins.

That is not a very smart move.

As a solid comparison, I have an electronic bitcoin wallet on an Android phone.  This device is ONLY connected to the internet via wifi (no SIM card) when a bitcoin transaction is to be done.   I have the wallet secret key encrypted with a mechanism that only I know, and printed and placed in a physical vault.

So my risk is reduced to a window of time, equal to the moment I connect to the Internet to perform a transaction (a few minutes).

Ok sure, some additional risks exists.  Since I just mentioned that I have a paper version that only I can decrypt stored away in a vault somewhere.  So I'm now a potential kidnap victim.  On the positive side, I'm batshit crazy, heavily armed, ex-military, over 50 with a short fuse.  

That is called risk management.

And you won't hear me crying that someone stole my bitcoins anytime soon.

So all these people rapidly moving with the technology are not aware, even at the simplest level, of the risks they are taking.

Trusting a website to hold your bitcoins (or anything related to your wallet) to me, is as close to crazy as one can get.


So once again, everyone relying on technology would benefit from a lunch with a qualified security professional.

People, feed your nerds and geeks.

It can save you millions . ;-)

And as for the media, it would be nice if they would gradually learn to stop calling an 18 year old "hacker" a computer genius simply because he had the patience to exploit a series of people who were totally useless and careless in their protection of valued assets.

Just to be clear, because someone knows more about something than you do, does not by default make them a genius.

And also, how many people actually have millions in bitcoins protected by their phones.....

---

On a second note, big news today about various social media being caught selling your shit again.  How this is new news is beyond me, since all experts keep saying that if it is free, you're the product.

Ok, in this case, these services are not ALL free (Tinder & Grindr), but some features are, and let's face it, companies are there to make money, not to offer a quality service as a primary objective.






Now I'm not saying that quality isn't important to them and that all social media and dating apps are bad, I'm saying that most will sell any data they can to make more money because companies prioritize profits over quality of service.

What we do not know at this exact moment are the exact data elements sold.  Is it just statistical data (so many men looking for XYZ in this geographic area)?  But either way, are we really surprised that they package usage data and sell it?..... come on now.  Grow up.

So, back to basics:

1) If it is free (or mostly free) you are the product or part of the product
2) If it is extremely valuable, it shouldn't be on anything connected to the Internet

Paris Hilton and many other famous people learnt that the hard way (no pun intended).



Wednesday, August 7, 2019

Yet another data breach today. Let's fix this. When is enough...enough?

If I hear one more expert tell the people to monitor their credit I'm going to have an aneurism.




It is like people do not realize that being told you lost a kidney doesn't change the fact that you lost a kidney.  Are we all in kindergarten or do we actually want to improve the situation?


Do we all realize we have websites called DATABREACHTODAY.com?

Not Data Breach Quarterly....  or data breach this month....  Data breach TODAY.

The Quebec Revenue Agency just "lost" 28,000 records, and in the meantime, after the province's biggest series of data breaches, BMO decides that it is a good time to send off pre-authorized credit card applications.... via email...

Banks should not EVER send off anything asking you to click on something... but here we are.  BMO.... you are acting irresponsibly.    

Check out the email.....  Pre-authorized for $4000 awesome ! 


  

So what is the problem?  Simple: it looks like a phishing email, but turns out to be legitimate.  So how do we train users now?  Don't click unless it looks legitimate!  The bad guys know how to make them look legitimate.


Credit bureaus (specifically Equifax) say they aren't comfortable enough to trust our physical address on file to alert us when a new credit entry is made to our file, yet banks are comfortable sending clear-text (unencrypted) emails across large population groups giving out pre-authorized credit cards to….. whatever address they have on file…..

Bear with me...


It will be worth it I promise....


A bright man once said that a mind expanded can never go back to its original size.  So let's push to expand the minds of everyone who can make a difference.


Let's actually roadmap the fix to the ongoing identity theft & credit fiasco that is before us.


No more prolonging it because "there is money in taking our time".


The root of the problem is that birthdates and social insurance numbers still have huge value, mostly because actions that we do in our day to day lives still rely on this archaic form of "authentication"... and we allow it!


We hand out credit cards in airport lounges or department store waiting lines, processed by someone paid a commission on the number of credit applications.  Do we really think the authentication process for these credit card application forms is going to be of high quality?


SO WHAT DO WE NEED....


Digital Identity - Can be done, we have the technology.  If we can make little blue pills, I'm certain we can put two smart guys on this and figure it out.  Some countries have been doing it for a long time.  In North America, specifically in the US, they want nothing to do with true digital ID because it would get in the way of manipulating votes through hackable voting processes.

In Canada, let's not be like our neighbours, because we have a real chance to make a difference since we have a limited amount of banks and could regulate all this with some basic legal changes.


First off, almost everyone has a cell phone, the small quantity that do not can be handled through a secondary process.  And since they are a small group compared to the masses, attackers don't flock to them.  Attackers like volume.


And everyone has to have a bank account somewhere at some financial institution.


Tighter Legal ControlsLets make "messing" with anyones identity a personally liable crime (you participate in any way, you pay significant personal penalties and if criminal intente, you go to jail).  Lets also make it illegal for a bank to NOT prosecute criminal behaviour within their employees.  Because you would fall off your chair if you knew how many employees get fired every year from any of the big banks, but the banks don't press charges because they don't want any bad press.  The people they fire go to work in the next bank with the added wisdom of how they got caught.

So now, with these new rules, when someone opens an account at a bank, how tight do you think that authentication process would now be....


Centralized data - When someone opens a bank account, the data they supply to the clerk gets pushed up to a shared, centralized identity processing service... and if any form of collision or error happens, you have a mandated manual investigation, involving the centralized service, before the account is created.

Not-for-profit credit bureau - Throw in a centralized credit bureau operated by the government (no more Equifax and TransUnion, who are there to make money off of your information) and things really start to rock.

Fund this centralized service with credit inquiry fees paid directly by the banks.  They want to hand out credit cards in an airport lounge, they pay for every request to the central service.


Add some alerting - With a centralized, government-run identity and credit bureau, you can easily add alerting.  Anyone pulls your personal file, an alert can be sent to your phone, or a letter can be mailed to your home or your employer.  This should already be law, and the current credit bureaus should be forced to do it.


Add some authorization to the alerting - Make it a legal requirement that any financial transaction that can damage one's life, say above a given threshold ($1,500?), gets pushed to your phone and requires you to confirm.  Anything above $15,000 requires multiple types of confirmation.  This could be as simple as having to pre-authorize the purchase through a well-defined and controlled mechanism.  Don't get tied down by thinking these things are hugely complex; they are not.  We have the technology, we lack the political desire.  One of my credit cards messages me on any transaction the instant it happens.  I haven't even grabbed the bag for my purchase and I get the SMS.


Do you really think someone is going to mind having to confirm that they are buying a car?  Transferring their mortgage?  Selling their property?   No, everyone would be fine with that.

TRANSFER RESPONSIBILITY TO THE BANKS - You let a transaction through without the appropriate confirmation level, the bank is fully liable and is not legally allowed to place it on a person's credit file.  No clean-up required; they screwed up, their problem.


Address the easy credit trend - You mess up someone's credit, you become liable to clean it all up.  I'm not talking about offering free credit monitoring services.


I'm talking "you take charge".  The victim doesn't have to do anything; you clean up the entire mess and have every trace of the mess you contributed to sanitized.  And you also have to pay a significant penalty to the victim.  If this became law, no bank would hand out credit applications in waiting lines.

Isn't that a good thing?  As a society, don't we actually all want this?

Now in Canada, we only have two handfuls of banks to deal with, so putting laws or regulations in place that would row the boat in these directions is actually very attainable.  No single bank is going to do it on its own, because they all love handing out credit cards to anyone who wants one.  It is their business model because it is allowed.  Change the rules, and all the banks have to adapt their business model.


Some of these things the banks would benefit from; for instance, enhanced authentication and authorization for large transactions would reduce fraud losses.  Anyone looking at the big picture and at long-term goals is going to love having these discussions.

The problem is we are plagued by many individuals in senior positions who favour short-term goals because their short-term bottom line is directly impacted.

Keep giving out bonuses based on short-term objectives... and you will continue to get these terrible results.

As a society, we are the problem.  We tolerate things that clearly should not be tolerated.  We will flip out if someone messes up our fries at McDonald's, but sit idle for items of significantly more importance.



So one last thing - Personal liability for senior executives when the enterprise they manage is negligent.  This is a complex one that lawyers will absolutely love.  But who cares how complex it is, if it sets the bar higher than it is today.

Realize that today, a CEO making 20 million in salary does not actually care all that much.  When large penalties are imposed, it is the shareholders who take the hit.  Two months later, the share price has re-stabilized and business goes on.  On a very, very rare occasion, the CEO gets swapped out, but still gets a golden parachute, and life is actually awesome because after a few weeks in the Bahamas they move on to the next gig and don't even have to clean up the previous mess.

Start taking money out of the pockets of the senior executives and watch how fast things change and security gets placed on the short list.  

We as a society do not seem to realize the sad joke when banks call us their clients.  We are an ingredient in a money-making scheme, very far from what the title "client" is meant to mean.  Even Equifax refers to us as its clients when it is absurdly clear that we are its product!

We must stop trying to address the symptoms and start tackling the root causes.  If we do this, DOB and SIN numbers become worthless.  And that would be a great win, since they have all been leaked so many times.

The leaks will also continue, since we cannot possibly secure all the places where this information resides.  We don't even know all the places that "hold" our sensitive data.  And there will always be legitimate users who can access our data, and if they choose to act criminally, they can.

Let's start putting pressure on our governments to take concrete actions to change our current posture, which is in dire need of a chiropractic adjustment.



_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com
