Wednesday, August 7, 2019

Yes another data breach today. Lets fix this. When is enough...enough.

If I hear one more expert tell the people to monitor their credit I'm going to have an aneurism.




It is like people do not realize that being told you lost a kidney doesn't change the fact that you lost a kidney.  Are we all in kindergarten or do we actually want to improve the situation?


Do we all realize we have websites called DATABREACHTODAY.com

Not Data Breach Quarterly....  or data breach this month....  Data breach TODAY.

The Quebec Revenue Agency just "lost" 28,000 records, and in the meantime, after the provinces biggest series of data breaches, BMO decides that it is a good time to send off pre-authorized credit card applications.... via email...

Banks should not EVER send off anything asking you to click on something... but here we are.  BMO.... you are acting irresponsibly.    

Check out the email.....  Pre-authorized for $4000 awesome ! 


  

So what is the problem...  simple, it looks like a phishing email, but turns out to be legitimate.  So how do we train users now.  Don't click unless it looks legitimate !  The bad guys know how to make them look legitimate.


Banks (specifically Equifax) say they aren’t conformable enough to trust our physical address on file to alert us if a new credit entry is made to our file, but they are comfortable sending off clear text (unencrypted) emails across large population groups giving out pre-authorized credit cards and sending them to….. whatever address they have on file…..

Bare with me...


It will be worth it I promise....


A bright man once said that a mind expanded can never go back to it's original size.  So lets push to expand the minds of everyone who can make a difference.


Let's actually roadmap the fix to the ongoing identity theft & credit fiasco that is before us.


No more prolonging it because "there is money in taking our time".


The root of the problem is that birthdates and social insurance numbers still have huge value, mostly because actions that we do in our day to day lives still rely on this archaic form of "authentication"... and we allow it!


We hand out credit cards in airport lounges or department store waiting lines by someone paid a commission to process the most credit applications.  Do we really think the authentication process for these credit card application forms are going to be of high quality?


SO WHAT DO WE NEED....


Digital Identity - Can be done, we have the technology.  If we can make little blue pills, I'm certain we ca put two smart guys on this and figure it out.  Some countries have been doing it for a long time.  In North America, specifically in the US, they want nothing to do with true digital ID because it would modulate the way they manipulate votes through hackable voting processes.  

In Canada, let's not be like our neighbours, because we have a real chance to make a difference since we have a limited amount of banks and could regulate all this with some basic legal changes.


First off, almost everyone has a cell phone, the small quantity that do not can be handled through a secondary process.  And since they are a small group compared to the masses, attackers don't flock to them.  Attackers like volume.


And everyone has to have a bank account somewhere at some financial institution.


Tighter Legal ControlsLets make "messing" with anyones identity a personally liable crime (you participate in any way, you pay significant personal penalties and if criminal intente, you go to jail).  Lets also make it illegal for a bank to NOT prosecute criminal behaviour within their employees.  Because you would fall off your chair if you knew how many employees get fired every year from any of the big banks, but the banks don't press charges because they don't want any bad press.  The people they fire go to work in the next bank with the added wisdom of how they got caught.

So now, with these new rules, when someone opens an account at a bank, how tight do you think that authentication process would now be....


Centralized data When someone opens a bank account and the data they are supplying to the clerk gets pushed up to a shared centralized Identity processing service... and any form of collision or error happens, you have a mandated manual investigation prior to account creation that involves the centralize service.

Not for profit Credit bureau Throw in a centralize credit bureau that is operated by the government (no more Equifax and TransUnion who are there to make money off of your information) and things are really starting to rock.

Subsidize this centralized service with credit inquiry fees paid directly by the banks.  They want to hand out credit cards in an airport lounge, they pay for every request to the central service.  


Add some alerting -  With a centralized and government run identity and credit bureau, you can easily add alerting.  Anyone pulls from your personal file, an alert can be sent to your phone or a letter can be mailed to your home or your employer.  This should already be a law and the current credit bureaus should be forced to do this.


Add some authorization to the alerting - Make it a legal requirement that any financial transaction that can damage ones life, say above a given threshold ( $1500?) gets pushed to your phone and requires you to confirm.  Anything above $15,000 requires multiple types of confirmations.   This could be as simple as having to pre-authorize the purchase with a well defined and controlled mechanism.  Don't get tied down by thinking these things are hugely complexe, they are not.  We have the technology, we lack the political desire. One of my credit cards messages me any transaction the instant it happens.  I haven't even grabbed the bag for my purchase and I get the SMS.


Do you really think someone is going to mind having to confirm that they are buying a car?  Transferring their mortgage?  Selling their property?   No, everyone would be fine with that.

TRANSFER RESPONSIBILITY TO THE BANKS -  You let a transaction through without the appropriate confirmation level, the bank is fully liable and they are not legally allowed to place it on a persons credit file.   No clean up required, they screwed up, their problem.


Address the easy credit trend -   You mess up someones credit, you become liable to clean it all up.  I'm not talking offering free credit monitoring services. 


I'm talking "you take charge". the victim doesn't have to do anything, you clean up the entire mess and have all traces of the mess you contributed towards sanitized.  And, you also have to pay a significant penalty to the victim.   If this becomes law, no banks would hand out credit applications in waiting lines.  

Isn't that a good thing...  as a society don't we actually all want this? 

Now in Canada, we only have two handfuls of banks to deal with, so putting laws or regulations in place that would row the boat in these directions is actually very attainable.  No single bank is going to do it, because they all love handing out credit cards to anyone who wants one.  It is their business model because it is allowed.  Change the rules, and all the banks have to adapt their business model.  


Some of these things the banks would benefit from, for instance enhanced authentication and autorisation for large transactions would reduce losses (fraud).  Anyone looking at the big picture and looking at long term goals is going to love having these discussions.  

The problem is we are plagued by many senior position individuals who favour short term goals because their short term bottom line is directly impacted. 

Keep giving out bonuses based on short term objectives....  and you will continue to get these terrible results. 

As a society, we are the problem.  We tolerate things that clearly should not be tolerated.  We will flip out if someone messes up our fries at McDonalds, but sit idle for items of significantly more importance.



So one last thing -   Personal liability to senior executives when the enterprise they manage is negligent.  This is a complex one that lawyers will absolutely love.  But who cares how complexe it is if it sets the bar higher than what it is today.  

Realize that today, a CEO making 20 million in salary does not actually care all that much.  When large penalties are imposed, it is the shareholders that take the hit.  Two months later, the share price has re-stabilized and business goes on.  On a very very rare occasion, the CEO gets swapped out but still gets a golden parachute and life is actually awesome because after a few weeks in the Bahamas, they move on to the next gig and don't even have to clean up the previous mess. 

Start taking money out of the pockets of the senior executives and watch how fast things change and security gets placed on the short list.  

We as a society do not seem to realize the sad joke when banks call us their clients.  We are an ingredient in a money making scheme, very far from what the essence of the title "client" is meant to mean.  Even Equifax refers to us as their clients when it is absurdly clear that we are their product!

We must stop trying to address the symptoms and start tackling the root causes.   If we do this, DOB and SIN numbers become worthless.  And that would be a great win since they have all been leaked so many times.  

The leaks will also continue since we cannot possibly secure all the places that this information resides.  We don't even know all the places that "hold" our sensitive data.  And there will always be legitimate users that can access our data, and if they choose to act criminally, they can.

Lets start putting pressure on our governments to take concrete actions to change our current posture, which is in dire need of a chiropractic adjustment.



_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com





Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...