Breached Companies Must get Ahead of Attacks and Provide Security that Protects Victims Before they are Victimized Again
We have all seen this story play out so many times: A company suffers a massive breach exposing thousands or millions of their customer’s personal information, which effectively compromises trust in the organization and their established security methods. The company responds by talking about how incredibly sophisticated the attackers were, and then they offer identity or credit monitoring services to the victims. Providing this service makes the company look like it is taking care of its customers, but it is really just a cheap PR ploy with little effect. I rant and rave in my cubicle every time this happens.
First, we all know that the company’s information was actually taken by a basic phishing attack using well-known exploits. Second, we know, and they know, that the protection the company is offering will do almost nothing to help their affected customers. The public should demand more.
Consider what these monitoring services actually do. While there are many different vendors, they all provide the same basic set of services: monitoring and insurance. In some cases, they partner with major security companies to provide the same protection that you can usually get for free elsewhere.
To help detect a criminal using the stolen information for some nefarious purpose, a monitoring service will watch credit reports and public records for changes. If the criminal applies for a new credit card or takes out a loan, it will show up. Similarly, if a new address appears in the public records, it will trigger an alert. Regardless, at this point, the victim has already been defrauded, and the damage has been inflicted. The victim will need to start the work of unwinding these changes and trying to protect and restore their credit ratings. While many of these monitoring services come with insurance to cover the actual costs of recovery, most never actually make up for the inconvenience and trouble.
The real problem is that credit-based attacks are infrequent when compared to other crimes following a major breach. Use of stolen credit cards, phishing, and account takeover are far more prevalent, yet, are essentially invisible from the monitoring program.
In some cases, the problem is even worse and the stolen information can be used in much more dangerous ways. The OPM breach is a perfect example of this. Very sensitive information about millions of highly cleared government workers was stolen, probably by a team associated with the Chinese government. The people who were exposed are extremely vulnerable to being targeted in attacks against our national security. Anyone with access to this data could create fantastically effective spear phishing campaigns and would know the connections and relationships that could best be exploited to access the information and organizations they want.
What did the government provide to these victims to protect them from sophisticated nation state attackers with strategic intent? Identity theft protection.
This will not do.
Victims deserve a response that will actually make them safe. Organizations need to offer tools and services that provide real protection against likely damages. I see three protections that would be of real help to people after a breach.
Replacing stolen credit card information is painful and, currently, there are no services to really help people update their information with every merchant that has it. As new forms of payment are deployed this may become easier, but for now, it is crying out for a good solution.
Protecting against account hijacking is also difficult, but increasing numbers of businesses support multi-factor authentication, particularly ones of high importance like banks and brokerages. With multi-factor, simply stealing the username and password is not enough to access the account. An additional factor like a token generator on your phone or an SMS messages, need to be involved. Attackers get around this by using a phishing attack to hijack your accounts right from your computer. Phishing attacks are the key to getting it all. Attackers use the stolen data to send a very believable message to the victim with a link to a web page. That page will typically install malware on the user’s computer which allows passwords to many websites to be stolen and real time hijacking of all their sessions.
Often, security professionals blame users for clicking on these links, but especially in the case of breach victims these are untrained individuals who are largely unaware of the possibility of being attacked. These attacks can be very hard to detect because the attackers have access to enough information to make the phishing emails look very realistic.
This is the area where breached organizations can provide real value to their customers who have been exposed. Next generation tools that are effective at stopping malware can make a great difference. Even better are solutions that ensure hostile websites are unable to breach the user’s computer at all. Effective isolation solutions would insulate victims from a large fraction of the consequences of a breach, which is much better than being told that your personal information has been used in a credit fraud months after the fact.
In addition to basic credit monitoring, breached companies need to get ahead of the attacks and start providing security solutions that actually protect the victims before they are victimized again.