Sunday, April 01, 2007
When you see news stories breaking claiming that over 45 million people have had their credit card details stolen, a reasonable first reaction would be to ask why you bother protecting your data on your home PC if some faceless corporate is going to make it available to anyone who checks in. We might as well all change our banking passwords to "slartibartfast" and be done with it.

When that many people find their finances suddenly put at risk, in one go, there's bound to be news coverage. Google is carrying over 1,000 reports on the problem. Mainstream newspapers all over the world are reporting. It's not helped when the company spokesperson says "These figures only relate to what we do know. There is a lot more we do not know and may never know. We have identified two [computer] files that were removed from our UK system but we still do not know precisely what was in them" - otherwise known as "we haven't a clue." The BBC was told "that 100 files were moved from its UK computer system in 2003, and two files were later stolen."

Even when the information, whatever it was, was stolen is less than clear: "The company confirmed that information had been stolen from 45.6 million cards used in Britain and North America between December 31, 2002, and November 23, 2003. It did not know how many had been stolen for transactions made between November 24, 2003 and June 28, 2004." (Both quotes sourced from the Times Online.)

According to the company's own SEC filing, they're unable to say "whether there was one continuing intrusion or multiple, separate intrusions." Maybe the login details were put on warez.ebuy.com and made available to everyone? Yet, happily, they are able to say, with a degree of certainty that is out of line with their earlier uncertainty, "Of the details stolen in both Britain and America, 30.6m came from cards which had expired at the time of the breach, while 15m were unexpired. Of those still valid, 3.8m had "masked" or encrypted information but 11.2m had clearly accessible data."

The banking industry will reassure us, of course, by saying that the new Chip and PIN technology prevents this information being useful any more - but that's why increasing amounts of cardholder-not-present fraud and overseas use of stolen credit cards are being seen.

Such news is certainly enough to make you wonder whether the fuss over home PC security is worth it. The Anti-Phishing Working Group reports 280,179 known phishing attacks in the 12 months to January 2007 with average monthly growth of about 6%. This is, of course, "reported" attacks. Who knows how many go unreported? Perhaps a better piece of data is the number of actual phishing sites (i.e. illegitimate, say, banking sites masquerading as the real thing) which ran to over 27,000 in January, down from a peak of 37,000 in October, but still up threefold from the total a year ago. December saw the first government-branded phishing attack with an email, supposedly from HM Revenue and Customs, suggesting that you were due a tax refund (of either £70 or £170, reports vary). Indeed, there may be another circulating today (although given the date I'm wary of anything published today) that offers a refund of "J140", however much that may be.

When I was first shown a phishing demo by SimonF, sometime around mid-2001, I was stunned by both the brazenness and simplicity of the process. A spoof Government Gateway website, cloned from the HTML of our very own, type in your userid and password, see a failure message (your details have been captured somewhere in the background) and you're bounced back to the main Gateway site - where you enter your details again, this time on the real site.
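The bounce-back in that demo leaves a trace on the real site that a defender can look for: the victim's second, successful login arrives with a Referer header naming the spoof host. The following is an added example, not code from the original post or from the Government Gateway. It scans web-server access log lines in the common "combined" format for login POSTs whose Referer is not one of the site's own hosts and tallies the foreign hosts. The host names, paths and log lines are constructed for illustration, and the heuristic assumes the browser sends the Referer across the redirect, which was the norm in 2007 but which modern referrer policies can suppress.

```python
"""Flag login requests whose Referer points off-site.

Added example, not from the original post. Hosts, paths and the log
lines below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts that legitimately link to the login page (assumed values).
OWN_HOSTS = {"gateway.example.gov.uk", "www.example.gov.uk"}
LOGIN_PATH = "/login"

# Apache/nginx "combined" log format: client, ident, user, time, request,
# status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: three ordinary logins (own-site or no referer) and
# two that arrive from a look-alike host after the "bounce back".
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2007:10:01:02 +0100] "POST /login HTTP/1.1" 302 0 "https://gateway.example.gov.uk/login" "Mozilla/4.0"
203.0.113.9 - - [01/Apr/2007:10:02:11 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Apr/2007:10:03:40 +0100] "POST /login HTTP/1.1" 302 0 "http://gateway-example.gov-uk.example.net/login.htm" "Mozilla/4.0"
198.51.100.8 - - [01/Apr/2007:10:04:01 +0100] "POST /login HTTP/1.1" 302 0 "http://gateway-example.gov-uk.example.net/login.htm" "Mozilla/4.0"
198.51.100.9 - - [01/Apr/2007:10:05:30 +0100] "GET /home HTTP/1.1" 200 512 "http://gateway-example.gov-uk.example.net/login.htm" "Mozilla/4.0"
203.0.113.12 - - [01/Apr/2007:10:06:15 +0100] "POST /login HTTP/1.1" 302 0 "https://www.example.gov.uk/" "Mozilla/4.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str):
    """Hostname from a Referer value; None when absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    return urlparse(referer).hostname


def offsite_logins(log_text: str):
    """Login POSTs whose Referer names a host outside OWN_HOSTS.

    A missing Referer is not flagged on its own: direct navigation and
    privacy tools strip it, so it is ambiguous rather than suspicious.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        host = referer_host(rec["referer"])
        if host is not None and host not in OWN_HOSTS:
            hits.append((rec["ip"], host))
    return hits


def offsite_hosts(log_text: str) -> Counter:
    """Count how many logins each foreign referrer host sent."""
    return Counter(host for _, host in offsite_logins(log_text))


if __name__ == "__main__":
    for host, n in offsite_hosts(SAMPLE_LOG).most_common():
        print(f"{n:4d} logins referred from {host}")
```

Run on the sample it reports two logins referred from the look-alike host; a single hit is noise, but a host that keeps appearing across many accounts is a campaign worth the analyst's time, and the same pass can feed the affected accounts into a forced re-credentialing step.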
With government userid and password details being necessarily complicated (long story), mis-typing them is incredibly common - it probably happens 1 time in 3 even now (the stats are tracked but I can't remember the exact ratio). At the time it wasn't that important - government didn't pay money out via the web and we figured you were unlikely to want to file my tax return (there was some concern about the potential for de-stabilising e-government by harvesting lots of account details and then sending random tax returns, either to cause a denial of service attack or just to cause extra work behind the scenes, but it seemed unlikely). Since that early example, attacks have become far more sophisticated, notwithstanding that many still don't manage the basics of grammar.

Digital certificates were one answer to this problem, although browser incompatibilities, issuance difficulties and stability problems prevented them being part of the solution then. Physical tokens - USB devices - were another, but many of the problems that afflicted digital certificates were apparent: did the user have USB (at the time it wasn't as widespread as now), was the port accessible (the idea of ferreting behind a desktop PC in a library or internet cafe wasn't seen as part of the e-government experience), issuance and so on. Both are now viable solutions, but rarely used, at least at the consumer level.

Instead many financial services companies have gone for simpler solutions - pull-down menus with, say, letters 2 and 5 of your secret word, or multiple challenge questions (what is your dog's name, what is your favourite film and so on) with any 2 of 6 picked to allow logon. Bigger banks with richer customers have opted for DES-gold style one-time password (OTP) devices. The hackers will work through these and will find ways to get the information they need.
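To make the two mechanisms concrete, here is an added example, not code from the original post or from any bank, that implements both in Python: a "letters 2 and 5 of your secret word" challenge, where the server picks the positions and checks only those characters, and a counter-based one-time password in the style of RFC 4226 with a replay guard, so that a code is refused once it has been accepted. The memorable word, the class names and the helper `positions_exposed` are constructed for illustration; the RFC 4226 test seed appears only so the codes can be checked against the published vectors.

```python
"""Partial-word challenge and replay-guarded OTP, as an added example.

Not code from the original post or from any bank. Secrets and names
below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import struct


class PartialWordVerifier:
    """The 'letters 2 and 5 of your secret word' scheme.

    Design caveat: because only some characters are ever checked, the
    server must keep the word recoverable (here in plaintext). A salted
    hash of the whole word cannot support this scheme, so its storage
    is weaker than that of an ordinary password.
    """

    def __init__(self, word: str, positions_per_challenge: int = 2):
        self._word = word
        self.k = positions_per_challenge

    def challenge(self) -> list:
        """Pick k distinct 1-based positions with a CSPRNG, sorted for display."""
        rng = secrets.SystemRandom()
        return sorted(rng.sample(range(1, len(self._word) + 1), self.k))

    def verify(self, positions, answers) -> bool:
        """Check only the challenged positions, in constant time."""
        if len(positions) != self.k or len(answers) != self.k:
            return False
        if any(p < 1 or p > len(self._word) for p in positions):
            return False
        expected = "".join(self._word[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), "".join(answers).encode())


def positions_exposed(word_len: int, observed_challenges) -> float:
    """Share of the word's positions that appear in a set of observed challenges.

    Quantifies the post's 'multiple passes' remark: one challenge exposes
    k/word_len of the word, and the share only grows as more are seen.
    """
    seen = set()
    for ch in observed_challenges:
        seen.update(ch)
    return len(seen) / word_len


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password with the RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Accepts a code within a look-ahead window, then burns it.

    The counter moves past any accepted value, so the same code (and any
    earlier one that was skipped) is refused on a second presentation.
    That defeats a replay; it cannot distinguish a relayed first use
    from the genuine one, which is the risk the post points at.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._next = 0          # lowest counter value still acceptable
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self.window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next = c + 1
                return True
        return False


if __name__ == "__main__":
    pw = PartialWordVerifier("slartibartfast")
    pos = pw.challenge()
    print("challenge positions:", pos, "-> accepted:",
          pw.verify(pos, ["slartibartfast"[p - 1] for p in pos]))
    seed = b"12345678901234567890"   # RFC 4226 test seed, used only as a demo value
    otp = OtpVerifier(seed)
    code = hotp(seed, 1)
    print("first use:", otp.verify(code), "replay:", otp.verify(code))
```

The two `verify` methods are where the security properties live: the partial-word check compares only the challenged characters and never the whole word, and the OTP check advances the counter past whatever it accepted, so a second presentation of the same code fails even inside the window.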
It's easier to see how they work the latter than the former - if they can capture the OTP and then use it right away, perhaps they can make a transaction happen before the customer knows; challenge questions that only give part of the password would seem harder, perhaps requiring multiple passes (although doubtless some people, if asked to enter the entire word, will still do so).

But can we Phorget Phishing? It seems unlikely. A Google search for the single word "phishing" gives over 23,000,000 results. Wikipedia says that losses are large: "It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims. In the United Kingdom losses from web banking fraud — mostly from phishing — almost doubled to £23.2m in 2005, from £12.2m in 2004, while 1 in 20 users claimed to have lost out to phishing in 2005." Getting accurate, current information is still challenging. But phorgetting phishing still seems out of the question - 6 years of questionable technology advance seems to have been matched by 6 years of better advance in the world of hackers, coupled with many, many more inexperienced users added to the internet mix. Technological, legal and educational responses will all have to work together to move this forward.

At Simon Moores' e-Crime conference a year or so ago I challenged the security product industry to take a less technology- and marketing-centric view. I put up this slide (it's an ad from Wired magazine, probably December 2005 or January 2006). Firewall and security products always seem to be sold like this razor - 5 times more protection than you had before, 1 special new blade that chops out left-handed viruses with impunity, new breakthrough technology to do all sorts of things that you won't understand so we won't explain them to you.
Product names have gone from version numbers (1.5, 2.0, 3.0) to annual updates (95, 97, 2000) to video game console labels (the new Norton 360 seems to have copied Microsoft's Xbox, though doubtless it means something clever like "all round protection", like some new kind of deodorant). What I want is to know that whatever product I have will "kill all known germs dead" - I don't care what they are, I just want to know that they're protected. And if I'm going to pay for daily, monthly or yearly updates, I'd like the vendor to take on some of the liability - if I get infected, whether through my own stupidity or because the product hasn't worked the way it's supposed to, then I'd like to be repaid for the damage.

Insurance companies don't say, "sorry sir, you should have seen that the slope was steep and that the route was clearly marked as a black run and declined to descend; when you did and you broke your leg, you failed to comply with our policies". Why should I pay the fee but get no real coverage? Having seen, only a few weeks ago, a perfectly good (and accredited) up-to-date bit of virus protection software get tricked by a particularly malicious bit of trickery causing widespread damage, it does happen.

Sadly, even Domestos has had to abandon its 50-year-old slogan "kills all known germs dead" to say that it kills only "99 per cent of known germs". That will be advertising standards for you. At the rate of technology change, we need "kills all germs dead, known or unknown". But, in the meantime, with Vista vulnerabilities reportedly being sold on the internet for $50,000 and up, we're going to have to pay more than a little bit of extra attention.
Posted by Alan at Sunday, April 01, 2007