Comments on: 676,000 accounts stolen at multiple banks http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/ entertaining hundreds of millions of eyeball atoms every day Sun, 12 Aug 2012 17:06:22 -0400 http://wordpress.org/?v=2.8.4 hourly 1 By: Emmanuel Pirsch http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-340 Emmanuel Pirsch Wed, 25 May 2005 17:12:02 +0000 /?p=755#comment-340 In the past years, I've been working on projects for many financial institutions (banks and insurance companies) in Canada. What I've seen is that most of the time, their security departement is very good at protecting networks... They are fond of encryption... But they have no or little clue about protecting applications. That was not a very big problem before the opening of the Internet and online banking application. Most of their applications were running on secured networks. But today, they have to open more and more of their application to the online world. They are pressured to do it in really short time and spend almost no time in testing that an application is not vulnerable to common attacks. They seem to think that because they use SSL and passwords, they are secure... But they do not worry about cross-site scripting... Some application are still relying only on client-side validation. As of recently, they're still putting the burden of proving that a transaction is illicit on the customer. In Canada, we see sign that they start to wake up, CIBC has now fishing alerts on their login page... Probably things are going to get better, but we still have many years before banks, and other financial institutions, will be able to live to our expectations. Maybe it's going to take a few lawsuits before it becomes a real priority. In the past years, I’ve been working on projects for many financial institutions (banks and insurance companies) in Canada.

What I’ve seen is that most of the time, their security departement is very good at protecting networks… They are fond of encryption… But they have no or little clue about protecting applications. That was not a very big problem before the opening of the Internet and online banking application. Most of their applications were running on secured networks.

But today, they have to open more and more of their application to the online world. They are pressured to do it in really short time and spend almost no time in testing that an application is not vulnerable to common attacks. They seem to think that because they use SSL and passwords, they are secure… But they do not worry about cross-site scripting… Some application are still relying only on client-side validation.

As of recently, they’re still putting the burden of proving that a transaction is illicit on the customer.

In Canada, we see sign that they start to wake up, CIBC has now fishing alerts on their login page… Probably things are going to get better, but we still have many years before banks, and other financial institutions, will be able to live to our expectations. Maybe it’s going to take a few lawsuits before it becomes a real priority.

]]>
By: Schneier on Security http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-339 Schneier on Security Wed, 25 May 2005 15:44:14 +0000 /?p=755#comment-339 <strong>Massive Data Theft</strong> During a time when large thefts of personal data are dime-a-dozen, this one stands out. What is thought to be the largest U.S. banking security breach in history has gotten even bigger. The number of bank accounts accessed illegally by... Massive Data Theft
During a time when large thefts of personal data are dime-a-dozen, this one stands out. What is thought to be the largest U.S. banking security breach in history has gotten even bigger. The number of bank accounts accessed illegally by…

]]>
By: adam http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-334 adam Tue, 24 May 2005 16:15:59 +0000 /?p=755#comment-334 Well, step one is "admit you have a problem", right? I'd like my pony in black, please. Well, step one is “admit you have a problem”, right?

I’d like my pony in black, please.

]]>
By: James Wetterau http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-333 James Wetterau Tue, 24 May 2005 16:10:41 +0000 /?p=755#comment-333 OK then -- all we have to do is a) get the laws changed to favor privacy. b) get the average consumer and bank staff to wake up. Maybe we can get flying ponies to take us to and from the bank, too. :-) OK then — all we have to do is a) get the laws changed to favor privacy.
b) get the average consumer and bank staff to wake up.

Maybe we can get flying ponies to take us to and from the bank, too. :-)

]]>
By: adam http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-332 adam Tue, 24 May 2005 14:34:54 +0000 /?p=755#comment-332 I'll take those in reverse order. 3) As I pointed out, there seems to be little reason that the way you identify yourself to your bank is the same as they way they identify you. Laziness, maybe. The loose authentication doesn't seem to really be the problem in the real world, though - it's that the data is all together, and very very difficult to protect in all of its various forms. A lot of the problem has been with stolen laptops and backup tapes. Encryption is often touted as the solution to this, but I'm not convinced that's a good answer - from my experience, encrypted tapes are much easier to corrupt (perfect security is less useful if you can't get the data back yourself when you need it). 2) This is interesting because in the past few years, privacy regulations have been "tightened up" at hospitals. Anecdotally, I've heard that this largely has the dual effects of not protecting patient privacy any better and making it more difficult for both hospitals and relatives to actually get the information that they need when they need it. I don't know that this is necessarily a good example of a working system. 1) This, I completely agree with. There's obviously something very broken in the way that banks are approaching data privacy (with respect to both the data they're given and the data they generate), driven at least partially by the various laws that apply to them. I’ll take those in reverse order.

3) As I pointed out, there seems to be little reason that the way you identify yourself to your bank is the same as they way they identify you. Laziness, maybe. The loose authentication doesn’t seem to really be the problem in the real world, though – it’s that the data is all together, and very very difficult to protect in all of its various forms. A lot of the problem has been with stolen laptops and backup tapes. Encryption is often touted as the solution to this, but I’m not convinced that’s a good answer – from my experience, encrypted tapes are much easier to corrupt (perfect security is less useful if you can’t get the data back yourself when you need it).

2) This is interesting because in the past few years, privacy regulations have been “tightened up” at hospitals. Anecdotally, I’ve heard that this largely has the dual effects of not protecting patient privacy any better and making it more difficult for both hospitals and relatives to actually get the information that they need when they need it. I don’t know that this is necessarily a good example of a working system.

1) This, I completely agree with. There’s obviously something very broken in the way that banks are approaching data privacy (with respect to both the data they’re given and the data they generate), driven at least partially by the various laws that apply to them.

]]>
By: James Wetterau http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-331 James Wetterau Tue, 24 May 2005 14:10:24 +0000 /?p=755#comment-331 I agree with your last point. But I was trying to suggest that the average employer, lawyer and/or hospital quite possibly does a better job than the average retail banking operation at keeping private information private. In other words, banks, rather than being the paragon of security, are rather bad at it. If I'm right, we can look at how those other entities work as a clue to what's wrong with banks. I don't think it's just decentralization working for the average employer, law office or hospital -- I think banks are actually substantially worse than those other types of businesses at privacy. My guess as to why is that in a very simple-minded and lazy way banks have aimed for making information accessible. I suspect this is because they've lost a privacy mindset. They've not done the obvious thing you suggest of separating the identity information from the transaction information (probably out of sheer laziness but possibly due to other pressures). I can think of two or three reasons why this might be: 1) Regulations requiring banks to "know their customers" require carefully tracking all transactions by any personal information associated to the account and reporting frequently to the Federal government if the banks even remotely suspect wrongdoing or if taxes are to be collected. This is almost the opposite of the way that lawyers and doctors have privileged interactions with clients and patients that in many cases they are legally forbidden to tell government officials about. Banks have become used to being snitches and snoops. 2) I don't know for sure, but I believe law firms and hospitals are forbidden by law to give out information casually in a way that simply doesn't apply to banks. That is, the hospital has to be careful about the exact procedures used to handle your records. By contrast, banks mainly have to worry about the financial liability if your account is robbed. 3) Customers expect more convenient access to their bank records than other private data, so they put some pressure on the banks to make it easy to identify themselves with pretty loose authentication. I agree with your last point. But I was trying to suggest that the average employer, lawyer and/or hospital quite possibly does a better job than the average retail banking operation at keeping private information private. In other words, banks, rather than being the paragon of security, are rather bad at it. If I’m right, we can look at how those other entities work as a clue to what’s wrong with banks. I don’t think it’s just decentralization working for the average employer, law office or hospital — I think banks are actually substantially worse than those other types of businesses at privacy.

My guess as to why is that in a very simple-minded and lazy way banks have aimed for making information accessible. I suspect this is because they’ve lost a privacy mindset. They’ve not done the obvious thing you suggest of separating the identity information from the transaction information (probably out of sheer laziness but possibly due to other pressures). I can think of two or three reasons why this might be:

1) Regulations requiring banks to “know their customers” require carefully tracking all transactions by any personal information associated to the account and reporting frequently to the Federal government if the banks even remotely suspect wrongdoing or if taxes are to be collected. This is almost the opposite of the way that lawyers and doctors have privileged interactions with clients and patients that in many cases they are legally forbidden to tell government officials about. Banks have become used to being snitches and snoops.

2) I don’t know for sure, but I believe law firms and hospitals are forbidden by law to give out information casually in a way that simply doesn’t apply to banks. That is, the hospital has to be careful about the exact procedures used to handle your records. By contrast, banks mainly have to worry about the financial liability if your account is robbed.

3) Customers expect more convenient access to their bank records than other private data, so they put some pressure on the banks to make it easy to identify themselves with pretty loose authentication.

]]>
By: adam http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-330 adam Tue, 24 May 2005 13:47:40 +0000 /?p=755#comment-330 I think I wasn't clear. The two main points I was trying to make are: 1) Banks spend a lot of money on security, and they're currently badly failing to protect this information. Yes, hospitals, lawyers, and employers are all required to collect a lot of information, but I have lower expectations of their security practices to begin with. I'd assume if the large-scale banks can't do it, none of those other entities can either, although, as you said, the decentralization helps them out by making them less concetrated targets. 2) Currently, your bank stores all of your transaction history with a whole bunch of information that can be used to, say, open another account. Why? There's no reason for it? Transaction history is one thing, identifying information is another. The information you use to open an account is never used again, except maybe for reporting taxes, in which case maybe that's done offline in a high-security area. Maybe I'm badly underestimating the actual practices of the banking industry, but it seems to me that putting all of this information together increases convenience for the banks, not the customers, at the cost of having a lot of very sensitive and unneeded information tied to the information that you actually want on a day to day basis. I think I wasn’t clear. The two main points I was trying to make are:

1) Banks spend a lot of money on security, and they’re currently badly failing to protect this information. Yes, hospitals, lawyers, and employers are all required to collect a lot of information, but I have lower expectations of their security practices to begin with. I’d assume if the large-scale banks can’t do it, none of those other entities can either, although, as you said, the decentralization helps them out by making them less concetrated targets.

2) Currently, your bank stores all of your transaction history with a whole bunch of information that can be used to, say, open another account. Why? There’s no reason for it? Transaction history is one thing, identifying information is another. The information you use to open an account is never used again, except maybe for reporting taxes, in which case maybe that’s done offline in a high-security area. Maybe I’m badly underestimating the actual practices of the banking industry, but it seems to me that putting all of this information together increases convenience for the banks, not the customers, at the cost of having a lot of very sensitive and unneeded information tied to the information that you actually want on a day to day basis.

]]>
By: James Wetterau http://www.aquick.org/blog/2005/05/23/676000-accounts-stolen-at-multiple-banks/comment-page-1/#comment-329 James Wetterau Tue, 24 May 2005 13:09:00 +0000 /?p=755#comment-329 Hospitals? Lawyers? Employers? Those are some other entities that hold terribly sensitive information that must not be allowed to leak out, and which are absolutely required by law to gather much of it. A big difference between those and your bank is that the bank gathers a bunhc of information about you and then tries hard to present it back to you in a simple interface, if you choose to look it up. You can dial your bank on the phone and get critical private data read back to you by a machine. That means that someone has gone to the trouble of ensuring that all the data at some point gets aggregated in one database or one system. You can later use some of that same information that machines can read to you as partial authentication to confirm your identity in a later transaction (e.g. amounts of two recent transactions, account numbers, etc.). By contrast, think of a hospital, or an employer. Yes, they have all kinds of intensly personal data about you in their files. But they don't necessarily make it possible for you to retrieve all that data remotely. As a result, anyone attacking the employer or the hospital will have a much harder job even figuring out where the personal data is, for starters. Some of it might only be in paper files, or in computer systems that aren't even networked. Moreover, how many huge banks are there in the U.S.? A couple of dozen? How many huge employers? Several thousand? The job of ripping the data off from several thousand employers is much harder than ripping data off from banks. Decentralization works to the advantage of privacy. It would be possible for banks to work more like employers holding employee records. Certain pieces of information could never be presented over the phone, e.g. your accounts could have temporary numbers that change from time to time in a semi-random way, as well as a permanent number that's never used over the phone. They could even call you by a pseudonym that changes from time to time for speaking to you on the phone. They could segment their internal networks into dozens of separate mini-networks with separate sets of servers so that breaking into one is not necessarily equal to breaking into all. Etc. But all those steps would be inconvenient, weird, and tremendously costly. Here's a thought experiment: Suppose a new bank opened up that offered no internet banking and no telephone banking. The only after-hours service available over the phone or internet would be emergency customer support from live humans to report fraud or errors (perhaps with an incident charge) but no access to your balances, transfers, establishing recurring payments, etc. In order to use this bank for ordinary transactions, you have two choices: come into a branch, or use an ATM. Once you get to the bank, you can use very sophisticated ATMs, but remote access is basically totally locked out. The goal is high security. Suppose further you had reason to believe that internally they made their network very secure and ensured that customer data essentially did not travel around the ordinary internal network. Would you be willing to use such a bank, accepting the huge inconvenience in return for the added security? Hospitals? Lawyers? Employers?

Those are some other entities that hold terribly sensitive information that must not be allowed to leak out, and which are absolutely required by law to gather much of it.

A big difference between those and your bank is that the bank gathers a bunhc of information about you and then tries hard to present it back to you in a simple interface, if you choose to look it up. You can dial your bank on the phone and get critical private data read back to you by a machine. That means that someone has gone to the trouble of ensuring that all the data at some point gets aggregated in one database or one system. You can later use some of that same information that machines can read to you as partial authentication to confirm your identity in a later transaction (e.g. amounts of two recent transactions, account numbers, etc.).

By contrast, think of a hospital, or an employer. Yes, they have all kinds of intensly personal data about you in their files. But they don’t necessarily make it possible for you to retrieve all that data remotely. As a result, anyone attacking the employer or the hospital will have a much harder job even figuring out where the personal data is, for starters. Some of it might only be in paper files, or in computer systems that aren’t even networked.

Moreover, how many huge banks are there in the U.S.? A couple of dozen? How many huge employers? Several thousand? The job of ripping the data off from several thousand employers is much harder than ripping data off from banks. Decentralization works to the advantage of privacy.

It would be possible for banks to work more like employers holding employee records. Certain pieces of information could never be presented over the phone, e.g. your accounts could have temporary numbers that change from time to time in a semi-random way, as well as a permanent number that’s never used over the phone. They could even call you by a pseudonym that changes from time to time for speaking to you on the phone.

They could segment their internal networks into dozens of separate mini-networks with separate sets of servers so that breaking into one is not necessarily equal to breaking into all. Etc.

But all those steps would be inconvenient, weird, and tremendously costly. Here’s a thought experiment:

Suppose a new bank opened up that offered no internet banking and no telephone banking. The only after-hours service available over the phone or internet would be emergency customer support from live humans to report fraud or errors (perhaps with an incident charge) but no access to your balances, transfers, establishing recurring payments, etc.

In order to use this bank for ordinary transactions, you have two choices: come into a branch, or use an ATM. Once you get to the bank, you can use very sophisticated ATMs, but remote access is basically totally locked out. The goal is high security. Suppose further you had reason to believe that internally they made their network very secure and ensured that customer data essentially did not travel around the ordinary internal network.

Would you be willing to use such a bank, accepting the huge inconvenience in return for the added security?

]]>