The old adage goes, “there are only two certain things in life: death and taxes”. Increasingly, however, it looks like identity theft needs to get added to that list. Earlier this week, security blogger Brian Krebs reported that TALX, a division of Equifax (one of the “Big Three” credit bureaus), experienced a significant data breach of personally identifiable information (PII). As is often the case in mass data theft scenarios, TALX was unable to identify the exact number of records or the scope of PII compromised.
We often don’t think about the value of PII, because for the most part, it’s not regulated. Most organizations focus on protecting information such as cardholder data (regulated by PCI) and protected health information (PHI, regulated by HIPAA and the HITECH Act), because not doing so can lead to substantial fines and other sanctions. PII, however – whether it’s information on employees, customers or business partners – is often considered less critical when it comes to protecting confidentiality. While many individual states have data notification laws in the event that PII data is breached or otherwise unintentionally disclosed,
So, what kind of havoc can be wrought by compromising PII data? Plenty. For U.S. taxpayers, one of the most egregious examples is tax fraud. According to the U.S. Treasury, in 2015 over $490 million in fraudulent refund requests were made, many of which were requested due to the IRS’ own “Get Transcript” function. Stolen identity data can be used with public record sources to “fill in the blanks” of additional missing data, allowing criminals to establish enough digital identity to open revolving credit accounts, buy and sell property in the name of the victim and even use that information to compromise additional online accounts belonging to them. According to the U.S. Department of Justice, in 2014 alone the impact to victims of identity theft was over $15 billion.
In the case of TALX (and, interestingly, in the case of the IRS “Get Transcript” function) the technology culprit that allowed PII data to be breached was weak authentication. TALX relied on a combination of a static four-digit PIN code, coupled with a series of knowledge-based authentication (KBA) questions, also known as “challenge questions”. However, both authentication methods are subject to brute forcing, and with enough information about the target, many of the challenge questions (as well as PINs, which are often based on birthdays or other dates) can be derived even more quickly.
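To make the contrast concrete, here is an added example (my own code, not anything from TALX, Equifax or the IRS) that puts the weak pattern described above beside a hardened second factor: a static PIN that accepts unlimited guesses forever, versus a freshly generated one-time code that expires, is single-use and is burned after a few failed attempts. The class names and the `clock` parameter (injected so the expiry can be exercised without waiting) are my own choices.

```python
import hmac
import secrets
import time


class StaticPinCheck:
    """The weak pattern from the post: one fixed 4-digit PIN, no expiry,
    no attempt limit. The keyspace is only 10**4 and never changes, so a
    patient guesser always gets in eventually."""

    def __init__(self, pin: str) -> None:
        self.pin = pin

    def verify(self, guess: str) -> bool:
        # Constant-time compare avoids leaking how many leading digits matched,
        # but it cannot fix the tiny, static keyspace.
        return hmac.compare_digest(self.pin, guess)


class OneTimeCodeCheck:
    """A 'what you have' factor: a new random code per login, delivered out of
    band (e.g. SMS), valid for a short window and only a few guesses."""

    def __init__(self, digits=6, ttl_seconds=300, max_attempts=5, clock=time.time):
        self.digits, self.ttl, self.max_attempts, self.clock = digits, ttl_seconds, max_attempts, clock
        self.code = None          # None means "no code currently valid"
        self.expires_at = 0.0
        self.attempts = 0

    def issue(self) -> str:
        # secrets.randbelow uses the OS CSPRNG; zero-pad so leading zeros survive.
        self.code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.expires_at = self.clock() + self.ttl
        self.attempts = 0
        return self.code          # hand this to the delivery channel, not to the user-facing verifier

    def verify(self, guess: str) -> bool:
        if self.code is None or self.clock() > self.expires_at:
            self.code = None      # expired codes are discarded, never reused
            return False
        self.attempts += 1
        ok = hmac.compare_digest(self.code, guess)
        if ok or self.attempts >= self.max_attempts:
            self.code = None      # single use; also burned after too many failures
        return ok
```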
Of course, there are ways that individuals and organizations can protect themselves and reduce the likelihood that PII – whether it’s their own, or belongs to their customers or business partners – will be stolen:
- Use multi-factor authentication wherever possible. Multi-factor authentication is based on a combination of two or more of the following: what you know (like a password); what you have (like a mobile phone); and what you are (like a unique fingerprint). Many organizations simply rely on one of these factors several times, under the false notion that “more of the same thing is better”; for example, a password, a static PIN code and a series of challenge questions together are not multi-factor authentication, since they’re all simply variants of “what you know”. On the other hand, a website that requires a password and requires you to enter a four-digit code that is sent to your mobile phone as a text message definitely is multi-factor, since it requires both “what you know” (the password) and “what you have” (the physical mobile phone). Wherever an online service provides you with a true multi-factor authentication option, please use it. If you’re a service provider, then there is absolutely no excuse today to not have multi-factor authentication as an option (if not mandatory), especially if your application maintains PII.
- If you’re required to use KBA questions, use either qualitative or non-sequitur answers. For systems that require challenge questions (KBAs), if you have the option of choosing from a pool of questions always choose ones that have qualitative responses that could potentially change. For example, questions such as “in what city were you born?” or “what was the model year of your first car?” should be avoided, as their actual answers can often be derived from public records. On the other hand, questions such as “what’s your favorite color?” and “what’s the name of your favorite teacher?” have answers that are much more difficult to derive, since they’re not likely in public record sources. Of course, an even better option is to provide non-sequitur or completely nonsensical answers to these questions, as that can make it impossible for a fraudster to derive the answer. If the answer you provide to “what’s your favorite color?” is “potato”, it’s not likely that your questions will be hacked – but of course, don’t actually forget your responses!
- Use a password vault, and make your passwords as complex as possible. Most websites let you get really creative with passwords, and you should use this to your advantage by making them as complex as possible. What if you can’t remember 20 different passwords that all look like “C4a$vHoStvr@jb’FeeQprR#”? The easy answer is to use a password vault. Vaults automatically generate maximum-complexity passwords for you, store all of those passwords in an encrypted database (either locally on your system, or on the web), and in some cases, even handle authenticating to online apps for you, so that you never have to copy/paste or enter the password at all. Popular apps such as KeePass (which runs as an app) and Dashlane (which is a website) provide plenty of options for ensuring that your passwords are as complex as each website or application will allow.
- Change your static authenticators, and change them often. While passwords are not the most secure form of authentication, the fact is they’re not going away anytime soon. Because of that fact, it’s important to change your passwords on a regular basis. While it’s not likely that a complex password will be derived (i.e., cracked), it is very possible that the place where that password is stored online by the application may not be secure; just a few years ago, for example, security researcher Mark Burnett posted a publicly available list of 10 million compromised usernames and passwords online. So, the need to change your passwords on a regular basis – we change ours at EiQ Networks monthly, and I change my personal account passwords on the same schedule – is acute. Fortunately, if you’re using a password vault, this becomes easier; these tools can automatically generate new, complex passwords for you, and in some cases, they can actually facilitate the password change with the target application.
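The vault advice above boils down to two checks a practitioner can reproduce: generate a password from a CSPRNG that uses every character class a site allows, and refuse any candidate that appears in a known-compromised list before it is ever set. The following is an added example (my own code, not from KeePass, Dashlane or the post); `BREACHED_PASSWORDS` is a tiny constructed stand-in for a leaked-credential list such as the one the post mentions, and the 80-bit threshold is an assumed policy.

```python
import math
import secrets
import string

# Constructed stand-in for a breached-credential list; a real deployment
# would use a much larger set or a hashed (k-anonymity style) lookup.
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "C4a$vHoStvr@jb'FeeQprR#"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length: int, banned: str = "") -> str:
    """Vault-style generation: OS CSPRNG, at least one character from every
    class the target site permits, and any characters it forbids stripped out."""
    pools = [''.join(c for c in cls if c not in banned) for cls in CLASSES]
    pools = [p for p in pools if p]
    if length < len(pools):
        raise ValueError("length too short to cover every character class")
    alphabet = ''.join(pools)
    chars = [secrets.choice(p) for p in pools]                       # guaranteed class coverage
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed characters
    # do not always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return ''.join(chars)


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the classes actually used).
    Characters outside the four classes contribute nothing (conservative)."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(size) if size else 0.0


def acceptable(password: str, breached=BREACHED_PASSWORDS, min_bits: float = 80.0) -> bool:
    """Reject anything already leaked, then anything too weak for the policy."""
    return password not in breached and estimate_bits(password) >= min_bits
```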
While we’re many years away from an authentication panacea in which users’ data is safe from attackers, the reality is that by implementing a reasonable set of authentication controls, users and organizations entrusted with their PII data can minimize the potential threat of identity theft.