Breaches are commonplace today. Usernames and passwords, names and addresses, email addresses, questions and answers for password reset, and more are stolen on a regular basis. Sometimes even more information is included: IP address, download history and so on. One example of this is the recent Vtech breach, but I’m not picking on them: Ashley Madison, Adobe, Target, Anthem, JPMorgan, eBay, Home Depot, Nasdaq, US Office of Personnel Management, and the list goes on.
What is the damage done in these breaches? Should we really care and why? Most of the conversation is around credit card numbers and social security numbers. At first sight, this makes sense. If you steal my credit card number, then you can buy things in my name. If I don’t catch it in time, I can be in trouble, and even if I do – I have to prove my innocence. If the breach was published, then it’s easier for me to do this. But the really scary thing is that many breaches go undetected! Having said all of this, a stolen credit card number is easy to fix – cancel the card and get a new one. (It’s not a great solution, but at least it is a solution.)
What about stolen social security numbers? The damage here is less direct. However, in the current situation in the US where knowledge of an SSN is considered a proof of identity to some extent (amazing that this is still somewhat the case), SSN theft is the first step to identity theft. And we know that identity theft is a massive nightmare. A big problem here is that an SSN cannot be cancelled and replaced. So, once it’s stolen, it’s stolen. We can only hope that the US will make the transition quickly to understanding that an SSN is a great unique identifier for a person (since it cannot repeat, unlike their name), but should never be considered a type of authentication or proof of identity.
What about everything else? Companies tend to play down the loss of other types of information: email addresses, passwords, names and addresses, and so on. However, breaches that leak this information are actually really problematic for users. First, most users reuse passwords between websites. It’s nice for security experts to say “DON’T DO THAT!” but it’s just not realistic. Who can remember 25 different passwords? So, a stolen password from one website can mean breaking into the user’s accounts on many other sites. Stealing their password from an HMO can give the attackers access to a bank account (especially if the user login is their email or name, which is also stolen). Beyond passwords, information like names and addresses, questions and answers for password reset, and so on, are great sources for building a comprehensive profile for identity theft. It’s now possible to answer a whole series of questions about the user!
I’ll finish with one chilling thought. Not all attackers are after money. Some are targeting companies for industrial espionage, and some are foreign states aiming at even more. Employees of the target companies (or government branches) are an excellent way of getting in. So, a breach to something like Ashley Madison can actually be a threat to national security, using the ancient art of blackmail. However, it’s not just something as blatant as Ashley Madison. The ability to break into a target’s email, HMO, learn their download history and so on, can lead the attackers to potential ways to get at the target. It may sound like a James Bond movie, but James Bond’s technology was far less effective than the simple Internet.
In summary, breaches are a huge concern, and it’s not just credit card numbers. Organizations need to clean up their act and get serious about security, and users need to show that they care and demand good security practices from companies they work with. Otherwise, it will just get worse.