Equifax Security Breach & Credit Freezes

By now, you’ve heard of the Equifax security breach. There’s plenty of coverage on it so I won’t go into detail here.

However, a friend asked me what I felt they should do next and I figured I’d share my recommendation (which really goes for any security breach that affects your personally identifiable information.)

We might all as well do three things:

  1. Go to Equifax’s website to see if we might be victims of this latest breach: https://www.equifaxsecurity2017.com. They have a handy tool for you to check if you’re part of the breach.
  2. Sign up for the free credit monitoring that Equifax is providing (if available to you, on the same website)
  3. Consider signing up to freeze your credit report.

It's this last one I want to discuss in more detail. The Identity Theft Resource Center has some great info on the pros and cons of credit freezes. There's often a cost associated with freezing (and thawing) your credit report for long periods of time, and sometimes you have to already be a victim of ID theft to start one. Worse, the rules vary from state to state. But it makes me wonder: why isn't this the default setting for all consumers?

Why isn’t our credit frozen automatically and easy to thaw (by the consumer) with minimal hassle? Especially since these credit companies are collecting information about us without our explicit consent, it seems that consumers should have better defense against ID theft than simple credit monitoring, which is generally clunky and temporary. Criminals have great patience and they know the monitoring only lasts one to two years.

If thawing one’s report to sign up for new credit was easy, there’s really no reason from a consumer perspective why we wouldn’t want to enable this fundamental and powerful privacy feature.

My Accidental Epiphany: Debit Card Two-Step Verification

Two things happened to me yesterday almost at the same time that changed the way I will use my debit card forever.

First, some background: I have two different bank accounts. One has all my money and my loan info. I’ll call that my secret account. The other I set up because Amazon demands a bank account to auto-deposit (the very meager) proceeds of my book sales and I wasn’t about to give them the keys to my (admittedly tiny) kingdom. On the rare occasion I sell a book, Amazon puts the token payment in the second account and I manually transfer it to the first. Let’s call that my transaction account. Needless to say, the balance is usually zero, or close to it.

Now the first event: I got a new debit card in the mail. It came in the usual plain envelope from my bank. I immediately took it down to the local branch office to reset my PIN and turned in my old debit card for secure shredding. Here's what I failed to realize: the debit card they sent me was for the transaction account. The card I gave to the bank to shred was for the secret one! I know, I know. I need to pay closer attention to the paperwork that comes with these dang cards.

The reason I found this out was because of the second event. I love to go almost every Sunday to the local farmer’s market and many vendors there don’t take credit cards. So I visited the local convenience store to take some money out of the ATM. When I inserted the debit card, it told me I could not withdraw money because I had insufficient funds. It was then I realized the mistake I made with the cards. Aw, man! Now, how would I get my fresh-squeezed juice?!

That's when it hit me. I whipped out my handy smart phone and used the bank's mobile app to transfer the money I needed from my secret account to the transactional account. Instantly, I was able to use the ATM to retrieve the money I needed and buy my yummy juice. That's when my epiphany hit me: Why don't I ALWAYS do my debit transactions this way? Some companies, like Costco, don't take credit cards, only debit cards. I always feel a twinge of insecurity when I use my secret debit card there. Security pros know that it's always better to use credit cards online or in stores, because if the card number is stolen, it's better that the bad guys charge to your credit account (which you can then easily dispute and be refunded after signing an affidavit) than have your entire savings or checking account drained of your hard-earned cash and bounce a bunch of checks in the process. Messy. Very messy.

This epiphany, which is really just a play on the two-step verification process, is the answer! Of course, parents have been doing this for years with their college kids’ debit cards, but here’s the step-by-step procedure to set this up if you do a lot of business with your debit card:

  1. Assuming you already have a bank account (we will call that your secret account), set up a second one that will be used SOLELY for individual transactions. Deposit the minimum amount the bank requires and no more. Always try to leave this account empty (or with the minimum balance to avoid fees).
  2. Work with the bank to set up this transactional account so that you can transfer money between it and your secret one. Do not, however, link the two for overdraft protection: if the bank automatically covers overdrafts on the transactional account from the secret one, a fraudulent charge against the "empty" account can still pull money from the account you were trying to protect.
  3. Request a debit card for this new transactional account. Use ONLY this debit card when conducting business.
  4. Whenever you need to take money out of the ATM or want to make a payment using a debit card (thanks, Costco!), first use your bank’s mobile app to transfer the money you need from your secret account to your transactional account.
  5. Then use the transactional debit card to process the payment (or take out the money!) Easy peasy!
  6. If someone (like Amazon) ever needs to SEND you a payment using your bank account info (danger! danger! always be suspicious of such requests…PayPal may be a better option, but guess what? PayPal needs your account info too), give them the transactional bank account info. As soon as the payment arrives, transfer it to your secret account.

The benefit of this two-step method is that if your debit card info is ever lost by the people or places you do business with, evil hackers will have access to…an empty bank account. Ha! Take that, villains! I'm kidding guys. Please don't hurt me. It could also be useful for managing your money, since all transactions flow through a single transactional account.

Anyways. I was thinking about calling my bank to request a new debit card for my secret account. Now I’m thinking I might not need it. Oh, and if more people buy my books, I won’t have to transfer money at all. I could just live off the proceeds of their generosity. Get on it, book fans! 😉

Thanks for reading.

The Three Laws of Privacy in the Internet of Things

Let's say that tomorrow they invented the flying car and anyone could afford one. What would you see in your town by this weekend? A portion of your neighbors–the technology-driven–would already have one and be bumping into trees and power lines while they tried to park their new rides. A larger portion, let's call them the technology-mindfuls, might be considering how such a car will fit into their lifestyle, and might be taking advantage of public transportation that flies already. Finally, there would be the technology-humbugs that simply would not have anything to do with these new-fangled flying machines.

Imagine the chaos of all these new flying cars in the air. What would be the new rules of the road? Could cars fly over each other? Would they need to follow existing streets? Where are flying cars allowed to park? How do we decide who is at fault when accidents occur? How long would it take legislators to battle out a new set of laws and policies regarding the use of flying cars? How long would it take security folks to develop defenses to protect lives and property from so many objects whizzing around in the sky?

What’s happening now with the Internet of Things feels a little bit like flying cars. We are seeing a multitude of new and generally affordable technologies that people are learning how to use–and misuse. We have technology-driven consumers buying the latest gadgets without fully understanding how to protect themselves while using them. We have companies developing these technologies without fully understanding how to protect the devices or the consumers that use them.

Now that International Privacy Day is over, I'm reflecting on how much convenience the technologies we've come to rely on provide us, and weighing the risks to our privacy and security that come with enabling them.

Security is concerned with protecting data: Access controls, encryption…basically making sure data’s confidentiality, integrity and availability cannot be compromised. Privacy is concerned about these things too. However, privacy also examines transparency–giving consumers more information about an organization’s practices regarding the collection and use of their data; and choice, empowering users to make decisions about what data is collected about them, about with whom it is shared, and about what is done with the data…and even how long it is stored.

I was reminded of one of my favorite movies, based loosely on a story by one of my favorite authors: I, Robot by Isaac Asimov. In the story, society is introduced to a fantastic new technology that promises to benefit all.

Aware that people tend to be afraid of the unknown and that this new technology may be viewed with suspicion, the manufacturer derives a set of Three Laws with the intent of assuring a nervous public that they have nothing to worry about.

The Three Laws of Robotics went something like this:

  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.

  2. A robot must obey the orders given it by human beings, except where such orders would conflict with the First Law.

  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

Quite predictably, when the Three Laws are violated, panic ensues.

In a way, the Internet of Things is much like the robots of the story. We have thousands of fantastic new technologies, all promising great benefits, each carrying the risk of making consumers afraid about how these technologies will affect them.

So I got to thinking, what if the Internet of Things had its own version of the Three Laws…the Three Privacy Laws of the IOT…rooted in Privacy By Design? They might read a little something like this:

  • An organization shall not collect data in a manner that causes injury to a person, or through unintended consequences, allows a person to come to harm.
  • An organization shall not collect more data than it needs to service a person and shall protect the data it collects at all times.
  • An organization collecting data about a person shall give that person visibility and control regarding the collection, retention and sharing of their data so long as it does not conflict with the Second Law.

An IoT device maker could certify that it had met all the requirements of the Laws and, when the certification process was complete, could let its customers know that it was "Three Laws Ready," just like the company in the movie.

No matter what new article I read about privacy or the IoT, it always comes back to one thing: Trust. Trust is about more than good intentions, as we discovered in 2014, the year of the mega breach. As the people in Asimov's story discovered, it's also about executing transparency, choice and damn good security. Miss any one of these and don't be surprised if panic ensues.

As a privacy advocate, I'm passionate about making sure we get it right. Whether it's robots or flying cars, the technologies are advancing faster than some people's ability to keep up. That doesn't mean the makers of those technologies have any more right to violate our privacy. Assuming ignorance on the part of consumers may be a time-honored way of making money, but public or private organizations that operate in such a manner will eventually discover who actually holds the power. And in this age of social media connections and instant communications, Hell hath no fury like a consumer burned.

And this technology-mindful really wants his flying car, so they had better get it right the first time.

Infragard Social Media and Public Safety Event

Recently the San Diego chapter of Infragard invited me to speak at our “Social Media and Public Safety” event on May 23rd. The event was held at the beautiful Irwin Jacobs auditorium at Qualcomm’s headquarters. It’s a fantastic facility for such events.

I gave a talk on “Social Media 101” to explain some of the basics of common social media and why emergency and incident responders should be using it. It’s not often that information security professionals talk up the importance of using social media, mostly because we’re so busy preaching why they are so bad for security and privacy. But they are valuable tools that emergency responders can ignore only at their peril. My premise is that if we don’t understand how to use such tools ourselves, how can we help others protect themselves online?

SDG&E arrived to demonstrate their new Incident Command Trailer. Very cool.

My conclusion? Get involved! Use the tools. Learn the culture. Pick a topic you care about and aren't worried about from a privacy perspective (like fishing, for example!) and post only about that. Anything is better than nothing, and nothing is what the bad guys are hoping we will do.

While the event was going on, we used twitter hashtag #sdcssm which was trending locally in San Diego until at least 9pm that night. Take that, #songstogetlaidby!

For those interested in a copy of my presentation, I’ve made it available here.

Cyber security predictions for 2012

I’m no cyber security visionary…or am I? Everyone else has made their predictions. Here are my top five. Tell me I’m wrong! Does anyone make a living by doing this?

  1. Lots of security professionals will make annual predictions, most of which won’t come true, or will be so general as to be inevitable.
  2. Some organization will experience an insignificant hack which will cause an explosion of attention in the media.
  3. Some organization will experience a significant hack and most will never hear about it because it won’t be sexy.
  4. A security breach will cause a political candidate to change course.
  5. At least one organization will build a business continuity plan around the Mayan calendar.

Securing our eCity

Today I had lunch with the Mayor of San Diego, Jerry Sanders. Yeah, I had to name-drop. It's not every day a guy like me has lunch with the Mayor.

More importantly was the topic of discussion during the meal. Darin Andersen of ESET held a meeting for a program he calls “Securing our eCity.” This initial meeting sought to answer the question, “What does a cyber-secure city look like?”

The goal is to make San Diego better known as a cyber-security-aware community. It's a little-known fact that San Diego is home to a large (and growing) population of information security professionals. We've long wondered how we could tap that vast pool of expertise, and Darin may have given us a way.

The attendees list included over 70 representatives from local businesses, federal, state and local government. Mark Weatherford, CISO of the State of California was there.

Enthusiasm was high. It will be good to see if we can collectively turn that energy into tangible benefit to the citizens of San Diego. I for one look forward to participating.

Here to help

I’m an information security professional with over 12 years experience. I needed a place to put some of the resources I’ve created to improve security and started this little site.

My specialty is the human being, the weakest link in security. An organization can spend a million dollars on firewalls and anti-virus software, and a human being–sometimes through no fault of their own–can negate all our expensive security technologies.

Don't mistake me for an academic though: I've built and managed multiple incident response and vulnerability management programs. I've also spent my share of time as a security engineer.

This site will provide ideas, tools and resources on how to minimize that risk. Some say there is no patch for stupidity. I have heard, and I agree, that there is however a patch for unawareness.