HUNTINGTON BEACH, CALIFORNIA — During a week when it was learned that hackers had gained access to 76 million JPMorgan customer accounts, Robert Siciliano’s presentation at the Mechanical Service Contractors of America convention here could not have been more timely.
A data breach like that affecting JPMorgan is the result of an irresponsible or malicious insider, or a third party fault, or loss, theft or burglary of a laptop, mobile device or flash drive, or from hackers, explained security expert Siciliano (robertsiciliano.com), a frequent guest on TV news shows talking about security issues.
In fact, a CONTRACTOR editor sitting in the front row saw the caller ID light up on Siciliano’s iPhone and it read “Nightline.” “Hello, Nightline?” Siciliano responded. “I’m in the middle of a presentation. Can you call me back in 15 minutes?”
When tens of millions of Target customers had their accounts compromised, hackers entered via Fazio Mechanical through its connection for remote billing and contract management, Siciliano said. The hackers implanted a password stealing bot called Citadel that probably entered Fazio’s system through an email phishing con.
(Siciliano reiterated that you should never, ever click on a link inside an email unless you’re expecting it because somebody you know told you it was coming. Even if it looks like an email from your bank, get out of the email and go directly to your bank’s website. Don’t click on the link in the email.)
Fazio was using a free version of Malwarebytes Anti-Malware, but the free version doesn’t offer real-time scans. You have to manually look for malware. Pay for the full version of anti-malware and anti-virus software, Siciliano said.
Target contractors have access to an external billing system called Ariba, so the bad guys got into the Ariba server and used that as a bridge to get into the server with the customer data. The servers were separate but obviously not separate enough. So far the breach has cost Target $200 million in fines, compensation and new software and consulting services.
Too few systems have two-factor or multi-factor authentication, he said, other than banks. You log in to a site and get an email with a one-time password or PIN that you can change. Your authentication may be biometric like your fingerprint. If the bank doesn’t recognize your device, the system will start asking you the usual security questions, like your mother’s maiden name or your high school or the name of your dog.
Amazon does not have two-factor authentication but they will after they get breached, Siciliano said. It’s only a matter of time. A lot of e-retailers shy away from two-factor authentication because they think it’ll bog down the shopping process. The only way to get them to adopt it would be for the Feds to mandate it, he said.
Siciliano showed a picture of Albert Gonzalez, who was caught with the records of 170 million credit accounts. Gonzalez is spending 20 years as a guest of the federal government.
As enterprise systems are hardened, hackers like Gonzalez go after unprotected networks that may be using an outdated browser or operating system. They look for credit card information, Social Security Numbers or anything else they can use to set up new or fake accounts. You can’t protect your Social, Siciliano pointed out; you’ve given it out thousands of times. They open accounts in your name or take over existing accounts. Hackers either buy stuff like restaurant meals or they buy merchandise that’s resold on Ebay or Craig’s List. They have thousands of “mules” reselling ill-gotten goods for cash.
Want a fake ID? They make really good ones in China.—Robert Siciliano
A new and booming form of fraud — up 700% since 2008 — is tax refund fraud. The bad guys pose as somebody else, create a fake W-2, and file for an income tax refund. There were two million fraudulent returns in 2011 and the government sent out $2 billion in tax refunds to fakers.
Half a million children have their identity stolen every year. In the mid-‘80s, the IRS started demanding that children get Social Security Numbers at birth because parents were making up non-existent children and using them as a tax write-off. Now that babies have Socials, their identity can be stolen and often the theft isn’t discovered until the child gets his first job.
Want a fake ID? They make really good ones in China, Siciliano noted, and who can tell the difference? There are 49 versions of Social Security Cards, 14,000 different birth certificates, 200 different types of driver’s licenses, and there are 14 states that don’t require a photo on a driver’s license or state ID.
The Government Accountability Office reported that 28% of public records, such as birth certificates, are available online. Siciliano found quit claim deed filings online for Jeb Bush, Colin Powell and former CIA Director Porter Goss that included their Social Security Numbers. If the CIA Director can’t protect his Social, who can?
Do not donate your personal device to charity because they can never be wiped completely clean. He advised taking a sledgehammer to them instead.
Do not use an independent ATM. Siciliano discovered that a bar was selling all of its fixtures, including an ATM, so he just had to have it. He and hacker friend dismantled the ATM in Siciliano’s garage and found a hard drive that contained records of a 1,000 credit and debit cards.
Thirty percent of fraud losses come from card-counterfeiting ATM skimmers that are installed on top of the card readers and keypads of ATMs. To counter that, Siciliano suggested going into your account settings at your bank website and ask to receive a text message for every transaction on your card.
Check your credit report annually and, preferably, three times a year. Dispute inaccuracies. Pay for credit monitoring. Lock your credit down with a credit freeze. When you plan a major purchase, unfreeze it a few days beforehand, and then refreeze it. Buy and install a locking mailbox. Buy a good crosscut shredder and shred everything. And, finally, Siciliano concluded, buy password manager software. Siciliano has more than 600 passwords, of which he can remember perhaps a dozen. A password manager handles that.
Twitter @bobmader