Target breach – 40 Million Card Numbers can’t all come from POS machines….

Aaron Titus, Chief Privacy Officer at Identity Finder, provided commentary on the breach reported on Dec 18th.

“Although skimmers (physical devices that steal track data from point-of-sale machines in stores) can collect track data, it is extremely unlikely that hackers could have installed skimmers in Target stores across the country. At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.”

“Organizations that strictly follow PCI-DSS 2.0, and PCI-DSS 3.0 should be able to prevent most of these sorts of breaches, so I imagine Target has already begun the process of locking down, analyzing and securing their systems,” Identity Finder’s Titus said. “The first step to PCI-DSS 2.0 and 3.0 compliance is sensitive data management through discovery and classification, which can help a company identify broken business processes and technology shortcomings.”

Additional expert commentary:

- Experts suggest it's an inside job and not merely skimming POS devices at stores
- Experts suggest that better controls and processes would limit the risk and prevent a massive breach of this size

Article here

Identity Finder’s Sensitive Data Manager is a critical element for evaluating these controls or refining these processes, as it is incredibly accurate and effective in discovering and classifying credit card data stored on the internal network.

Identity Finder and Javelin new research draw correlation between data breaches and consumer identity theft

In a recent study by Javelin Research commissioned by Identity Finder, we show results that data breaches within healthcare and retail environments do correlate to identity theft. In plain English, it means that if a criminal is able to steal data from your healthcare provider, pharmacy or any merchant you do business with, your identity is in jeopardy of fraud and theft.

The study shows that healthcare and retail are the two business segments that are the most likely sources of consumer identity theft. Here are some eye-opening statistics from 2012:

  • 4.4 million Americans were both notified that their payment card information was compromised in a data breach and suffered fraud on their existing credit or debit cards.
  • 1.26 million Americans were both notified that their Social Security numbers (SSN) were compromised in a data breach and became victims of identity fraud.
  • 270 thousand Americans were both notified that their online banking credentials were compromised in a data breach and suffered fraud on their financial accounts, including checking and savings accounts.
  • 324 thousand Americans were both notified that their bank account numbers were compromised in a data breach and became victims of fraud incurred against their checking, savings, or other financial accounts.

Identity Finder recommends that businesses in these segments follow some basic steps to minimize chances of a data breach:

  • Locate and identify sensitive data. Sensitive data is any data that has value to the organization or can expose them to risk if compromised. Sensitive data should include consumer bank account information, payment card data, SSNs and other types of personally identifiable information (PII), as well as trade secrets.
  • Classify sensitive data accordingly. Categorize the information using a naming convention appropriate to the organization. This step can ease efforts to control the access, routing and storage of different types of data.
  • Secure data based on risk profile. Deploy security measures commensurate to the risks associated with the loss of respective categories of data.
  • Develop policies to mitigate future data management issues. Implement and enforce policies designed to prevent unprotected data from being stored outside of approved locations.

For complete findings and survey methodology, please download the research paper at: www.identityfinder.com/us/Files/JavelinDataRiskPart1.pdf

Forthcoming Identity Finder research shows correlation between business data breaches and consumer identity theft

In an upcoming study by Javelin Research commissioned by Identity Finder, we show results that data breaches within healthcare and retail environments do correlate to identity theft. In plain English, it means that if a criminal is able to steal data from your healthcare provider, pharmacy or any merchant you do business with, your identity is in jeopardy of fraud and theft.

The complete study will be available on Oct 29

Leveraging technology to serve community needs

Here is a great post about disaster recovery at a real personal and community level. Identity Finder’s Counsel, Aaron Titus, put together a solution that empowers communities to effectively organize and clean up after a natural disaster. This feature is quite apropos as we are coming up upon the 1st anniversary of SuperStorm Sandy.

We’re proud to be associated with you Aaron.


How would you coordinate 30,000 volunteers in 5,000 locations across an arc 500 miles long in just eight weeks?
That was the challenge Aaron Titus faced in the wake of Superstorm Sandy. Undaunted, he went to work. Realizing he couldn’t do it alone, he focused on building a solution that decentralized the coordination process, worked across agencies, and empowered leaders in the field. He succeeded…

Read more at CSOOnline blog

Identity Finder Discovers Google Chrome Users Are Vulnerable to Sensitive Data Theft

Last week, Identity Finder security researchers performed in-depth scans on several employee computers using the latest version of Sensitive Data Manager (SDM). During the scan, SDM pinpointed several Chrome SQLite databases and protocol buffers storing a range of information including names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers. SDM found similar data among all employees who consistently use Chrome as their primary browser.

Chrome's History Provider Cache contained SSNs, bank account information, addresses, email, and a bunch of other stuff you'd want to keep to yourself.


We confirmed with each employee that sensitive data, such as social security and bank account numbers, were only entered on secure, reputable websites. Despite employees having entered this information on secure websites, Chrome saved copies of this data in the History Provider Cache. Other SQLite databases of interest include “Web Data” and “History.”  On Windows machines, these files are located at %localappdata%\Google\Chrome\User Data\Default\.
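To check a profile of your own for the exposure described above, the following added example (not Identity Finder's code, and not a description of how Sensitive Data Manager works) scans a copy of a SQLite file such as "Web Data" or "History" for Luhn-valid card numbers and structurally valid SSNs and reports them masked. The table name `form_values_demo` and its rows are constructed sample data, and the protocol-buffer History Provider Cache is not covered.

```python
import re
import sqlite3
from pathlib import Path

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators
# AAA-GG-SSSS, excluding never-issued values: area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)(\d{4})(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit test: discards most digit runs that are not card numbers."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def find_sensitive(text):
    """Return (kind, masked_value) pairs; only the last four digits are kept."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    hits += [("SSN", "***-**-" + m.group(1)) for m in SSN_RE.finditer(text)]
    return hits

def scan_sqlite(path):
    """Open the file read-only and scan every text or blob cell of every table."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    findings = []
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
        cols = [c[0] for c in cur.description]
        for row in cur:
            for col, cell in zip(cols, row):
                text = cell.decode("utf-8", "ignore") if isinstance(cell, bytes) else cell
                if isinstance(text, str):
                    findings += [(table, col, k, v) for k, v in find_sensitive(text)]
    con.close()
    return findings

def build_demo_db(path):
    """Constructed rows in a hypothetical table; this is not Chrome's real schema."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE form_values_demo (name TEXT, value TEXT)")
    con.executemany("INSERT INTO form_values_demo VALUES (?, ?)", [
        ("ssn", "123-45-6789"), ("cardnumber", "4111 1111 1111 1111"),
        ("order_id", "4111111111111112"), ("tax_id", "000-12-3456")])
    con.commit()
    con.close()
```

Run `scan_sqlite` against a copy of the file taken while Chrome is closed, since the browser keeps its databases locked while it is running.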

Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system, or simple malware. There are dozens of well-known exploits to access payload data and locally stored files. To see whether Chrome data was at risk of theft, Identity Finder researchers created a small proof-of-concept exploit that would upload Chrome cache data to a third party site (see screenshot below). In this attack scenario, an attacker would only have to trick a user into permitting access to their file system. Attackers could acquire vast amounts of personal information without requiring users to enter anything into a form or to supply system credentials.

In addition, someone with access to a hard drive, for example after a computer is sold on Craigslist, would have access to all of this information, even if it is deleted.

In this scenario, an attacker creates a fake, trustworthy-looking website, and convinces a user to allow heightened access. As soon as the user clicks “Yes,” all of the data is transmitted to a third party.

Strictly speaking, these Chrome vulnerabilities aren’t “new” or completely unknown to technologists. However, Identity Finder is the first security company to demonstrate real-world, non-theoretical risks to sensitive information stored by the Chrome browser. By connecting the dots, we hope to educate all Chrome users that Chrome stores sensitive data unencrypted, alert users of the risks of stored Chrome data, and encourage individuals and enterprises to engage in sensitive data management best practices.

Summary

Chrome Sensitive Data Risks


We notified Google of the risk, but have not yet heard back.

As of now, Chrome is the only browser we have analyzed in-depth. We may analyze other browsers in the near future. But the fact that these risks have been around since version 2.0 of Chrome, or that similar vulnerabilities may be shared by other browsers, only adds to the urgency for browser makers to secure all stored browser data.

We’ve taken the liberty of compiling a quick infographic illustrating one potential attack vector, and why it’s vital for individuals and enterprises to engage in sensitive data management practices.

Protecting Yourself

Employees, employers, and consumers can easily protect themselves by following good sensitive data management practices. Anytime you enter a credit card number or other PII into a form, be sure to “Clear saved Autofill form data”, “Empty the cache”, and “Clear browsing history” from the past hour and the information you typed will be erased. Alternatively, disabling Autofill or using Incognito mode will protect form data.

Open Chrome, click “Customize and control Google Chrome”, then Settings, then scroll down to “Show advanced settings”, then click “Clear browsing data…”. Once the Clear browsing data dialog appears, enable the checkmarks for “Clear saved Autofill form data”, “Empty the cache”, and “Clear browsing history”. Configure the time setting to include when you typed sensitive data, such as “the past hour”, then click the button on the bottom right: “Clear browsing data”. Finally, restart Google Chrome.


Remediation

Daniel Tosh: Please Change Your Credit Card in the Next 30 Minutes!

Identity Finder Warns Comedian that Identity Theft is no Laughing Matter

On Monday, September 3rd, Daniel Tosh of Comedy Central’s TOSH.O show issued a challenge the Identity Finder team couldn’t resist:

(Courtesy Comedy Central)


Daniel Tosh offered to retweet the first person to get the right answer. That night he retweeted:

While 40,320 is the mathematically correct number of permutations of 8 digits in 8 places, it is the wrong answer to the question, “What is the maximum number of guesses it would take before you could live the good life?” In less than one second, Identity Finder found the answer: It’s actually just 144. If he owns a Discover Card there are only 129 possibilities, and if he owns a MasterCard, Identity Finder narrowed it down to just 36 guesses. In short, Daniel, even if it took 10 seconds to try each one, your credit card could be hacked in less than a half hour.

The Identity Finder team started with a list of all 40,320 possible permutations, but it took Identity Finder’s Sensitive Data Manager 7.0 just one second to narrow the list to 472 possibilities:

It took just 1 second for Sensitive Data Manager to eliminate 99.6% of the false positive results.



Thanks to a series of powerful validation algorithms that eliminate false positive results, Sensitive Data Manager is the fastest and most accurate solution for PCI and HIPAA compliance.

Next, many of those 472 are obsolete or older cards such as Diners Club. We know Tosh is way too young and cool for those, so Sensitive Data Manager automatically eliminated older and obsolete card types. That leaves us with a list of just 144:

Diner's Club Card for Tosh? No way...

Tosh Way too Cool for Diner’s Club


Of those 144, 129 are Discover and 36 are MasterCard. Especially knowing Daniel’s secret penchant for Discover Card, a hacker could be living the high life in less than 30 minutes, by testing each one (even if it took 10 seconds per try).

So, assuming that Daniel Tosh has a healthy line of credit, and his credit card isn’t maxed out, some identity thief could already be “living the good life.”

Thanks for helping us “get smarter, faster”, Mr. Tosh.

Sensitive Data Manager garners 5 Star Rating

SC Magazine, a leading voice in the security media community recently reviewed Identity Finder Sensitive Data Manager and found it a great value. Here are some quotes:

  • Identity Finder’s Sensitive Data Manager offers a lot of data loss prevention capability in an easy-to-configure package
  • We found this product to be an excellent value for the money
  • Sensitive Data Manager has a lot of bells and whistles
  • Very good value, especially considering its broad range of policy management
  • We found installation and setup of this tool to be easy and straightforward.
  • We found this suite to be fairly easy to work with and had little trouble.

This speaks clearly to the Sensitive Data Manager’s abilities to solve today’s problems – Data breach prevention, risk management and compliance. We are honored to garner this recognition.

Full details here: http://www.scmagazine.com//identity-finder-sensitive-data-manager/review/3969/#

VIDEO: Data-at-Rest vs. Data-in-Motion DLP

Despite massive security efforts in place today by large organizations, data breaches continue to occur and identity theft is on the rise. There are two primary prevention strategies to searching and securing sensitive information: Data-at-Rest and Data-in-Motion. This video describes the two methods and walks through how Data-at-Rest can help prevent data loss at the source.

VIDEO: Identity Finder Enterprise Architecture

Identity Finder’s architecture is flexible, and can be configured to adapt to your unique business needs. You have the option to centrally manage your deployment using the Identity Finder DLP Enterprise Console, and receive centralized reporting from all devices through your entire enterprise network.
If you wish to empower your end users to maintain their own systems, Identity Finder is installed on each laptop, desktop, PC, Mac, or server. You may configure the endpoints, and the results of Identity Finder searches and End Users’ actions are presented to the end user for remediation or reported back to the DLP Enterprise Console.
You can also search other computers, web servers, or database servers without installing Identity Finder, using Agentless Searching. From a single administrative workstation you can remotely search other desktops, file servers, or any network device with a hard drive, without installing Identity Finder on those machines. As always, the agentless search policies may be set, monitored, and controlled by the centralized DLP Enterprise Console.

Identity Finder Works to Eliminate SSNs from Public Documents

The open records organization Public.Resource.org recently announced that the IRS posted thousands of SSNs on their website in Form 990s. Earlier today John Mello wrote a follow-up article entitled “Who Needs Anonymous When You’ve Got the IRS?”, which highlighted Identity Finder’s 2012 report on 472,866 social security numbers currently posted in IRS documents online.

“Thousands of Social Security Numbers were there for anyone to take,” he told TechNewsWorld. “If you’re an identity thief, you have a one in six chance of downloading a 990 from 2001 and getting a Social Security Number,” Feinman said. “Those are better odds than Vegas.”

Identity Finder is working with Public.Resource.org and has provided a copy of the report to Congressman Tom Latham, who recently sent a letter to the IRS requesting information on how such a breach could have occurred.

Key recommendations of the report include:

  • Donors should never share their social security number with charities.
  • Scholarship applicants should always require any organization to justify a request for their social security number and should not be afraid to decline to provide it.
  • Organizations should avoid placing personal information (especially SSNs) on public documents such as court documents.
  • Nonprofit organizations who learn they have published SSNs should warn those affected that their names and SSNs are part of a document on public record and that they may be at increased risk of identity fraud.
  • Tax preparers should review IRS forms they approve to ensure no personally identifiable information is unnecessarily disclosed.
  • The IRS and other sources of past 990 filings should only provide redacted copies of the forms.