BULK IDENTITY THEFT
Identity theft is one of the most common and damaging forms of hack. For both innovative online brands and established “brick and clicks” brand names with a significant online business, protection of customer credentials is paramount. From financial institutions providing on-line account access, to on-line retailing and gaming, store and loyalty cards and multiple other scenarios, there is a long list of companies who need to store, manage and transact with sensitive customer data.
Typically web servers are hacked over the internet, and credentials are stolen from databases and other password stores. Hackers know its easier and faster to steal passwords at rest from a single location than it is to infect large numbers of client computers or capture credentials in transit. It can take less than a minute to steal a million passwords.
Stolen identities are routinely advertised on the dark web for $1 to $5 per record. Credentials originating from banks are advertised for $7 or more per record. With many customers re-using passwords across multiple websites and services, password theft compromises not only your service but others as well. That’s why password repositories are a honeypot for hackers.
TIME TO STEAL ONE MILLION PASSWORDS
It takes years to capture and decipher one million active passwords in transit, days to capture them from clients or web servers, and only seconds to steal them from a password repository. This is why the database is a favourite target for hackers.
Existing countermeasures such as hashing and salting passwords can mitigate against theft. But the development of techniques such as hash chains and rainbow tables, combined with the availability of cheap computer processing power, has severely degraded the protection of these techniques.
Strong encryption does not prevent identity theft, it just makes it much harder to de-cypher data after it has been stolen. Theft of encrypted data still triggers an expensive and disruptive remediation process. Regulatory bodies need to be informed, customers must be warned and passwords have to be changed as a precaution.
Two-factor and multi-factor alternatives to passwords enhance identification of the customer and make impersonation harder at the client end. But this approach also comprises a password element, even if only to manage registration and deregistration of the second factor device. And passwords still need to be stored securely at the business end.
THE COSTS OF RECOVERY
There have been numerous high profile bulk password thefts in recent years. Loss of identity data results in huge inconvenience to both companies and their customers, and there are significant financial implications for breached organisations.
Remediation costs can include but are not limited to:
- Significant reputational damage, loss of customer trust and brand erosion
- Financial losses stemming from disruption to trading
- Costs associated with cleaning up, restoring or rebuilding affected systems
- Regulatory sanctions such as the new European Commission Data Protection Regulation Directive 95/46/EC, with up to 2% of turnover levied in fines
- Possible compensation claims, threat of litigation or class action
The UK Cyber Security Strategy Review 2013 estimated the cost of remediating a security breach for a UK Enterprise is up to £850k. Recent research from CSID places the figure much higher at $5.3m or $188 per record.
A STANDARD ARCHITECTURE
The IT industry uses the same industry standard architecture, otherwise known as the PC, for everything. It provides economies of scale with an inexpensive solution to most problems, but also common vulnerabilities across all classes of products, including supposedly secure products. The fundamentals of this architecture are:
- A processor vulnerable to Malware attack: a PC executing the common x86 instruction set is both high performing and highly vulnerable to code injection attacks, infecting a computer with malicious programs posing as data.
- A software platform too big to trust: operating systems and applications software such as web servers and databases comprise millions of lines of code requiring a vast software code base for security.
- Permissions-based security: Administrators are afforded special access to manage identities. But if a permissions escalation attack is successful or the administrator password is stolen then security is instantly breached.
This architecture currently has tens of thousands of known security vulnerabilities, and more are discovered daily. According to cyber-security firm McAfee Inc, there are currently 130 million malicious programs available to steal identity information. Can you afford to take the risk that your company will be the next target?