Consumers Fighting Identity Theft Need To Demand Data Breach Protection


Are you one of the millions affected by identity theft? Even if you are not, 2011 was the year of the data breach, with over 36 million people affected. Javelin Strategy & Research reports that people whose information was exposed in a data breach are almost 10 times more likely to suffer identity theft or fraud. If your information has been stolen or compromised, you could well be the next victim.

Data breach protection lowers the risk of identity theft. In 2010, 8.6 million U.S. households were affected by identity theft, according to the Bureau of Justice Statistics. With 36 million people exposed by breaches in 2011, last year's identity theft count is likely to be far higher, although the figures are still being compiled.

Identity theft is one of the biggest problems we face today because it can destroy credit ratings and financially ruin its victims. Recently, employees of Schield Family Brands, a window and door manufacturer, became victims of identity-theft-based tax fraud. Using the victims' Social Security numbers, the thieves filed fraudulent tax returns and collected the refunds. Over a hundred employees were left without their refunds, were charged fees, and may have had their credit scores damaged by the fraudulent activity. Worse, the victims did not learn of the fraud until they were notified that a return had already been filed in their name.

Although data breach protection is usually seen as the responsibility of corporations, consumers can take precautions of their own. A recent Javelin report published some alarming findings about behaviour on social networks: 68% of public profiles showed the owner's birth date and 63% showed their high school. Both are answers to common account-recovery questions, and together with a name they give a fraudster the raw material for a social engineering attack. Keeping details like these private helps prevent such attacks.

Forbes recently listed six mistakes most people are already making online that can lead to their becoming victims of cyber crime:
1. Displaying a full birth date on a Facebook profile
2. Participating in online quizzes
3. Using mobile devices without password protection
4. Tweeting plans, including destinations and vacations
5. Leaving geotagging on, which reveals your location
6. Using weak email passwords and never changing them

By avoiding these mistakes, people can do their part to protect their identities, but it is also the responsibility of organizations to keep users' information secure. This is why consumers, employees and even the government should push for remote access security that stops attackers from turning breached data into fraud. A two-factor authentication solution adds a layer of protection that takes part of the identification process out of the criminal's reach and puts it back in the hands of the individual, literally.

Delivering a one-time password by SMS text message not only protects access, it also tells the user that someone has just authenticated or requested access to their information. Even if an attacker obtained credentials from a data breach or through social engineering, this added layer can stop the attack. SMS is not a perfect channel: a code can be phished in real time or intercepted by someone who has taken over the phone number, which is why the code must be short-lived and usable only once. Even so, it is an effective and efficient measure that does not take long to put in place.

How to Remove Responsibility While Avoiding Data Breaches in Healthcare


If you work in healthcare, you know how important it is to keep confidential data secure. Not only are you under the scrutiny of government regulators, you are also responsible for your patients' personal data and ultimately their identities. Accountability has become an important part of compliance: breaches affecting 500 or more individuals must be reported to HHS and are posted on the HHS.gov website. With hefty fines and public exposure as the penalty, will we see fewer breaches, or better yet, stronger security?

Using information on the U.S. Department of Health & Human Services website, we have put together some facts about healthcare data breaches. Although these are only the reported incidents, it is alarming that most of the problem comes down to unsecured digital data. Had physicians not been carrying copies of that data on their own devices, hospitals and other healthcare facilities could have avoided many of the reported breaches.

Loss and theft play the largest role in healthcare data breaches: over 265 breaches involving 15,039,697 individuals' records, which is over 67% of all reported breaches and an almost sickening, pardon the pun, 78% of all exposed records. In fairness, not every lost or stolen item is a computer or other digital medium; paper records count too. Even so, it is daunting that 92% of computer-related breaches come down to theft or loss.


Government regulations such as the HIPAA Security Rule and the HITECH Act require stronger security for healthcare data. But as long as physicians and other healthcare employees are allowed to copy confidential patient data onto their own devices, the problem will persist. As the figures show, accountability and fines cannot protect us against human nature: laptops and other portable devices get lost or stolen, and privacy goes with them. Preventing staff from downloading and storing confidential data locally removes that exposure.

If remote access to patient data can address the 92% of computer-related breaches caused by loss and theft, why is it not being implemented? Keeping the data in a single accountable location and using zero-footprint technology lets it be viewed from any device without leaving anything behind. Two-factor authentication then adds a layer of protection against fraudulent access.

The future is here now, and there is no better time than the present to move the burden of securing patient data from physicians to IT security. Secure remote access with two-factor authentication and a one-time password improves privacy without hindering healthcare professionals.

Verizon Reports Data Breach Count Rises While Records Breached Falls


With the number of data breaches on the rise, why is the number of records stolen dropping?

Verizon recently released its 2011 Data Breach Investigations Report (DBIR), which combines Verizon's caseload with that of the United States Secret Service. The number of records breached has fallen from a record 361 million in 2008 to 144 million in 2009 and only 4 million in 2010, yet the number of breaches is rising. This suggests that smaller businesses are being targeted, through different weaknesses than in recent years.

Criminals Behind Bars Cause Others to Hide
Some would say that with many criminals recently put behind bars, including 1,200 suspects arrested in 2010, we are much safer. Others, mainly those working in security, think the drop in records stolen reflects partly better security but mostly a stronger desire to stay out of jail. Several large-scale cyber criminals have been jailed recently, including Albert Gonzalez and Maksym Yastremskiy, who were behind some of the largest payment card breaches of the late 2000s. With such visible examples known to hackers everywhere, criminals may simply be laying low.

Rather than targeting higher-risk companies with more security and investigative power, cyber criminals seem to be going after low-hanging fruit. Verizon's figures show that organizations with 11 to 100 employees were breached more often in 2010 than any other size bracket: approximately 436 breaches, against 323 for all other brackets combined. The most likely explanation is that these organizations' security is far less extensive than that of larger corporations.


External Threats and Remote Access Security
It is reassuring that employees and competitors are not the direct cause of most data breaches. But with 98% of breaches attributed to organized criminal groups and unaffiliated outsiders, remote access security is plainly the dilemma. The top attack types were hacking and malware. Mobile devices have been painted as the source of all evil lately, but in practice the server has been the target. That is not to say mobile devices will not haunt our future security woes; they may soon become the target of cyber thieves.

Securing privacy comes down to authenticating remote users. Anyone reaching the server should be an authorized user, to prevent further deployment of malware. With skilled attackers packaging tools that let less skilled script kiddies walk through security, the need for remote access security will only grow. The attacks we have seen recently may be groundwork for later ones: using information from data breaches, an attacker could build easy-to-use tools that let many unskilled operators in many locations pull off a much larger breach.

Identifying users with two-factor authentication would thwart many hacking attempts. To secure remote access fully, though, the need for out-of-band delivery of a one-time password is growing rapidly. With over 50% of breaches involving malware, an out-of-band channel lets authentication happen on a device that malware on the user's PC cannot see.

With new reports from Verizon and others released constantly, we can follow how attacks change and evolve. More importantly, we can spot trends that point to future attacks and head off data breaches with preventive security measures.

Are Password Failures at the Forefront of Data Privacy and Protection?


As the battle between "good and evil" rages on, bills like SOPA and PIPA, along with government regulations, dominate the news. On the data privacy and protection front we are also seeing hacktivism: malicious attacks that expose confidential information. Behind all of this, it is not hard to see that password failures and a general lack of security knowledge are what got us here.

Government Regulatory Compliance and Bills

With data breaches becoming more common, IT security is coming to be seen as a necessity. Regulatory regimes such as HIPAA, FFIEC guidance and PCI DSS already focus on protecting confidential financial and healthcare data that is transmitted or accessed over a network, and in these cases strong authentication is required to identify a user requesting access to confidential networks.

Recently, legislation has moved toward data matters as well. SOPA and PIPA, two bills that would have allowed the federal government to police the internet, were shelved after public opposition. They would have let the Justice Department obtain court orders to block websites accused of dealing in pirated content. But there is a gray area between what is and is not infringing material, which is why many websites, including Google and Wikipedia, protested the bills to protect freedom of speech. Hacktivist groups also took a stand against the legislation with a series of DDoS attacks, and possibly with data breaches to fuel later attacks.

Hacktivist Groups

Leading the data breach headlines are groups like Anonymous, which use hacktivism to take a stand. Anonymous recently claimed responsibility for knocking the FBI and Department of Justice websites offline in protest at SOPA and PIPA. Over the past year, Anonymous and other hacktivist groups such as Lulz Security have taken websites down with DDoS attacks, but more importantly have carried out data breaches, which have a longer-lasting effect.

Breaches like the Stratfor hack, led by Anonymous, leaked confidential intelligence and personal data. The 2011 breach of the Sony PlayStation Network exposed the private data of over 77 million accounts; attribution was never settled, although Anonymous was suspected and Lulz Security later claimed separate attacks on Sony Pictures. Many of these attacks stem from the lack of strong passwords and network security.

Passwords and Authentication

Data is clearly where power lies in the future: governments wage war against hackers who claim to fight for privacy while leaking other people's confidential data. Everyone seems to believe that stronger passwords will prevent future data breaches, but the problem is also one of accountability.

Passwords are too easy to forget, lose, crack and steal; on their own they simply do not work. That is why password failure is at the forefront of data privacy and protection. Add the fact that our passwords are leaked in breach after breach, and the reality is that a password alone, however strong, is no longer considered secure. With strong authentication, a forgotten or leaked password is no longer the end of the story: the added layer of protection and its notifications restore accountability.

Two-Factor Authentication is Strong Authentication

To protect against password failure we have to stop relying on passwords alone. How? Two-factor authentication with an out-of-band one-time password limits the damage a weak or leaked password can do, because the authentication process also relies on "something you have" to identify the user. The OTP is sent over a network separate from the original point of access, usually by SMS text message, since that channel is out of band, cost-effective and efficient. Using the mobile phone also means you are notified whenever someone requests access to the account.

The new frontier of data privacy and protection relies on authenticated access for remote users. It not only prevents data breaches but lets users stop depending on passwords, placing accountability back in the hands of security.

Hackers Make Unauthorized Trades in Online Brokering Accounts


In recent news, clients of several online stockbrokers in Australia have had their accounts compromised and have been advised to change their passwords. The Australian Securities and Investments Commission (ASIC) is investigating. ASIC believes the attacks were organized but has not yet determined how the clients' passwords were compromised. Attacks like these could have been prevented with proper security measures on the brokers' systems and for their clients. Layered security such as multi-factor authentication dramatically reduces the likelihood of online accounts being compromised.

According to ASIC, the hackers used the accounts to make trades that lost the clients money. About a dozen share-trading accounts were hacked across several brokers, and ASIC is working with international authorities to trace the proceeds collected by the counterparty in each transaction. ASIC has also said the attacks are not believed to be connected with the attacks that shut down the online brokers E*TRADE and Directshares.

Representatives of E*TRADE and Directshares have recommended that customers with online brokerage accounts keep the anti-virus and anti-malware software on their PCs up to date. E*TRADE was targeted late in 2011 by attackers who accessed a small number of broking accounts and made unauthorized trades. E*TRADE has stated that its own systems were not the source of the compromise; rather, the users' accounts were. It has recommended that users change their passwords and check their computers for malicious software that logs keystrokes. Account holders should also review their transaction history for unusual trades and report any unauthorized trades to their broker and the authorities.

The accounts that were hacked could have been protected if stronger authentication had been used to identify the people accessing them. Layered security such as multi-factor authentication identifies a user by more than one method, and two-factor authentication, the most common form of it, could have thwarted these attacks. Had the brokers' online clients been protected by two-factor authentication, the attackers' chance of getting in would have been minimal. A user's login, something they know, and the user's mobile phone, something they have, are two factors that can be combined. A practical way to use the phone is to send a one-time password to it: the user has the phone on them and enters the code along with the login credentials. In the case of the hacked brokerage accounts, the attackers would have held only the login credentials and would have been blocked because they could not receive the one-time password sent to the phone. A keystroke logger on the PC can still see a code as it is typed, but because the code is valid only once and only for a short window, the attacker has to use it before the legitimate user does. This type of authentication is already standard in industries such as banking and healthcare. The best defence against attacks of this kind is to scan your computer for viruses and malware and to adopt two-factor authentication as an additional layer of protection against unauthorized access.
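The out-of-band one-time password flow described in the "Two-Factor Authentication is Strong Authentication" section above and again in this post is sketched below as an added example in Python; it is not code from the original page or from any broker or vendor mentioned here. The SMS gateway is a constructed stand-in that only records messages, the usernames and phone numbers are made up, and the keyed hashing, expiry, attempt limit and single-use rules are the design choices a server-side implementation would normally make, not anything the page specifies. It shows what the text claims in working form: an attacker holding only the password gets no further, and the account owner is notified in the same step.

```python
import hashlib
import hmac
import re
import secrets
import time

OTP_DIGITS = 6           # 10**6 possible codes; guessing is bounded by MAX_ATTEMPTS
OTP_TTL_SECONDS = 120    # short validity window limits replay of an intercepted code
MAX_ATTEMPTS = 3         # wrong submissions allowed before the code is discarded


class SmsGateway:
    """Constructed stand-in for an SMS aggregator: it only records what was 'sent'."""

    def __init__(self):
        self.sent = []  # list of (phone, text)

    def send(self, phone, text):
        self.sent.append((phone, text))


def code_from_message(text):
    """Pull the numeric code out of a message (used by the demo and tests)."""
    match = re.search(r"\b\d{%d}\b" % OTP_DIGITS, text)
    return match.group() if match else None


def _code_hash(salt, code):
    # Keep only a keyed hash of the code so that a dump of the pending-OTP
    # table, or a stray log line, does not hand out live second factors.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class OtpAuthenticator:
    """Second factor: issue a code out of band, then verify it exactly once."""

    def __init__(self, gateway, clock=time.time):
        self.gateway = gateway
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # username -> challenge record

    def issue(self, username, phone):
        """Call only after the first factor (the password) has been verified."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = {
            "salt": salt,
            "hash": _code_hash(salt, code),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The text is also the out-of-band notification: the account owner
        # learns that someone holding their password just tried to log in.
        self.gateway.send(
            phone,
            f"Your login code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes. "
            "If you did not just try to log in, someone else has your password.",
        )

    def verify(self, username, submitted):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'none'; 'ok' consumes the code."""
        challenge = self._pending.get(username)
        if challenge is None:
            return "none"                       # nothing issued, or already used
        if self.clock() > challenge["expires"]:
            del self._pending[username]
            return "expired"
        challenge["attempts"] += 1
        expected = challenge["hash"]
        actual = _code_hash(challenge["salt"], submitted.strip())
        if hmac.compare_digest(expected, actual):   # constant-time comparison
            del self._pending[username]             # single use: never accept it again
            return "ok"
        if challenge["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]             # guessing budget exhausted
            return "locked"
        return "wrong"


def stolen_password_scenario():
    """Attacker knows the victim's password but does not hold the phone."""
    gateway = SmsGateway()
    auth = OtpAuthenticator(gateway)
    auth.issue("alice", "+61400000000")            # password check already passed
    real = code_from_message(gateway.sent[-1][1])  # went to alice's phone, not the attacker
    guesses = [g for g in ("000000", "123456", "111111", "999999") if g != real][:3]
    outcomes = [auth.verify("alice", g) for g in guesses]
    # alice received exactly one text and now knows her password is compromised
    return outcomes, len(gateway.sent)


if __name__ == "__main__":
    print(stolen_password_scenario())   # (['wrong', 'wrong', 'locked'], 1)
```

Two things a deployment has to add on top of this: the phone number must come from the account record set at enrolment, never from the login request, and issue() itself needs rate limiting per account, otherwise an attacker who can trigger a fresh code gets a new three guesses each time.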