How Your Data Get into the Wrong Hands
Chris Vickery, director of cyber-risk research for UpGuard in California, warned NPR listeners recently about a situation in which another high-technology company allowed 198 million voters’ personal information to become publicly accessible online.
When our non-financial information gets loose on the Internet, it can cause financial damage: “If a bad guy has your phone number and can get your PIN, they can, at 3 in the morning, get a code sent to your phone, listen to your voicemails, log in to your bank account and drain all your money,” Vickery said. “Phone numbers are more important than people realize.”
Squared Away asked him to expand on what occurs when we freely hand over our personal data to retailers, financial institutions, and credit rating agencies, which then sell it to other companies or “data brokers” that buy and resell data.
Q. Is the dangerous situation you mentioned involving voters’ personal information still present, and has any financial fraud resulted from its release?
Vickery. I don’t know of any specific frauds that came out of that situation, but voter data in general – the more we make it available, the more fraud that is bound to come of it. It’s not a good idea.
Q. It has become routine to share our email address, as we’re required to do when we conduct business or buy things online. Is this a bad idea?
Vickery. Knowing that you use a particular email can be very useful to a bad guy. But the fact of the matter is there are a lot of people being careless with their emails. Getting mad at your best friend who gives your email address to an airline to share your arrival time might be a little unreasonable, but I don’t think it’s unreasonable to expect the companies to treat them more carefully than they have been. Companies that buy and sell your data create risks for you. For example, have you heard of the concept of a “data base of ruin”? That is the concept whereby a dataset is created – maybe not all in one place – a healthcare breach here, a supermarket breach there – and this is all being brought together in one form where a malicious actor can search anybody and, based on one email address that you have authenticated, can get everything on everybody. This data base of ruin is starting to emerge. There are people seeking to do this, and there are already data sets commercially available that are scary in the level of detail they go into. The more we can protect data and make those things unlikely to be used, the better off we will be.
Q. A 2013 Senate report found that data brokers buying and selling personal information sort people into various categories based on their financial circumstance – in essence there is a profile of every one of us, and it can be used for fraudulent purposes. How do these profiles get compiled?
Vickery. The roots of this stuff probably existed before I was born in 1984. I can’t tell you exactly where it all came from, but things like voter data bases get rolled into these commercial purposes. Everything you buy at the grocery store with your special discount card gets rolled into these data bases. Anybody you provide data to is turning around and selling it to somebody.
Q. What do you know about the financial profiles highlighted in the Senate report?
Vickery. Experian calls this their Mosaic data base. It’s a lifestyle segmentation of people into groups that are labeled to describe their economic circumstances. The names of some top-level categories are “power elite,” “flourishing families,” “booming with confidence,” “suburban style,” “rising boomers,” promising families.” Categories at the bottom, in terms of individuals’ economic circumstances, are “economic challenges,” “aspirational fusion,” “golden year guardians,” “striving forward,” and “urban survivors.”
Those names are from a list of about 100 groups that Experian put out that was updated sometime after 2013. I’m concerned about the growing – this is my personal opinion – big brother mentality of all of this data that’s being gathered on every individual. It has the potential to be used for very good things, but it has the potential to be used for negative things. You get to a point where it’s a little creepy. Where do you draw the line there? To tie it back to finances, imagine an insurance company denying somebody coverage based on this information – it’s not so hard to imagine a situation like that. You might be profiled because you happen to withdraw money from ATMs late at night or you do business with thrifts shops, and your insurance company feels you’re a risk. It goes into those dangerous areas.
But it gets a lot scarier than that. Let me give you some categories in Consumer View, which is a data base that you can buy if you have enough money. They have household categories – and I’m reading from the data – such as Asian only, black only, population-18 plus, households with Spanish speaking, voting codes, dwelling types, living unit IDs. Other interesting categories: whether you are a gardener, a farmer, a magazine buyer, a cook, a collector of special foods, a photographer, religious – all of this is broken down and cross-sectioned for virtually every American household. We need to realize that if this gets into the wrong hands, fraudsters are going to have a field day. There is a very thin line between legitimate marketing data which is staying in the hands of good people who are going to use it for well-meaning marketing and commercial purposes, and data seeping into the hands of bad guys.
Q. Can this be stopped?
Vickery. There is very little regulation protecting all of this intense data. Let’s say you are running a scam where you try to get elderly people to purchase unnecessary or even fake magazine subscriptions. Having a list of everyone over 70 in Florida would be very advantageous – with all their phone numbers and indicating whether they buy magazines. That would give you a very targeted attack. That’s when these things become dangerous. The range of possible scams – it’s only up to your imagination.
Q. Do regular people – say, your family and non-tech friends – have a good understanding of how vulnerable our financial information is?
Vickery. People have no clue how vulnerable everybody is.
Q. I sense that relinquishing our privacy and financial security becomes increasingly inevitable as companies get smarter about extracting our personal information as a requirement for getting service or buying products. Do you agree?
Vickery. It’s definitely coming together more easily. It’s death by 1,000 cuts. Everybody takes their tiny chunk of your data. It’s very hard to stand up as an individual and resist if everybody’s doing it.
Q. It’s surprising that personal information that is not financial in nature can unlock bank accounts and create other financial risks. What about those personal questions asking for our mother’s maiden name or childhood address? Is that useful to people with ill intentions, and how does that work?
Vickery. I have personally found many data breaches in which those security questions are present – both the questions and the answers. A malicious actor can get ahold of those answers. Or, through social engineering or basic research, there are a million ways to figure out your maiden name or the name of your first dog. Someone might put it on a Facebook page, for example. Here’s where this becomes dangerous: when you have publicly available resources that aren’t necessarily supposed to be public, a bad guy can collect it, bring it all together, and build a profile on the targeted individual and use what they know to gain more information, say, by sending probing questions to one of the target’s friends or by using the personal information they know to authenticate the services or the bank that person uses. They don’t even have to get all the way in – if they can elicit a little bit of information that is about that person, then it makes the next attempt to break into a bank account, for example, more effective.
Q. Is the 4-number PIN easy to hack. Why?
Vickery. The idea of a PIN is when a financial company stores sensitive data they can do it in a hash format where it’s not the actual data but a representation of the data. If you’re hashing only 4 digits, however, there are only a certain number of combinations of those digits – 10,000 or whatever – that have to be iterated before someone can figure it out. This won’t work, of course, if you call up a bank – you can’t tell the bank operator 10,000 numbers. Best practices online for those services is to have a limiter so the bad guy can try only so many of the combinations to figure out your pin number before he’s locked out. But there are plenty of data breaches where PIN numbers are presented in plain text. Another problem with using just four-digit PINs is that a lot of people are going to choose common combinations like 1010 or the year they were born – a PIN is not the strongest method of authentication.
Q. Yet the financial industry relies on these PINs?
Vickery. Yes. People don’t necessarily realize that if you are specifically targeted as an individual, there is almost nothing you can do to defend yourself against a well-funded adversary who has time on their hands. They will get your stuff. The amount of techniques that can be used to impersonate scams, as well as the amount of data we have exposed, is just too large. What you can do is make yourself a less-likely target by not putting out extraneous information. You should also expect more from financial and other institutions that are supposed to be safeguarding your data, and you should elect people who put regulations into place to hold them accountable.
Q. Do bad things happen when people use the same password to make dinner reservations on OpenTable.com as they use to access their bank accounts?
Vickery. It’s not advised certainly. The concept is that if one data set is compromised, and you reuse the same password you used on that website somewhere else, then the bad guys who learn your one password can test to see if that password works on your bank account. Or if they know your email address and your password from some random forum you were posting on that didn’t have very good security, they can go to every banking website and try your email address and that password. A certain percentage of people will undoubtedly reuse passwords. Even if you use a single password that is complicated on a dozen websites, and one of the sites gets breached, even that complicated password is also known and can be used. It’s more important to not reuse a password than it is to have a complex and humongous one.
Q. Do you go to extraordinary lengths, personally, to protect your information?
Vickery. I wouldn’t say I go to extraordinary lengths, but I am protective. I haven’t pulled my money out of the bank and buried it in the backyard. Also, you get to a certain level where your family, your spouse, your significant other can be tied to you financially, and it’s hard to tell them you need to not do this or not give out that information online because that’s too dangerous. It becomes a social situation. You can protect yourself to a certain degree, but then you’re just being weird if you ask too much – even if it is warranted.
Q. What can us regular folks do to protect our money?
Vickery. I’m pragmatic about it. Here’s what I normally tell people. I know that people will reuse passwords and don’t want to deal with browser extensions, which are programs that attach to and run in your browser. If you absolutely have to reuse passwords, at least memorize three good ones and use them in a tiered fashion. For your banking stuff, use the one that’s the highest-quality one that you can remember. Use a second-tier one for your emails. Use the lowest-level one for the throwaway stuff. A lot of security professionals say no to this, that password reuse of any kind is bad.
If everybody would do what I suggest we’d be better off. That way someone will not go to their Twitter account and reuse the same password they use for Chase Bank. Now if one of those higher-tiered sites get breached, you’re still going to want to change the passwords. But at least you’re not using the same thing at Wal-mart.com as you’re using at Bank of America. You want to limit the high-level password’s usage. That’s a piece of advice you won’t hear people give. It’s not best practice but it is realistic for my grandparents, for example.
Q. How secure are password managers that generate random passwords that they remember for your use?
Vickery. Overall, what I’ve read is, yes they’re good. But, again, if you’re targeted by a state actor with unlimited funds and manpower, it’s still probably not going to be your saving grace. But we would probably be better off as a society if more people would use them. They have problems, but it’s still better than everybody using 1-2-3-4-5-6 as their password. People are still doing that, because every time there’s a new breach, that’s one of the most common passwords that people have used.
Q. What a good question about online financial security that I haven’t asked?
Vickery. Here’s an interesting question a lot of people don’t think about that gets their minds cranking. People think biometrics are going to be our saving grace, but how often can you change your fingerprints if they get compromised. People never think of that. In the Office of Personnel Management breach two years ago, they got away with fingerprint data that is used when people are authenticated by the government or to work with the government or to be licensed with the government. The hackers got fingerprint data, and you can’t change your fingerprints.
Squared Away writer Kim Blanton invites you to follow us on Twitter @SquaredAwayBC. To stay current on our blog, please join our free email list. You’ll receive just one email each week – with links to the two new posts for that week – when you sign up here.