Like Stealing Candy from a Baby
Personal information is very easy to steal.Names, addresses, dates of birth, credit card numbers, social securitynumbers - they’re all easy to find using the Internet. Once thatinformation is in the hands of criminals, it’s very easy for them touse. They can wipe out your bank account, run up your credit cards, andsteal your identity.
How easy is it to steal personal information? A recent studyconducted to test the security of wireless perimeters of stores inmajor malls across the globe revealed that 25% of the stores werecompletely insecure and 85% would have been easy to crack. Even thoughthe attackers in the TJX breachused insecurities in the wireless networks to obtain millions ofpersonal data and that this breach has cost TJX millions of dollars in settlements, stores are still mishandling the security of people’s personal information.
Also, remote-exploit.org and DreamLab members succeeded in intercepting transmissionsfrom 27 MHz wireless keyboards to computers from a distance of as muchas 10m and even through walls. Although these transmissions areencrypted, the members were able to crack the weak encryption and logall the keystrokes made. An attacker can take full advantage of anyinstitution that uses this technology and handles sensitive informationlike, say a bank. With a sensor in their briefcase, the attacker couldwait in line, conduct regular business and leave with a log of all thekeystrokes, including bank account numbers.
Personal information is a valuable commodity on underground economyservers because it is very easy to use. I can count on one hand thenumber of times a cashier has checked my signature or asked foridentification when making a credit card purchase. Phone and onlinepurchases have been made to be very fast and easy for shoppers sincemost only require a credit card number, expiry date and creditverification values. But this simplicity also means it’s easier forcriminals to use stolen information. The nine digits of mygovernment-issued identification number are the only things thatseparate an attacker from my entire life’s history.
Single-factor authentication is no longer secure in this day and agewhere personal information is so readily obtainable. It’s not about oneperson keeping their own information secure; it’s about trustingeveryone that you’ve ever done business with. Large scale breaches suchas TJX (over 100 million credit card numbers stolen), HMRC (25 million identities exposed), stolen laptops containing millions of social security numbers, and TD Ameritrade(personal information on 6.3 million customers stolen) have shown howeasy it is to have one’s information exposed. With a population of justover 60 million, over 40% of the identities in the United Kingdom wereexposed from just the HMRC loss alone.
Companies need to improve the authentication process for day-to-daytransactions to lower the value of stolen information. If all creditcard purchases required one-time codes (issued by the bank),government-issued identification, and fingerprint scanning toauthenticate, it is unlikely that criminals will be able to replicateall of this and hence the underground value of credit cards would belikely to decrease.