Big company, crap security
Choicepoint, T-Mobile - oh dear, oh dear
I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It's nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of Wi-Fi. I find it a great way to take a break.
You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot - their internet connection must be down. I quickly fired up tcpdump and was surprised to see the screen light up with packets flowing back and forth. That's odd, I thought, so I opened a browser. But instead of my usual homepage I was greeted with a stern, legal warning. My wireless coffee shop was now all grown up.
At some point since my last visit, they had implemented a rather slick wireless authentication system. The homepage explained that people had been abusing the free access, doing all sorts of nefarious things. To combat this and to protect their customers, the owners were now requiring a username and password authentication that could be obtained from a barista. Hah - I thought, they must be handing out the same name and password to everyone. I was shocked again as the gentleman behind the counter confidently explained that they had implemented randomly generated combinations "for better security".
I wandered back to my seat, a little stunned and a little proud. People, businesses, even small coffee shops - they were finally starting to understand the value of security. I entered my randomly generated name and password, fired up my browser and began to catch up with the geek news I had fallen behind on.
With a tinge of irony, I read about three recent security breaches at large organizations who, at first glance, appear to be less secure than my neighborhood coffee shop.
Choicepoint, one of the nation's largest information aggregators, had mistakenly allowed criminals to access the private identity and credit information of thousands of individuals. Approximately 50 "fake" companies had a crack at the billions of records the company stores on almost every citizen in the US.
Bank of America announced that it had "lost" tapes containing information on over 1.2 million federal employee credit cards -- exposing the individuals involved and the government to fraud and misuse.
T-Mobile is in the news again with another celebrity cellphone hack. The cause of this breach remains unknown, but combined with other high profile leaks, one involving a Secret Service agent - T-Mobile's internal security is not looking good.
The irony of the situation has everything to do with size and resources. Here I sat in a small, local coffee shop that had just shelled out a decent chunk of change for someone to implement a relatively sophisticated authentication system that protects both themselves and their customers. Then I read about these massive companies, with almost endless resources and many years of security experience completely dropping the ball.
Each incident is troubling for different reasons. In the case of Choicepoint, their business is quite literally in information. Yet they have continually failed to protect our personal information, as this is certainly not their first security breach. Two things about this situation terrify me. First, we have no choice in our involvement with Choicepoint. If you have a credit card, have filled out credit forms and applied for credit, or bought something on credit - you're in their system. We're not customers to them, we are merely bits of information and records in their massive database. What incentive do they have to protect us? Second, the only reason Choicepoint was obligated to release this information on the security breach is a California law that requires a company to inform California residents that their identity might have been compromised. If that law did not exist, would we have ever heard about this? It's doubtful.
Bank of America's data loss is alarming too. Certainly, as a bank they have experience in fraud and obviously understand how costly it can be. Perhaps this was a logistical error and the tapes will turn up in a few weeks. But look at it like this: let's assume someone did get hold of this information, say, 10 per cent of it. And of that 10 per cent (120k records), 10 per cent of those records get used in some sort of scam for a mere thousand dollars each, a very conservative estimate. That's 1.2m dollars in fraud. Let's compare this story to one where armed robbers intercepted a bank truck and made off with more than a million dollars. You can bet it would be headline news across the nation. Now, let's factor in the manpower and time lost for the individuals and companies involved - such a sum is nothing to scoff at. Identity theft is quickly becoming the modern criminal activity, with a low risk and high reward. I can confirm first hand how devastating this can be for the individuals involved. Time, money and reputations are lost or put on hold indefinitely. And in this case we have a major company that accidentally loses 1.2 million credit profiles. That is simply unacceptable.
T-Mobile has had a security problem for several months. The press got wind of three high profile breaches recently, but how many more are there? And why have the problems not been fixed? Once again, we may not be getting the full story, and perhaps these hacks were the result of some rather low-tech errors. But if they aren't, how poorly does this reflect on T-Mobile and their reaction time?
Each company above has an obligation to protect our information while it is in their possession, but too many seem to be failing. What will it take for them to resolve their security issues? Drops in revenue, class action lawsuits or congressional regulation? Security, both for a company and its customers, is a necessity and a selling point in today's economy. We see normal people taking this into account every day. I have neighbors calling me about spyware protection, relatives recognizing what SSL-enabled websites are, clients requesting more security layers, and friends shredding their private mail. Why then is it so hard for the big companies to take security seriously? When will these companies "get it"?
Matthew Tanase is president of Qaddisin, a services company providing nationwide security consulting.