Avivah Litan
A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

OpenSSL Heartbleed vulnerability affects much more than just websites

by Avivah Litan  |  April 9, 2014  |  6 Comments

As we all know by now, this is mega-serious and affects all users of OpenSSL 1.0.1 through 1.0.1f – so those who kept their OpenSSL code up to date were in effect penalized.

For information on the vulnerability, see kb.cert.org

I’m just trying to understand why all the news reports are focused on individual communications with websites. SSL protocols, including OpenSSL, are used in most ‘trusted’ machine-to-machine communications. This bug affects routers, switches, operating systems and other applications that support the protocol in order to authenticate senders and receivers and to encrypt their communications.

See the list of affected companies at kb.cert.com

What this means is that any trusted communications traffic using this protocol is ultimately not trustworthy – it goes way beyond individuals’ ‘handshakes’ and communications with websites. Forget having to plant back doors in encryption libraries, as the NSA allegedly did. The backdoors are already built in. So criminals and other naysayers can essentially eavesdrop on any sensitive communications using OpenSSL 1.0.1, such as payment processing, file sharing and more (although, as my colleague Erik Heidt pointed out, this would require a compound attack, since Heartbleed enables an attacker to recover anything being processed in memory on the server rather than being a direct attack against in-transit communications).
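An added example, not from the post and not OpenSSL project code: a small Python screen that parses `openssl version` banners and flags builds inside the range the post names (1.0.1 through 1.0.1f), so an inventory of servers, routers and appliances can be triaged rather than only websites. The hostnames, banners, function names and the `SAMPLE_INVENTORY` table are all constructed for this example.

```python
import re

# Upstream range the post gives: OpenSSL 1.0.1 through 1.0.1f (the fix shipped in 1.0.1g).
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches "OpenSSL 1.0.1e ..." and also "OpenSSL 1.0.1e-fips ..." (the letter group stops at "-").
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Extract (major, minor, patch, letter) from an `openssl version` banner, or None if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def heartbleed_affected(banner):
    """True/False for a recognised upstream version; None when the banner cannot be parsed."""
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter = v
    if (major, minor, patch) != AFFECTED_BRANCH:
        return False  # other branches fall outside the range the post states
    # Letter releases sort alphabetically: "" (1.0.1) < "a" < ... < "f" affected, "g" onward fixed.
    return letter <= LAST_AFFECTED_LETTER


def screen_inventory(inventory):
    """Map each host to its verdict; inventory is {host: banner} collected from `openssl version`."""
    return {host: heartbleed_affected(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = {
    "edge-router-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-frontend": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-vpn": "OpenSSL 0.9.8y 5 Feb 2013",
    "payment-switch": "OpenSSL 1.0.1 14 Mar 2012",
    "unknown-appliance": "banner withheld",
}


def affected_hosts(inventory=SAMPLE_INVENTORY):
    """Hosts whose banner lands in the affected range, sorted for stable output."""
    return sorted(h for h, v in screen_inventory(inventory).items() if v is True)


if __name__ == "__main__":
    for host, verdict in screen_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:18} {verdict}")
```

The screen is a first pass only: distributions that backported the fix kept the old upstream number in the banner (a `1.0.1e` string can be a patched build), so treat `True` as a prompt to check the package changelog or vendor advisory, and treat `None` as a host that still needs a hands-on look.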

We’ve all been acclimated to the fact that our sensitive data is no longer well protected while it is at rest. We’ve also learned over the years that retailers, financial services companies, ecommerce providers and others who accept our sensitive transactions can’t always stay ahead of criminal exploits that steal the information.

Now we need to get used to the fact that we can’t trust some of the implementations of the protocols that secure data in transit over public and private internet networks. Until now that was the one area that looked relatively safe, at least to me.


Class Action Suit against Target Assessor is a wake up call for PCI

by Avivah Litan  |  March 26, 2014  |  15 Comments

Two U.S. banks are suing Target’s Qualified Security Assessor, Trustwave, for damages incurred during the holiday season breach at Target, accusing the company of failing to identify security issues. The suit also claims that Trustwave’s round-the-clock monitoring services for Target failed to detect the intrusion into Target’s network for a full three weeks. See computerworld.com

Trustwave was just let off the hook from a similar class action suit filed by a former state senator against the South Carolina Department of Revenue, Trustwave and other parties for a database breach at the revenue department which was using Trustwave to monitor its systems. See postandcourier.com for more information.

Many headline breaches have occurred at companies certified as PCI compliant, but this is the first time that the fingers are pointing to the assessor. Gartner has long argued that PCI qualified security assessors like Trustwave should not be allowed to sell remediation and ongoing security services as Trustwave did for Target, according to the lawsuit. This has the effect of potentially destroying the integrity and independence of the assessment process.

Indeed as we wrote in a November 20, 2008 research note titled “PCI Quality Assurance Program Does Not Go Far Enough” – “The most significant enterprise complaint about PCI compliance practices is that many assessors also offer products and services that can be used to meet DSS requirements and ensure compliance to the audit. The PCI takes the same self-regulating approach to this issue that is widely regarded as having failed in the financial auditing industry and having led to the separation of consulting and accounting audit services. Gartner believes that the only truly effective approach is for the PCI to prohibit QSAs from performing remediation services for enterprises they are assessing.”

Nothing has changed on this front since 2008. In fact the situation has been exacerbated. It’s extremely difficult to find independent assessors who are not selling security services. (In fact I only know of two among the hundreds out there – I would appreciate referrals if you know of more.) And the QSAs keep adding to the litany of security services that they offer.

Points to consider:

a) PCI compliance has become a big money making enterprise for the QSAs selling remediation and security services and their customers have been lulled into a false sense of security – at least in the C-level suite.

b) PCI assessor contracts generally state that the assessors have no liability if their customers are breached. But shouldn’t they be responsible for their assessments, at least for that point in time?

c) The PCI Council’s typical response to a PCI compliant entity that has been breached has been that the entity may have been compliant at the time of the ROC (report of compliance) but since became non-compliant after the report was filed. Therefore you can’t blame the assessor.

1. This argument loses validity when the assessor provides continual security monitoring services after the PCI audit.

2. Further, when the assessors offer security services, they are auditing themselves. You don’t have to be a security specialist to see that is a conflict of interest!

So what exactly is the point of PCI compliance? Sure no one can argue with good solid security standards and a lot of smart people have put some good thoughts into the PCI standard.

Personally, I think the standard is very good and thorough. It’s the enforcement process I have issues with. It’s a process rife with conflict of interests between assessors and payment processors, assessors with themselves, and even assessors with at least one card brand.

Unfortunately, I imagine that this particular lawsuit will be settled out of court, with all the documents sealed from public view. The last thing the PCI industry wants to do is have all these conflicts aired and scrutinized in court.

But maybe – and this is highly doubtful – the PCI machine will take its cue from the financial services auditing industry and voluntarily end the conflict of interests. Just as the big accounting firms had to split their auditing and consulting practices, so should the PCI assessment firms split their auditing and security services.

If nothing else changes, at least companies who have to comply with PCI will likely spend more time looking for independent security assessors. That’s just basic common sense.


Reflections on RSA and the need for Retailer Information Sharing

by Avivah Litan  |  March 4, 2014  |  3 Comments

Just got back from the 2014 RSA Security conference where I had lots of stimulating conversations with colleagues in the security industry. What stood out the most to me was the dearth of information sharing in the retail payment card industry. You’d think that the PCI Security Council would promote information sharing on threats and POS malware to help retailers prevent breaches against their systems. But instead that task has fallen largely to well-known security blogger Brian Krebs who has to sleuth his way around the underworld and the opaque payments industry to uncover the truth about breaches against retailers. See krebsonsecurity.com

Big buzz at the RSA conference – Who will be or already is the next Target? Which retailer got hacked this time? And what solutions can prevent this madness?

Information sharing is not easy in Retail Payments. I have colleagues who would like to share specific information on the behavior of malware attacking retailers but are shut down by lawyers for retailers, POS software vendors, insurance companies and more. This makes no sense to me when information sharing that provides safe harbor for those who disclose and confidentiality for the victims is exactly what is needed to help stop future attacks.

The legal issues are thorny and complex.

But at least there is progress being made on structuring threat intelligence information so that information that is shared can be read by machines as well as humans. At least one threat intel firm, Fox IT, is working with the Mitre Corporation on structuring the presentation and dissemination of threat intelligence to commercial entities using standard protocols. Mitre has been a major player in developing the STIX and TAXII standard protocols for threat intel in the government.

But what good are these standards if the lawyers stop the information from getting out? What ever happened to Obama’s Executive Order to promote threat intelligence and give safe harbor to those who provide it? Progress is slow in the government although things are moving. See nist.gov/cyberframework

I’m not optimistic that the situation will substantially change in the near future so until then, the only ones who win are the criminals. And the only ones who disseminate the threat information are journalists like Brian Krebs who have to go to extraordinary lengths to get the information in the first place. And they do so without any safe harbor. In fact if I were Brian I’d be more worried about the lawyers than the criminals.


Target and the EMV aftermath

by Avivah Litan  |  February 11, 2014  |  4 Comments

Target boldly told Congress and the world that it was escalating its $100 million EMV upgrade program and would implement it before the October 2015 deadline. Target is absolutely correct when it says that payment system security is a responsibility that needs to be shared across all players in the payment ecosystem – i.e. issuing and acquiring banks, card networks, processors, retailers and other card acceptors.

EMV will definitely help secure the card present payment systems, although estimates are it will take about 6 years to roll out across the U.S. to the point where U.S. card issuers can stop producing cards with magnetic stripes on them. In the interim we can expect card-present in-country fraud rates to decline commensurate with the pace of EMV adoption. Eventually (but not before 6 or more years), the criminals will be unable to use mag stripe data that they steal so they will be dis-incented from breaching companies like Target who accept payment card transactions.

That’s a very long time to wait and now that POS malware is rampant in the underground, it’s safe to assume the card data breaches and the arms race to secure vulnerable payment systems will continue.

So where does that leave merchants like Target:

a) They still have to secure their cardholder data environment and comply with PCI

b) They have to spend money upgrading their POS terminals to accept contact and contactless EMV chip payments.

c) As of October 2015, if they don’t upgrade their terminals and a physical chip card is presented to them, they have to eat any fraud that occurs as a result of that transaction (even though I’d expect the fraudulent transactions from chip cards to be minimal).

d) Significantly, merchants don’t get the liability shift if it’s a mobile contactless EMV payment.

e) That means that merchants may encourage consumers to use Mobile contactless EMV payments, the Visa and MasterCard standard for mobile payments.

f) Card issuers will also likely be inclined to issue EMV payment functionality by provisioning it to consumer mobile devices rather than issue a physical chip card (although they may do both). This way they keep their card production costs down and start ingratiating themselves with consumers and their mobile digital wallets.

g) Merchants again become ‘hostage’ to the large market grip of Visa and MasterCard when it comes to mobile payments – and lose one of their last holdout hopes of a channel they can control so that they can avoid paying relatively high Visa and MasterCard merchant fees.

h) As EMV takes hold in the U.S. the fraud will shift to Card Not Present fraud as has happened in other countries. Merchants are already responsible for CNP fraud and will have to spend more money beefing up their CNP fraud detection systems in the future, in anticipation of this fraud migration.

i) And finally rates – I know there is a debate underway in the U.S. on whether or not the EMV Chip program here will be PIN or Signature based. Merchants prefer PIN; banks prefer Signatures. I’m guessing banks prefer signatures because it is advantageous to them – and disadvantageous to the merchants – economically. My guess is that the banks will win this debate even though PIN with Chip is more secure than just signature Chip.

So all in all – the banks come out ‘ahead’ and the retailers come out ‘behind’.

a) The U.S. gets a more secure in-store payment system, i.e. EMV

b) The retailers pay more money in fraud costs, mobile payment fees, and EMV related fees.

c) Visa and MasterCard and their card issuing banks dominate mobile NFC payments, lessening the chances for competitors with competitive rates to succeed.

I suppose that – other than squelching mobile payment competition which is a bad thing for the economy – this is a wash for U.S. consumers. What consumers lose in terms of having to pay higher prices from retailers (who have to cover their costs) – is equal to what they likely gain in terms of loyalty programs and other financial and customer service benefits from payment card issuers.

Would you rather pay more for laundry detergent if you got double frequent flyer points for buying it?


Chip and PIN is alive and well in Europe

by Avivah Litan  |  January 30, 2014  |  3 Comments

I’m just finishing a trip overseas, now in Holland where I’ve been meeting with banks and other Gartner clients. The verdict is in – Chip cards are in fact working to substantially reduce losses from counterfeit cards. Some of the banks I met also instituted geo-blocking to stop the cards’ magnetic stripe from being accepted in certain countries. One major bank told me EMV chip combined with geo-blocking has brought their card present fraud down as low as possible.

I think most of us know this already but it’s always good to hear it again. Yes, the fraud shifts to ecommerce channels when chip cards are implemented, but thankfully there’s plenty of good technology out there to stop ecommerce fraud as well.

By the way, I understand that the financial institutions and the retailers in the U.S. are now debating whether the U.S. should implement Chip and Signature or Chip and PIN. Supposedly, the rates will be the same on each (I’m not sure but that’s what I hear), but I imagine it comes down to who eats the fraud if it occurs. With PIN, banks will likely eat the fraud – with Signature the retailers are more likely to because the issuer can always claim the retailer didn’t check the signature properly.

The rest of the world has implemented Chip and PIN. Handicapped people who can’t enter their PIN are accommodated with special cards that don’t require one.

Frankly, I prefer entering my PIN over signing my name. It’s much faster.


How PCI failed Target and U.S. Consumers

by Avivah Litan  |  January 20, 2014  |  17 Comments

The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history. Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches.

The payment card industry failed to face up to major security problems when there was still time to do something back in 2005 after the first major card breach at Card Systems International, when 40 million cards were compromised. At that time, the card issuing banks and the card networks (Visa, Mastercard) came up with the PCI security standard as their answer for stronger card security, when Congress took them to the mat during congressional hearings.

Visa, MasterCard and the banks they represent thought that with PCI they could enforce adequate security at retailers and payment processors, while letting them bear major security burdens and costs. This was much easier and less costly for the U.S. banks, who are the last major holdouts in the world to upgrade to much more secure EMV Chip cards. None of them wanted to pay for those costly chip upgrades until now, when it’s almost too late.

If anyone was looking at the situation clearly back in 2005, they would have been able to forecast the trajectory we are now on – which is more and more devastating card breaches (à la TJX, Heartland Payment Systems) executed by more organized crime rings who know how to cash out the cards very quickly. A happy ending to this trajectory is far from sight. Indeed, why should the criminals stop when arrests are so few and far between, and when they typically enjoy immunity in their Eastern European countries of residence?

Clearly, PCI compliance is not working very well – despite billions of dollars spent by merchants and card processors in efforts to achieve it. For example, the standard hasn’t kept up with the latest attack vectors and retailers can’t be expected to know more than the security vendors do about detecting new forms of malware that evades conventional measures prescribed by PCI.

My understanding of the malware used in the latest round of breaches against Target and other retailers (allegedly there are many more that have not been announced) is that it attached itself in memory to the POS software (as opposed to being a memory scraping program as reported by others) and just captured the data as it went through the POS application. Like a worm, it had propagated itself to all the POS terminals throughout Target before attaching to the POS application. It aggregated the stolen data on a central Target server, and then double encrypted the data on the way out of the company so that the retailer IDS systems couldn’t detect it.

None of the conventional anti-malware applications on the market today look for this sort of program. And one question still not answered is how did it get inside the retailer network in the first place? Some security folks I spoke with said it got past POS whitelisting techniques used at retailers they work with – meaning perhaps somehow the supply chain was corrupted and the malware was attached to a routine POS software update.

Nothing I know of in the PCI standard could have caught this stuff. So I think it’s flat out wrong to blame this all on Target or on any of the other breached entities. The card issuing banks and the card networks (Visa, MasterCard, Amex, Discover) share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began.

At the least, they should have upgraded the payment systems infrastructure to support end (retailer) to end (issuer) encryption for card data much like PINs are managed today. They should have also started migrating to stronger cardholder authentication (à la EMV Chip cards) so that the magnetic stripe on the back of our cards can finally be eliminated.

While not perfect, these standardized measures would have gone a long way to preventing card data breaches. Instead the industry just keeps expecting retailers to patch a faulty and antiquated payment system via PCI compliance.

Of course, Visa, MasterCard and the qualified security assessors who perform the PCI audits have all covered themselves legally. That’s one area where they’ve been proactive. The assessor contracts that retailers and processors sign state that the assessor has no liability in the case of a breach. Further, when PCI first came out, Visa and MasterCard used to give merchants “safe harbor” from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach. When I asked Visa to explain, they told me “well the merchant must not have really been PCI compliant if they got breached. And perhaps they didn’t give their assessor all the information they needed to properly audit their systems.”

The banks and the card networks incorrectly assumed they could keep relying on the retailers and payment processors to lock down the payment system. That was shortsighted thinking that has unfortunately caught up with them as customer service costs mount and consumer confidence is shaken.

As for the merchants – they are still basically toast and not in an enviable position.


Target Saga continues – too much for Fraud Detection systems?

by Avivah Litan  |  December 23, 2013  |  1 Comment

Chase’s and Citi’s action of setting thresholds on cash withdrawals on debit cards as a result of the Target breach is unprecedented, at least as far as I remember. It’s a little frightening that the fraudsters can cause such havoc.

How is the Target Breach affecting Card Issuers’ Fraud Detection operations?

a) PIN Codes Stolen: Target claims that PIN codes were not stolen during their heist. PIN codes are needed by a debit cardholder to authenticate for cash withdrawals at ATM machines or merchant registers – activities recently limited by Chase and Citi. Citi and Chase must have seen PIN fraud occurring on the cards stolen at Target in order to take such extreme actions.

By design, PINs are encrypted at the POS card readers and decrypted by card issuers, (although there were reports years ago of split microsecond systemic issues in PIN handoffs between processors when PINs were exposed in the clear during momentary decryption).

So we have to assume that if the PINs weren’t skimmed or photographed or otherwise copied at Target’s POS operations, they were stolen in a different heist at another time (stolen perhaps via phishing scams or hidden ATM cameras).

That being the case, the criminals likely linked the previously stolen PINs to the magnetic stripe card data stolen from Target, and used the two data sets in combination to create cloned debit cards and make cash withdrawals.

Card issuers abhor ATM/Debit cash withdrawal fraud because they can’t reverse it to the merchant when it occurs. It’s just between them and the cardholder/consumer.

b) Geographically Smart Fraud: The fraudsters are using cards at stores in or near the resident zip codes of the cardholder for a stolen card. This easily defeats the geographic rules in the card fraud systems that score a transaction as risky if it occurs far away from the cardholder’s locale (unless it’s within a normal profile of the cardholder’s activity to travel frequently within a given timeframe).

c) Taxing Anomaly Detection: The card companies’ fraud detection systems are very taxed by the Target breach. With so many active cards available for sale by the criminals, there are too many to put on a meaningful watch-list. After all, watching potentially a couple million cards becomes a somewhat meaningless exercise. Also, anomaly detection – which most card fraud detection systems rely on – fails when there are too many anomalies or outliers, as the outliers all start looking normal.
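To make points b) and c) concrete, here is an added Python example (mine, not the author’s and not any issuer’s actual fraud engine) with a constructed cardholder profile: a distance-from-home rule that a purchase near the cardholder’s zip code sails past, and an amount-anomaly score that stops firing once enough fraudulent purchases are sitting in the history it learns from. It goes one step beyond the post by adding a median/MAD variant that keeps its baseline until outliers are a majority of the sample, which is one way a defender can blunt the effect the post describes. The coordinates, amounts, thresholds and function names are all assumptions made for the example.

```python
import math
import statistics

# Constructed example data (not from the post): a cardholder profile and routine purchase history.
HOME_LATLON = (44.98, -93.27)                              # hypothetical home-zip-code centroid
FREQUENT_TRAVELER = False
HISTORY = [38, 42, 45, 35, 40, 41, 39, 44, 36, 43] * 3    # 30 routine purchase amounts (USD)

GEO_RADIUS_KM = 300.0   # assumed "far from the cardholder's locale" threshold
Z_THRESHOLD = 3.0       # assumed anomaly cut-off for both scoring methods


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def geo_rule(txn_latlon, home_latlon=HOME_LATLON, frequent_traveler=FREQUENT_TRAVELER):
    """Classic distance rule: risky if far from home, unless the profile says the holder travels a lot."""
    if frequent_traveler:
        return False
    return haversine_km(txn_latlon, home_latlon) > GEO_RADIUS_KM


def z_score(amount, history):
    """Mean / standard-deviation z-score: every value in the sample drags the baseline with it."""
    mu = statistics.mean(history)
    sigma = statistics.pstdev(history)
    if sigma == 0:
        return math.inf if amount != mu else 0.0
    return (amount - mu) / sigma


def robust_z_score(amount, history):
    """Median / MAD z-score: the baseline holds as long as outliers are under half the sample."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:
        return math.inf if amount != med else 0.0
    return (amount - med) / (1.4826 * mad)   # 1.4826 scales MAD to a standard-deviation equivalent


def score(txn, history, scorer=z_score):
    """Return the set of rule names that fired for a transaction dict {"amount", "latlon"}."""
    fired = set()
    if geo_rule(txn["latlon"]):
        fired.add("geo")
    if scorer(txn["amount"], history) > Z_THRESHOLD:
        fired.add("amount")
    return fired


def flooded_history(history, outlier=900.0, count=15):
    """The history after many fraudulent high-value purchases have already been accepted into it."""
    return list(history) + [outlier] * count


if __name__ == "__main__":
    near_home = {"amount": 900.0, "latlon": (44.95, -93.10)}   # a store roughly 14 km from home
    print("clean history:  ", score(near_home, HISTORY))
    print("flooded, z-score:", score(near_home, flooded_history(HISTORY)))
    print("flooded, robust: ", score(near_home, flooded_history(HISTORY), robust_z_score))
```

With a clean history the $900 purchase near home is caught only by the amount rule (the geo rule is silent, as in point b). After fifteen fraudulent $900 purchases have been accepted into the history, the mean/standard-deviation score drops below the threshold and the same purchase passes (point c); the median/MAD score still flags it because the routine purchases remain the majority of the sample.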

Conclusion
When I first heard of this breach, I was hopeful that the banks’ and card companies’ fraud detection systems could handle staving off any potential fraud. But after speaking with a few issuers, I realized I was wrong. And after hearing about Chase and Citi’s moves I realized the fraudsters are finally getting the upper hand and disrupting our holiday season.

Thankfully there are some innovative and good technological solutions that can be implemented in the future to more strongly authenticate a card holder — if not EMV Chip cards used by the rest of the world which no one in the U.S. seems to want to pay for.

Of course, nothing is perfect, but almost anything provides stronger security than magnetic stripe cardholder authentication, technology which is over 50 years old. How much technology do you use that’s over 50 years old?


What can we learn from the Target Breach

by Avivah Litan  |  December 19, 2013  |  37 Comments

UPDATE: Shortly after this blog post was published, I received comments that questioned the veracity of one of the claims in it.  I have looked into the points raised and agree that what I heard from two secret service agents specifically concerning the 2009 security breach at Heartland Payment Systems is not independently verifiable.  In fact, Heartland has confirmed that “Gonzales has never been an employee of Heartland, nor would he have been able to download data to a USB as stated in the article.”
————————————————————————————————–

The recently reported Target breach, first uncovered by security blogger Brian Krebs (see krebsonsecurity.com), is the largest retailer breach that has surfaced since the original round of breaches undertaken by Albert Gonzalez began in 2005, which eventually involved many U.S. companies including: BJ’s, JC Penney, Heartland, Dave and Busters, TJX and even Target!

Who’s the real victim here?

The top victim in my opinion is Target itself. Target no doubt has spent a small fortune on payment card security and on becoming PCI compliant. It has tried to do “everything right” as far as I can tell, yet the theft still occurred. Now it will be a “victim” so to speak of the payment card industry, who will likely

a) Raise Target’s merchant fee that it pays Visa, Mastercard, Amex, and others on every transaction by a few basis points – which can add up to a significant amount of money

b) Fine Target for the breach

c) Fine Target for non-compliance with PCI (even though it was certified as compliant – Visa and Mastercard will determine that they really weren’t compliant since they had a breach)

d) Make Target pay back card issuers for any fraud that results from this breach.

Target may also face class action suits undertaken by hungry lawyers or the offices of state attorneys general. If the past is any indicator, any such suits will eventually be dismissed since there is very little direct damage to consumers, who typically get any resulting charges reversed. Of course it’s a major hassle for consumers but they rarely lose any money from this (unless PINs were stolen with debit cards, and there is no evidence that this happened at Target).

In the end the actual fraud loss, which Target will have to pay for, is likely to be less than $25 million. But the fees it pays the banks may be twice that amount. If they get much higher Target may have to pass on these costs to consumers in the form of higher prices.

How did this Happen?

Given that Target has instituted so many security controls, I’d be very surprised if the breach occurred because malware was installed on POS devices or in local store systems. My guess is that the data was stolen from Target’s switching system for authorization and settlement.

But I’m not so sure it was due to a piece of malware inserted remotely by a clever hacker. I recently heard a couple of high placed secret service officers say that the Heartland Payment Systems breach – the largest breach in history where 130 million payment cards were compromised – was actually executed by Albert Gonzalez in a very low tech manner. These agents said Gonzalez was working at Heartland as a call center employee and simply walked out with the sensitive payment card data every day on a USB drive. This apparently was AFTER he was arrested for the TJX breach and became a government informant.


If we’ve learned anything from the Snowden/NSA and Wikileaks/Bradley Manning affairs, it’s that insiders can cause the most damage because some basic controls are not in place. I wouldn’t be surprised if that’s the case with the Target Breach – i.e. that Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access.

Bottom line: it’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system.


How secure is healthcare.gov?

by Avivah Litan  |  October 31, 2013  |  2 Comments

A posting by blogger Ben Simo, a highly-experienced software tester, brings up many important and valid security issues with healthcare.gov. Ben has done a good job documenting some of the most egregious issues with healthcare.gov that are definitive proof of the fact that security will continue to be a major issue for the Obamacare website. See blog.isthereaproblem.com

More fundamentally, it’s important to note that this could very well be a security disaster in the making because of the following facts:

a) The marketplace healthcare.gov is run by an estimated 500 million lines of code which is about 10 times the lines of code in Windows XP. The mammoth code is managed by multiple system administrators and different components reside on separate servers, according to developer Gabriel Harrop who examined the software.

It’s simply too big a program to manage from a security perspective, given the level of expertise and coordination assigned to the project as we have come to know it. I’ve also been informed by developers who examined the application that it isn’t exactly a model of slick coding practices. For example, I was told that rather than build an array to compute 40 variables, someone cut and pasted a program to repeat a task forty times.

b) We all know about the performance problems that have surfaced because of the multiple disjointed and uncoordinated groups of contractors who worked to create different components of healthcare.gov. As security vulnerabilities are discovered, it will be very difficult to push out patches to the marketplace and get them properly tested to ensure that all the disjointed parts work together securely. After all, even CMS admitted they didn’t have time to properly vet the security of the initial code set!

c) Healthcare.gov is surely a prime target for hackers. There is an abundance of sensitive personal information that is being submitted that hackers will want to steal. Based on issues already documented by Ben and others, this will be a much easier hacking target than banks, retailers, payment processors and other enterprises where the crooks are already succeeding, despite billions of dollars being spent on security in order to be compliant with government regulations and the rules of the payment card networks (e.g. PCI).

d) Finally we already know that the knowledge based authentication system that healthcare.gov is using to verify applicant identities has been systematically compromised by identity theft gangs. See krebsonsecurity.com

e) Who’s supervising and examining healthcare.gov? Are there any security standards set for this critically important and sensitive website?

Frankly, I think the Obama Administration should cut their losses and fess up and admit they need to get the system overhauled and rewritten. And that is not going to take one or two months, as they say. The best they will be able to do in that timeframe is fix the performance issues. The security issues are surely much more complex – you can’t just throw horsepower at them. You need intelligent software and layers of defense. That takes time to bake in.

You can be sure the Republicans are going to pounce on any bug they can find. Hopefully they won’t be able to find any really serious ones that compromise the confidentiality of Americans already struggling to get health care insurance.


The Death of KBA; Secret life questions fluster Obamacare applicants

by Avivah Litan  |  October 23, 2013  |  2 Comments

Just as we predicted (actually it didn’t take a rocket scientist to predict this), KBA (knowledge based authentication, or secret questions based on life history to validate an identity) has been a flop on the Obamacare exchange websites, adding insult to injury. The topic even made its way to the human interest story on the front page of today’s Wall Street Journal, which documented how Americans needing health care insurance couldn’t satisfactorily answer the secret life history questions needed to pass the electronic application process. After all, who can remember the color of your first bicycle when you can’t even remember what you did two weeks ago, recounts an interviewee in the article.

KBA is on life support. It was already ineffective and now everyone knows it’s been compromised systematically by some of the most organized criminal gangs around. (See blogs.gartner.com and krebsonsecurity.com and krebsonsecurity.com)

Experian, LexisNexis, Kroll, Dun & Bradstreet and other breached data brokers must be furiously trying to dig themselves out of this hole. Frankly, I feel for them because securing the food chain of clients that have access to this sensitive data is a very tall task. And securing the systems against advanced threats is an equally tall task.

But at a minimum, they may want to stop selling identity theft protection services to consumers. It seems to be a conflict of interest, don’t you think?

As for the government and the healthcare exchanges, all they had to do was ask around and they could have easily avoided this latest disaster.
