by Avivah Litan | October 31, 2013 | 2 Comments
A posting by blogger Ben Simo, a highly-experienced software tester, brings up many important and valid security issues with healthcare.gov. Ben has done a good job documenting some of the most egregious issues with healthcare.gov that are definitive proof of the fact that security will continue to be a major issue for the Obamacare website. See blog.isthereaproblem.com
More fundamentally, it’s important to note that this could very well be a security disaster in the making because of the following facts:
a) The marketplace healthcare.gov is run by an estimated 500 million lines of code which is about 10 times the lines of code in Windows XP. The mammoth code is managed by multiple system administrators and different components reside on separate servers, according to developer Gabriel Harrop who examined the software.
It’s simply too big a program to manage from a security perspective, given the level of expertise and coordination assigned to the project as we have come to know it. I’ve also been informed by developers who examined the application that it isn’t exactly a model of slick coding practices. For example, I was told that rather than build an array to compute 40 variables, someone cut and pasted a program to repeat a task forty times.
b) We all know about the performance problems that have surfaced because of the multiple disjointed and uncoordinated groups of contractors who worked to create different components of healthcare.gov. As security vulnerabilities are discovered, it will be very difficult to push out patches to the marketplace and get them properly tested to ensure that all the disjointed parts work together securely. After all, even CMS admitted they didn’t have time to properly vet the security of the initial code set!
c) Healthcare.gov is surely a prime target for hackers. There is an abundance of sensitive personal information that is being submitted that hackers will want to steal. Based on issues already documented by Ben and others, this will be a much easier hacking target than banks, retailers, payment processors and other enterprises where the crooks are already succeeding, despite billions of dollars being spent on security in order to be compliant with government regulations and the rules of the payment card networks (e.g. PCI).
d) Finally we already know that the knowledge based authentication system that healthcare.gov is using to verify applicant identities has been systematically compromised by identity theft gangs. See krebsonsecurity.com
e) Who’s supervising and examining healthcare.gov? Are there any security standards set for this critically important and sensitive website?
Frankly, I think the Obama Administration should cut their losses and fess up and admit they need to get the system overhauled and rewritten. And that is not going to take one or two months, as they say. The best they will be able to do in that timeframe is fix the performance issues. The security issues are surely much more complex – you can’t just throw horsepower at them. You need intelligent software and layers of defense. That takes time to bake in.
You can be sure the Republicans are going to pounce on any bug they can find. Hopefully they won’t be able to find any really serious ones that compromise the confidentiality of Americans already struggling to get health care insurance.
by Avivah Litan | October 23, 2013 | 2 Comments
Just as we predicted (actually it didn’t take a rocket scientist to predict this), KBA (knowledge based authentication, or secret questions based on life history to validate an identity) has been a flop on the Obamacare exchange websites, adding insult to injury. The topic even made its way to the human interest story on the front page of today’s Wall Street Journal, which documented how Americans needing health care insurance couldn’t satisfactorily answer the secret life history questions needed to pass the electronic application process. After all, who can remember the color of your first bicycle when you can’t even remember what you did two weeks ago, recounts an interviewee in the article.
KBA is on life support. It was already ineffective and now everyone knows it’s been compromised systematically by some of the most organized criminal gangs around. (See blogs.gartner.com and krebsonsecurity.com and krebsonsecurity.com )
Experian, LexisNexis, Kroll, Dun & Bradstreet and other breached data brokers must be furiously trying to dig themselves out of this hole. Frankly, I feel for them because securing the food chain of clients that have access to this sensitive data is a very tall task. And securing the systems against advanced threats is an equally tall task.
But at a minimum, they may want to stop selling identity theft protection services to consumers. It seems to be a conflict of interest, don’t you think?
As for the government and the healthcare exchanges, all they had to do was ask around and they could have easily avoided this latest disaster.
by Avivah Litan | October 21, 2013 | 6 Comments
More bad news on the data broker front. Security blogger Brian Krebs revealed today that Experian, a major U.S. credit bureau has been selling sensitive consumer PII data to a Vietnam-based identity theft service, albeit inadvertently. See krebsonsecurity.com
In March 2012, Experian acquired data broker firm Court Ventures, which had reportedly, and mistakenly, started the illicit relationship with the criminal, who posed as a private investigator. According to Krebs’ investigation, Experian reportedly kept the relationship alive for a year after its acquisition. The Vietnamese criminal has since been arrested.
So what does all this mean for enterprises that rely on PII (Personally Identifiable Information) data and KBA (Knowledge Based Authentication) processes and for the rest of us mortals whose data are being collected?
a) Identity proofing and know-your-customer processes that depend on data aggregators’ mass troves of sensitive PII information to validate a prospect or customer’s identity are compromised and relatively easily beaten by criminals.
For a fee, determined criminals can electronically impersonate anyone they want at organizations that rely on data matching and knowledge based authentication served up by the credit bureaus or other data brokers/aggregators in this ecosystem.
b) Identity proofing processes used by the data brokers themselves are also fallible, as evidenced in this case. This means that clever criminals can pose as legitimate businesses and gain access to these most sensitive services. If the data brokers can’t prove identities properly, then who can?
c) As consumers, we just have to realize that there is no data privacy anymore. Our life history and records on major financial transactions are for sale in the underground.
d) Regulators and legislators are years away from getting on top of these leaky faucets. And given the dysfunction in Washington, they could be decades away.
What’s the alternative?
Frankly there is no easy alternative for identity proofing. We outline some of the steps that can be taken in G00239627 “The Four Layers of Identity Proofing Lead to Stronger Identity Verification” but this requires that enterprises stitch together several niche solutions. Most of the banks we speak with who are using data brokerage services for identity proofing are planning to wean themselves off these compromised services, especially the KBA processes whose systematic compromise was exposed by Krebs a few weeks ago. See our previous blog on the KBA breach and also krebsonsecurity.com
But because of the ‘no-easy-alternative’ situation, government agencies, financial services, health care and companies in other sectors are likely to continue to rely on data brokerage services, at least partially, for years to come – knowing full well that this reliance may come back to bite them financially.
And what about us consumers? Should we just hope for the best? The truth is it’s beyond our control and all we can do is check our financial records as often as we can so that we can report a problem as quickly as possible before too much damage is done.
So let’s just keep our fingers crossed. And expect more such revelations of similar breaches in the years to come.
by Avivah Litan | October 3, 2013 | 1 Comment
Experian’s October 1 announcement that it acquired web fraud detection vendor The 41st Parameter for $324 million underscores the weakness of knowledge based authentication or KBA. Experian sells KBA to companies verifying identities of consumers conducting high-risk transactions. KBA systems are under siege and a systematic compromise of these applications was recently uncovered by security blogger Brian Krebs. See our previous blog on this as well as krebsonsecurity.com
Although Experian was not part of the uncovered botnet-based infiltration, the so-called secret questions and answers used across most major KBA vendors such as Experian and LexisNexis are typically the same. As noted previously, KBA has, on average, a 10-15% failure rate, which can go much higher, up to 30% in certain populations such as new immigrants or young students. Most KBA failures are legitimate individuals who can’t successfully answer the secret ‘out-of-wallet’ questions or for whom there is not enough data to ask any. At the same time, criminals who buy this information on the black market have no trouble answering them perfectly. (See our September 2012 research note G00237377 “When Knowledge-Based Authentication Fails, and What You Can Do About It”).
No doubt, Experian saw the handwriting on the wall and wanted to avert these systemic problems, especially after it won part of an $80 million contract to verify ObamaCare applicants using KBA. See bobsullivan.net. By purchasing the 41st Parameter at a healthy multiple (the 41st’s 2012 revenues were just about $20 million), Experian acquires much needed technology to help screen new accounts and verify identities. The 41st Parameter pioneered the introduction of server-based device identification, which is used extensively by banks and online merchants, when it was founded in 2004. It also patented its “TDL” (time differential linking) technology that complements device identification by measuring the time differential between a server and a client device, an especially useful technique for identifying iOS mobile users where device ID is essentially useless.
Aside from device ID, the 41st has populated a database of linkages (scored for risk) across devices, email addresses, phone numbers, credit cards and other data used for ecommerce shopping, by leveraging information it already collects from its extensive ecommerce merchant base (See G00247632 “Magic Quadrant on Web Fraud Detection”). Assuming the 41st’s customers keep this data up to date and relevant (for example by marking an attribute such as a device ID as associated with fraud), this database will be very useful for Experian when it comes to assessing the validity of an identity (see G00239627 “The Four Layers of Identity Proofing Lead to Stronger Identity Verification”). In theory it should go a long way to improving Experian’s ability to detect bad guys trying to disguise themselves as good ones, while simultaneously identifying the good ones and letting them in without too much hassle.
Of course none of these identity verification methods are foolproof – plus it’s important to note that technology from The 41st only works with online and mobile transactions and not with in-person or on-the-phone transactions.
Yesterday I heard a somewhat funny story from a banker colleague about criminals pretending to be deaf and therefore ‘forced’ to use a “Service for Handicapped individuals” to call their bank’s call center. The criminal was trying to impersonate a legitimate deaf user whose account he was trying to take over. The criminal communicated (via a keyboard) to the rep at the Handicap service, who then called the bank’s call center agent to convey his request to withdraw money from the target victim’s account. When the call center agent started trying to verify the requestor’s identity, the criminal couldn’t answer the KBA questions correctly (obviously he didn’t know how to buy the answers on the black market) so the agent would not honor his money transfer request. The fraudster then started cussing the agent out by typing messages to the Handicap service rep, who then told the agent she was obligated by law to relay the four letter words being cited by her customer.
Buying The 41st won’t solve all of these identity proofing challenges, but all in all it is a good move for Experian. And of course happy days are finally here for The 41st Parameter’s shareholders who join the growing club of web fraud detection vendors earning hefty multiples by selling out to large acquiring companies. (See recent acquisitions of Silvertail Systems, Trusteer, and Versafe, all in less than a year). Let’s hope it’s also a good move for Obamacare and Experian customers.
by Avivah Litan | September 25, 2013 | 6 Comments
Today’s blog post by Brian Krebs reveals serious automated compromises at some of the U.S.’ largest data aggregators of sensitive identity information for consumers and businesses – e.g. LexisNexis, Kroll Background America, Dun & Bradstreet. See krebsonsecurity.com. Krebs’ investigation makes it crystal clear that we shouldn’t be relying on knowledge based authentication to verify an identity.
We’ve known for a long time that KBA is being beaten by the criminals and first wrote about it well over three years ago. See blogs.gartner.com. But at that time the compromises were not nearly as automated as they apparently are now, according to Krebs’ seven month investigation.
We’ve also known, from talking with lots of Gartner clients, that KBA failure rates in the U.S. are on average 10-15%, and can go as high as 30% for some populations, when they include many individuals who are either new to this country or young in age and therefore without a lot of public data built up on them. (For more information see our September 2012 research note G00237377 “When Knowledge-Based Authentication Fails, and What You Can Do About It”). Most failures are good people who can’t answer the questions while the bad guys who buy the stolen information have no problems answering them.
Our clients have been trying for a while to get around the failures of KBA by using other identity indicators and scoring information (see G00239627 “The Four Layers of Identity Proofing Lead to Stronger Identity Verification”) but weaning themselves totally away from relying on KBA for identity verification has been difficult at best because there are no readily-available alternatives that work as easily, technically, as KBA does. (Biometrics anyone??)
Still it’s not smart to turn a blind eye to the fact that the criminals can get their hands on anyone’s KBA or identity information through the black market exchanges that Krebs writes about. Frankly, it’s another ominous and bad sign for Obamacare, since as I understand it, the new healthcare insurance exchanges will be using the same KBA to verify applicants for healthcare insurance. I imagine their failure rates will approach 25-30% given the population of applicants (while the bad guys should have no trouble getting new health care benefits at much lower rates than they presumably have to pay now). The likely results will be chaotic and troublesome, and will no doubt fuel the fire of Obamacare opponents.
And where are the regulators in all this? In fact, and ironically, the U.S. banking regulators (the FFIEC) recommended in the latest iteration of their Guidance for Internet Banking Authentication that banks use relatively costly KBA (on average $1 an inquiry for most), based on external data from companies like LexisNexis, to verify the identities of users requesting high-risk transactions. I remember cringing when I read that recommendation. And in 2006 the FTC fined ChoicePoint – now part of Reed Elsevier, which also owns LexisNexis – for a previous breach in 2004 (which only potentially affected 140,000 consumer records, which looks like a pittance these days) and ordered them to conduct ‘rigorous’ and independent security audits for up to 20 years. (For more information see our research note published in September 2006 “Case Study: ChoicePoint Incident Leads to Improved Security, Others Must Follow” G00142771).
I know it’s tempting to turn a blind eye to Krebs’ findings and to ignore the profound implications for our most sensitive financial operations. But that’s a very bad idea that will surely catch up with those who do. It’s just a matter of time before the bad chickens come home to roost. The good news is that there are technical alternatives to KBA – albeit not as easy to implement.
by Avivah Litan | September 24, 2013 | Comments Off
On September 17, F5 Networks acquired Versafe, an Israeli security startup, for an undisclosed sum which I would bet is a small fraction of the $800 million plus that IBM just paid for its closest competitor Trusteer. Of course, Versafe doesn’t have the elite customer roster and healthy revenues that Trusteer does, but it does have reportedly very good technology according to customers I recently spoke with.
Frankly, I think Versafe would have given Trusteer a run for their money if they had been able to compete directly without IBM and F5 behind them. Versafe was started by boy security wonder Eyal Gruner who broke into his Israeli bank’s ATM network when his mother got him his first ATM card and later went on to ‘discreetly’ publish PII data belonging to Israeli army officers he was recruited to work for.
Versafe recently got its act together to beef up sales and marketing. Backed by Susquehanna International Group, a Philadelphia-based investment firm (who no doubt influenced the relatively fast acquisition here), Versafe was starting to catch on quickly with customers around the world who are experiencing nasty malware and phishing attacks against their customers. Their software really does work, and when integrated with F5 appliances, is easy to implement as it requires no client download. You can read more on their website.
So this makes the third acquisition in the past year where a big security company acquired a small web fraud detection/prevention start up. First came RSA’s acquisition of Silvertail for about $350M, then came IBM’s acquisition of Trusteer for $800M to $1 billion and now this one.
Is this good for the security and fraud market? Frankly, I think we were better off with the small innovators growing large on their own. I haven’t seen strong evidence that the security companies know how to handle these innovators. I’m not sure they will successfully bring their technology to the enterprise security market while enabling it to continue to thrive in the customer/consumer web fraud detection/prevention market.
It could be that F5/Versafe will be different in this case, only because they are smaller and have a focused solution that is easy to implement. Customers do like that and may be willing to pay for it – as long as the F5 sales reps remember to try and sell it. Time will tell of course.
by Avivah Litan | August 15, 2013 | Comments Off
IBM announced today its agreement to acquire Trusteer, an Israeli web fraud and malware detection vendor, for an undisclosed sum but which, according to the Israeli press, is estimated to be between a believable $800 million and $1 billion. See jta.org
This marks the second major acquisition by a major global U.S. based company of an innovative web fraud detection vendor in the past 12 months, with RSA’s reportedly $350 million acquisition of Silvertail Systems, first announced in October 2012, being the first. Indeed the most talked about web fraud detection vendors among Silicon Valley investors last year were these two firms, Silvertail Systems and Trusteer, and for good reason as experience has borne out.
This points out the innovation bed that the web fraud detection market has fostered, as these companies developed progressive products that beat the botnets and fraudsters attacking the financial services industry. This was a clear-cut use case that the companies went after, but their products could work equally well (with some tuning) in many other security and fraud markets.
Founded in 2006, Trusteer has done extremely well in growing its revenues to an estimated $50 million at the end of 2012, mainly by developing software that prevented bank Trojans such as Zeus from taking over and robbing customer accounts via wire or other types of money transfers. These malware variants bypassed the security protections afforded by mainstream endpoint protection vendors who could not keep up with the latest malware strains.
Trusteer took the intelligence it gathered on the malware from its desktop products and pioneered a server-based application that detected financial malware coming into an enterprise (e.g. an online bank). Many clients found this method extremely appealing as it did not require loading software on customer desktops.
In my opinion, Trusteer sold out at its peak. According to some Gartner clients, it was and is becoming increasingly difficult to defeat financial malware using existing techniques. In the past year, Trusteer started pursuing the enterprise market for advanced threat protection with a new product line called Apex to broaden its portfolio and diversify its financial interests. It’s too early to know how successful that product set will be.
So what’s the future look like? As with most large company acquisitions of small start ups, the talented staff of the latter are likely to start leaving as soon as they either cash out (and many of them, especially the founders, will cash out big time) or as soon as the job isn’t fun anymore. It’s tough for large companies to attract and retain risk-taking innovative employees that seek the agility, creativity and potential for great wealth that small start ups afford.
We’ll keep our eyes on this one – but if it’s like all the others I’ve personally watched, I’d give it about a year or two at the most before the innovative spirit and creativity slowly fizzles out.
by Avivah Litan | August 12, 2013 | 21 Comments
DDoS attacks are an increasingly popular method for criminals to divert bank security staff attention while defrauding bank systems. Until recently, most illegal money transfers were accomplished via account takeover – of either customer or employee accounts when the fraudsters moved money from customer accounts to their mules and eventually their own accounts.
A new, much more ominous attack type has emerged over the past few months, and it uses DDoS as its cover. Once the DDoS is underway, this attack involves takeover of the payment switch (e.g. wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.
Considerable financial damage has resulted from these attacks. One rule that banks should institute is to slow down the money transfer system while under a DDoS attack. More generally, a layered fraud prevention and security approach is warranted. See our research on the Seven Dimensions of Context Aware Security and the Five Layers of Fraud Prevention.
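One way to implement the "slow down the money transfer system while under a DDoS attack" rule described above, as an added example that is not code from the original post or from any bank: a gate on the outbound transfer path that tightens its volume cap while a DDoS alert is active and holds privileged-user transfers that fan out across many debited accounts, which is the switch-takeover pattern. Class names, thresholds and the sample transfers are assumptions constructed for illustration.

```python
"""Added example, not code from the original post or from any bank: a gate on
the outbound money-transfer path that tightens its limits while a DDoS alert
is active. Class names, thresholds and the sample transfers are assumptions
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transfer:
    ts: float            # submission time, seconds
    initiator: str       # user that submitted the transfer
    privileged: bool     # True for operator accounts with access to the switch
    source_account: str  # account being debited
    amount: float


@dataclass
class Policy:
    window: float = 60.0                  # sliding window, seconds
    normal_window_cap: float = 500_000.0  # outbound total allowed per window
    ddos_window_cap: float = 50_000.0     # much tighter cap while under DDoS
    ddos_max_sources: int = 3             # distinct debited accounts per privileged initiator


class TransferGate:
    def __init__(self, policy: Policy = Policy()):
        self.policy = policy
        self.ddos_active = False
        self.released = []                 # (ts, amount) of released transfers
        self.sources = defaultdict(list)   # initiator -> [(ts, source_account)]

    def set_ddos(self, active: bool) -> None:
        self.ddos_active = active

    def _window_total(self, now: float) -> float:
        cutoff = now - self.policy.window
        self.released = [(t, a) for t, a in self.released if t > cutoff]
        return sum(a for _, a in self.released)

    def decide(self, tx: Transfer) -> str:
        """Return 'release', 'delay' (retry later) or 'hold_review' (manual check)."""
        if self.ddos_active and tx.privileged:
            # A privileged user debiting many different accounts during a DDoS is
            # the pattern of a switch takeover: hold it for review instead of paying.
            cutoff = tx.ts - self.policy.window
            hits = [(t, a) for t, a in self.sources[tx.initiator] if t > cutoff]
            hits.append((tx.ts, tx.source_account))
            self.sources[tx.initiator] = hits
            if len({a for _, a in hits}) > self.policy.ddos_max_sources:
                return "hold_review"
        cap = self.policy.ddos_window_cap if self.ddos_active else self.policy.normal_window_cap
        if self._window_total(tx.ts) + tx.amount > cap:
            return "delay"
        self.released.append((tx.ts, tx.amount))
        return "release"


def run_sample() -> list:
    """Drive the gate with constructed transfers; the DDoS alert fires after the first."""
    gate = TransferGate()
    sample = [
        (False, Transfer(0.0, "ops1", True, "acct-A", 100_000.0)),
        (True, Transfer(100.0, "ops1", True, "acct-A", 20_000.0)),
        (True, Transfer(101.0, "ops1", True, "acct-B", 20_000.0)),
        (True, Transfer(102.0, "ops1", True, "acct-C", 20_000.0)),
        (True, Transfer(103.0, "ops1", True, "acct-D", 5_000.0)),
        (True, Transfer(104.0, "cust9", False, "acct-9", 5_000.0)),
    ]
    out = []
    for ddos, tx in sample:
        gate.set_ddos(ddos)
        out.append(gate.decide(tx))
    return out


if __name__ == "__main__":
    print(run_sample())
```

The same 20,000 transfer that is released before the alert is delayed once the window cap drops, and the fourth distinct account touched by the privileged initiator is held rather than paid.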
by Avivah Litan | July 23, 2013 | Comments Off
I had two calls today with Gartner clients about enterprise fraud management, which is all about managing and preventing fraud or misuse across products and channels. I look at fraud prevention and management through the lens of a five layered approach (See Gartner Research Note “The Five Layers of Fraud Prevention”), and enterprise fraud management can be accomplished through Layers 4 or 5.
Layer 4 technology correlates fraud scoring for transactions across product lines and channels as they occur. It is implemented ‘inline’ to the transaction streams and as such requires a lot of system and data integration throughout the life of the changing applications.
Layer 5 enables big data analytics using different techniques such as entity link analysis, social network analysis, temporal or geospatial analysis and more. It basically integrates structured and unstructured data offline (outside the transaction streams) and therefore does not require modification to source systems. Layer 5 can generally be implemented much faster than Layer 4, especially in big enterprises with lots of legacy applications.
Enterprise users value speed and ease of implementation, along with flexibility and scalability. Layer 5 gets them there faster than Layer 4 when it comes to managing fraud across the enterprise. Of course, like everything else it’s no panacea. We outline the risks and pitfalls in our research note “Use Big Data Analytics to Solve Fraud and Security Problems.”
Enterprises will still need to implement Layers 1, 2 and 3 to protect users and accounts from intrusive and criminal activities as they occur.
But when it comes to looking across enterprise activities, Layer 5 will prevail over Layer 4 because of faster times to results, implementation ease and application flexibility. Both Layers 4 and 5 are complementary but we advise users to start with Layer 5 for the reasons stated above.
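The entity link analysis that Layer 5 runs offline, and the cross-attribute linkage database with fraud-marked attributes described for The 41st Parameter in an earlier post, come down to the same operation: join account records on shared devices, emails and phones, take the transitive closure, and let a fraud mark on one attribute taint everything linked to it. As an added example (not Gartner's or any vendor's code), the records, field names and fraud marks below are constructed for illustration.

```python
"""Added example, not Gartner's or any vendor's code: an offline entity link
analysis over an exported account table, in the spirit of Layer 5 and of the
cross-attribute linkage database described for The 41st Parameter. The records,
field names and fraud marks are constructed for illustration."""
from collections import defaultdict

LINK_FIELDS = ("device", "email", "phone")

# Constructed export: one row per account, with the attributes seen at signup.
RECORDS = [
    {"account": "A1", "device": "dev-111", "email": "jo@example.com", "phone": "555-0100"},
    {"account": "A2", "device": "dev-111", "email": "sam@example.com", "phone": "555-0101"},
    {"account": "A3", "device": "dev-222", "email": "sam@example.com", "phone": "555-0102"},
    {"account": "A4", "device": "dev-333", "email": "pat@example.com", "phone": "555-0103"},
    {"account": "A5", "device": "dev-444", "email": "lee@example.com", "phone": "555-0103"},
    {"account": "A6", "device": "dev-555", "email": "kim@example.com", "phone": "555-0105"},
]
# Attribute values an analyst has already marked as associated with confirmed fraud.
FRAUD_MARKS = {("device", "dev-111")}


class UnionFind:
    """Minimal disjoint-set structure keyed by account id."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def index_by_value(records, link_fields=LINK_FIELDS):
    """(field, value) -> accounts that carry it; these are the edges of the link graph."""
    by_value = defaultdict(list)
    for r in records:
        for f in link_fields:
            by_value[(f, r[f])].append(r["account"])
    return by_value


def direct_links(records, link_fields=LINK_FIELDS):
    """For each account, the accounts it shares an attribute with and on which fields."""
    links = defaultdict(lambda: defaultdict(list))
    for (f, _), accts in index_by_value(records, link_fields).items():
        for a in accts:
            for b in accts:
                if a != b:
                    links[a][b].append(f)
    return {a: {b: sorted(fs) for b, fs in nb.items()} for a, nb in links.items()}


def link_accounts(records, link_fields=LINK_FIELDS):
    """Transitive closure of shared attributes: clusters of accounts, each sorted."""
    uf = UnionFind()
    for r in records:
        uf.find(r["account"])  # register singletons too
    for accts in index_by_value(records, link_fields).values():
        for other in accts[1:]:
            uf.union(accts[0], other)
    groups = defaultdict(list)
    for r in records:
        groups[uf.find(r["account"])].append(r["account"])
    return sorted(sorted(g) for g in groups.values())


def linked_to_fraud(records, fraud_marks, link_fields=LINK_FIELDS):
    """Accounts whose cluster contains a fraud-marked attribute, sorted."""
    by_value = index_by_value(records, link_fields)
    tainted = {a for mark in fraud_marks for a in by_value.get(mark, [])}
    return sorted(a for cluster in link_accounts(records, link_fields)
                  for a in cluster if tainted & set(cluster))
```

On the sample, A1 and A2 share a device and A2 and A3 share an email, so one fraud mark on dev-111 taints all three even though A3 never touched that device; A4 and A5 form a separate cluster on a shared phone and stay clean.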
by Avivah Litan | May 14, 2013 | 7 Comments
The recently disclosed $45 million ATM worldwide cashout heist (see bankinfosecurity.com ) points to many practical business and technology issues that payment system participants face.
Here are just a few of them:
a) One of the more troubling issues of these breaches is the difficulty in determining the points of the network chain that were breached by the fraudsters. This makes it very difficult for card issuers to recover their lost funds because they don’t know who is liable for the breach.
b) From conversations I’ve had with various issuer clients regarding recent breaches, the card brands (Visa and MasterCard) are often not as helpful in helping card issuers recover funds as the issuers would like them to be, perhaps because the card brands don’t know where to assign the liability.
c) Frankly, from a holistic viewpoint, companies that accept or process card payments are in a no-win situation when it comes to a breach. They can do their best and spend lots of money and time becoming PCI certified, but this gives them no safe harbor from penalties that are incurred if they are still breached. And the auditors (qualified security assessors) that certify these eventually breached companies as PCI compliant have BIG disclaimers in their contracts that they take NO responsibility if in fact their clients are breached.
d) There are so many parties in the payment chain that it is very difficult to assign blame in these types of breaches. For example, there can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops.
e) A point-the-finger and assign-blame approach is in the end, a dead-end approach and a lose-lose for all parties concerned. A win-win approach would be to strengthen the security of the card payment system through stronger user authentication and more secure media used to request payments or cash withdrawals (e.g. CHIP and PIN based on the EMV standard).
f) Until then, we will continue to try to keep a leaky, insecure payment system secure. It reminds me of the little Dutch boy who stuck his finger in the dike and successfully stopped the sea water from flooding his home town. He was successful because he stopped the leak when it was very small. I think we are too late when it comes to our global card payment systems. We probably need, at the least, a major cyber-army in this instance.