Identity Theft Prophylaxis

or… You are going to get screwed, so let’s minimize the repercussions

There are lots of guides on the Internet on how to safeguard your personal information as a means of preventing Identity Theft. This is not one of those guides. That horse has left the barn, and you are well and truly screwed. Between the breaches at Anthem[1], Equifax[2], US Office of Personnel Management[3], Alteryx (Experian contractor)[4], and countless other small companies who haven’t realized or reported being hacked, your personal information is out there. It’s far too late to keep your SSN, job history, medical history, and recent credit reports off of ‘dark web’ information trading sites. If your information hasn’t already been sold for $2, it will be. If you have kids, their information is available for $300[5]. There is nothing you, the US government, or I, can do to stop that. But you’ve got free credit monitoring as a result of a breach, right? Damn near useless, as I’ll explain below.

It sucks. No doubt about it. If there is any comfort to be had, it is that this is not your fault. The way the privacy laws work in the US, there is no way you could have prevented these companies from amassing so much personal data about you. The penalties for having lost control of that information are laughable; therefore, few companies are investing in Security the way you rationally expect them to. Once you’ve let the fallout from that knowledge bomb settle, we can get on to the business of making that information less useful to fraudsters. There are a few common attacks that a fraudster will engage in to make the most of your details:

  1. Applying for credit in your name. This could be credit cards, payday loans, a car, etc.
  2. Altering your existing accounts. By adding new names and addresses to your existing accounts, fraudsters can have duplicate cards issued to them.
  3. Hijacking your cell phone account. By intercepting your text messages, they can get past the multi-factor authentication you have on your accounts.
  4. Filing a tax return in your name. They submit a return with inflated income, but just enough real data to pass the basic checks.

Remember: Your information is out there. The attacks are coming. Do not wait until you are under attack to go on the defensive. Following the instructions below will save you countless hours cleaning up after a successful identity theft!

Attack: Applying for credit in your name
This is by far the easiest, and probably the first thing the fraudster is going to try. They can use your details to apply for credit on-line, safely away from pesky human interaction. They will apply at every company that targets high-risk applicants, because they know those companies already turn a blind eye towards questionable credit histories. This approach increases their chance of success even when the victim has poor credit. They will also target banks where you already have accounts, hoping the bank will fast track the application of an existing customer. Then all the fraudster has to do is wait for the cards in the mail. Well, they won’t be waiting for your cards… They will have a patsy on the hook for that. More on that below.

Defense: Credit freeze and fraud alerts
The nuclear option is to place a “Credit Freeze” at all three major credit reporting companies. This will cost you $30 ($10 at each of the big three); because while it is your information they reserve the right to charge you money for cutting down on the profits they were going to make selling it. I call this the nuclear option because while completely effective at preventing a vendor from doing a ‘hard inquiry’[6] on your credit report, it makes your life more annoying in the future when you want to take out credit in your name. You will have to temporarily remove the freeze whenever you want to buy a car, house, etc; and then remember to put it back. That said, you should definitely launch this nuke.

Update (2018-09-15):  Credit Freezes for consumers are about to become free.  You have no excuse for not locking down your report!

You can place a freeze by clicking the links, or calling the numbers, below. Personally, I found getting through the process on the websites to be less annoying than going through the automated telephone systems:

Call, or visit the websites, yourself and retain confirmation numbers for your freezes. Don’t trust ‘an app’ to do it for you.

Whatever you do, save the PINs you set up for the freeze! These PIN numbers will be useful when you need to remove that freeze to apply for credit. Use an encrypted data-store like 1Password. Not only is it useful as encrypted local storage for website passwords, but it can also store free-form notes. It’s perfect for keeping track of things like unlock PINs, and you can sync it with your smart phone so you have that information with you wherever you need it.

But wait, there’s more! You can also put a fraud alert on your credit files. This is free. It is less of a sure thing than going full nuclear if done alone, but it also provides a mechanism by which a company is supposed to contact you before issuing credit in your name. Fraud alerts come in three flavors: 90 day, seven year, and active duty military. The initial 90 day alert can be done with a phone call to one of the above numbers, or via web page. You only need to do this at one agency, and they are responsible for alerting the others. There is no reason not to do this in addition to placing freezes on your reports.

To place a seven year extended alert you need to send a request by postal mail, and include documentation including a copy of your ID and an identity theft report. (Un)Fortunately, just about anyone in the United States can visit and file a report thanks to the various breaches I mentioned in the first paragraph. This report can then be used to activate a seven year fraud alert. You can find more information about how to file for the extended fraud, or active military, alert at the links immediately above.

Attack: Alterations to existing accounts
This attack takes a little more personal effort, because the fraudster needs to convincingly play you on the phone with a support agent. And by more effort, I mean only slightly more than no effort at all, since the attacker is armed with your credit history and whatever else was part of the ‘dox package’ they purchased. Most customer support agents love to get a happy customer, who seems ashamed they don’t remember their account number, and might have to be asked easier verification questions. That kind of customer is much nicer than the screams they have to put up with when the real customer calls in later. The best part about this attack, for the fraudster, is that when they fail a question they make a note to look up that answer and they just call back and get another call center worker. Once the fraudster gets past the security questions, they put a new email address, phone number, postal address, and name on the account. The next day they call and ask for new cards to be mailed to their patsy. They claim the originals were damaged, not stolen, so they don’t trigger the deactivation of the real account holder’s cards. This kind of attack can go undetected until the real customer sees their next statement, especially if the fraudster made their phone number the point of contact for the fraud department’s calls about a sudden change in spending habits.

Visit the websites for all your financial institutions and turn on every alert available in the communication preferences. You want to be alerted when your contact information is updated, when new names are added to the account, etc. This is your early-warning system in case a fraudster manages to impersonate you on the phone.

Add verbal passwords to your accounts. You will likely need to call customer service for this, but it is worth the hassle. This is a password you have to give to an agent before they will discuss your account with you. Never use your mother’s maiden name, or your first girlfriend, or anything you’ve ever seen asked in one of those silly social media quizzes. Use something unique for each bank. Use something immediate and random, like the last book you read, or the last store you shopped at; and then store this password in the password manager you are using for your credit freeze PINs.

Have flags put on your account so that changes can only be made in person. This is the most drastic option, and only works if your bank has a local branch. If you can do this, and your bank honors it, it is worth it. It stops fraudsters in their tracks, for this particular type of attack.

Add Multi-Factor-Authentication (MFA) to all your accounts. Multi-factor is typically ‘something you know’ like a password, and ‘something you have’ like a key-fob or cell phone that has an authenticator app or can receive text messages. That way, if an attacker can guess your on-line account passwords from information in your credit history they are still thwarted when they try to get into your on-line banking.

Avoid SMS MFA where possible, to protect against cell number hijacking attacks.  Time-based rotating MFA codes (TOTP) that you generate locally are more secure.  There are multiple smartphone apps that can be used as MFA providers for websites that support it.  Some of the popular ones are:

Attack: Hijack your cell phone account
While it is commendable that many companies have added MFA to customer accounts, the reliance on cell phones and text messages is a dangerous trade-off between security and convenience. An attacker could get your phone number transferred to another phone, or use an SS7[7] hack to route your text messages to them. Too many companies will offer to text you a one time code if you fail security questions, and then the attacker can bypass account passwords and PINs.

Call your cellular carrier and have an additional password put on your account. This will prevent changes to your account, including transferring your number to a new phone.

If T-Mobile is your cellular provider, call them up and have them enable NOPORT on your account.  With this setting on your account, someone needs to show up in person in a T-Mobile store and present ID in order to make changes to your account, including getting a new SIM issued.

I don’t have any easy answers on preventing an SS7 attack; sorry.

Krebs on Security has also posted a fantastic article on defending against number porting attacks.  You can read it here.

Attack: Filing a tax return in your name
This attack involves the fraudster using the information they have on you to file a fraudulent tax return in your name. In 2015 the state of Minnesota detected a high number of fraudulent tax returns being filed, which led to TurboTax temporarily halting electronic submissions of state returns[8]. It is easy to infer that if there were a large number of fraudulent state returns being filed, there were likely fake federal returns being filed as well. This attack works particularly well because the default mode of operation at the IRS is to process all tax returns as submitted, and then go after fraud when suspected. That worked well enough when the primary concern was people trying to cheat on their own taxes, but it falls flat when a fraudster is submitting fraudulent returns using the information of real people.

The IRS issues a PIN you can use to authenticate your electronic filings. It’s not universally available, so you will want to check with them to see if you can get one at the below URL. The bad news is that even if you have a PIN, it only prevents someone else from electronically filing a fraudulent return in your name; they can still send one in by mail.

To further protect yourself against negative consequences of this type of attack, be sure to keep all records related to your tax filings. While this has always been the recommendation in case of an audit, you now may need them to prove your return was the real one should the IRS come knocking.

The patsy:
Who is this patsy I keep mentioning? This is a person involved in the enterprise of identity theft who is possibly ignorant of the fact that they are involved in a crime. Their involvement frequently starts when they answer an email or on-line ad promising a work-at-home job as a shipping agent or buyer for an international company[9]. The pitch is that they need someone to locally source computers, and other high-ticket items, because that is cheaper than a business account with some vendors. The company says they will issue corporate credit cards that are to be used for the purchases, and then the merchandise is shipped to a different patsy in the fraud chain. If the police investigate the credit card fraud, the person they find is far removed from the person orchestrating the scheme. The patsy’s plausible deniability starts to fall apart when they’ve received a dozen ‘corporate cards’, that don’t have a company name on them, and they only work for a short while before starting to be declined.

Credit monitoring, and why it’s not a cure-all:
This is the participation award given to consumers when their private information walks out the front door. We get this near worthless salve, presented as a cure-all, while we bleed out from the damage caused by companies that face no lasting repercussions for the careless way they handle the information that could ruin our lives. Anthem paid a $115 million fine for their breach[10]. Seems like a lot, but there were 80 million people who had their information stolen. The loss of our data was calculated to be worth $1.44 per person. Doesn’t seem like much now, does it? We’ll see what happens with Equifax, but as far as I am concerned any penalty they can survive is not harsh enough. As of this update, it looks like Equifax is going to avoid major penalties for their lax security and oversight regarding your precious data[11].

Update 2019-07-21 – The verdict is in, and Equifax barely got a slap on the wrist.  The FTC penalties they face are $700M[12].  $700M might seem like a lot of money to us mere humans, but let’s put that into perspective.  $700M is:

  • $4.67 per person affected by the breach.  (Data exposed for 150M people.)
  • A mere 20% of their $3.412 Billion in earnings for 2018.
  • A minuscule 4% of their current market capitalization.

So, what does that measly year of free credit reporting get you? At best, it will let you know after someone has opened a new line of credit in your name. You are still stuck with the work of cleaning that mess up. Credit monitoring doesn’t look for address additions and new cards issued on your accounts, and it certainly doesn’t prevent someone from filing a fraudulent income tax claim in your name. It’s little more than an inexpensive way for companies to look like they care about their customers.

By all means, accept any free credit monitoring you are offered, as long as it doesn’t come with strings like giving up your right to sue, or having it turn into recurring billing when the free period ends.  Just be aware of the limitations so you are not surprised when it fails you.

I know this sounds bleak, but following the above guidelines will go a long way towards securing yourself against these types of identity theft. Fraudsters are looking for an easy return on their investment when they buy your data. Every obstacle you throw in their way makes them more likely to scrap their attack on you and move on to the next victim.

Making sense of the Kiwiburn map. :)

Having never been there, and having no frame of reference, you wouldn’t believe how much time we all spent trying to figure out how the town map fit against what we saw in Google Maps. It didn’t help that the Town Plan map was rotated 90 degrees, and that Google Maps shows the address on Cooks Road fairly far away from where it really is. Now it all makes sense. 🙂

Nebula: The Zero Trust Networking Tool You Didn’t Know You Needed

I first became aware of Nebula a few days ago, thanks to two excellent write-ups at Ars Technica. (here and here) It’s an open source product freely given to the world by the folks at Slack. (Best known for making billions putting a fresh skin on IRC.) While those two write-ups at Ars Technica do a decent job at introducing Nebula, I feel like there is a use case for Nebula that hasn’t been fully explained.

Nebula isn’t like the VPNs for which you are constantly bombarded with ads. It isn’t designed for you to hide your torrent traffic, or to mask your IP address. It is designed to secure communications between systems you control, and makes for an excellent building block in a Zero Trust implementation.

First off, what’s “Zero Trust”? It’s the idea that you can’t trust any of your infrastructure, any more than you could trust the Internet. It’s the logical evolution of the old adage “never trust the client”. If you can’t trust the client, you can’t trust the network they are connected to either. Assume at all times:

  • There’s a compromised device on your network sniffing traffic.
  • All of those ‘Smart Appliances’ you got for Christmas are remotely hackable, if they weren’t flat out designed to attack your network from the inside.
  • Any machine can have zero-day malware that isn’t detectable yet.
  • The NSA has a tap on your AWS VPC (Virtual Private Cloud).
  • Any of the Five Eyes countries have taps on the switches/routers at your ISP.
  • The ‘free WiFi’ at the cafe is sniffing traffic to insert ads, or worse.
  • Your ISP is sniffing traffic for * reason.
  • Your SuperMicro server has the Magick Chip that sends data to China.
  • Your network gear has Huawei components.
  • One of your sysadmins didn’t get enough of a raise and has sold access to your network for fun and profit.
  • There are a thousand other risk factors not on this list.

The old paradigm was built around a division of realms: the trusted home/office/datacenter network and the wild west of the Internet, with firewalls in between. That paradigm is shifting with the acceptance of the reality that devices inside your trusted network are going to be compromised. By accepting that, and making design decisions with that in mind, the impact of your future compromise(s) just might be reduced.

Now that you are starting to embrace the appropriate level of paranoia, how does Nebula VPN help? Nebula lets you create a mesh VPN between the hosts in your network, whether or not they are on the same subnet or in the same VPC. It allows you to secure traffic that was otherwise difficult to secure, or that you wouldn’t normally consider securing because it takes place in a ‘trusted’ layer of your network. With Nebula it becomes trivial to encrypt MySQL, MongoDB, Redis, Memcache, etc, traffic; restricting access to hosts with the appropriate certificates installed while also limiting exposure if another instance in your infrastructure becomes compromised.

Unlike traditional hub and spoke VPNs, Nebula functions as something closer to a mesh. In a traditional VPN, two clients who want to talk to each other would have to route their traffic to the server and back. With Nebula, clients negotiate the best way to talk to each other, using the shortest route possible. This is a far more efficient use of bandwidth.

I spent a couple of hours adding a new column on my IP/subnet spreadsheet, creating certificates, and writing a Puppet module to deploy Nebula in my quirky infrastructure. I now have a virtual VPN subnet that spans systems across two continents, where I can now use the Nebula IP for a host to automagically encrypt traffic.

I haven’t used Nebula long enough to run into any gotchas, which means I’m still a novice. Despite that, I do feel secure in saying that it makes for a powerful tool in your Security toolbox.

If you want to give it a try, this write-up at Ars Technica will have you up and running in ten minutes or so.

The absurdity of YouTube’s Copyright Claim System

I recently found a bumblebee nest in my back yard. Friends on Facebook asked questions about it, and I decided to set up a GoPro and record a video of the bees’ activity. After assembling segments into a two hour video, I decided to add some music. Knowing that is a tricky proposition on YouTube, because of the insanity of illegitimate organizations making copyright claims on the tiniest sample they can suss out of a video, I came up with a strategy I thought would be foolproof:

  1. Pick my music: Flight of the Bumblebee, composed by Nikolai Rimsky-Korsakov sometime around 1899-1900. Long out of copyright.
  2. Find a MIDI file built from the score.
  3. Run the MIDI file through a computerized synth to get a mp3 file.
  4. ***
  5. No profit. (YouTube took away my ability to monetize.)

I even included this helpful message in the description:

**The musical accompaniment is a computer generated audio track created from a MIDI file transcribed from the original score. As the score itself is long out of copyright, and this is not a human performance, you would be blatantly abusing the Youtube copyright system if you attempt to file a claim against this video.**

As a computer generated rendering of a MIDI file of a public domain work, there should be no basis for a copyright claim. And yet… I got one within minutes of uploading my video. This had to have been done by an automated system that scans all new videos on YouTube, for I do not have a popular channel. I’m reasonably sure my only subscribers are family members and the occasional random person who took pity on me. At my current rate of subscribers and views I should qualify for monetization right around the time we finish colonizing Mars.

A company called AdRev Publishing has filed a claim: “Monetized in some territories”. What does that even mean? Monetized isn’t the same as copyrighted. There are people that ‘monetize’ Project Gutenberg public domain books by publishing them as ebooks on Amazon, but that doesn’t grant them rights.

They specifically filed a claim against the interval occurring between 16:59 and 19:04. That’s really odd, since I repeated the exact same piece of music approximately 60 times. If they have a claim, and it’s legitimate, why pick a specific interval in the middle? Why not the first iteration? Why not the whole video? I suspect they didn’t file against the whole video so that if I successfully dispute this they can just file again for a different time interval. Or maybe it’s even more evil… Maybe they only file against a small subset of people’s videos with the expectation that people won’t risk their account on a dispute for such a small slice of the ad revenue; and in that way make tiny slices of revenue from large numbers of creators.

AdRev didn’t demand I take my video down. Nooo… they leveraged YouTube’s system so that the video now shows ads and they get the money. What really makes this absurd is that I can’t show ads for revenue on my own videos, because YouTube changed their requirements and I no longer make the cut. So I make a video, AdRev swoops in and files a completely bogus claim against a computer generated rendition of a public domain piece of music, and AdRev gets to make money on my videos where I can not.

This is my response to the claim on Youtube:

The music in my video is Flight of the Bumblebee, composed by Nikolai Rimsky-Korsakov between 1899 and 1900; and it is in the public domain.

The specific orchestration of the piece used in my video is non-human; it was generated using a MIDI file made from the score and then run through a computer based synthesizer, so it can not be a copyrighted performance.

I respectfully ask that the claimant provide documentation for how they can be representing the rights of a Russian composer who has been dead for 111 years, or for the synthesizer used to render this piece.

It appears that AdRev has a history of filing illegitimate claims against Flight of the Bumblebee. Perhaps the existence of precedence could be used to block them from making similar future claims?

When the content reviewers at YouTube realize the absurdity of this claim, I ask that AdRev’s claim be rejected with prejudice; so that they don’t just keep re-filing for the other 59 instances that this same clip appeared in my video.

While filing my dispute to their claim I am presented with a dire warning that filing a fraudulent dispute can result in the termination of my account. This is a scary threat for some content creators, as they may be depending on income from their videos. This warning feels a bit one-sided to me, as AdRev has been filing claims against Flight of the Bumblebee since at least 2017 and in at least one case dropping the claim when it was disputed. Is there no penalty for a company filing fraudulent claims? How many times have they pulled this maneuver?

In another display of bias against the creators that made Youtube what it is, when a claim is filed it goes into effect immediately; but they then have thirty days to respond to your dispute. That’s thirty days where a creator is in limbo stressing about the fate of their monetization. I wonder how many claims are filed by automated systems and then left hanging for thirty days after they are disputed?

This is what YouTube has become: A platform where content creators upload videos and copyright trolls can file an illegitimate automated claim and steal any potential revenue, and where the threat of a lost account will deter people from disputing those claims.

UPDATE 2019/12/11 (NZT, of course!) – Thanks to Cory Doctorow’s awesome write-up at boingboing, and the sleuthing of Sluggo in the message boards, these two interesting tidbits have come to light:

UPDATE 2019/12/12 – I received an update from YouTube today that AdRev has deigned to release their illegitimate claim on my public domain music. YouTube considers this “Good news!” but I find it disturbing. My takeaway is that YouTube never reviewed my response, and instead allowed AdRev to self police. If that’s the process, then YouTube gets to remain blissfully ignorant of the abuses occurring on their platform.

Phase two of this experiment is coming soon…