Identity Theft Prophylaxis

or… You are going to get screwed, so let’s minimize the repercussions

There are lots of guides on the Internet on how to safeguard your personal information as a means of preventing Identity Theft. This is not one of those guides. That horse has left the barn, and you are well and truly screwed. Between the breaches at Anthem[1], Equifax[2], US Office of Personnel Management[3], Alteryx (Experian contractor)[4], and countless other small companies who haven’t realized or reported being hacked, your personal information is out there. It’s far too late to keep your SSN, job history, medical history, and recent credit reports off of ‘dark web’ information trading sites. If your information hasn’t already been sold for $2, it will be. If you have kids, their information is available for $300[5]. There is nothing you, the US government, or I, can do to stop that. But you’ve got free credit monitoring as a result of a breach, right? Damn near useless, as I’ll explain below.

It sucks. No doubt about it. If there is any comfort to be had, it is that this is not your fault. The way the privacy laws work in the US, there is no way you could have prevented these companies from amassing so much personal data about you. The penalties for having lost control of that information are laughable; therefore, few companies are investing in Security the way you rationally expect them to. Once you’ve let the fallout from that knowledge bomb settle, we can get on to the business of making that information less useful to fraudsters. There are a few common attacks that a fraudster will engage in to make the most of your details:

  1. Applying for credit in your name. This could be credit cards, payday loans, a car, etc.
  2. Altering your existing accounts. By adding new names and addresses to your existing accounts, fraudsters can have duplicate cards issued to them.
  3. Hijack your cell phone account. By intercepting your text messages they can get past Multi-Factor-Authentication that you have on your accounts.
  4. File a tax return in your name. Submit a return with inflated income, but just enough real data to pass the basic checks.

Remember: Your information is out there. The attacks are coming. Do not wait until you are under attack to go on the defensive. Following the instructions below will save you countless hours cleaning up after a successful identity theft!

Attack: Applying for credit in your name
This is by far the easiest, and probably the first thing the fraudster is going to try. They can use your details to apply for credit on-line, safely away from pesky human interaction. They will apply at every company that targets high-risk applicants, because they know those companies already turn a blind eye towards questionable credit histories. This approach increases their chance of success even when the victim has poor credit. They will also target banks where you already have accounts, hoping the bank will fast track the application of an existing customer. Then all the fraudster has to do is wait for the cards in the mail. Well, they won’t be waiting for your cards… They will have a patsy on the hook for that. More on that below.

Defense: Credit freeze and fraud alerts
The nuclear option is to place a “Credit Freeze” at all three major credit reporting companies. This will cost you $30 ($10 at each of the big three); because while it is your information they reserve the right to charge you money for cutting down on the profits they were going to make selling it. I call this the nuclear option because while completely effective at preventing a vendor from doing a ‘hard inquiry’[6] on your credit report, it makes your life more annoying in the future when you want to take out credit in your name. You will have to temporarily remove the freeze whenever you want to buy a car, house, etc; and then remember to put it back. That said, you should definitely launch this nuke.

Update (2018-09-15):  Credit Freezes for consumers are about to become free.  You have no excuse for not locking down your report!

You can place a freeze by clicking the links, or calling the numbers, below. Personally, I found getting through the process on the websites to be less annoying than going through the automated telephone systems:

Call, or visit the websites, yourself and retain confirmation numbers for your freezes.  Don’t trust ‘an app’ to do it for you.

Whatever you do, save the PINs you set up for the freeze! These PINs will be needed when you want to lift the freeze to apply for credit. Use an encrypted data-store like 1Password. Not only is it useful as encrypted local storage for website passwords, but it can also store free-form notes. It’s perfect for keeping track of things like unlock PINs, and you can sync it with your smart phone so you have that information with you wherever you need it.

But wait, there’s more! You can also put a fraud alert on your credit files. This is free. It is less of a sure thing than going full nuclear if done alone, but it also provides a mechanism by which a company is supposed to contact you before issuing credit in your name. Fraud alerts come in three flavors: initial (90 days when this was written; the same September 2018 law that made freezes free extended the initial alert to one year), seven year, and active duty military. The initial alert can be done with a phone call to one of the above numbers, or via web page. You only need to do this at one agency, and they are responsible for alerting the others. There is no reason not to do this in addition to placing freezes on your reports.

To place a seven year extended alert you need to send a request by postal mail, and include documentation including a copy of your ID and an identity theft report. (Un)Fortunately, just about anyone in the United States can visit identitytheft.gov and file a report thanks to the various breaches I mentioned in the first paragraph. This report can then be used to activate a seven year fraud alert. You can find more information about how to file for the extended fraud, or active military, alert at the links immediately above.

Attack: Alterations to existing accounts
This attack takes a little more personal effort, because the fraudster needs to convincingly play you on the phone with a support agent. And by more effort, I mean only slightly more than no effort at all, since the attacker is armed with your credit history and whatever else was part of the ‘dox package’ they purchased. Most customer support agents love to get a happy customer who seems embarrassed that they don’t remember their account number and might have to be asked easier verification questions. That kind of customer is much nicer than the screaming they put up with when the real customer calls in later. The best part about this attack, for the fraudster, is that when they fail a question they simply note it, look up the answer, and call back to get a different call center worker. Once the fraudster gets past the security questions, they put a new email address, phone number, postal address, and name on the account. The next day they call and ask for new cards to be mailed to their patsy. They claim the originals were damaged, not stolen, so they don’t trigger the deactivation of the real account holder’s cards. This kind of attack can go undetected until the real customer sees their next statement, especially if the fraudster made their own phone number the point of contact for the fraud department’s calls about a sudden change in spending habits.

Defense:
Visit the websites for all your financial institutions and turn on every alert available in the communication preferences. You want to be alerted when your contact information is updated, when new names are added to the account, etc. This is your early-warning system in case a fraudster manages to impersonate you on the phone.

Add verbal passwords to your accounts. You will likely need to call customer service for this, but it is worth the hassle. This is a password you have to give to an agent before they will discuss your account with you. Never use your mother’s maiden name, or your first girlfriend, or anything you’ve ever seen asked in one of those silly social media quizzes. Use something unique for each bank. Use something immediate and random, like the last book you read, or the last store you shopped at; and then store this password in the password manager you are using for your credit freeze PINs.

Have flags put on your account so that changes can only be made in person. This is the most drastic option, and only works if your bank has a local branch. If you can do this, and your bank honors it, it is worth it. It stops fraudsters in their tracks, for this particular type of attack.

Add Multi-Factor-Authentication (MFA) to all your accounts. Multi-factor is typically ‘something you know’ like a password, and ‘something you have’ like a key-fob or cell phone that has an authenticator app or can receive text messages. That way, if an attacker can guess your on-line account passwords from information in your credit history they are still thwarted when they try to get into your on-line banking.

Avoid SMS MFA where possible, to protect against cell number hijacking attacks.  Time-based rotating MFA codes (TOTP) that you generate locally are more secure.  There are multiple smartphone apps that can be used as MFA providers for websites that support it.  Some of the popular ones are:

Attack: Hijack your cell phone account.
While it is commendable that many companies have added MFA to customer accounts, the reliance on cell phones and text messages is a dangerous trade-off between security and convenience. An attacker can talk your carrier into porting your number to a phone they control (a ‘SIM swap’ or port-out attack), or use an SS7[7] attack to route your text messages to them. Too many companies will offer to text you a one time code if you fail security questions, so whoever controls your number can bypass your account passwords and PINs.

Defense:
Call your cellular carrier and have an additional password put on your account (carriers call it an account PIN, port-out PIN, or number transfer PIN). The carrier is supposed to require it before making changes to your account, including transferring your number to a new phone or to another carrier.

If T-Mobile is your cellular provider, call them up and have them enable NOPORT on your account.  With this setting on your account, someone needs to show up in person in a T-Mobile store and present ID in order to make changes to your account, including getting a new SIM issued.

I don’t have any easy answers on preventing a SS7 attack; sorry.

Krebs on Security has also posted a fantastic article on defending against number porting attacks.  You can read it here.

Attack: Filing a tax return in your name.
This attack involves the fraudster using the information they have on you to file a fraudulent tax return in your name. In 2015 the state of Minnesota detected a high number of fraudulent tax returns being filed, which led to TurboTax temporarily halting electronic submissions of state returns[8]. It is easy to infer that if there were a large number of fraudulent state returns being filed, there were likely fake federal returns being filed as well. This attack works particularly well because the default mode of operation at the IRS is to process all tax returns as submitted, and then go after fraud when suspected. That worked well enough when the primary concern was people trying to cheat on their own taxes, but it falls flat when a fraudster is submitting fraudulent returns using the information of real people.

Defense:
The IRS issues an Identity Protection PIN (IP PIN) you can use to authenticate your electronic filings. When this was written it was not universally available (the IRS opened the opt-in program to all taxpayers in 2021), so check whether you can get one at the URL below. The bad news is that even if you have a PIN, it only prevents someone else from electronically filing a fraudulent return in your name; they can still send one in by mail.

https://www.irs.gov/identity-theft-fraud-scams/the-identity-protection-pin-ip-pin

To further protect yourself against negative consequences of this type of attack, be sure to keep all records related to your tax filings. While this has always been the recommendation in case of an audit, you now may need them to prove your return was the real one should the IRS come knocking.

The patsy:
Who is this patsy I keep mentioning? This is a person involved in the enterprise of identity theft who is possibly ignorant of the fact that they are involved in a crime. Their involvement frequently starts when they answer an email or on-line ad promising a work-at-home job as a shipping agent or buyer for an international company[9]. The pitch is that they need someone to locally source computers, and other high-ticket items, because that is cheaper than a business account with some vendors. The company says they will issue corporate credit cards that are to be used for the purchases, and then the merchandise is shipped to a different patsy in the fraud chain. If the police investigate the credit card fraud, the person they find is far removed from the person orchestrating the scheme. The patsy’s plausible deniability starts to fall apart when they’ve received a dozen ‘corporate cards’, that don’t have a company name on them, and they only work for a short while before starting to be declined.

Credit monitoring, and why it’s not a cure-all:
This is the participation award given to consumers when their private information walks out the front door. We get this near worthless salve, presented as a cure-all, while we bleed out from the damage caused by companies that face no lasting repercussions for the careless way they handle the information that could ruin our lives. Anthem paid $115 million to settle the class-action lawsuits over its breach[10]. Seems like a lot, but there were 80 million people who had their information stolen. The loss of our data was thus valued at $1.44 per person. Doesn’t seem like much now, does it? We’ll see what happens with Equifax, but as far as I am concerned any penalty they can survive is not harsh enough.  As of this update, it looks like Equifax is going to avoid major penalties for their lax security and oversight regarding your precious data[11].

Update 2019-07-21 – The verdict is in, and Equifax barely got a slap on the wrist.  The FTC penalties they face are $700M[12].  $700M might seem like a lot of money to us mere humans, but let’s put that into perspective.  $700M is:

  • $4.67 per person affected by the breach.  (Data exposed for 150M people.)
  • A mere 20% of their $3.412 Billion in revenue for 2018.
  • A minuscule 4% of their current market capitalization.

So, what does that measly year of free credit reporting get you? At best, it will let you know after someone has opened a new line of credit in your name. You are still stuck with the work of cleaning that mess up. Credit monitoring doesn’t look for address additions and new cards issued on your accounts, and it certainly doesn’t prevent someone from filing a fraudulent income tax claim in your name. It’s little more than an inexpensive way for companies to look like they care about their customers.

By all means, accept any free credit monitoring you are offered, as long as it doesn’t come with strings like giving up your right to sue, or having it turn into recurring billing when the free period ends.  Just be aware of the limitations so you are not surprised when it fails you.

Hope:
I know this sounds bleak, but following the above guidelines will go a long way towards securing yourself against these types of identity theft. Fraudsters are looking for an easy return on their investment when they buy your data. Every obstacle you throw in their way makes them more likely to scrap their attack on you and move on to the next victim.


[1] https://en.wikipedia.org/wiki/Anthem_medical_data_breach

[2] https://en.wikipedia.org/wiki/Equifax#May%E2%80%93July_2017_data_breach

[3] https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

[4] https://en.wikipedia.org/wiki/Alteryx#Data_breach

[5] http://money.cnn.com/2018/01/22/technology/infant-data-dark-web-identity-theft/index.html

[6] https://www.nerdwallet.com/blog/finance/credit-report-soft-hard-pull-difference/

[7] https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

[8] https://www.forbes.com/sites/kellyphillipserb/2015/02/06/minnesota-stops-accepting-returns-filed-with-turbotax-cites-fraud-concerns/#678d6966c4ba

[9] https://postalinspectors.uspis.gov/radDocs/consumer/ReshippingScam.html

[10] https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML

[11] https://m.huffpost.com/us/entry/us_5a7814f6e4b06ee97af48f8f?ncid=inblnkushpmg00000009

[12] https://boingboing.net/2019/07/20/america-doxed-2.html

The Importance of Monitoring SSL Certs

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “swscan.apple.com” which could put your confidential information at risk.

As of 4:59 PM on 5/24/14, every Apple user checking for software updates is getting the same scary error.

Don’t worry, you are probably not the victim of a man-in-the-middle attack.  It appears that the SSL cert for swscan.apple.com, which is hosted at Akamai, has expired.  This was probably due to a gap in the monitoring and management of the SSL certs provided to Akamai.

It is certainly possible that Akamai has been hacked, and a compromised SSL cert was installed.  Not likely, though.  To be safe, just hold off on any updates until Apple and Akamai get the cert updated.  Alternatively, you can download updates directly instead of using the App Store.  You can download all major updates here, and this server uses a different SSL endpoint that has a valid certificate:  http://support.apple.com/downloads/

Pro tip for Apple’s security team:  Even though swscan.apple.com lives at Akamai, you should set up SSL cert checks in Nagios for all exposed HTTPS end-points in the apple.com domain.  These are the sorts of things you want to get notified about 60 days in advance.  If the check also compares the certificate’s fingerprint or issuer against what you expect, rather than just its expiry date, it would also have alerted you immediately in the unlikely event that Akamai had been hacked and the cert replaced.  Win-win.
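Here is what such a check can look like, as an added example that is not code from the original post, from Apple, Akamai or the Nagios project: a Nagios-plugin-style script in Python (exit status 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN) that fetches the leaf certificate from an HTTPS endpoint, warns 60 days before expiry, and optionally pins the SHA-256 fingerprint so a swapped certificate, not just an expired one, trips the alert. The thresholds, the default host name and the fingerprint argument are my own choices; the stand-alone run needs network access, but the evaluation logic can be exercised offline with a constructed notAfter date.

```python
import hashlib
import hmac
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def fetch_cert(host: str, port: int = 443, timeout: float = 10.0) -> Tuple[dict, bytes]:
    """Return (parsed cert, DER bytes) for the leaf certificate `host` presents.
    The default context verifies the chain and host name, so an expired or
    mis-issued certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def sha256_fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 of the DER certificate, the value you would pin."""
    return hashlib.sha256(der).hexdigest()


def days_until_expiry(cert: dict, now: float) -> int:
    """Whole days from `now` (epoch seconds) to notAfter; negative once expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # 'May 24 23:59:59 2014 GMT' -> epoch
    return int((expires - now) // 86400)


def evaluate(cert: dict, der: bytes, now: float, warn_days: int = 60,
             crit_days: int = 14, pinned_sha256: Optional[str] = None) -> Tuple[int, str]:
    """Map one certificate to a Nagios status and a one-line message.
    The fingerprint check runs first: a swapped cert is CRITICAL even if it is fresh."""
    if pinned_sha256 is not None:
        fp = sha256_fingerprint(der)
        if not hmac.compare_digest(fp, pinned_sha256.replace(":", "").lower()):
            return CRITICAL, f"certificate fingerprint changed: {fp}"
    days = days_until_expiry(cert, now)
    not_after = cert["notAfter"]
    if days < 0:
        return CRITICAL, f"certificate expired {-days} day(s) ago ({not_after})"
    if days <= crit_days:
        return CRITICAL, f"certificate expires in {days} day(s) ({not_after})"
    if days <= warn_days:
        return WARNING, f"certificate expires in {days} day(s) ({not_after})"
    return OK, f"certificate valid for {days} more day(s) ({not_after})"


def check_host(host: str, pinned_sha256: Optional[str] = None) -> Tuple[int, str]:
    """Fetch and evaluate; a failed handshake is CRITICAL, a network error UNKNOWN."""
    try:
        cert, der = fetch_cert(host)
    except ssl.SSLCertVerificationError as e:
        return CRITICAL, f"{host}: verification failed: {getattr(e, 'verify_message', e)}"
    except (OSError, ssl.SSLError) as e:
        return UNKNOWN, f"{host}: could not fetch certificate: {e}"
    status, msg = evaluate(cert, der, time.time(), pinned_sha256=pinned_sha256)
    return status, f"{host}: {msg}"


if __name__ == "__main__":
    # usage: check_tls_cert.py HOST [PINNED_SHA256_HEX]   (the default host is just an example)
    host = sys.argv[1] if len(sys.argv) > 1 else "swscan.apple.com"
    pin = sys.argv[2] if len(sys.argv) > 2 else None
    status, msg = check_host(host, pin)
    print(("OK", "WARNING", "CRITICAL", "UNKNOWN")[status] + " - " + msg)
    sys.exit(status)
```

Register it as a Nagios command and schedule it against every public HTTPS host name you own, whoever actually serves it; the exit status drives the alert state. Pinning is a deliberate trade-off: it catches a replaced certificate, but it also pages you on every legitimate renewal, so update the pinned value as part of the renewal procedure.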

Both Apple and Akamai should have been monitoring this SSL cert.  I do not think anyone should lose their job over this. If anyone does lose their job over this, that would be a failure of management, not the person or team responsible for SSL certs.  I think this should be seen as an opportunity for improving monitoring and business processes.

I tried sending an email to security@apple.com to let them know they had a critical SSL cert that has expired.  My email received an error in response: “Your message to jmet-si@group.apple.com could not be delivered for the following reason: This group does not accept external messages.”  

Update:  I received a response from Apple’s Security Team.  They obviously resolved the expired SSL certificate, and they’ve addressed the bounce issue I reported.  Fairly promptly, for a holiday weekend.

PHPPwner3000

PHPPwner3000 is the ultimate PHP exploit tool. Utilizing fundamental vulnerabilities in ALL versions of PHP, it is able to upload files, query databases, and even slurp shadow files no matter what user php is running as. Using stealth sql injection, it can even bypass the protections provided by prepare/execute structures.

PHPPwner3000 is also completely fictitious. It is a honeypot entry in a job posting.  I use it to determine if a candidate does sufficient recon and is capable of going the extra mile when they see a term with which they are unfamiliar.

If you have found this page because you saw an unfamiliar tool in a job posting, congratulations. You’ve just earned brownie points with one of the interviewers. It’s up to you to figure out which one.

I use Amazon affiliate links in some of my posts. I think it is fair to say my writing is not influenced by the $0.40 I earned in 2022.