E*Trade, Dow Jones: 7 Breach LessonsWhy Fraudsters Target Personally Identifiable Information
Two more firms in the financial services sector - E*Trade Financial and Dow Jones - have announced that they suffered data breaches that appeared to target not payment card data, but rather contact details for their customers or subscribers (see E*Trade, Dow Jones Issue Breach Alerts).
What's concerning - beyond attackers targeting and successfully stealing PII - is the length of time it took both firms to realize that customer data had been stolen. Indeed, the Dow Jones breach ran from August 2012 until this past July, when the company received a law enforcement tip-off, presumably because investigators found related customer data circulating on underground forums. E*Trade, meanwhile, spotted the attack against it in 2013, but erroneously concluded that no customer data had been exfiltrated, The Washington Post has reported. E*Trade has not responded to a request for comment on that report.
Based on what is known about the related attacks, security experts offer seven recommendations and warnings:
1. Employ Auditing, Logging, Expertise
Dow Jones, in an Oct. 9 letter to its customers, says it has hired a third-party digital forensic investigation firm and that its investigation is ongoing. It addresses the question of how many customers were affected: "Our investigation has not uncovered any direct evidence that information was stolen, so it is not possible to identify the number of customers."
Information security experts say it's never a good sign when an organization admits that it cannot ascertain how bad a breach might have been. "It is worrying that an organization cannot say for definite what information has been compromised on its network," says Brian Honan, a Dublin-based information security consultant and cybersecurity adviser to the association of European police agencies known as Europol. He adds that if the organization had the right tools, audit and security logs, and skilled expertise in place, then it should be able to provide a definitive breach damage assessment. The company's statement "does not endear any confidence in their investigations or the level of logging they had in place before the attack," he says.
As the reported E*Trade investigation shows, a failure to find signs of data theft does not mean no data theft occurred. Furthermore, the accuracy of any related investigation will depend on the quantity and quality of security incident and event management data being collected and logged. "Forensic investigations take time," says information security and payments technology consultant William Hugh Murray. "The worse the security, the longer they take and the less conclusive they are. A breach that takes this long to detect suggests that no one was looking at event data, and they probably were not logging it."
2. Secure All PII
Dow Jones says that based on its investigation to date, it believes the attackers were not targeting payment card data, but rather contact information. And Murray says it's a no-brainer that criminals who operate online are targeting the contact details of "high net worth" individuals who use services of comanies such as Dow Jones and E*Trade.
"Criminals will always look at ways to make as much money as possible," Honan says. "Targeting high-value individuals is a natural progression in their attacks, as there is no reason to expect high-value individuals to be any more computer security aware than those of us with smaller bank balances." He adds that the stolen Dow Jones and E*Trade information "will most likely be [used for] more sophisticated social engineering attacks that will look to encourage the targets to invest money in various schemes, rather than to simply try to break directly into online accounts."
With attackers now gunning for customers' contact details, many security experts say organizations should be treating all PII as a potential breach target - not just passwords or payment card data. But many do not. For example, when credit data bureau Experian recently warned that it was breached, exposing 15 million T-Mobile subscribers' personally identifiable information, it said that it had only been encrypting Social Security and identity card - such as passport and driver's license - numbers, although it believed that its encryption had been defeated (see Experian Faces Congressional Scrutiny Over Breach).
3. Fraudsters, Hackers Collaborate
Ken Westin, a senior security analyst with security firm Tripwire, warns that like the aggregation and data completion services Experian and other credit bureaus sell to the financial services sector, the cybercrime underground now offers similar services to fraudsters. Furthermore, as more information about any particular individual gets stolen, would-be attackers potentially have access to a more complete dossier on any would-be target.
Already, Westin says, attackers can search for information about a potential target using whatever bits of data they have gathered to date. "In a lot of the underground forums, if you have a Social Security number, if you have a little bit of information, there are groups that will put a lot of that information together for a specific individual if you want to target them," Westin says. "These underground forums are where I'm seeing a lot of fraudsters and hackers actually collaborate and work together."
4. Scammers Compile Stolen PII for Sale
Westin says it's likely that stolen PII is now being indexed with other breach-related data, such as the Ashley Madison data dump, to enable attackers "to do everything from identity theft to other sorts of confidence game types of scams."
The more PII an attacker has for a potential target, the greater the likelihood that their scams will be effective. Furthermore, such information helps attackers prioritize their efforts, based on the likely returns. "If you can get information about them, about their financial status - if I were a fraudster, it would allow me to focus on who I should focus on first; who actually has money that I can go and target?" Westin says. "And I think that's what this information is being utilized for."
5. Stolen Information Has Long-Term Value
Hence, PII is valuable on the cybercrime underground. Because many personal details do not change - such as Social Security numbers - or else change infrequently - such as email or mailing addresses - this stolen information can remain fresh and marketable in the criminal underground for a long time.
"That's the scary thing - that [a related] attack can come weeks from now, it could come months from, it could come years from now," Westin says. "And then think of all the breaches that are going to happen between now and a couple of years from now. Just more and more information is going to be out there about these people, and you're going to know who to target, and this information is going to be for sale and available in underground forums, in the deep Web, darknets - whatever you want to call it - for quite a while."
6. Financial Sector Security Lags
It's not yet clear if the recently disclosed Dow Jones, E*Trade and Scottrade breaches are related to similar breaches involving other industry heavyweights, including JPMorgan Chase and Fidelity Investments (see Chase Breach: Who Else Was Attacked?).
Murray says connecting these attacks is a "reasonable inference," and warns that there may be more PII-focused financial services breaches that investigators have yet to unearth. "The number of them suggests that the attackers are finding them efficient; one does not continue to expend dollars for dimes," he says.
Unfortunately, the fact that such attacks continue to succeed is also an indictment of the state of information security defenses in many parts of the financial services sector, Murray adds. "Our security has not gotten better in the interim. We do not even get the basics right. We need a leapfrog strategy just to catch up."
7. Be Careful About Attribution
When it comes to attribution, however, Europol cybersecurity adviser Honan warns that these financial services breaches may not even be connected. And that may be an even more alarming possibility, because it means there are multiple groups becoming more proficient in PII-targeting attacks. "Attackers may be using the same playbook used in other successful attacks against similar organizations," he says. "However without details as to how this and the other attacks happened, we should not speculate on any links to other attacks."