Zero Day Threat

Ben Rothke writes "Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity is an interesting and eye-opening look at how banks and credit card companies make ID theft and fraud rather elementary. But with all that, this book must be read in the larger context of how today's society deals with, and is often oblivious to, risk. When it comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious to near-epidemics such as heart disease, obesity, and diabetes. With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem of identity theft and internet fraud." Keep reading for the rest of Ben's review.
Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity
Author: Byron Acohido & Jon Swartz
Pages: 304
Publisher: Union Square Press
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-1402756955
Summary: Excellent overview of the epidemic of identity theft
The internet and web have indeed revolutionized society, and there is hardly an industry that has not been positively affected by the net. On the down side, the net is the new conduit for criminals. For example, in the few years before the web became ubiquitous, U.S. and international law enforcement nearly had a noose around the child pornography industry and brought it to a near standstill. After the web, authorities have given up hope that child pornography can ever be contained.

Similarly, white-collar crime and fraud have been exacerbated by the net. Zero Day Threat details the various loopholes that criminals use to carry out their attacks and crimes. Each of the book's 18 chapters is divided into three sections: exploiters, which details how the crime lords and their teams carry out the crimes; enablers, which details the history and current practices of credit card companies, banks, credit bureaus, and data brokers; and expediters, which recounts how technology enables these crimes. I found that breaking the chapters up into such triplets is occasionally confusing, and you are left wondering which story you are in.

The book is based on the premise that the payment industry, namely the credit card companies, banks, credit bureaus and data brokers have created an infrastructure that is pliable, nearly endlessly extendable, but paper-thin when it comes to security. The system is built for ease of access, ease of granting credit, but without a robust security infrastructure or privacy controls.

Consider that the PCI Data Security Standard (PCI DSS) was not released until late 2004, and that the PCI Security Standards Council that now maintains it was not formed until 2006, and that will give you an idea how security is anathema to the industry. PCI DSS is the first uniformly created set of comprehensive security requirements for enhancing payment account data security. While the industry debates the efficacy of PCI, attackers are busy at work running innumerable fraudulent schemes.

The authors give an honest appraisal of the lack of security in the industry and have their facts in order, although an occasional hyperbole does creep in, for instance when the authors repeatedly state that the hackers in question went weeks without sleep. But a huge error is where they state in chapter 11 that PCI is controversial, with some merchants complaining that it is too costly to implement. There is nothing controversial about PCI, and the security controls it requires are sorely needed. While merchants express their discontent about security and its associated costs, attackers steal from underneath them. The quicker the merchants get that they need security, the quicker the attacks will stop. But as the book shows, that will not happen anytime soon.

Part of the reason why identity theft will not go away anytime soon is similar to the problem in the air traffic control industry, as detailed in Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It. There are too many players in the game, all of which focus on their own interests, and no one wants to take responsibility for the problem. The fact that the Social Security number (SSN) is still used as a key personal identifier, combined with the ease with which an individual's SSN can be obtained and misused, should be enough to give anyone pause.

The primary purpose of the SSN has been to track individuals for taxation purposes. But in the last decade, the SSN has become a de facto national identification number. When it was established in the 1930s, the Social Security Administration meant for the SSN to be used as a way to track a person's earnings for Social Security benefits. Despite its narrowly intended purpose, the SSN is now used more for non-Social Security purposes than for the reason it was created. Today, SSNs are used for identity verification, and are the de facto identifier for the credit and financial services industry. With SSNs being aggregated by the millions, they are the fodder for the stories in the book.

Books such as Silent Spring, which helped launch the environmental movement, and The Jungle, which exposed the corruption of the American meatpacking industry, were watershed books that changed America. Zero Day Threat is not in the same category as either of those books, and it is highly unlikely to create much outrage or significant indignation. Because as bad as identity theft is, and as much grief as it causes, there are far too many politicians, powerful companies, lobbyists and others standing in the way of any change.

Nonetheless, Zero Day Threat is a most interesting look at the many players that work together to facilitate the countless identity theft rings. The book is an absorbing look at the many international players and the enablers involved. While identity theft is not going away anytime soon, Zero Day Threat details the problem and shows what you can do to ensure that you are not a victim.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

  • Review ? (Score:5, Interesting)

    by Arthur B. ( 806360 ) on Wednesday August 27, 2008 @01:16PM (#24767721)

    When it comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious about near-epidemics such as heart disease, obesity, and diabetes. With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem with identity theft and internet fraud.

    Is this a book review or a political tract ?

  • by BitterOldGUy ( 1330491 ) on Wednesday August 27, 2008 @01:27PM (#24767921)
    if you do get your identity stolen, it's up to YOU, the victim, to keep the documentation forever regarding everything to do with the theft - even if it's the fault of some careless company or government agency.

    Know this site, and this is the ONLY truly free credit report [ftc.gov] direct, or start here [annualcreditreport.com]. The other "free" credit report websites are just trying to sell you stuff that you don't need.

    The way to be truly safe from someone opening credit in your name is to freeze your credit - monitoring services are NOT as good. Here's a great guide on how to do it. [clarkhoward.com]

    On another note, and something positive about credit: check your credit card. They may offer to double or more the manufacturer's warranty. Meaning, if you're actually considering an extended warranty, your credit card may give you the same coverage for free.

    But other than that, the whole credit industry seems to be geared towards sucking us in. I mean, unless you're going to drive and stay with friends and relatives, is it possible to travel without one?

    Is it possible to get a job without a credit rating now? They run background checks with Choicepoint, who gets their data mostly from the credit bureaus.

    What about flying? If you don't have a credit rating, are you automatically flagged as suspect?

    And as far as SSN is concerned, we're stuck with that beast. I kind of hope it does go bankrupt then maybe we can burn the things!

  • by FooGoo ( 98336 ) on Wednesday August 27, 2008 @01:43PM (#24768141)

    Great, something else I need to care about. Why is everyone telling me that I need to care about something? Global warming, global cooling, global climate change, Obama, McCain, Clinton, Pelosi, abortion, gay marriage, paying my taxes, paying my rent, RIAA, the most recent pop tart to get drunk and flash her cooch, Colbert, Stewart, child pornography, identity theft, and on and on. It's not that people don't care or are comfortable with risk; it's just that there are too many things to care about.

    Frankly if someone wants my identity they can have it but you gotta take the whole thing because I don't fucking care anymore.

  • by micron ( 164661 ) on Wednesday August 27, 2008 @01:56PM (#24768277)

    Until it costs institutions less to secure this stuff than it does in losses, this will not change.

    How do you shift this balance?
    - Make the C level folks criminally and financially liable for theft of your data (they store it and sell it, they should be on the hook to protect it).
    - Make the credit agencies financially liable for inaccuracies in their data bases. (they should be held accountable for the accuracy of the information that they are selling).

    Today, there is no real recourse for you if institutions sell lies about you, or give your private data away to all takers.

  • Re:Review ? (Score:2, Interesting)

    by TheRealMindChild ( 743925 ) on Wednesday August 27, 2008 @02:09PM (#24768445) Homepage Journal
    While I generally agree with you, there is something that needs to be added:

    Have you ever looked at the food at the disposal of the average American? Let's eliminate junk food from this discussion. First, let's focus on... Apple Juice. Looking at my 16oz bottle (two servings, by the way), it has 44g of SUGARS per serving. That is 88g of SUGARS for the whole bottle. That is 1/3 of the sugar I am supposed to be having in a day. Also, how much fluid do you think I am going to drink today? Now let's take a look at the Peanut Butter and Jelly Sandwich I brought in today. Assuming that I can actually spread one serving of jelly onto my bread without needing special engineering tools, that is another 37g of sugars.

    So for my snack (a sandwich and a bottle of apple juice is nowhere near a whole meal), I have consumed 125g of sugars, or almost HALF of what I should have for the day. This doesn't even address the fat content I have consumed.

    It isn't JUST overeating anymore. It has gotten to the point where even the good things for you are bad for you. Your only recourse is to eat polystyrene and drink water, or join Walmart America.
  • by rickb928 ( 945187 ) on Wednesday August 27, 2008 @02:28PM (#24768729) Homepage Journal

    ...but working in the financial industry may have my blinders tighter than ever.

    I recall a very basic security seminar I was in many years ago - before Microsoft was in the server business. One of the core concepts presented was the three security factors we could rely on:

    - Something you ARE - fingerprint, iris, voice, etc.
    - Something you KNOW - password, phrase, challenge response.
    - Something you HAVE - token, card, whatever...

    Any two of the three could offer good security. Asking for all three could offer very good security. Of course, we are only talking about access security here, as being forced to use all three to sign into your already-compromised workstation does not offer much data security.

    But in most credit card transactions, we have to offer at least #2 & 3, not always in that order. Adding biometrics (something you ARE) is interesting.

    Faking #3 (something you HAVE) is not so hard. Cards get copied, and actually the account number may be as good as a card in the card-not-present environment that e-commerce lives in.

    Faking #2 is the most current target of many, and they add loggers to terminals. Only a matter of time before we see wireless loggers inserted into terminals or POS devices, making it very hard for a consumer to check for the wire to 'another' device, and removing the need to go and retrieve the logger. Sending those PINs wirelessly is just too easy, only requiring a modest investment in technology. I venture there are plenty of ways to get those made for ya.

    Ultimately, for financial security, I think we need to mitigate the technological 'expediter' by introducing either more accountability or more time into the settlement process, allowing fraudulent transactions time to be rolled back and deny the crooks the funds. That is probably impossible in an environment where merchants demand faster payment, especially when merchants live on the edge of cash flow and can fail if they are denied cash over the course of days. Imagine trying to slow down the cash flow for weeks...

    Another option is faster accountability. Perhaps your cell phone is your friend here, and you get an SMS for every transaction... Imagine the thrill of seeing your purchase of two minutes ago appearing on your phone with a big "dispute this" button available. Imagine the thrill of getting that message for a purchase you *didn't* make, and killing the transaction... Imagine the potential for abuse. Not perfect.

    One key point to remember, perhaps. Theft is not new. The methods have changed. The scale is larger, but everything is.

    Is it fixable? Not if we want convenience. But hey, it used to be that people got mugged for cash. Does that happen so much any more? In a cashless society, with stricter security, are we gonna see ATMs that can tell the difference between the eyeball you use to authenticate yourself and the eyeball the mugger just popped out of your socket?

    Hope so. I want all my biometrics to stay with me.

  • Re:Review ? (Score:2, Interesting)

    by Anonymous Coward on Wednesday August 27, 2008 @02:57PM (#24769081)

    The problem is that obesity causes 1) my health insurance to go up to pay for obesity-related health problems, and 2) huge losses in productivity due to obesity-related health problems, which results in a weaker economy. Read this. [forbes.com]

    I agree with you that if people want to engage in risky or unhealthy lifestyles they should be able to, but not when it costs everyone else.

    BTW, smoking is worse, as it is no longer just about money. After Scotland banned smoking in public places heart attacks in NONSMOKERS decreased by 21% [nih.gov].
