Thursday, January 09, 2014

Moving beyond incident identification

I made a few IT security predictions for 2014 last last year, but I want to highlight item number 3 as it's become particularly relevant:
"Security departments will shift their focus from incident identification to incident reaction and management"
We're only a week into 2014 and the two highest profile IT security stories so far are related to incident reaction and management (a.k.a. response).

While the acquisition of Mandiant by FireEye technically completed in 2013, it was only announced in 2014. To quote the New York Times article:
"Mandiant is best known for sending in emergency teams to root out attackers who have implanted software into corporate computer systems."
The other piece of news was that Bruce Schneier has joined Co3 systems. In his own post on the matter, he states:
"...there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now, it's time for response."
The true value in security monitoring, and by association Security Information and Event Management (SIEM), lies in moving beyond incident identification/detection. SIEM technologies have become much better over the past few years at using data analysis techniques to translate raw data and events into useful information that security departments can understand and hopefully act on.

Unfortunately, few organisations have the resources available to react to incidents adequately and in a timely manner let alone attempt to manage them. Incident identification/detection without the ability to respond is akin to having an alarm on your house go off that only your neighbours can hear. Even if they are around, how many actually care enough to do something about it?

The best alarms don't make any noise, but lock the house down so that no one can leave while simultaneously sending an alert to have a professional incident response team dispatched to the premises to deal with the threat while the incident is in-progress. Of course, it would have been better if they hadn't been able to enter in the first place, but we'll leave access management discussions for another day. Security departments need to work on the presumption that bad guys will get in somehow.

While the latter option sounds more like a military operation, it's how organisations need to be thinking about security incidents in 2014. At the very least, security departments need to have properly thought out, documented incident reaction and management procedures that anyone can follow with minimal training. While not every incident response person can be the IT security equivalent of a Navy SEAL, at least have a security guard on staff and augment with external assistance by using tools or service providers.

As I said in my predictions article:
"The focus when dealing with threats up to this point has been on the identification of them. Vendors spend large sums of money expounding the wonders of their tool’s collection and analytical abilities. It has become a game of “my feature is better than your feature” and “my analytics are better than your analytics”. Ultimately, it is pointless identifying a threat when there is no path forward to manage the incident, deploy the appropriate responses and counter the threat through remediation."

Monday, January 06, 2014

Why crooks love gift cards and how retailers are to blame

It’s the holiday season and there are those that don’t feel like thinking about particular gifts can cop out by gifting a gift card. For those that have never used one, it’s relatively simple. The card number combined with an access code is usually enough information for a gift card to be used for a purchase. This is how it usually works when making online purchases. At the actual physical store, the use of a gift card typically requires the user to also be in possession of it.

Fraud liability lies with the purchaser

Gift cards are designed with convenience in mind with no regard to security or indemnity. If your bank issued a card with the PIN printed on it, you would immediately cut it up, cancel it and change banks. Unfortunately, this is exactly what most retailers do with gift cards.

Both the number and the access code are displayed on the actual card (both physical and virtual versions). This is all one needs to make a purchase using the card. The anonymous nature of gift cards is just as much of a problem. Crooks love anonymity because at no point can a transaction be linked back to them.

To add to the mess, most retailers have a statement in the fine print to “treat the card like cash as we cannot process refunds in the event of theft or loss”. We would not tolerate this type of behaviour from financial institutions, yet that’s exactly what we do each time we buy a gift card. At least financial institutions will indemnify cardholders from loss or theft. Retailers simply say “too bad, your loss, not our problem”.

Because retailers do not care enough to accept responsibility, at no point will they ever attempt to investigate the crime and the criminals that stole your gift card details get away scot-free.

Digital gift cards are less secure than physical ones

While gift cards are not secure for the reasons already mentioned, digitally-delivered cards are worse. With physical gift cards, the most blatant, practical example of fraud involves crooks cloning inactive cards from stores and subsequently waiting for them to be activated through a legitimate purchase.

The best way around this particular method of fraud is to cover the access code on each card with a layer that can be scratched off, which many retailers have implemented. This is a simple, yet effective way to reduce the risk because if a card has a visible access code, you know it’s been compromised. Unfortunately, the digital version of this “scratch layer” is often non-existent.

The most common method of retrieving a digital gift card involves accessing a URL. To understand why this is a problem, consider the fact that often, the URL to retrieve a gift card is derivable, even if encryption is used in the actual URL pattern. It is not too difficult for a skilled attacker to get the standard URL pattern by legitimately ordering a card and subsequently performing a brute-force attack, similar to how passwords are cracked, on the parts of the URL that change to retrieve other gift cards.

The digital equivalent of a “scratch layer” would be to make the retrieval URL accessible exactly once. This way, one would know upon an attempt to retrieve the card if it has already been compromised through its URL and contact the retailer to report the issue immediately instead of finding out after the card has already been used. Once a card has been used by the fraudster, it is too late and there is no recourse for the victim.

No protection against insiders

As is the case in many organisations, the insider with access is a huge risk in this particular context. Credit card numbers are partially protected through PCI-DSS requirements that mandate encryption of stored card details and audit of access. Gift card details however are not subjected to the same rules and thus can be stored in clear text and not be monitored when accessed without regulatory consequences for the retailer.

Organisations tend to ignore security when they are not liable in the event of a security incident. In the case of gift cards, no liability lies with the retailer. This means employees of a retailer storing gift card details in the clear have relatively easy access. In addition, even if the retailer happens to have audit mechanisms tracking access to databases storing gift card details, the fact that consumers are expected to “treat gift cards as cash” is a sure sign that a retailer will not spend precious dollars to investigate any potential internal fraud with gift cards.

Too many third parties involved

Another trend that contributes to the problem is the use of third parties to administrate and issue gift cards. For example, many large retailers in Australia use the same third party company to do this. The problem with third parties is that access to data is now expanded to people not directly associated with the responsible retail organisations.

As gift cards are not subjected to the same standards as credit card information, employees of the third party company potentially have full access to gift card details of multiple retailers and can exploit this access for personal profit much more easily than if they were attempting to steal credit card numbers.

No regulation, no deal

Gift cards are effectively cash cards. Retailers have said so themselves in an attempt to indemnify themselves from liability in the event of fraud. The problem is that they are indemnifying themselves at the expense of fraud victims, also known as customers. The relationship in this instance is completely one-sided in favour of retailers.

Financial institutions dealing with credit card details are not afforded the same cop-out liability statement. In fact, it is the opposite. Financial institutions are held liable in the event of fraud and we as consumers are protected.

Imagine if we were told that whenever we use a credit card, we assume all the risk? Mastercard, Visa and American Express would go out of business very quickly. Why are retailers not subjected to the same rules?

It is time we woke up and realised exactly how unprotected we as consumers are when we buy gift cards. If you feel the need to buy a gift card for someone else, do what Asians do instead and put cash in a red packet.

In Asia, giving a red packet to someone implies you are wishing them good fortune. Giving someone a gift card however, means you couldn’t be bothered. You may also have just gifted them a worthless piece of plastic which they will resent you for when they try to use it.