[SecurityRatty] tag: identity

Employee fraud at Wells Fargo Home Mortgage affects some customers

Tue, 08 Jul 2008 08:58:12 +0000

Technorati Tag: Security Breach

Date Reported:
5/16/08

Organization:
Wells Fargo & Company

Contractor/Consultant/Branch:
Wells Fargo Home Mortgage

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"names, addresses, dates of birth, loan numbers, Personal Identification Numbers (PIN), current bank account numbers and last five digits of their Social Security numbers"

Breach Description:
"We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information. We have taken appropriate action against this individual."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Pursuant to the information compromise notification requirements of the State of New Hampshire, Wells Fargo hereby notifies you that we have give notice to approximately 24 residents of the state of New Hampshire of a potential compromise of their Social Security numbers and mortgage loan account numbers.

We have learned that a former Wells Fargo employee working in our reverse mortgage servicing department inappropriately used another customer's account information.
[Evan] Employee fraud is one of the most difficult breaches to prevent (and sometimes to detect). Most controls are largely administrative in nature such as background checks, segregation of duties, job rotation, policy and procedure, etc. Sometimes even the best controls won't do much to prevent an attack from the enemy within.

We have taken appropriate action against this individual.
[Evan] I wonder what this means.

We have no information indicating your information was compromised.

However, the former employee, in the course of their employment, had access to information that may have included your name, address, date of birth, loan number, Personal Identification Number (PIN), current bank account number and last five digits of your Social Security number.
[Evan] The fact that only the last five digits of the Social Security numbers were accessible is a good indication that Wells Fargo identified the risk involved with a person in the former employee's position accessing confidential information. Limiting Social Security number exposure also limits the extent and impact of the breach.

We started mailing consumer notices on May 13, 2008.

Wells Fargo Home Mortgage takes information security very seriously and wants to assure you that we are taking precautionary measures to reduce the potential risk associated with this incident.

Wells Fargo Home Mortgage, to ensure everything is done to protect you, will be providing you with a new PIN to access the line of credit on your reverse mortgage loan.
[Evan] Not just "to protect you". Remember that Wells Fargo is in business to make money and I am pretty sure that the things they do are to that end.

As a precaution, Wells Fargo has partnered with a company called Intersections, Inc. to provide you with a free one-year subscription to IDENTITY GUARD CREDITPROTECTX3.
[Evan] Cool! "CREDITPROTECTX3" sounds super strong and effective!

Wells Fargo Home Mortgage values and appreciates the trust you have placed in us by allowing us to serve you.

We sincerely apologize for this situation.

If we can be of further assistance, please do not hesitate to call us at (800) 472-3209 between the hours of 8:00 am and 8:00 pm eastern time, Monday through Friday.

Commentary:
I think that breaches like this are more common than some people would like to admit. Banks have the one thing that everyone wants!

Past Breaches:
Unknown

Laptop containing personal information is stolen from U.S. Foodservice

Mon, 07 Jul 2008 19:35:13 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
U.S. Foodservice, Inc.

Contractor/Consultant/Branch:
None

Victims:
Present and former employees, "and in a few instances, their dependents and applicants for jobs at USF"

Number Affected:
Unknown

Types of Data:
"names, social security numbers, home addresses, and/or dates of birth"

Breach Description:
"We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information.
[Evan] We now add U.S. Foodservice to the ever-growing list of organizations that refuse to encrypt laptops, yet allow confidential information to be stored on them.

Local authorities were immediately notified and we conducted an internal investigation.

the laptop contained certain old data files
[Evan] I wonder how old these data files were. I also wonder if these files were supposed to have been removed and/or destroyed, but were missed.

In the course of our investigation, we determined that the laptop computer contained the names, social security numbers, home addresses, and/or dates of birth of some present and former USF employees, and in a few instances, their dependents and applicants for jobs at USF.

We are sending a notification letter to individuals impacted by this incident.

We expect to begin mailing the notification letters on June 13, 2008.

we have no indication that any of the information is being misused
[Evan] A breach notification is almost not a real breach notification without this mention.

Please note that several years ago, the Company stopped using social security numbers to identify employees for internal reporting or other purposes.
[Evan] A good move by the Company. USF is still required to collect Social Security numbers however.

Pursuant to USF policies, the laptop was protected by a unique user ID and password, but the individual files containing personal information were not encrypted or password protected.
[Evan] I am interested in reading the USF policies. Do the policies only require a user ID and password to protect (or access) confidential information? Probably not sufficient.

U.S. Foodservice takes the security of your personal information seriously and apologizes for any inconvenience or worry this incident may cause you.

As a precautionary measure, we are making several services available at the Company's expense, free of charge to you, to assist you in protecting your identity.
[Evan] A true "precautionary measure" might have been restricting confidential information storage on laptops (and other mobile media) or encryption.

Although at this point we have no indication that your information has been compromised
[Evan] My definition of "compromised" obviously differs. In my opinion, if the confidentiality, integrity or availability of information cannot be reasonable assured, then the information IS compromised. If you believe that password-protection provides reasonable assurance, then you and I disagree.

Call the Toll Free Help Line at 1-866-584-9681 to get answer [sic] to your questions.

Staffed by a team of professionals
Monday through Friday from 6:00 a.m. to 6:00 p.m. (Pacific Daylight Time)
Saturday and Sunday from 8:00 a.m. to 5:00 p.m. (Pacific Daylight Time)

Please know that while we have information security policies in place, we are reviewing those practices and procedures to see what changes need to be made.
[Evan] Its good the USF has information security policies in place, but it doesn't mean that they are effective or that they are well enforced. A poorly enforced policy isn't worth the paper its written on.

Commentary:
U.S. Foodservice is also offering one year of free credit monitoring and identity theft insurance. This would be fine minus the fact that a Social Security number has an effective lifespan that far exceeds one year.

If only there were other controls available to protect information stored on a laptop. Wait, we do!

Past Breaches:
Unknown

The Risks of Outdated Situational Awareness

Mon, 07 Jul 2008 04:46:27 +0000

It's been two months since I analyzed the proprietary email and personal information harvesting tool targeting major career web sites - "Major career web sites hit by spammers attack", received comments from Seek.com.au and Careerbuilder.com, communicated all the actionable intelligence in terms of the bogus accounts used and the related IPs to the career web sites that bothered to show interest in the attack, to come across a ghost story today - Jobsite hack used to market identity harvesting services :

"A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a result the personal information (names, email addresses, home addresses and current employers) on hundreds of thousands of jobseakers has been placed at risk, according to net security firm PrevX."

All your CV are NOT belong to us, All your CV are ALREADY belong to us.

Social Security Administration lists live people in the Death Master File

Mon, 07 Jul 2008 04:44:12 +0000

Technorati Tag: Security Breach

Date Reported:
6/26/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Social Security Administration

Victims:
United States citizens

Number Affected:
"more than 20,000"

Types of Data:
Name, date of birth and Social Security number

Breach Description:
"The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive"

Reference URL:
FederalComputerWeek

Report Credit:
Michael Hardy, FederalComputerWeek

Response:
From the online source cited above:

The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined.
[Evan] "The DMF is a publicly available database maintained by SSA that contains detailed information on more than 82 million deceased numberholders. Each year, SSA receives death reports for more than 2.5 million individuals and adds the information to the DMF. " (Source: SSA Inspector General AUDIT REPORT A-06-07-27156). This breach was not the result of single occurrence, but instead is a result of errors in current process.

The IG's analysis dates to January 2004.

Since then, SSA has made the live people's Social Security number, full name, date of birth, and state and ZIP code of last known residence available to users of the database
[Evan] The organization that distributes and manages the "system" cannot secure the information. Is this is just another case that proves that the "system" is busted?

After learning that those people were not deceased, SSA deleted the information

The IG's investigators found some instances where the personal information was available for free viewing on the Internet

SSA provides the data to the Commerce Department's National Technical Information Service (NTIS), which in turn sells it to customers.
[Evan] Selling a dead man's (or woman's) information doesn't seem right to me. Do you see anything wrong with it?

Customers include the government, investigative businesses, financial and credit reporting firms, and geneaology researchers.

Some, including prominent geneaology Web sites, post some or all of the information online for their users.

To prevent a repeat of the situation, the IG's recommendations include:

Implementing a risk-based approach for distribution of DMF information. One suggestion: Have NTIS delay release of updates to public customers for one year to give SSA ample time to correct erroneous entires.
Limiting information included in the data sold to public customers.
Starting required breach notification evaluation procedures.
Providing appropriate notification to living individuals whose information was released in error.

In response to the IG's report, SSA said limiting the personal information might be difficult, but it would consider doing so.
[Evan] There are many practices to secure information that "might be difficult", but this is not a good excuse. Life "might be difficult", so what?

The agency agreed with the other recommendations.

Commentary:
The use of Social Security numbers as personal identifiers as well as authenticators seems to be a very significant contributing factor to the identity theft mess we face today. So how did Social Security numbers become so important in the first place? Read the "Social Security Number Chronology" on the Social Security Administration web site for some clues.

To my knowledge, the victims in this breach have not been (nor will they be) notified.

Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates
March, 2008 - Laptop stolen from NHLBI contained personal health information

Daily Mail publisher admits to stolen laptop

Sat, 05 Jul 2008 08:55:49 +0000

Technorati Tag: Security Breach

Date Reported:
7/4/08

Organization:
Daily Mail and General Trust plc

Contractor/Consultant/Branch:
Northcliffe Media
Associated Newspapers Ltd

Victims:
Staff, suppliers and contributors

Number Affected:
"thousands"

Types of Data:
"name, address, bank account number and bank sort code"

Breach Description:
"Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen."

Reference URL:
ComputerWorldUK
Guardian News (UK)
Guardian News (UK) additional info

Report Credit:
Guardian Newspaper

Response:
From the online sources cited above:

Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen.

A Daily Mail & General Trust spokeswoman said: "DMGT confirms that a laptop company computer containing certain confidential information was stolen last week.

After months of criticising "criminally careless" government departments for losing confidential records, the company has been forced to send out an embarrassing letter telling journalists they may now be at risk of identity theft
[Evan] This is the same Daily Mail managed by Associated Newspapers that according to The Guardian "has been at the forefront of coverage of the recent bank and government department missing data scandals". It would be very difficult for Associated Newspapers to claim that they didn't know any better than to store confidential information on a poorly protected laptop.

Details such as names, addresses, bank account numbers and sort codes were on the laptop

the laptop was "password protected" but tell recipients to contact their banks and also "consult the government website ... for advice on avoiding or dealing with identity theft"
[Evan] The mention of password protection is nothing more than an effort to minimize the effect of the breach. It does very little (if anything) to protect the personal information.

In a letter to those who details were affected, Simon Dyson, finance director at Daily Mail publisher Associated Newspapers, and Martyn Hindley, his counterpart at sister company Northcliffe, said it was likely that the details had been erased by the thief.
[Evan] How is the conclusion drawn? I don't see how there could be enough information to determine what the thief was likely to do.

From the letter to affected persons from the Associated Newspapers group finance director, Simon Dyson, and his Northcliffe counterpart, Martyn Hindley:

"Unfortunately one of the company's laptops has been stolen."

"The contents included personal data, some of which related to you."

"The laptop was password-protected. "
[Evan] So what? This won't adequately protect the information on the laptop, so why mention it?

"We are writing to you as quickly as possible to alert you to the fact that the theft has happened and to inform you of the data types lost, so that you can take appropriate action."
[Evan] I guess we should give some credit for the quick notification, if nothing else.

"In your case, your name, address, bank account number and bank sort code were the sensitive information lost."

"The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen."
[Evan] This is nothing more than speculation. I can't imagine that there are any specific facts for which this conclusion is based on.

"We have, of course, notified the police of the theft of the laptop and are talking to the Office of the Information Commissioner about what has happened."

"On behalf of the company, I would like to offer my sincere apologies for any annoyance and inconvenience to you that this breach of security may cause."

"I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures."
[Evan] This breach was caused by a "technical issue"? Like what? I presume that the technical aspects surrounding this breach were working exactly as they were designed to in the manner of which that they were implemented. Without further elaboration, "strengthened procedures" is subjective and means little. Organizations should offer details, instead of general statements in order to bolster some sense of confidence.

Commentary:
This breach must be embarrassing for Associated Newspapers. A breach like this should be embarrassing for any organizations. Unencrypted lost of stolen laptops storing personal (or other confidential) information is a pretty well-known risk nowadays. An unacceptable risk for most.

Past Breaches:
Unknown

Upcoming Talks and Training

Thu, 03 Jul 2008 10:32:26 +0000

Here is my current list of talks and training

"Breaking Web Services," Monday July 7: OWASP Twin Cities - "SOA and Web services promise wonderful interoperability, but distributed systems create lots of room for fantastic failures. This session will explore the gory details of unique vulnerabilities at each layer of the SOA stack - from the WSDL interfaces to XML processing (XSD, XPath and XQuery), to the implementation languages liike Java and C#, to new security standards like WS-Security and SAML.
I gave a version of this talk with Brian Chess at the 2008 RSA Conference.
"Web Services and SSO: There and Back Again" at Ping's SSO Summit. July 25, Keystone, CO - "What happens to your identity information and business data after you press "SUBMIT" on a website? These bits have a journey as dangerous as Frodo Baggins' travels through Mordor. This talk traces the path from the website through the perils that lurk in the enterprise and legacy systems. We will explore what threats are encountered along the way, and how to design a cost effective security architecture with Security Token Servers using open standards."
"SOA, web services, and XML Security" 1 day training at Usenix Security July 29. This is a public 1 day version of my training see the link for details

Identity federation standards ease authentication pains

Wed, 02 Jul 2008 06:38:31 +0000

Federation frameworks like SAML, OpenID and Cardspace promise to make authentication easier across applications and the Web. How do these frameworks compare, and what do they offer for financial services organizations looking to ease the authentication process? This tip explains.

Links for 2008-07-01 [del.icio.us]

Tue, 01 Jul 2008 20:00:00 +0000

'I have a lost laptop horror story for you'

Mon, 30 Jun 2008 20:00:00 +0000

The devil of identity theft is in the details: Russ Jones tells a tale of woe that isn't particularly dramatic -- or rare -- and yet it's exactly the kind of story that worries me enough to ignore my better judgment and buy identity-theft protection from my insurance provider.

Diary of a deliberately spammed housewife

Mon, 30 Jun 2008 20:00:00 +0000

The Global S.P.A.M. Diaries was an experiment by McAfee to find out what would happen if 50 volunteers from around the world put aside common sense and answered every e-mail spam that came to them, chronicling the results. Tracy Mooney, a married mother of three in Naperville, Ill., was among them, and she tells what she saw in her online identity as "Penelope Retch".