Thursday, May 29, 2008

Taking Ownership of Identify Theft

Just going to throw this out there.

I think everyone agrees that Identify Theft is a huge issue but no one seems to take ownership of it.

I would say there are two to three kinds of identify theft methods

1. physically stealing information, like out of your mailbox, or a waiter steals your CC number off your card receipt from dinner

2. data lost from electronic breaches/losses

3. phishing

In general, if the first two happen to you there is little you could have done about it. Yeah you can get a PO Box, yes you can pay with cash for everything, so that aside or even maybe if you have done that let's talk about #3.

With phishing, I had to have a lack of thought (or common sense) and enter PII into a phishing site "I" did that. No hacker MADE me do that, I did it.

So the point? Instead of saying "a hacker stole my identity" maybe we should start urging people to take ownership of their stupid ass mistakes and say "I lost my identity" when the situation warrants it. Taking ownership of mistakes generally leads to not making that mistake again where passing the buck off to someone else for the blame generally leads to a wasn't my fault mentality.

When someone loses a cell phone and a person finds it and makes calls we don't say someone stole their cell phone do we? We say I lost my cell phone and some jerk ran up the charges.

I do realize that some bad guy has to actually "do" the actual identify theft, but if you gave him the information, its not his fault your an idiot just his luck.



dean de beer said...

I agree that an individual needs to take responsibility for their actions and if that action is entering in data to a phishing site or clicking on a link in an email then so be it.

But expecting average, semi computer literate people to be aware of dangers like phishing and pharming and ph..whatever is not reasonable either. Both you and I are constantly exposed to these types of attacks and so are more aware of them. That's not to say that we won't be caught out either.

If the site is obviously fake then fine, it's the person's fault for not wondering why a bank uses such bad grammar. But what about the site that is a mirror of the original? And for all we say don't click on an email it's in a person's nature to trust. This is why social engineering is so effective. social-network-experiment/phishing-preprint.pdf

This shows how susceptible people are to these types of attacks. Even the brightest of folks can be fooled.

Perhaps better technical controls and safeguards on folks email, etc.. but the problem with this is that when security affects productivity or ease of use then it becomes a burden to the user and they will likely find a way to bypass that security.

I don't think there is a turnkey solution to a problem like this and the phishers out there know it.


CG said...

'But expecting average, semi computer literate people to be aware of dangers like phishing and pharming and ph..whatever is not reasonable either."

yes it is. to make change we need to stop allowing idiots to be idiots. people will rise to the height of the bar that is set. we as a community and humans need to raise the collective bar.

working technical controls around morons is just going to lead to more creative ways of getting around those controls. fix the moron and the problem is solved.

dean de beer said...

The assumption that people are idiots because they are not aware of attacks is plain wrong. I challenge anyone to call their CEO an idiot for clicking on a link he/she should not have. Everyone has different skills and talents.

I've said it before and I'll say it again. Why do infosec professionals always preach that there is no such thing as a 100% secure environment but when it comes to the users that make up the environment we all expect 100% of them to respond to awareness training and never click on a link from an unknown source again? As with all controls you will achieve a certain percentage of success. Likely some individuals will take longer to grasp the concepts than others too.

As for raising the bar for security awareness I honestly believe that as a community we are less aware (or care less) of the dangers today than 5 years ago. I have stats from 2 large institutions where large numbers of users don't even have anti-virus installed on their personal computers. It's not that they don't care, it's that they are not aware.

So perhaps what needs to happen is that the folks whose responsibility it is to educate and raise awareness in their environments need to stop bitching about the users being the problem and look at the methods they use for educating those users and revise them accordingly. Not everyone responds to training in the same way and to expect all users to respond to your powerpoint on security awareness in the same way is unreasonable.

CG said...

"The assumption that people are idiots because they are not aware of attacks is plain wrong. I challenge anyone to call their CEO an idiot for clicking on a link he/she should not have. Everyone has different skills and talents."

The fact that i want to keep my job and not tell a superior they made a mistake or they are an idiot wouldn't make them less of one if they situation warranted it.

Back to your latest comment/post, your last paragraph is kinda what I am talking about. Educate the users to be aware of the threat and they are less likely to fall for whatever it is you are trying to protect them from.

Getting someone to admit that THEY made the mistake (whether they knew or not) instead of being the victim, can help that. if you get scammed, then YOU got scammed, yeah the scammer is a bad guy but you still handed over cash or information, whether its a new scam or not is irrelevant.

People tend to take things more serious (at least for awhile) if it happens to them or someone they know. if my friend gets his house broken into, in my mind its now much more possible that MY house might get broken into. if my friend says he lost his identity because he fell for some phishing attack then i might think its now much more possible that i may lost MY identity if i'm not careful.

Lastly, after rereading earlier comments, i disagree that i cant expect semi-computer literate users to not fall for regular phishing attacks. this has been going on for far too long for the "word not to have gotten out there."
For people to not know they shouldn't enable some obscure activeX control, i can live with that, thats hard to keep up with. but, at this point in time, to not know that you shouldnt enter in your password into a website after clicking on an email link? come on!!!!

Maybe the use of idiot in the post set us down the wrong path (we are far away from my point). I'm not in the "all users are idiots" camp. I think most users are never trying to harm the network or do anything that would hurt them or the business and that most people CAN BE and WANT TO BE educated to do just that. Hopefully we are back around to my point that if they make the mistake and lose their identity, they can and should admit that THEY MADE THE MISTAKE and move on. Instead of blaming the "evil hacker" and not taking ownership of their actions.

dean de beer said...

You're assumption that it is the users fault is too broad. I agree that if it is a blatantly obvious phish (bad spelling, fake url, etc) then sure they should be more aware.

But what about these scenarios:

The local community website is owned and now has an iframe with a download of a banking trojan that redirects them to and captures all login info for xyz bank.

Is it the users fault?

or how about a clear phishing example?

The user is requested to change their password via a form that came from the helpdesk.

Is it their fault or the security groups fault that they were not clear in their education of the users?

Also to assume that 'the word is out there' is a bit of a stretch.

Ask any group of people over 40 and 90% of them will not have any idea what you're talking about. Actually, make that over 25.

The point I'm making is that it is not always a persons fault for giving up that data. Sure, sometimes it is but more often than not you can't really blame the user.

Both you and I are hyper aware of the attack vectors today as we are immersed in it everyday but to expect even half that awareness from joe user is not realistic.

CG said...

then i guess the first step would be to "get the word out there"

i've never played 3 card monty but i know its a scam, guess we need to get a chunk of the phishing methods to that level.

how to do that? i dont know.