News Clip: In what’s believed to be one of the largest data breaches in banking history, Capital One Financial says personal information including names and addresses of about 100,000,000 people in the U.S. and 6,000,000 in Canada, were obtained by a hacker who’s now been arrested. Marriott says hackers managed to access the personal data of 500,000,000 of its hotel guests over a four year period. Facebook is alerting its users to a security breach affecting tens of millions of profiles. The biggest attack of all time, half a 1,000,000,000 Yahoo email users are victims of a security breach, meaning their personal information has been compromised.
Jordan: So you’ve been hacked? Yes, you. Now what? Chances are if you spend any time on the Internet like any time at all, this is not the first time, probably not the second or the third and it might have been your fault, it might have been some company you foolishly thought would protect your privacy. It doesn’t really matter. The point is some of your data, or I guess some more of your data is out there now. It’s in the hands of who knows who, being used for who knows what, so should you panic? Should you immediately change all your passwords? Should you click on that really official looking email that you just got from your bank that mentions the data breach and urges you to sign in right now to protect your account? See too much reporting around hacks and data breaches focuses on the scale, on how many accounts, on how many people, on how much data. Without acknowledging that, really, there’s almost no way for us to do business on the Internet while keeping all our data private forever. So again, it’s gonna happen, now what? What do you need to know about hacks like Capital One? What is done with the data that’s stolen? Who profits from these thefts and why do some of the world’s richest companies still not have enough security to prevent them? And, of course, how do you tell the difference between dealing practically with the realities of digital security, and deluding yourself into thinking you can prevent the inevitable breach if you just do everything perfectly?
Jordan: I’m Jordan Heath Rawlings, and this is The Big Story. Matthew Braga is the project manager of security planner at the University of Toronto’s Citizen Lab. He’s also a writer who covers cyber security. Hey Matthew.
Matthew: Hi Jordan.
Jordan: First thing I want to ask you, how likely is it that somebody out there has my data?
Matthew: So I’ll give you a good example, and this is a fun exercise that anyone could do at home. There’s a website you might be familiar with, it’s called Have I been pwned. We can even do this right now where if you go to have I been pwned,
Jordan: Ok we’re gonna do this right now.
Matthew: And so for those of you listening at home, what you can do is you can go to this website and you can plug in your email address and it will tell you how many data breaches your user name and password, and potentially other information has been in as well.
Jordan: Oh no!
Matthew: How we looking?
Jordan: I’ve been pwned. Breaches I was pwned in, Cafepress, Gawker, Linkedin, Ticketfly, and Tumblr.
Matthew: That’s it?
Jordan: That’s it. I managed to dodge some big ones I guess.
Matthew: I am in 20. I looked it up this morning cause I was curious and it’s a lot. And so I use this by way of example cause I think it’s a really, really great way to illustrate that on a very basic level, I think if you are a relatively active user of the Internet today, it’s almost certain that you have had, at the very least, your password contained in some sort of breach and some sort of of of data breach that’s been shared and published online. Beyond that is where things get interesting, cause of course, as we’re seeing the number of companies that we deal with online and digitally is ever expanding, the types of information these companies contain about us or hold about us continues to expand as well. And so you know, no longer now do we just have to fear sort of our passwords being obtained, which of course, opens up a whole Pandora’s box because you know, if someone has access to your password, we reuse passwords sometimes, that can gain access to other accounts and on and on and on. But all this to say at the very least, it’s probably likely someone has your password, and it’s increasingly likely that we’re seeing attackers find new and interesting ways to get access to everything from credit card information, to….
Jordan: Right, well that’s where I want to go with this because, you know, these data thefts I just looked up are pretty old and again if somebody has my old Gawker account or even gets into my Linkedin like, ok, crap, but it’s not ruining my life. But last week, Capital One, isn’t a name that when you hear their data has been compromised, there’s a good 6,000,000 Canadians who are immediately fearing for not their email account but their credit card.
Jordan: How did these escalate?
Matthew: So the interesting thing about the Capital One breach, I think it’s a really good example of how for us, for people who might be affected by these breaches, there’s often not really much you can do, like it’s not your fault. So there’s all of this advice out there, and security plan early, you know, we have a lot of sort of different recommendations and advice on how you can lock down accounts, and smart security practices and things like that. But it’s not really gonna help you much if the company that you’re trusting hasn’t done something to secure your data, and that’s one of the interesting things about this case. So what we have been able to, I guess, piece together and I was looking at the complaint, and one of the interesting things that they lay out there is that Capital One, like a lot of other companies, is moving a lot of their…. whether it be information or their applications or just things that help them run their service into the cloud, right? So just, you know, big server firms that companies like Amazon and Google and Microsoft they all run these big cloud server farms. It makes a lot of sense because then you don’t have to run one of these data centers in your own sort of space anymore, which costs money and time and resources and on and on and on. But the flip side of this is that you’ve got to be very good at configuring your servers, you have to be very, very good at making sure that these things that you can access remotely, can’t be accessed by other people remotely. And the sense that we’ve gotten at this point is that there was some mis configuration of these cloud services that allowed people who shouldn’t have had access remotely to gain access to that server remotely, and it’s really interesting because this is a class of attack that you’re increasingly seeing. There are cyber security researchers out there who basically just devote their days, they just have companies, and all they do is go scouring the Internet for in this case, it’s called an S3 bucket, that’s sort of Amazon’s name for this bucket of data that you can put stuff in, you can build applications around it, and ideally, you’ve configured that bucket so no one knows it exists, no one can find it. In this case clearly someone found a way to access this bucket that Capital One had with Amazon, and we’re seeing a lot of breaches like this now, right where people go scouring for these buckets, they kind of go and they find them and they realize oh there’s actually some interesting information out in these buckets. And if you are uh.. if you are altruistic and you are running the company and you care about peoples security, maybe you email the company someone like Capital One and you say, hey, you know, perhaps you should lock this down, configure this appropriately great. We’ve seen other cases where data is just sucked right out and pillaged and repackaged and put up online to either be sold or disseminated in other ways. And ah, and it’s not great, it’s sort of like the today’s equivalent of, you know, back in the day, people used to have, like, FTP servers that we just like, leave exposed and you could kind of find there…
Jordan: Because there wasn’t anything quite as valuable as our digital banking information on those sites back in the day.
Matthew: No and I think that’s one of the real interesting things about just how a lot of companies have transformed their business practices is that in the past, a lot of that information would have maybe perhaps been held really close to the chest. You would have locked it very deep in your own premises, your own computers, maybe you wouldn’t have connected those things to the Internet. Maybe you could only access those things off line or in some room, that’s you know, you call it air gapped, where computers aren’t connecting to any other computers. I don’t know…
Jordan: But a banking company can’t do that anymore and compete.
Matthew: Most companies can’t anymore, right? This is, I think, the reality now where there’s a reason why you have companies like Amazon and Microsoft and Google making billions of dollars every year off of Cloud computing service because they offer very, very good services that you can no longer expect companies whether it be a bank, whether it be; I know a start up you’re just trying to get off the ground, to build up that capacity and offer that yourself. And so that’s why you’re seeing more of at least you know, we’re talking about this particular case where this data was taken off of a cloud server according to the complaint and that’s just sort of one thing that we’ve seen on the rise.
Jordan: What happens to this data after it’s taken. You mentioned that it could be sold or posted. What’s the end goal there?
Matthew: So it certainly depends on who we’re talking about. So if you are someone that is altruistic, you’re trying to improve the sort of security posture of companies all over the place out there. You know you’re trying to identify these exposed servers, these mis configured servers before other people can. In other cases, you know, there’s a couple of different sort of levels here, right? So, for example, some companies and Capital One is among them, offer something called a bug bounty program. And so this is something where you essentially, and there are caveats here, but you essentially give well intentioned hackers the green light to try and hack into your company. You basically give people the green light to oh, you know, go and discover those mis configured servers to test us, right? Can you actually get data out of this? Can you actually sort of access things that shouldn’t be accessed, like credit card information? And in those cases, you know these people, if you discover this sort of stuff, you can report it to the company, maybe you get a little bit of monetary reward in response to that, and then continuing down that spectrum you have people who also will go scouring for these miss configured servers for information that’s being left in the open if you know where to look. And they are interested in all sorts of things, right? Maybe you take this data and you hold the company hostage. You say, hey, we have access to this data, we’ve had access to this data for months, for years we know everything about your customers, your clients, on and on and on, and they try to extort companies. And so we see that a lot in certain cases especially where, I mean, there’s two ways of looking at it, right? Sometimes they’re just crimes of opportunity. So people find an exposed server and they go after it and they try to hold the company ransom. Or there’s been other cases where and some of the big cyber security companies out there have noticed this, where there’s actually actors who just target specific industries. So maybe they go after casinos or oil and gas companies because they know these are companies that now have the money to pay, and they want to protect their client information, on and on. And then there’s other cases too where people get into these servers, they siphon out all the data, and if it’s valuable, if it’s stuff that they can make money off of, like credit card information in the right format of course, maybe it’s just biographical information, right? Cities, hometowns, addresses, on and on and on that you can cobble together with other data into profiles that can then be sold more valuable than these pieces on their own. That’s another thing as well, and so that there’s basically corners of the Internet where this stuff is bought and sold and traded, you know, either in bulk on one big package or sometimes it’s parceled out piecemeal, right? Little bits of data at a time to make it; You know, all in the name of making it less clear that a company perhaps has been breached, right? If you’re just using a couple of credit cards at a time as opposed to maybe, you know, parceling off hundreds, thousands, hundreds of thousands of them, maybe it becomes a little bit; You can use them for a little bit longer before people notice.
Jordan: Well in your work with security planner, what do you find are some of the misconceptions that people who see a headline Capital One hacked, 6,000,000 Canadians, data at risk have in terms of oh my god I’ve been hacked, do they have my credit card now, versus what’s actually going on with that data.
Matthew: I think one of the things that people need to keep in mind is that every time there’s a breach or some sort of hacker data is is leaked online or made accessible, I think it’s really easy to panic. It’s really easy to perhaps worry that oh, my goodness, like my information is out there or maybe for some people, there’s actually the opposite reaction. A bit of apathy, right? Oh, my information is already out there what is it to me if Capital One has put a little bit more information out there as well. But I think one of the biggest misconceptions is that certainly security planner tries to dispel in the way that it’s designed, and the recommendations that it puts forth is that I’m taking a little bit of control over the security of your online accounts, the privacy of your data is not actually that hard, it shouldn’t be hard, it shouldn’t be something that you think of as this big daunting task. There’s a lot of really easy things you can do, sort of low hanging fruit that can help sort of improve your overall security posture, right? Whether that be things like, you know, not reusing passwords. So, for example, if there’s a breach where there’s a whole bunch of passwords are dumped onto the Internet, if you no longer use the same password for every different account, you don’t have to worry as much perhaps right? Because it’s right in the past for that one account that’s been breached out there, right? Or for example, a two factor authentication is another thing that’s, you know, a really easy recommendation. So the idea being there, that for a lot of accounts now, instead of just putting in your user name and password, you are also asked to put in your user name, your password and maybe a code that’s texted to your phone number, or a code that pops up in this little app that you have in your phone and it’s supposed to be this extra layer of authentication because even if someone has your password, you know they likely don’t have your phone, and these little one time kind of strings of numbers that are sent to your phone. So the idea being that, you know, on the one hand, when you have stuff like Capital One, it’s not your fault, there’s not a lot you can do, because this is information that you’ve trusted with a company like Capital One, and you hope that they would keep it secure, and in this case, they didn’t. But on the other hand, there are also some things that you can do to help lessen the impact of things like that. So whether it be Capital One or whether it be another breach, there are things that you can do certainly around account security, and privacy of data that could help minimize the impact. You can never really eliminate the risk, but you can do what you can to sort of minimize it. I think this is where certainly companies and they’ve gotten better at it, I think you know, banks in particular but I think a lot of companies could do better and have started to do better about also educating their users, their clients, you know, their customers about some of the stuff that we’re talking about here, right? So maybe, you know you would never; And that, I think, is a big part of it, right? Is that for a lot of people they don’t even know where to start, right? They don’t even think of security or privacy as something that they need to kind of necessarily worry about.
Jordan: And when you check on have I been pwned and you get 20 results, it can seem like a mountain to climb, like I can’t even think up 20 different passwords and remember them. And not only that, is nothing that terrible has happened so far, so why would I go to the trouble of doing all of this just to, you know, get my LinkedIn account?
Matthew: It’s so funny you say that because I think that that is also something that companies are grappling with as well. This has been a long time problem and why I think you know, part of the reason why you see, I think so many breaches continue to happen to such a wide range of companies is people keep punting those decisions down the line. They think, oh well we haven’t been breached yet, or, you know, our data is not that valuable who’s gonna go after us, who’s gonna go after our customers? All these sorts of reasons and rationales that people have to delay the big decisions about how they’re going to spend their money, and what you end up with is a situation where you’ve punted those decisions down the line so far that you’ve left your company vulnerable in a way that could be exploited down the road that you just don’t even anticipate. And I think this is one of the challenges with people as well is it’s really easy to think ok, well, I’m going to, you know, changing all of my passwords is a lot of work, and it is a lot of work, right? I think one of the challenges when we’re trying to sort of dole out sort of simple advice is that each one of these things, you know, you get yourself a password manager, for example. This is a really, really great thing that everyone should have if they can, is, you know, something like get yourself a password manager, create unique passwords for each of your accounts, set up two factor authentication. Individually, these things can be relatively simple but when you start adding them all together, it can take a lot of time. And I think in those situations as well, just reminding people of that they don’t have to; You don’t have to do everything at once. You don’t have to sort of, you know, clear your schedule on a Saturday afternoon, you know, pour yourself a coffee or, I mean you can certainly do this, I’ve done this, I know people who have done it. It’s great if that’s the level of dedication and effort you want to bring to it. But it also doesn’t have to be like that, right? It could be the sort of thing to were, and this is something I think we want to explore a little bit more with security planners as we we evolve and improve on this thing is, how do you show people that it can be easy? It can be a relatively simple thing, maybe you just get a reminder every couple of weeks that say, hey, you know, you did a great job of updating some of your passwords, maybe update a couple more of them, right? Or maybe you do something where you don’t have to change every single one of your passwords in one go, but maybe every time you get prompted to reset your password or update your password, or you create a new account you just start from sort of a new baseline of okay, instead of me thinking up a new password, I’m just gonna start using my password manager to generate those passwords and store those passwords for me, basically breaking it down into smaller steps so it’s a little bit more manageable if possible.
Jordan: One of the last things I want to ask you about is sort of side phenomenon that I’ve noticed, which is after one of these hacks and data breaches are announced and they get a lot of publicity, people will start getting phone calls or emails purporting to be from Capital One. We realized that your data might have been compromised, please log into your account and make sure that we can secure it. And this is like a cottage industry off of hacking and how can people protect themselves from that?
Matthew: We saw this after Equifax as well. I think we saw this after the Marriott Hotel hack last year as well, it’s one of those things where it requires some vigilance, it requires you to essentially keep your wits about you, which isn’t always easy. Fear plays a really, really big role, and I think that’s why these campaigns can be so effective is people think, oh, gosh, right, there’s this big breach, I have to do something about it, here is someone contacting me saying, hey, here’s what you can do about it, it’s one of the classic hallmarks of a successful phishing attack, right, where phishing attacks that work the best are contextual. They take into account things that are happening in the world, things that are happening to you and that’s when people are most likely to fall for these things. I mean, there’s a reason, broadly speaking, why phishing attacks are still so effective and why phishing attacks can still trip up even experienced security professionals. People who know this stuff and think about this stuff because really, really good phishing attacks are indistinguishable from something that you might be expecting. There’s a reason why when you get into some of the really kind of, you know, impressive targeted attacks, right? Attacks that know that you’re gonna be in a conference on a particular weekend, and so you get an email saying, hey, here’s the updated information about the session and you wouldn’t even think twice not to reconsider whether this is actually legit because, of course, you’re at a conference who else would know you’re in a conference? Who else would know to email you about the conference? This is the same sort of thing that people who take advantage of these breaches are trying to take advantage of, is well, like, of course, there’s a breach and of course I know I need to do something about it and here’s this email just in time. I think one of the things that people could do is if you just try your best to be vigilant, try your best to think critically about messages you’re getting, attachments that might be included on those messages, prompts that you get in text messages or emails things like that. One of the things that is often a really, really easy thing to do is maybe you get one of these messages and it purports to be from Capital One, a really simple thing to do is phone up Capital One, and look up their support email or look up their support phone number separate from this email or message that you’re receiving, call them up and say, hey, like, are you sending out messages like this? Is this one of yours? You know, I get these messages all the time that purport to be from Bank of Montreal or from TD Bank or other, you know, Canadian banks and they have these links and their text messages and they say, hey, you know, you’ve received an e transfer, and it’s not uncommon for me to receive e transfers from my friend and in one of these cases, right it’s as simple as basically, you know, calling up your bank right and asking for more information. Basically, doing a little bit of work to try and check and verify the validity of the messages that you’re receiving can go a long way.
Jordan: Get paranoid and stay paranoid.
Matthew: But also there is some hope, and I think there is some optimism and there are certain things that people can do to take a little bit of control back and have a little bit more peace of mind rather than I think fall into sort of a state of apathy or nihilism because, sure, there’s lots of breaches, and there’s a really good chance that some of your data is out there but there are again, things that you can do to minimize that risk and not all is hopeless, not all is lost, and a lot of this just falls on the companies to actually get their stuff together and improve things because ultimately it’s not you that’s broken, it’s the system that’s broken.
Jordan: And where can we find security planner?
Matthew: You can find security planner at securityplanner.org. It’s this really simple tool, you answer a couple of questions about maybe some of your concerns, the devices you have, things that you might be worried about or concerned about. Maybe you don’t even know what you’re worried or concerned about, but we can give you a couple of easy recommendations, really low hanging fruit that you can use to try and improve some of the security and privacy concerns that you might have in your day to day life.
Jordan: Which are everywhere.
Jordan: Thanks Matthew.
Matthew: Thanks Jordan.
Jordan: Matthew Braga, the project manager of security planner at the University of Toronto’s Citizen Lab. And that was The Big Story. If you want more from us, you can find us at the bigstorypodcast.ca, we will never ask for your information. You can also get us on Twitter @thebigstoryfpn, and you can find us, and our brother and sister shows at frequencypodcastnetwork.com and every little app that carries podcasts. Thanks for listening. I’m Jordan Heath Rawlings, we’ll talk tomorrow.
Back to top of page