With the internet revolution in full swing, web and mobile applications collect more and more private information from us. This makes life easier and boosts productivity, but it also leaves large databases of Personally Identifiable Information (PII) exposed through a lack of security awareness and/or vulnerable applications. Identity Theft has become a common occurrence in today's cyberspace, so organizations need to understand the nature of the risks and eliminate them before it's too late.
Identity Theft: Our PII Is Far From Secure
Simply put, Identity Theft has reached epidemic proportions. High-profile hacks are piling up, and more and more PII is making its way to underground black markets and espionage data repositories.
1 – Banking and Retail
JP Morgan Chase & Co suffered a major breach in 2014 that turned into a large Identity Theft scandal. Contact details for over 80 million customer accounts (households and small businesses) were stolen by a group of hackers who got in through a server in the bank's network. The server in question had no two-factor authentication in place, so stolen credentials alone were enough to make it the hackers' point of entry.
It's not just the banking sector. Retailers have also faced a barrage of attacks, leading to Privacy Violation cases that have exposed tens of millions of customers worldwide. The 2013 Target breach, considered by many the benchmark for retail-chain hacks, affected up to 110 million customers (around 40 million payment cards plus the contact details of some 70 million shoppers) and forced the organization to make drastic changes.
Identity Theft at IRS. Courtesy: TomoNews US
2 – Healthcare Services
An equally worrying Identity Theft problem is brewing in hospitals and healthcare organizations. With most medical records and sensitive personal data now stored online, hackers have a wide range of targets to go after. Despite the Health Insurance Portability and Accountability Act (HIPAA), the US law whose Security Rule sets well-known requirements for protecting health data, compliance is still far from satisfactory.
Health insurer Premera Blue Cross disclosed in March 2015 a breach, discovered in January of that year, that exposed around 11 million accounts. The exposed records included Social Security numbers, bank account details and sensitive clinical information. What was done with the stolen data is not publicly known, but records of this kind are routinely traded on online black markets.
In another case, USA Today reported a data breach at UCLA Health System that exposed the records of around 4.5 million people. It is still unclear how much data was actually taken, but the implications are clear: besides reading healthcare records, intruders with this kind of access could tamper with medical test results and jeopardize diagnoses.
3 – Popular Websites/Applications
Identity Theft has also become common on globally popular websites and applications. The first case that comes to mind is the recent Ashley Madison breach, in which the account details of tens of millions of users were harvested and then published online without their consent. Payment records, information of a sexual nature and other personal details were among the stolen data.
The Sony Pictures Entertainment hack was probably the biggest Identity Theft incident of 2014, and one that caused political tensions around the world because of its link to "The Interview", a comedy about a plot to assassinate Kim Jong-un. Tens of thousands of current and former Sony employees had personal data, including Social Security numbers, exposed in the hack. The US government attributed the attack to North Korea, and the initial intrusion is widely reported to have begun with spear-phishing rather than a purely technical exploit.
The Top-3 Culprits Behind Identity Theft
Determining the method used in these breaches is just as difficult as assessing the amount of damage done by the leaks. Attack techniques are becoming increasingly sophisticated, and victims usually disclose little about their findings. But Privacy Violation incidents are typically initiated by one, or a combination, of the following three methods:
1 – Internal (Inside Jobs)
Organizations often suffer data breaches when an employee deliberately leaks internal information to outsiders, whether for financial gain or for personal reasons.
One example from the healthcare sector involves a nurse, Debra Bush, who was in charge of entering patient data and simply stole it. The information included Social Security numbers, credit card details, addresses and more. She used the stolen identifiers to obtain a wide range of utilities and other goods and services without the victims' consent or knowledge.
2 – Social Engineering
Social Engineering is a technique that lets an intruder reach private information stored on application servers without being a technically savvy, experienced hacker. The attacker manipulates workers into compromising their own computers or otherwise letting the intruder in, and then abuses those workers' privileges to gain access to the servers.
Many high-profile hacks have been carried out this way. Social Engineering takes numerous forms (phishing, spear-phishing, shoulder surfing, etc.), but the theme is always the same: catching unaware workers off guard and exploiting their lack of InfoSec knowledge. In many cases it is done in person, as shown in the video below.
Anatomy of a social engineering attack. Courtesy: Enterprise Risk Management
3 – Insecure Coding Practices / Vulnerable Applications
Secure application development also plays a big part in containing Identity Theft. Developers with poor security awareness can create exploitable applications that offer little or no resistance to attack; the resulting class of weakness is known in security circles as Privacy Violation. Three common forms of Privacy Violation arise from the following development errors:
- Unprotected storage of user data.
Most privacy violations occur when passwords, login details and personal information used by the application are stored in plain text. If the store is leaked, copied or read through an injection flaw, every record is immediately usable. Passwords should only ever be stored as salted, slow hashes, and other PII should be encrypted at rest or not collected at all.
- Misplaced trust and unsafe handling of sensitive information.
This aspect is often overlooked by developers, who tend to trust the operating environment in which the program runs. Even restricted areas such as file systems and registries are not safe, because the other authorized users and processes on the same machine cannot be trusted unconditionally: a file written with default permissions or a registry key readable by every account becomes a collection point for PII.
- Display of sensitive data on end-devices.
Sensitive information displayed on end-devices such as mobile phone screens and computer monitors can be harvested by attackers using screen-capture tools, and data sent to that screen over an unencrypted connection can be picked up by network sniffers. Display only what the task needs and mask the rest, for example the last four digits of a card number or Social Security number.
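The three development errors above, each shown as an insecure snippet next to a hardened one. This is an added example written for this page, not code from the original article or from any scanner vendor; the function names, the PBKDF2 iteration count and the masking patterns are illustrative choices.

```python
import hashlib
import hmac
import os
import re

# --- 1. Unprotected storage: plaintext vs. salted, iterated hash -------------

# Insecure: this is the record that ends up in the user table or file. Anyone who
# can read the store (backup, SQL injection, leaked dump) gets every password.
def store_password_insecure(username: str, password: str) -> dict:
    return {"user": username, "password": password}

# Hardened: keep only a random salt and a PBKDF2-HMAC-SHA256 digest. The
# iteration count is an illustrative choice for this example, not a value
# taken from the article.
PBKDF2_ITERATIONS = 600_000

def store_password_hashed(username: str, password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}

def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    # Constant-time comparison: a plain == would leak how many leading
    # bytes matched through timing.
    return hmac.compare_digest(digest.hex(), record["hash"])

# --- 2. Misplaced trust in the environment ------------------------------------

# Writing PII to disk with default permissions trusts every local user and
# process. Create the file with mode 0600 and O_EXCL so it is neither
# world-readable nor silently overwriting (or following a symlink to) an
# existing path. Returns the number of bytes written.
def write_private_file(path: str, data: bytes) -> int:
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        return fh.write(data)

# --- 3. Display of sensitive data on end-devices ------------------------------

# Mask identifiers before they reach a screen, a log line or an error message,
# so a screenshot or a captured log does not yield the full value.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b")

def mask_pii(text: str) -> str:
    text = SSN_RE.sub(r"***-**-\3", text)
    text = CARD_RE.sub(r"\1 **** **** \2", text)
    return text

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    rec = store_password_hashed("alice", "hunter2")
    print("stored record:", rec)
    print("login ok:", verify_password(rec, "hunter2"))
    print(mask_pii("customer SSN 123-45-6789 paid with card 4111 1111 1111 1234"))
```

The hashed record contains no field an attacker can replay, two users with the same password get different digests because of the per-user salt, and the masking step is applied at the display boundary rather than at the point of storage, so the full value remains available to the parts of the application that legitimately need it.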
How Does Static Analysis (SAST) Detect Identity Theft Risks?
Static analysis solutions, such as Static Code Analysis (SCA), address the third issue above: the integrity of the application code itself. Scanning source code for potential issues finds vulnerable elements during development, when remediation is quickest and cheapest, so exploiting the application with malicious input becomes much tougher. Static analysis does not, however, address insider abuse or social engineering; those remain people and process problems.
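To make concrete what "scanning the code for potential issues" means, here is a deliberately small static-analysis rule written for this page. It is not the analysis engine of any commercial product: it parses Python source with the standard `ast` module and reports places where a variable whose name suggests sensitive data (password, SSN, card number) flows into a sink such as a database write, a log call or `print` without first passing through a sanitizer. The sample source it scans, the sink names and the sanitizer names are all constructed for the example.

```python
import ast

# Constructed sample of application code that a scan would ingest. It is
# illustrative input only, not code from any real project.
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)

def register(db, username, password, ssn):
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, password, ssn))
    log.info("new user %s ssn=%s", username, ssn)
    print("debug password:", password)

def register_safe(db, username, password, ssn):
    record = hash_password(password)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, record, mask(ssn)))
    log.info("new user %s", username)
'''

# Name fragments that mark a variable as carrying sensitive data, the calls that
# count as sinks (storage, logging, display), and the calls whose output is
# treated as clean. All three lists are assumptions of this toy rule.
SENSITIVE = ("password", "passwd", "secret", "ssn", "credit_card", "card_number")
SINKS = {"print", "execute", "write", "info", "debug", "warning", "error", "send"}
SANITIZERS = {"hash_password", "mask", "encrypt", "pbkdf2_hmac"}

def is_sensitive_name(name: str) -> bool:
    return any(token in name.lower() for token in SENSITIVE)

def _callee_name(call: ast.Call) -> str:
    fn = call.func
    if isinstance(fn, ast.Name):
        return fn.id
    return getattr(fn, "attr", "")

def sensitive_leaves(node: ast.AST):
    """Yield names of sensitive variables that reach `node` without passing
    through a sanitizer call. Looks inside tuples, f-strings, concatenations
    and nested calls, but stops at a sanitizer because its output is clean."""
    if isinstance(node, ast.Name):
        if is_sensitive_name(node.id):
            yield node.id
        return
    if isinstance(node, ast.Call) and _callee_name(node) in SANITIZERS:
        return
    for child in ast.iter_child_nodes(node):
        yield from sensitive_leaves(child)

def scan(source: str) -> list:
    """Return sorted (line, sink, variable) triples for sensitive data reaching a sink.
    This rule only inspects the arguments at each call site; a real engine also
    tracks data flow through assignments and across function boundaries."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        sink = _callee_name(node)
        if sink not in SINKS:
            continue
        for arg in list(node.args) + [kw.value for kw in node.keywords]:
            for var in sensitive_leaves(arg):
                findings.append((node.lineno, sink, var))
    return sorted(findings)

if __name__ == "__main__":
    for line, sink, var in scan(SAMPLE_SOURCE):
        print(f"line {line}: sensitive variable '{var}' reaches sink '{sink}'")
```

Run against the sample, the rule flags the three lines of `register` (plaintext write of the password and SSN, the SSN in a log message, the password on the console) and stays silent on `register_safe`, where the password is hashed and the SSN masked before either reaches a sink. Commercial scanners generalize exactly this idea: sources, sinks and sanitizers are defined per language and framework, and taint is followed through assignments, method calls and files, which is also what makes the standards-based query sets mentioned below possible.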
Scan queries can also be customized to test compliance with the various security standards such as:
- Payment Card Industry Data Security Standard (PCI DSS) – The standard for protecting cardholder data, maintained by the PCI Security Standards Council, which was founded by Visa, MasterCard, Discover, American Express and JCB.
- Health Insurance Portability and Accountability Act (HIPAA) – As mentioned earlier, this US law, through its Privacy and Security Rules, defines how healthcare-related organizations must handle protected health information.
- Motor Industry Software Reliability Association (MISRA) – A set of coding guidelines for the C programming language (with a companion set for C++), aimed at the safety and reliability of embedded software.
- OWASP Top 10 – This list of the most critical web application risks has become one of the most recognized benchmarks in the InfoSec industry, recommended by experts worldwide.
- CWE/SANS Top 25 Most Dangerous Software Errors – A list of the most widespread and critical software errors, grouped into insecure interaction between components, risky resource management and porous defenses.
Identity Theft can be curbed. It can be minimized through good security awareness among IT professionals and improved application code integrity. While regulations aimed at preventing Identity Theft (e.g. the FTC's Red Flags Rule) have improved significantly, application development still has a way to go before it reaches a satisfactory level. Securing your application code has never been more important.
What Identity Theft prevention protocol is your organization currently implementing? Feel free to share your thoughts and experiences in the comments below.