Feb 27

Why the Anthem Breach May Be a Catastrophic Event for US Children

General Cyber Intel
Today’s blog post comes to us courtesy of guest contributor Tim Rohrbaugh, VP of Information Security for Intersections

GettyImages_462386679

In all the noise around the stolen customer data at Anthem Healthcare, many have missed what is now a new and very serious risk to American households: millions of children’s social security numbers have been stolen, and will be used in waves of financial crimes over decades to come.

Anthem Healthcare (and other healthcare providers) believe they needed to collect their customers’ children’s names and Social Security Numbers (SSNs) to verify the beneficiaries of their health plans. If this is absolutely necessary, what Anthem should have done thereafter would be to destroy this sensitive information, which currently only resides in two other places in the world – with the U.S. Social Security Administration (the issuer of the SSNs), and with the Internal Revenue Service (needed for parents to claim tax credits for their dependents).

The massive information security blunder at Anthem, where the SSNs were stored insecurely, has exposed this data to the world’s cyber criminals and brings the risk of financial fraud and identity misuse to US families to a new high.

Why is the Anthem breach a watershed event for children’s identity protection? This is the first major breach of children’s names, SSNs and birth dates, running into the tens of millions of data elements. Second, the information that was stolen, particularly pertaining to children, was directly linked with that of their parents. This link will make it much easier for cyber criminals to perpetrate fraud using the children’s stolen data.

Children, for obvious reasons, do not have established credit files or financial identities. The theft of parent’s data describing their financial identities – full names, SSNs, home addresses and such, directly linked with the full names, SSNs and home addresses of their children, makes for a catastrophic event for the children. Children are essentially more vulnerable to identity misuse because they have no established credit or identity records. Children are, in effect, “off the grid” when it comes to financial information. Add to this that the cyber criminals now have an “on the grid” related record in the parents information, and you have a fatal combination.

Criminals will use the combined parent and children data to create new “Synthetic ID’s”, as termed by the security industry. Synthetic ID’s take information from multiple identities and combine them to create a new fake identity. Why are your children great targets for cyber criminals? They are great targets for cyber criminals wishing to steal money because children do not have any existing and verifiable information with which to refute the Synthetic ID. Children have no established financial records or information that can tell banks and other financial service companies, “Hey, this application or transaction doesn’t look right.” And now for the really bad part: most children won’t even find out that they been victimized until they are an adult and start to establish credit, which could be 18 years later. When they do reach adulthood, they will find that their credit history is scarred beyond recognition, and it will take many months and substantial resources to fix the problem.

Advice For all US Parents

Parents should be vigilant in protecting their children’s SSNs and other personal information. Does the local soccer league really need Joanie’s SSN or birth certificate? The answer is “No”! Parents should be on the lookout for marketing offers (via email or mail) addressed to their children. This is an early warning sign that the child’s identity may already have been stolen by cyber criminals and is in use somewhere in the US. For older children, parents should speak with their children about the breach, explain the risks of sharing too much, and ask for their help in looking out for anything that seems suspicious; calls, texts, social network friend requests.

Parents should seriously consider enrolling their children in a service to monitor their identities. In choosing an identity monitoring service, parents should take care and only choose a service that does not create a credit record for their child in the enrollment process. It is important to note that traditional credit monitoring does not work because a minor is typically unable to be monitored the same as an adult. Creating a credit record is what a cyber criminal will do when creating a Synthetic ID.

It’s a scary world in cyberspace and it just got even scarier for a lot of children in America. We in the U.S. need proper data governance by all which, when applied, properly would challenge the collection and storage of minor’s sensitive PII. And how about requiring all issued SSNs to minors be restricted from certain forms of use in the financial sector? System changes, even if time consuming, could mean a great deal to some.

Guest blogger Tim Rorhbaugh is Vice President of Information Security for Intersections Inc. (NASDAQ: INTX), a leading provider of consumer and corporate identity risk management services.  It is recognized as the preferred partner of major financial institutions in North America, providing custom identity management solutions. Tim currently serves on the board for the Online Trust Alliance where he provides strategic advice from technical and corporate governance prospective with the goal of strengthening the bonds of trust between consumers and concerned businesses, and he has been a featured speaker at many security events. The views and opinions of guest bloggers do not necessarily reflect the views of Cyveillance, Inc.

 

Feb 24

Are Medical Mobile Apps Medical Devices? According to the FDA: Yes.

General Cyber Intel

 

187209893

Modern healthcare has changed dramatically over the past year. In particular, mobile health applications saw an increased adoption rate among smartphone users. Millions of people are now using one or more apps as part of their daily health routine – whether it is tracking workouts or reading notes from a doctor’s office visit. Some apps are less task-oriented and more “Internet of Things”-oriented, helping patients do things like breathe.

Read more

Feb 11

The New Windows 10 Release is Attracting the Attention of Criminals—and Not Why You Might Expect

General Cyber Intel

Among many interesting tidbits in Microsoft’s recent Windows 10 announcement was that it would include two Internet browsers: the classic Internet Explorer, and a new one called Spartan.

Although it’s not that big of news per se, criminals are taking advantage of the media attention that has accompanied the Spartan announcement – not to exploit potential security flaws, although we’re sure that will come soon – but to register domain names associated with it.

Using our proprietary Domain Database tool in our Cyber Threat Center, we found several domain names already registered by non-Microsoft parties, including:

Spartan domains

Although there is no criminal activity associated with these registrations yet, spammers and cybercriminals often register variations of names like this to launch phishing or other online attacks, taking advantage of people who may be curious about new releases.

Did you know? Ongoing domain name registration monitoring can alert you to suspicious or malicious activity that may be associated with your brand.

To find out more about how we can help protect your intellectual property, contact us.

Feb 6

How Can Threat Intelligence Play a Role in PCI 3.0 Compliance?

General Cyber Intel

 

481116575

 

Many of the organizations we work with must comply with the Payment Card Industry Data Security Standards (PCI DSS) in some way, shape, or form to help safeguard cardholder information. Since the PCI Security Standards Council recently released a new version, PCI 3.0, which took effect January 1, we thought it was a good time to examine how threat intelligence can factor into your PCI compliance program.

For starters, let’s quickly define what we mean by threat intelligence, since this term is bandied about for a wide range of things that may or may not be “intelligence.” Our definition, which we’ve discussed at length in some of our recent whitepapers and webinars, is that whether data is transformed, distilled, or otherwise turned into usable intelligence by software or human intellect, the output must be relevant, actionable, and valuable to your organization.

Read more

Jan 26

Welcome to 2015: Encryption is Not an Option! An Interview with Ivan Ristic

General Cyber Intel

If last year felt like a wild ride in terms of security, you were not alone. Good news though: by encrypting traffic from your organization’s websites, you’ll go a long way in making your users safer with little cost.

We invited security researcher, engineer, and author Ivan Ristic to answer some questions about the business imperative of encryption by default. Ivan is the Director of Application Security Research at Qualys.

Ivan is a not just an expert in online security but a leader in making the web a safer place, as you’ll find in this conversation between Ivan and Cyveillance Chief Scientist Caleb Queern.

ivan-ristic

Read more