If the hackers are not rookies (which seems unlikely), the break-in at Epsilon is going to dwarf Wikileaks, and every business and ISP needs to be on guard.
A large number of reputable companies relied on Epsilon to handle their emailing lists which have probably been stolen. One of my financial institutions emailed me this morning to let me know they were affected.
While Epsilon did not have account data – account numbers, passwords, social security numbers, they did have 3 important pieces of information – my REAL name, my email address and the fact that I have an account with the “X” company.
That’s a gold mine of information for social engineering… with my name, they can quickly find out my address and my home phone number (if your name is not common)…
So they could call up my ISP and say “Hi, this is [name]… my account at [ISP] is [userid]. I live at [address]. I forgot my password on my email account. Could you reset it?”
So how does an ISP know if this is really me or some hacker from China? The way everyone does verification these days is to use your email account to confirm that your attempt to reset a password is legitimate.
If you can’t trust your email account to not be taken over, then none of your online accounts are secure.
“Solving” this by giving yet more personal information to your ISP (“What was your mother’s maiden name”) just makes you even more vulnerable as you run out of reliable secret information. (Like your brother and sister don’t also know your mother’s maiden name, what street you grew up on, your first dog’s name and your favorite teacher in school?)
This is going to grow big, and may ultimately require everyone to have to carry a SecurID authentication device – oh, that’s also been hacked. Never mind.
The situation is looking bleak out there. I work in Information Security at a large company, and what I’ve learned recently looks very bad.
Take every precaution with your accounts. Don’t access your bank from anywhere other than at home. Also, don’t carry your credit cards unless you plan to purchase something, because they can read your cards just by getting close to you with mobile card readers.
And do you think it will get better when you can swipe your phone to pay a bill (just around the corner)?
It all cascades. The SecurID thing was a big deal. Since people with those cards are generally given a high degree of trust once they authenticate, someone following in their tracks could get access to bigger and bigger things which would let them break into bigger and bigger things.
George W Bush refused to use the internet. Maybe he wasn’t so stupid after all.
I don’t think he was stupid, but I do think he was a tool.
As is Barry Osama. And Reid.
If I wasn’t so optimistic I’d be very depressed.
Very Yogi Berra-ish statement, eh?
I’m not worried (What? Me, afraid?). After the cost of energy and everything it touches reduces my bank account to a pile of cracked corn and some tree bark, I won’t be able to afford those newfangled things — telephones, and computers, and accounts and all. Just hope they don’t close up the culvert I have picked out for winter.
Thanks Barry! Thanks Harry! Thanks Barby! Thanks Mr. Soreass …..