Because many modern security systems rely on users’ personal information, also known as PII, or personally identifiable information, a data breach can potentially weaken your security posture not just in a single context, but in all contexts.
Stefan Frei, Ph.D., research vice president at security research firm NSS Labs , and Bob Walder, NSS Labs' president and chief research officer, address the PII issue in a recent security brief called "Why Your Data Breach is My Problem." They say that each security breach which leaks PII data has a cumulative weakening effect on users’ personal security in aggregate. In other words, when Sony’s PlayStation network suffered a data breach in April 2011 – leaking PII data from some 77 million individuals – users’ loss of personal security was not limited to their use of the PlayStation.
That data, and data from the Target breach in late 2013 and other breaches, feeds into a vast pool of PII data in which the criminal underground horse-trades and aggregates.
With so much PII data floating around, details can easily be cross-correlated, helping criminals quickly put together accurate identity profiles. With just a few pieces of "secret" personal information, thieves can potentially gain access to online accounts and even financial accounts through identity theft.
Two Kinds of PII Data
PII is a broad industry term which encompasses many forms of data which can be used to identify individuals. We can make an important distinction between two types of PII data: static and dynamic.
Dynamic PII data includes details like credit card and bank account numbers, email addresses and passwords. All of these things can be linked to our identity, but in the case of breach they can be changed. The link to our identity can be broken, albeit not without expense of time and sometimes cost.
Fixed PII data, such as date and place of birth or a national ID number such as a U.S. Social Security number, is far more valuable. Even our mother’s maiden name – a commonly used security factor – is permanent information. When breached, this information cannot be taken back, effectively reducing our security posture.
When an online service is hacked, both the service and its users are the losers. For companies, losing customer data is at best a PR nightmare and more than likely, expensive. The massive Target data breach has so far cost the company at least $60 million (before insurance) in direct expenses. The retailer attributed a 5 percent fall in first quarter 2014 revenue to customer decline resulting from the breach.
End users not only suffer an increased risk of being hacked elsewhere – for example, if their breached login credentials were used on multiple sites – but potentially the intangible loss of "secret" fixed PII data.
Consider How You Use PII
The NSS Labs authors suggest treating security compromises not as exceptions, but as expectations. Nobody wants to believe that their security is subpar, but this is the wrong way of looking at reality. Just as everyone eventually gets sick and needs to see a doctor, we now live in a world where data security can never be guaranteed.
Preparing for a data breach can motivate companies to realize they are part of a broader data ecosystem. When another service has been breached, can that leaked data be used against your users? We are, ultimately, all in the same boat.
Anticipating a breach is an instructive way to think about the personal data a service uses. These three strategies help protect PII data:
Salt and hash passwords. Secure one-way password encoding should be a given these days, but hacks like that against LinkedIn remind us otherwise. Properly encoded password hashes should be extremely expensive to decrypt when a breach occurs.
Do not rely on "secret" fixed PII data. We cannot assume that data like Social Security numbers are truly a secret anymore. In fact, if we assume that this kind data for any given individual has quite possibly already been leaked and cannot be changed, it makes for weaker rather than stronger security.
Do not store PII for long periods of time. Again, assume that hackers will eventually acquire some or all of a company’s data. What will they find? Purging personal data which is no longer useful – such as for accounts which have been terminated, or verifications used to establish an account – limits the surface area of exposed data.
Walder notes that companies may find a "mild conflict of interest" between sales and security as collecting PII data may be attractive for marketing purposes. "However," he adds, "more sensitive data, such as SSN, could and should be kept private. Even government websites should not rely on SSN for identification. In France, during initial registration to the online tax system, you are provided with a digital certificate that is used to log on from that point forward. This is much better, since it can easily be revoked and replaced following compromise."
Put Users in Charge
Shifting security data from the service provider to the end user can benefit everyone. For example, consider the common "security questions" tactic, wherein a service asks the user to supply personal information like "favorite color." In an effort to avoid broad or easily guessed questions, many services now ask questions that are so specific and yet so arcane that a user is unlikely to remember even their own answers. "What was the name of your first teddy bear?"
Letting the user define their own security questions increases the likelihood they will use truly personal data which is not publicly documented, and yet is also well-known to them.
Likewise, increasing user activity transparency – such as providing the time and location of last login – gives extra tools to the user to detect intrusions. Even a sophisticated intrusion detection system may not be as effective as the end user saying, "Hey, I wasn’t in China yesterday. Something fishy is going on!"
With so much PII data already leaked, it begs the question of whether the toothpaste is already too far out of the tube. Walder doesn’t think we should give up, however. "With new potential victims purchasing their first computer and signing up for online services on a daily basis, we need to start somewhere. In 10 years' time, we will be glad we made the change."
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet.