Your Personal Data is Already Stolen

In an excellent blog post, Brian Krebs makes clear something I have been saying for a while:

    Likewise for individuals, it pays to accept two unfortunate and harsh realities:

    Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren't, including your credit card information, Social Security number, mother's maiden name, date of birth, address, previous addresses, phone number, and yes, even your credit file.

    Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold, usually through no fault of your own. And if you're an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

    [...]

    Once you've owned both of these realities, you realize that expecting another company to safeguard your security is a fool's errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne'er-do-wells from abusing access to said data.

His advice is good.

Posted on December 6, 2018 at 7:33 AM • 38 Comments

Comments

Clive Robinson • December 6, 2018 8:37 AM

@ Bruce,

Brian is slightly wrong on one thing,

    your recourse to do anything about that when it does happen is limited or nil.

Whilst there are some supposedly "limited" things you can do, the credit and banking industries have conspired to make them worse than "nil". That is, doing them has a negative impact on the individual, thus they are "on average" better off not doing anything to protect themselves such as freezing their credit.

The old advice when faced with a "rigged game" is not to play, but when it is the only game, you might not have the choice...

That is, to be able to earn a living almost invariably means having a bank account. To have a bank account usually means you are "creditworthy". Perversely, to be creditworthy you have to have been in debt regularly, thus you have to pay the credit and banking industries table stakes as a minimum.

Thus the prudent behaviour of never getting into debt counts against you as well...

I actually wanted to open a new bank account recently due to the closure of my local branch office. I went to another well known "high st" bank and on asking about opening an account I found I was not allowed to because I did not have direct debits, credit / loans or overdrafts... The message is clear: I'm not "profitable" enough...

Thankfully for some there is UK legislation that forces "Basic Bank Accounts" to be available, but these quite adversely affect your credit rating...

So my choices are stick with a bank that is of less and less use to me, get into debt and pay the price of it, or get treated like a modern day leper...

vas pup • December 6, 2018 8:56 AM

@Clive: I agree with your point 100% out of my personal experience:

    "The old advice when faced with a "rigged game" is not to play, but when it is the only game, you might not have the choice..."

The absence of any reasonable choice is created by the Legislative branch of government, which pretends to care about the average Jane/Joe's needs with lip service only, just before elections, and then does nothing.

Fortunately, in the US the CFPB (Consumer Financial Protection Bureau) was created, which is supposed to counterbalance the power of the big financial sharks in favor of the average citizen. The new administration tries to undercut the authority of the CFPB by any means (unfortunately).

    "your recourse to do anything about that when it does happen is limited or nil."

Yeah, if you are an average guy. Many years ago the powerful private data broker Choice Point was fined about $15 million (the amount is to the best of my memory) because a huge leak of personal information directly affected some powerful Federal Legislators.

Time and again, they will do NOTHING (nil) to change the status quo until personally affected. A bitter observation.

Winter • December 6, 2018 8:58 AM

"Thus the prudent behaviour of never getting into debt counts against you as well..."

For which countries does this hold?

I live in the Netherlands. I know that you can get a bank account, CC, personal loan, and mortgage without ever having been in debt. And even those with a CC almost always pay off any outstanding dues at the end of each month.

Markus • December 6, 2018 9:45 AM

I kinda disagree with Brian and Bruce about planting the flag. My own strategy has been to keep my attack surface as small as possible, and that means the fewer things in my real name, the better. For example, I am going on ten years since my ISP has had my real name or physical address. I buy most things off the internet with a prepaid gift card and have it sent to an Amazon locker or USPS general delivery, and not to my home. Maybe that is too hardcore for most people, but I don't like Brian's idea that the best answer to hacking is to spread even more personal data around.

bill • December 6, 2018 10:11 AM

@markus: It's the same data that is already out there. "Planting your flag" is distributing it more places, but as long as you use very strong, unique passwords, it makes some sense.

As part of this project, I am looking at U2F type USB devices. Has anyone worked with them, and specifically the OnlyKey which requires PIN to unlock before use? It claims to also support OTP, SSH keys, etc.

David Allen Wilson • December 6, 2018 11:02 AM

> doing everything you can

Like what, rejecting the Evils of Technology? Growing a beard, riding a horse, and milking my own cow?

Yeah, that's been done before, but I /kinda like/ my laptop, visa card, and smoothie.

maus • December 6, 2018 11:24 AM

    Perversely to be creditworthy you have to have been in debt regularly, thus you have to pay the credit and banking industries table stakes as a minimum.

    Thus the prudent behaviour of never getting into debt counts against you as well...

    I actually wanted to open a new bank account recently due to the closure of my local branch office. I went to another well known "high st" bank and on asking about opening an account I found I was not allowed to because I did not have direct debits, credit / loans or overdrafts... The message is clear I'm not "profitable" enough...

    Thankfully for some there is UK legislation that forces "Basic Bank Accounts" to be available, but these quite adversely affect your credit rating...

    So my choices are stick with a bank that is of less and less use to me, get into debt and pay the price of it, or get treated like a modern day leper...

You don't need a credit history to open a bank account (the first one you had is self-evident), so just go to another bank.

Petre Peter • December 6, 2018 12:28 PM

@Steve
I exist in a cell because I don't exist without a cell phone. The only way out of our universal captivity is the mystery: what if existence is exile and nothingness is home?

Tony • December 6, 2018 12:31 PM

If my identity is stolen and the thieves open credit lines with my SSN, my plan is to get a lawyer to write to the foolish companies that opened the accounts pointing out all the times my SSN has been stolen and let them know the account is their problem not mine.

[I have almost zero expectations that this will work]

Clive Robinson • December 6, 2018 12:44 PM

@ maus, Bob, Winter,

    You don't need a credit history to open a bank account (the first one you had is self-evident), so just go to another bank.

I've had quite a few bank accounts in my time for various reasons and, as you note, never had a problem opening one, until now...

The real problem is that in the UK bank branches are closing all over the place. As I will not do "online banking", because I'm not that stupid, it also counts against me. Also I happen to prefer using a bank branch for as much as I can, like taking out money (I'm a cash buyer), and writing cheques for the likes of utilities, not using direct debits.

Whilst I'm aware this makes me a bit of a fossil, in the UK it is the "minimum risk" strategy. Which is what I prefer, having once suffered ID theft that was due to a temporary employer with a very lax HR Dept...

My local town has much of what I need and is a little light exercise away, thus my preferred destination for shopping etc. Unfortunately though it has had most bank branches close down, including the one I'm with. The choice of bank branches in my town is now very very limited (i.e. the one I got turned down at).

I could go to the closest "Market Town" but that involves needless expense which is in effect yet another "table stakes" tax (apparently Luxembourg has decided to make public transport free from next summer[1] and Hasselt in Belgium has been free since 1997).

That said, I have asked at other financial institutions and they want you to take out accounts that have monthly charges for things I have absolutely no use for, and you have to have at least two direct debits etc AND "must do Online Banking", so more "table stakes" and stupidity for the Smartphone generation. As for a cheque book... I'm not even sure the young lady I spoke to in one had ever seen one...

The UK now has many "no bank" areas larger than major cities and it is getting worse. However there is some madness in the system, I know of two larger towns where several banks have more than one branch...

[1] https://www.theguardian.com/world/2018/dec/05/luxembourg-to-become-first-country-to-make-all-public-transport-free

Nope • December 6, 2018 1:11 PM

"The UK now has many "no bank" areas larger than major cities"

BS, for actual values of "major"

JonKnowsNothing • December 6, 2018 1:33 PM

@Bob, Winter, Clive, All

This is in part the hubris of those who haven't been that far down the path of life yet.

There are millions of people that cannot open bank accounts. We often refer to them as Homeless and pretend they are not human beings as they cannot open bank accounts. There are billions of people living in poverty, and a good deal of them live in the wealthiest nations, and they cannot open bank accounts either. There is also a large contingent of people that live where there are no services like banks, medical care or the latest fad in supermarkets; these people cannot open bank accounts either.

There is also another unmentionable group of people that used to have such services and now no longer have them, not because they do not want them but because they have been priced out of the services and can no longer afford the latest in technology in order to connect with the latest data harvesting version of the web site or software program. This segment is often viewed with contempt because the millions of people who cannot upgrade mean that millions of machines remain forever vulnerable until such time as these machines no longer work at all.

It doesn't surprise me that such hubris exists, it only surprises me that it took me this long along my life path to have fallen off the high tech roadway to .... where was it we were going???

You don't have to be a fossil or a luddite to not have a bank account but the best thing is: you cannot be tracked easily.

Except in the cases of governments tying benefits to having bank accounts for direct deposit and reloadable debit cards for less than basic needs food assistance. It gives credibility to the stats that indicate "not as many using the services" but it doesn't mean people aren't hungry, cold, homeless, sick or sans-funds.

You can see them on nearly any street and any city... if you choose to look.

VRK • December 6, 2018 1:44 PM

Perhaps the "far more sense to focus instead on doing everything you can" to sidestep this problem really DOES mean "growing a beard, riding a horse, and milking my own cow" if that also eventually means I need not "receive a mark" / barcode on my body so I can buy razor blades, gas, and groceries.

MarkH • December 6, 2018 2:47 PM

"Why, you never expected justice from a company, did you? they have neither a soul to lose, nor a body to kick."

Rev. Sydney Smith

Bob • December 6, 2018 3:15 PM

@Markus

The attack surface is already there. Either you protect it by planting the flag, or you leave it open. Leaving it open doesn't remove the attack surface. It just leaves it undefended.

Clive Robinson • December 6, 2018 4:04 PM

@ Nope,

New handle?

    BS, for actual values of "major"

Ever done geography or studied a map of the UK?

Thought not, have a look at one and you might learn something...

Clive Robinson • December 6, 2018 6:31 PM

@ JonKnowsNothing,

    This is in part the hubris of those who haven't been that far down the path of life yet.

Unfortunately I'm only too aware of what homelessness does to people, which is why I made the point of,

    That is to be able to earn a living almost invariably means having a bank account.

A lot of things are said about the homeless, in newspapers and the like, much of it wrong. Back when "Mad" Maggie Thatcher was the UK PM famed for her,

    A man who, beyond the age of 26, finds himself on a bus can count himself as a failure.

denigration of many, she also very deliberately tried to introduce legislation to make homelessness a permanent state for many and also to deny them any benefits as a consequence of the process, so condemning them to death by penury.

Then as now the three main groups of homeless are ex-military, ex-care, and men over fifty. Rapidly rising though are those that are virtually homeless. These are those forced into the care system and as part of that they get forced miles if not hundreds of miles away from where they currently are. Often to accommodation it would be illegal to keep animals in. They are then forced into a process that would challenge the well educated with their own transport and sat nav, and should they fall at any point, the whole thing starts again in some other godforsaken place where poverty is not just a statistic but a grimy sick reality and a short uneducated life a reward for not running hard enough in the Red Queen's race.

This is unfortunately the reality of many places within the world's fourth or fifth[1] largest economy.

As for living on the streets, the statistics make grim reading, where crime is the only form of survival for many and self harm so common even hospital A&E departments "patch em up and boot em out" as there are now no psychiatric beds, due we are told to the need for "austerity", whilst the very rich get further tax breaks... The figures for suicides of those on the streets are unknown because of the way things are --not-- recorded... Likewise the deaths by suicide of those on benefits that have been quite deliberately and illegally suspended.

The current UK political incumbents have at least given up spouting the nonsense of the "trickle down effect", "big society", "Hug a hoodie" and the other pukeworthy sound bites. However they are still upping the persecution of the disabled, even those who are ex-military with very severe, dangerous and unstable mental conditions...

The one thing you can be certain of without any doubt is that such behaviour to the poorest and most disadvantaged in the UK is a very deliberate policy of not just the elected politicians but much of the unelected government as well, where the "promotion and bonus culture" pushes many civil servants to do what they know is not just unethical or wrong but actually illegal.

Next year will be the 50th anniversary of Ralph McTell's song "Streets of London"[2]; it describes just a tiny fraction of the deprivation to be found there. It is now if anything worse than then, as the places it could be hidden have been destroyed to create property for the world's dictators, tyrants, terrorists and worse to invest in. Due to this it is no longer a "property ladder" but a "tightrope" that few will now ever be able to cross or even place a single step on.

It's a not so well kept secret that the London Ambulance Service has considerably more than half its emergency responders living further away than the Channel at Dover, which is "the last land stop before France", because they cannot on their income live any closer... Likewise teachers, nurses, doctors and the service personnel and cleaners they are dependent on for a safe working environment...

With regards,

    You can see them on nearly any street and any city... if you chose to look.

And in the woods just down the road from where I live, oh and in the garage of a nearby house where the "landlord" owner who "lives abroad" has not rented the house for a couple of years for some reason... Just last year a homeless man burned to death in a disused office block a short walk down the main road, that was waiting to be turned into ~200 £15,000/year bedrooms for students... Yup, almost anywhere you care to look. Oh, and those students will probably be between £50,000 and £75,000 in debt with not much chance of earning more than £26,000/year, if they can get a job at all... Welcome to the "Disunited Serfdom of contemptible Britannia".

So hubris no, sadness yes, a desire to change things definitely. As the old saying has it "Charity begins at home", but I doubt there is enough charity in the UK to undo even a fraction of the harm the last three governments have done...

[1] Depends on who's compiling the figures, but fifth is now the most likely, if not sixth with the Brexit nonsense.

[2] Ralph McTell recorded it for his 1969 album Spiral Staircase, and released it as a single five years later. He later said it was originally going to be about Amsterdam or Paris, but London was more appropriate.

Wael • December 6, 2018 9:28 PM

    Your Personal Data is Already Stolen

Yea! What's all the fuss about then! Leave your weak password unchanged forever. I mean, what's an extra line on a zebra or an extra patch on a leopard. Why protect something that's already stolen? In fact, you no longer own it. Protecting it basically aids the 'thief'. I guess -:)

JonKnowsNothing • December 6, 2018 10:26 PM

@Wael, All

    Why protect something that's already stolen? In fact, you no longer own it.

This is actually a very interesting situation. For a very long time FB/M$/Amz + the 5EYES and Their Ilk have been harvesting data and building ginormous databases with horrendous error rates, and generically "we" have zero recourse because we (did/did not) give consent to the harvesting (depending on who's doing the reaping).

Consent meaning, not a lot, except by partaking of "the modern world" like buying a loaf of bread ... we granted the data to anyone able to pick it up electronically (the Good the Bad and the Can-It-Get-Any-Worse-Ugly).

So why are "We" supposed to protect what is no longer ours? Where's the benefit? Of course preventing getting ripped off every which way is the proposed benefit but is it really?

But who REALLY benefits? The owners of the databases are the beneficiaries, because their data is only as good as the error rate, and it's bad now, and it's about to get a lot worse. Especially when all the AI Flakes start trying to make sense of Bad Data.

But even so, once tagged you cannot "correct" anything. There's nothing to protect because you cannot repair the damage. Anyone ever dealing with a credit reporting anomaly can tell you, it comes back over and over and over again. It is never fixed.

So, one way to crap up the system a bit more is to actually pollute the databases. Since they are doing an excellent job of crapping up their own systems without any assistance from the "We", it is perhaps a good point to Not Bother About It.

Rach El • December 7, 2018 12:41 AM

Who are these strange people that think they know more about Clive's personal circumstances than he does?


https://www.forbes.com/sites/niallmccarthy/2018/06/08/1-7-billion-adults-worldwide-do-not-have-access-to-a-bank-account-infographic/#4b39fe24b011

This is Forbes but not paywalled. 1.7 billion adults worldwide without a bank account. The number is probably high IMO.

Being charged a fee to maintain a personal account is criminal. Banks profit by virtue of your money being stored with them.

Wael • December 7, 2018 1:55 AM

@JonKnowsNothing,

    building ginormous databases

Genomerous is more precise!

    it is perhaps a good point to Not Bother About It.

We are the product; the "goods". Ever seen a product complain that its list of ingredients invades its privacy?

Winter • December 7, 2018 3:42 AM

"1.7 billion adults worldwide without a bank account. The number is probably high IMO."

The point is that a bank account is quickly becoming a necessity to earn a living everywhere. And if something is a necessity to earn a living, it should be provided.

Some countries do provide bank accounts to everyone, one way or another. And indeed, homeless people do pose problems for any banking system. But these are problems that can and should be solved.

I am not British, but from across the Channel it looks to me that those in charge of the UK do not think poor people are worth caring for. Elections show that that opinion is shared by many British voters. As the proverb states:
People get the government they deserve.

Gerard van Vooren • December 7, 2018 5:05 AM

I thought that this is what the EU is trying to prevent with the GDPR, with HUGE fines for companies that try to "break" their implementations.

65535 • December 7, 2018 5:44 AM

@ Markus

“I don't like Brian's idea that the best answer to hacking is to spread even more personal data around…My own strategy had been to keep my attack surface as small as possible and that means the least amount of things in my real name, the better.”

I agree with the general thrust of your post. Yes, spreading your personal data around probably does more harm than good.

I think if you look at the Social Security number and W2-W3 history, which started around 1945-1946 after the war, you begin to suspect a bit of government spying mixed with a financial Ponzi scheme.

The SSI "money" is supposed to be in a “trust fund” but has no actual actuarial system to make it a real Trust. It is "pay as you go" or borrow as the US Debt grows...which the Social Security “Trust” invests in. Technically, that is like a corporation borrowing from itself which is against accounting rules.

The W2 wage stub cleverly forces a US citizen to reveal his Name, Address, approximate place of birth, his income level, the number of children he has and so on.

This national SSI ID number is looking to be a mistake. It is tied to "Credit rating" agencies who tend to sell this data. This data is now spread far and wide.

If you look at the whole SSI national ID and the credit rating agencies you get a picture of them selling you out to about anybody and expanding the average Jane/Joe's attack surface rapidly, all without the approval of Jane/Joe taxpayer.

Bob quips "The attack surface is already there." Yes, and it was created by the government, credit rating agencies, and cell phone companies, who seek to expand it with every "data breach" and cell phone "port-out".

I will say the cell phone companies who are closely entwined with the credit rating agencies can track US troops and citizens constantly [Troops have family cell phones].

This is a catch-22 where the government, credit rating companies and data harvesters expand the average Jane/Joe for profit and legal fishing expeditions.

The real problem could be with enough data harvesters and sifters to find and track military and LE persons to the danger point.

Troop strength, troop locations, and troop movement are valuable information for unfriendly nation state actors. These unfriendly state actors could eventually predict an import and build to war strength and end run said build up causing a loss of military secrets and even a lost war.

If the above situation happens, US soldiers and citizens could take a beating. The government, credit rating agencies and so on would be to blame. They appear to be the major leakers of data.

This constant data harvesting and data breaches must stop or be greatly curtailed for the good of the average citizen. Doing so will help the average Jane/Joe but hurt the data harvesting players causing a dead-lock. There is a solution but I am not sure what it is.

Clive Robinson • December 7, 2018 8:13 AM

@ 65535,

    There is a solution but I am not sure what it is.

Yes there is...

You might know about jobs that are of "Protected status" come hostilities and emergencies.

What we need is the opposite, call it "first into the breach": that is, there are certain lines of work that are not only socially undesirable, they actually harm society. The late Douglas Adams identified some as passengers for the B-Ark... Such people should be the first into hostilities, compulsorily, as the price they pay for the job they do. They should likewise have extensive compulsory training in the evenings and all weekends and holidays, so that they are "emergency fit" at all times.

Of course, if they decide some other occupation that would benefit society better suits them...

Petre Peter • December 7, 2018 8:19 AM

Confidentiality goes away first; afterwards it will be my property and then potentially my life.

echo • December 7, 2018 9:08 AM

@Clive

Space: 1999 episode "Earthbound" is a cautionary tale for those who would push to the front of the queue using threats and menaces. I had nightmares off Dragon's Domain for years.

Alan F • December 7, 2018 9:39 AM

The advice to freeze your credit accounts and to plant your flag with the SSA is contradictory. It turns out Social Security will not let you create an online account if you have a credit freeze in place.

Markus • December 7, 2018 10:02 AM

@Bob writes, "The attack surface is already there. Either you protect it by planting the flag, or you leave it open. Leaving it open doesn't remove the attack surface. It just leaves it undefended."

Correct. Yet it isn't self-evidently correct that every undefended attack surface needs to be defended. One has to consider the tradeoffs. The advantage of planting a flag is that I get there before the attacker does. But the disadvantage is that I spread my data around to more places. A government website isn't magically more secure than others; look at the OPM hack. Now Bruce and Brian think that this tradeoff is worth it, but I am not so sure.

@Bill writes, "It's the same data that is already out there."

Untrue. Metadata kills and the metadata gained from the websites themselves could be valuable data in some circumstances.

Marlon • December 7, 2018 2:23 PM

"focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne'er-do-wells from abusing access to said data"

Which leaves ppl with *which* proactive options exactly? Lie about your details on everything from shopping sites to government?

Bob • December 7, 2018 3:08 PM

@Markus

It doesn't need to be "more secure." The data you're using to plant the flag is already available on the dark web for a few cents unless you've literally lived your entire life in a cave. They're not going to get anything new from breaching the website. I'm not even sure what information you're concerned about anyone gleaning from a five-minute visit to the SSA website. You're kind of going into tinfoil territory in the most ineffective way possible.

echo • December 8, 2018 5:47 PM

@Markus

Authority tends to listen to authority. If the system says "X", all the obedient box tickers perform accordingly. "Planting a flag" just makes sure that the box which is supposed to say "X" actually does say "X". Most systems of this type may be hackable so a criminal can obtain a data dump, but are mostly not editable. If a criminal gets there first there are reporting mechanisms. While not impossible, it's unlikely a criminal would pass "deep vetting" of the kind even basic law enforcement can conduct. A real human being has a big footprint and far too many real world connections to easily fake.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.