Thursday, March 13, 2014

Cyber attacks and you

Jester asked a question that deserves an in-depth answer.
However would these events, particularly with personal credit databases being hacked from one of the big three start to destroy nearly all personal credit, or at least make it so that credit history is less important to the average smuck? I'm sure it would be more work to go in and have your history "Scrubbed" but if it seems to be so easy to switch credit history, or just plain go to any creditor that "Yeah, my credit has been hacked so many times now that no one knows what is going on anymore..."

In other words, if your credit history is now suspect no matter what, or if you have suspect history you can pass it off as "Hacked" would this not really start to shake up how credit is weighed, measured and balanced for risks? Not that I feel credit damage is not too easy to accomplish anyway but I digress...
Paraphrasing, could the Bad Guys destroy the credit system, or discredit it to the point where it doesn't matter to Joe Everyman?  The short answer is that the Bad Guys wouldn't want to destroy it. They exist as parasites, and killing the credit system would kill the host body that supports them.

It's possible that there are some people who would like to kill the credit system. These are almost certainly fringe States (North Korea, I'm looking at you) or terror organizations. It's unlikely in the extreme that any of these possess the capacity to do this. You need hacking skills (which they probably have), but more importantly you need a deep understanding of how the credit systems operate: IT systems, fraud detection systems, national interconnects - and especially what weak points could be exploited to lead to a cascading series of failures (which is really what you need to collapse the system).

Certainly some people know these things. They're all very well paid indeed, which is the third problem for the Bad Guys: they don't have the resources that they'd need to win.

Which brings us to the second half of this post: since the system is resilient against hacking at the macro level, is it similarly resistant on the micro level?  In other words, to Joe Everyman?

No. A million times no.

The problem here isn't that Gyorgi from Bellorus hacks Big Box Realtor and gets your credit card. The fraud detection systems are quite good, loss is spread around (bank and retailer both lose here) but this is simply a cost of doing business and is factored into the quarterly earnings reports and 10K's. Unless Gyorgi wants to kill the host, but we just saw that he doesn't.

No, the problem is at a very personal level, and is quite insidious. The problem is called Resource Poisoning.

Suppose someone really hated you, hated you and had a grudge. Suppose they also had Giorgi's h4X0Rz skillz. What could they do by planting false data about you in important databases?

For 20 years there's been a saying around the security water cooler: to give someone a bad day, hack the National Crime Information System and put out an All Points Bulletin, armed and dangerous.

That would be a bad day for someone.

If someone wanted to target an individual, the bar is a lot lower. You only need to find one open system. A bogus felony conviction will probably lead to job loss, and make getting another one difficult or impossible. Most annoyingly, this might not be discovered until years later, meaning that the chances of the Bad Guy getting caught would be very low.

The movie The Net actually covered this situation very well. Considering that it dates to the early '90s, that is holding up pretty well. The scene where Sandra Bullock's mentor dies from a modified hospital medication order is based on something that already happened.

And the scene in Homeland where Damien Lewis kills the Vice President by making his pacemaker go nuts is, as the Mythbusters would say, "plausible". I don't worry about the macro level attacks. They're implausibly difficult. The micro level attacks - aye, there's the rub. We're surrounded by soft targets.

And so Jester's question is technically plausible: Resource Poisoning is likely doable by a lot of Bad Guys targeting individual Good Guys.  But more to the point, is the argument of Resource Poisoning likely to help Joe Everyman dispute something with the Credit Card Company?  Probably not.  It's David vs. Goliath there, and Goliath's Call Center people don't know how to spell "Resource Poisoning".  


Old NFO said...

It''s a question of time until the resource poisoning becomes a hacker for hire situation... You want to destroy Mr. C, you pay hacker X $$ and he makes it happen...

Will Brown said...

Once it becomes a "business", Goliath Call Center learns how to spell Resource Poisoning from the relevant mention of its contributing offenses on the NCIS.

Make sure your lawyer knows to include that little gem in your subsequent claim for damages against Goliath. That probably won't "solve" your problem, but it ought to make recovering from it more financially bearable eventually.

Jester said...

First off, thank you for the detailed explanation and answer to the question I raised.

The answers don't really surprise me though, but it is nice to have it explained by someone that has more security knowledge than I do.

I think to perhaps take this just a bit further more to the effect of personal Joe Smuck's credit history, I feel that or at least I wonder if sometime in the mid to near mid future (Say a few years..)
that the way credit is reported or perhaps weighed may start to adapt or change because of how easy it is to verify bad history/good history or how easy it is to damage it? Coming from a divorce where I had many surprises coming out of it financially I can assure you that the simplest of things will show up that you have no clue on. I can also assure you that people make mistakes (For example my father's name and mine are similar, try explaining that you want to pay a hospital bill, but the hospital can't get you a bill or the account because they have you confused. Then they just send it to collection while you are still requesting itemized bills, a bill to be delivered to the correct address and so on and so forth..) Yes I know the things you can do to contest bills or bad reporting but the problem is as you mentioned Borepatch, is it is -so- easy for something to show up there on your credit report alone. And the big three credit reporting agencies have it set up this way. It pays for them to do so, because we as the end user have to pay to access it at some point, and things from Banks, Insurance companies, hiring officials, education offices, landlords and many other things you need in a day to day life use your credit report against you. Is there in anyone's mind a change happening where it becomes easier to contest errors? Is there going to be a change to adapt that perhaps not everything ends up on a credit report? The way I understand the credit reporting industry, collections as well as the over all security of it leads me to think that the system is due for a major overhaul or at least an attitude change. Is it going to be a few high profile credit cases that may cause a change in the system that allows users or the Joe Smuck to protect himself? What would be the way one could do that?

It is insidiously easy to have something show up on your credit as it is, let alone if someone knows what they are doing infecting the system. So I'll pose this, is this going to be a big issue that would cause ripple effects that weaken how credit is weighed or is this going to be fixed when enough issues make the news that it makes people question the current credit weight system on a much more serious level?

(Posed for both answers and a discussion.)