The massive Russian hack/data breach

I'm afraid I can't side with the Luddites on this one.

Our whole financial system is based on trust. Any assets in a financial institution exist only as ones and zeros in a computer somewhere. Even a pile of cash is only as valuable as society says it is.

So where do you draw the line? I protect my account information using the current best practices. I take steps to limit my exposure to any single hack.

But in the end, the kind of massive back-end attack we're talking about here is not a risk I can - or really need to - mitigate. If something like this were to hit a major bank where I had an account, I certainly wouldn't be alone. The bank, the banking industry and the government all have a stake in maintaining society's trust. I don't think I'd simply wake up to a zero balance one day, with no recourse.

I do everything almost exclusively on line. I'm having a hard time coming up with any scenario where this would be a bad idea, short of total breakdown of our society. At which point I'd have bigger things to worry about.
I pretty much agree with this, except that I do not tempt fate by using my phone or my tablet for any financial activities and certainly do not load financial institutions' apps. Phones and tablets can be lost or stolen. Home computers also, but the risk is smaller so I limit my financial activities to my home office. My passwords are never recorded anywhere and certainly not in a honey pot called a "password manager." Finally, I have Schwab's sweeping guarantee that they will cover me if any account gets compromised.
 
Staying offline probably is not going to make much difference in these server-side breaches.


You might be a little safer if you don't link accounts/don't enable transfers, but, as always, a trade-off between security and convenience.
And one could argue that if you have on-line access, you can monitor the account on a more timely basis and find issues early. You can also get notifications of activity on many accounts, which could help find the server-side impact early.

For example, it is like a credit card hack. Most hacks don't occur from YOUR online activity. Yet, setting up notification alerts allows you to see the problem early. I know when my credit card got compromised, it was helpful to pull up my account when I called them. I could see the string of fraudulent transactions and I could talk with the representative about them without confusion or just listening to her naming them. That early intervention helped clear the problem immediately, instead of having to wait and do an affidavit* later, as I had to on transactions found weeks later in the old days.

* - OK, not a true affidavit, but some statement I had to sign in blood saying "I didn't do this!"
 
I haven't read this thread top to bottom. I have shunned doing anything financially over the internet. There will always be holes that can be exploited. I just can't understand why companies push people to open themselves to vulnerabilities when the potential loss can be so devastating.
Do you understand it doesn't matter what you do? Your provider has an open door so your accounts are exposed to about the same risk as if you were on 24x7x365.

Companies push to use internet because the majority of people demand it. Having worked on securing transactions for internet exposure, it's not difficult or very challenging; however, there's discipline and processes that must be enforced.
 
Do you understand it doesn't matter what you do? Your provider has an open door so your accounts are exposed to about the same risk as if you were on 24x7x365.

Thank you. My point exactly.

I'm still waiting to hear exactly how using on-line options puts me at greater risk than doing things the old-fashioned way.

In fact, I'd argue that it's far safer. I've had deposits lost and I've had checks stolen. I've even had a teller make a typo entering my transaction. And the whole idea of only being able to see my account activity once a month seems so primitive - and risky!
 
My personal information has been out in the wild for years. The release of that information had nothing to do with me selecting a weak password, being careless with my ID and password, or any of the other things I have control over.

It was caused by an insurance company that kept the information in plain text format and allowed criminals to snoop around in their computer system for months before being detected.

While I agree we should all develop good security habits when online, I am peeved that most large companies get away with this, and have been so successful with fobbing off the responsibility on their customers who have no control of how their information is stored. It's shameful.
 
All that is good advice, but I think the point was that we can't assume that other people are providing adequate protection for the data they collect from us and in some cases we can't refuse to provide it.

When I was working, I was required to give my personal information to OPM, and it was stolen by China.

I am required to give my personal information to the IRS every year, and it may have been stolen by someone who may or may not be Russia.

SSA has my personal information, state agencies like the DMV, county agencies like vital records and the tax assessor's office and the registrar of voters, etc. It's likely that every one of these agencies uses SolarWinds and installed the malware versions of their software. I'm sure they weren't all targeted and hacked, but there's no way that I can protect any of the data they have on me.

Around 140 million of us had our personal data stolen from Equifax a few years ago. Not to mention business hacks stealing credit card info for years. What's a mystery is why any of us have any faith that our data or money is safe with anyone. I await the day when I log on to a retirement account and find it empty.
 
Around 140 million of us had our personal data stolen from Equifax a few years ago. Not to mention business hacks stealing credit card info for years. What's a mystery is why any of us have any faith that our data or money is safe with anyone. I await the day when I log on to a retirement account and find it empty.
A scary thought as we finish up an awful year. But you're right. I fear the day one of our accounts has been drained with no recourse for recovering the lost funds.
 
A scary thought as we finish up an awful year. But you're right. I fear the day one of our accounts has been drained with no recourse for recovering the lost funds.
It's really just bits somewhere that were turned off, technically they could be turned back on.
 
A scary thought as we finish up an awful year. But you're right. I fear the day one of our accounts has been drained with no recourse for recovering the lost funds.

I'm fairly sure most of the major investment firms cover any losses from your account due to unauthorized activity.
 
Do you understand it doesn't matter what you do? Your provider has an open door so your accounts are exposed to about the same risk as if you were on 24x7x365.

If you measure potential threats, the risk is at least doubled when you use online access. See below. Of course the picture is much more complicated.
 

Attachment: Capture.PNG

I've been in cyber security for the past 15 years, double that if you count hobbyist use of rudimentary antivirus tools (anyone remember F-PROT?). However, I'm not a cyber security professional; rather I've been more on the policy and standards side during my time in the industry. The evolution of cyber security technology has been significant since the early days, but the weakest link has always been in the chair (hence the acronym PICNIC - problem in chair, not in computer aka an id10t error). These days, that weakest link is in lower tiers of the supply chain, particularly if the supplier is located overseas.
 
If you measure potential threats, the risk is at least doubled when you use online access. See below. Of course the picture is much more complicated.

Very much more complicated. I've yet to hear any specifics as to how on-line transactions increase my risk. Like, what exactly constitutes the "threat" hypothesized in the diagram?

Of course a lot depends on the person. If you create weak passwords, share them with others, post them or save them somewhere obvious, then another individual may take advantage of you. But that's not what this thread is about. We're talking back-end hacks, which you have no control over.

I'll also add that at the individual level, it's far more likely that someone will simply provide their account information to a phone scammer. Which of course would have nothing to do with whether or not they made legitimate online transactions.

I've been in cyber security for the past 15 years, double that if you count hobbyist use of rudimentary antivirus tools (anyone remember F-PROT?). However, I'm not a cyber security professional; rather I've been more on the policy and standards side during my time in the industry. The evolution of cyber security technology has been significant since the early days, but the weakest link has always been in the chair (hence the acronym PICNIC - problem in chair, not in computer aka an id10t error). These days, that weakest link is in lower tiers of the supply chain, particularly if the supplier is located overseas.

Yes, I remember F-PROT. And I've done first-, second- and third-level user support. You'll get no argument from me about the damage a clueless user can inflict.

But again, we're talking big picture. Assuming I'm not handing out my information to scammers, the risk isn't coming from MY chair. Maybe some low-level employee at the financial institution or one of their contractors, but that's not something *I* have control over. Nor is it something that *I* will be held accountable for. If it's their mistake, they will take the loss. Anything short of that would undermine our entire financial system.

I remain unconvinced that I'm increasing my risk by using online transactions.
 
If you measure potential threats, the risk is at least doubled when you use online access. See below. Of course the picture is much more complicated.

Very much more complicated. I've yet to hear any specifics as to how on-line transactions increase my risk. Like, what exactly constitutes the "threat" hypothesized in the diagram?

Of course a lot depends on the person. If you create weak passwords, share them with others, post them or save them somewhere obvious, then another individual may take advantage of you. But that's not what this thread is about. We're talking back-end hacks, which you have no control over.

I'll also add that at the individual level, it's far more likely that someone will simply provide their account information to a phone scammer. Which of course would have nothing to do with whether or not they made legitimate online transactions.



Yes, I remember F-PROT. And I've done first-, second- and third-level user support. You'll get no argument from me about the damage a clueless user can inflict.

But again, we're talking big picture. Assuming I'm not handing out my information to scammers, the risk isn't coming from MY chair. Maybe some low-level employee at the financial institution or one of their contractors, but that's not something *I* have control over. Nor is it something that *I* will be held accountable for. If it's their mistake, they will take the loss. Anything short of that would undermine our entire financial system.

I remain unconvinced that I'm increasing my risk by using online transactions.
In the diagram in previous post TA stands for Threat Actor. The TA has an ever-improving toolbox which targets the vulnerabilities in a given system. If you need specifics, all known vulnerabilities can be searched at this site:
https://www.cvedetails.com/

That answers your comment which I've bolded and underlined in your reply. BTW you do have control over back-end hacks by hardening your system and using secure practices so that a TA can't ride your connection into the secure enclave. This doesn't eliminate all threats, but I think most will agree that hardening your own system mitigates some threats, and means less potential work for institution security.

G8tr can address your comments to him.
 
What part didn't you understand from the previous post? The hackers DO have the "master key" - while not in the form of an encryption key, it is the access itself to the back-end systems. They got administrator-level access, namely they could open a database containing your account balance info and subtract money from your super precious account. While it may be true that - if proper data security and privacy was put in place - sensitive info like credit card numbers, SSN number, passwords, DOB etc. are encrypted, once one is inside the system, one can still do damage.
It's always nice to get a proper explanation of what someone has posted. I wasn't able to find a source that confirmed SolarWinds master key had been stolen. Of course it would be a juicy target, but nothing proven yet as best I can tell. Of course I'm just a bystander reading technical reports, and have no special sources to tell me otherwise.

In any event, you can be sure the real master key has been changed.
https://www.makeuseof.com/microsoft-reveals-target-solarwinds-cyberattack/

Bollocks! As if one would call M$ Windows 10 a "secure OS" :)
I did not call Windows 10 a secure OS. I did say that it is safer and more secure than Windows 7. Please don't misquote.

Bollocks 2nd time. I, for one, do not wish to give the keys to my house to the "Mr. Password Manager" - no matter how much auditing and open source "transparency" he's showing to me.
It's clear to me that you hold some convictions most here don't subscribe to. Let me end my last post to you in this way. 15 years of working in defense, having access to secure systems, and writing documentation about such leaves me very comfortable with using a password manager. When DS purchased 1Password for family use, I went with it. Who could argue with someone with a security degree, Cisco-certified, and over 10 years experience as security engineer with 2 worldwide companies?

I don't write this to convince you of anything, but wanted to respond one last time to make some clear points.
 
If you measure potential threats, the risk is at least doubled when you use online access. See below. Of course the picture is much more complicated.
The implication in the diagram is that by opening a web account with a business, you expand the attack surface. I think that is true, because now the computer used to access the web account can be a vector.

I found myself imagining the diagram without the account owner computer used to access the web account, and thinking how much better that would be. Then I realized it wasn't quite that easy because an additional risk appears: If the true account owner doesn't initiate the web account, then a threat actor could initiate the web account.

Probably the safest would be to initiate the web account with long random passwords, and don't save the passwords, and never log on. And of course put nonsense also in the backup mechanism (my first grade teacher's name was "Smith", I kid you not). This presumes the bar is equally high for resetting web access as initiating web access (my experience varies).

Because most of us enjoy the convenience of accessing our accounts over the web, nobody likes to hear that they could be "safer" if they did not enable web access, but I think there is some truth to it.
 
Because most of us enjoy the convenience of accessing our accounts over the web, nobody likes to hear that they could be "safer" if they did not enable web access, but I think there is some truth to it.

It probably is slightly better, especially today. But I don't think it was safer 10 years ago. Back then, it was way too easy to open an on-line access to your account with a little knowledge. It was safer to have done it yourself and denied the hacker the opportunity.

It seems like some precautions have been taken to avoid this kind of hack? I hope?

DW opened up her on-line Social Security account access for this reason and then buried it.

10 years ago, I was busy getting on-line access to my father's accounts so I could manage his affairs. It was shockingly easy. I really hope it is harder today.
 