Tuesday, October 20, 2015

The T-Mobile Experian Hack: Lessons in Socially Engineered Breach Prevention

Experian, the world's biggest consumer credit monitoring firm, has suffered two major data breaches.

The first breach came shortly after Experian purchased Court Ventures in March 2012. They learned of the breach when the U.S. Secret Service informed them of a problem with their newly acquired company. It was reselling data from a U.S. Info Search database.

A third-party client was engaging in illegal activity. Hieu Minh Ngo posed as a detective to gain physical access to Experian’s network. He took this opportunity to inject his Trojan-Horse malware to access sensitive data. He then sold that data to identity thieves through his online service, Superget.info.

Ngo is now serving a reduced 13-year sentence for cooperating with law enforcement. This breach compromised 200 million personal records.

To give you some context: the U.S. currently has a population of 325 million people.

T-Mobile Breach Discovery

The second breach, the subject of this article, exposed the personal data of 15 million people. Those records came off a server for T-Mobile US Inc. Experian discovered the problem on Sept. 15, 2015.

There are things you never read about in these news reports. There’s a human cost.

Try to imagine the agony the T-Mobile systems admin felt as he or she realized the magnitude of the problem. Someone had accessed a backdoor and used it to inject malware into a server. And worse, that server contained people’s private information.

See the shock registered on the face of the Experian CISO, as he recognized another breach had taken place.

Think of the Experian Board of Directors and the horrible moment they realized their mistake. They never should have rushed the vetting process for the Decisioning Solutions acquisition.

Feel the disgust the T-Mobile Chief Executive felt. He had to explain to customers that Experian’s remedy for this problem was two years of free credit monitoring.

Think about the customer. Maybe it was you, and you now have to work with the three credit reporting agencies any time you want to make a major life move.

Our hearts go out to the victims of these attacks.

It’s easy to point fingers and blame in hindsight, but the fact is that most breaches are never detected.

This one was just painfully high profile.

More Details about the T-Mobile Server Breach

Krebs on Security reports: on December 3, 2013, T-Mobile notified a small group of customers that someone gained unauthorized access to a file stored on servers owned by Experian.

The T-Mobile exposure began September 1, 2013, and lasted until September 16, 2015. Breached information includes:

·    Names
·    Dates of birth
·    Addresses
·    Social Security numbers (SSNs)
·    Other forms of identification

The mobile provider identified Decisioning Solutions as the breached vendor. It’s an identity-proofing company acquired by Experian in April 2013.

T-Mobile Chief Executive posted this response on their company website:

Obviously, I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.

Connecticut's attorney general plans to launch an investigation.

Jeff Stone (International Business Times) reported the hacked T-Mobile records were available for sale for $1 apiece on the Dark Net, payable in Bitcoin.

Decisioning Solutions Onboarded

Decisioning Solutions provides Software-as-a-Service (SaaS) based workflow management. The system automates decisions for the customer lifecycle.

So far so good…

Experian is a huge company. Taking good care of its customers requires workflow processes.

The problem came when Experian failed to fully vet the security for the different verticals at Decisioning.

Automation and the Need for Customer Care

Automation was one of the big topics at NANOG 64. It speeds things up, standardizes processes, and takes care of the customer.

The problem with automated systems is the risk they introduce.

During a podcast for SEI, Tim Maher, President and Chief Strategist for the RSA Security Conference, had this to say:

Software, Infrastructure, and Platform as a service can be very enticing given the potential cost savings.

But business leaders need to make sure of three things.

They must (1) evaluate the benefits and savings against the risks that can arise when co-mingling their data with other, unknown organizations.

They must (2) demonstrate they meet their compliance requirements.

And they must (3) attempt to hold providers accountable.

In his 2014 article, "SaaS Security Risks: It’s the Users, Stupid," Sean Michael Kerner said the security approach is different.

With SaaS, the attack surface shifts from the traditional application deployment landscape.

Instead of infrastructure itself being the primary target, attacks are moving toward users who hold access rights to data. Individual users of SaaS apps also typically do not have appropriate security controls in place to fully minimize risk.

Universal Access to Filing Support Tickets

Krebs also says the problem behind the T-Mobile Experian hack was a backdoor in the form of a support-site portal. It allowed anyone to file support tickets and attach any type of file, including malicious files.
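The unrestricted attachment upload Krebs describes is a well-known failure mode. As an added illustration (not Experian’s or T-Mobile’s code), here is how a ticket portal’s attachment handler can be hardened in Python: an extension allowlist, a content check against each type’s leading magic bytes, a size limit, and server-generated filenames in a directory outside the web root. The type table, size limit and directory path are assumed values for the example.

```python
"""Hardened attachment validation for a support-ticket upload endpoint (added example)."""
import os
import secrets

# Assumed allowlist: extension -> leading magic bytes (None = plain text, checked as UTF-8).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".txt": None,
}
MAX_BYTES = 5 * 1024 * 1024          # assumed 5 MiB cap per attachment
UPLOAD_DIR = "/var/ticket-attachments"  # assumed location outside the web root, never served as-is


def validate_attachment(filename: str, data: bytes) -> str:
    """Return the normalized extension if the upload is acceptable, else raise ValueError."""
    if not data or len(data) > MAX_BYTES:
        raise ValueError("attachment is empty or exceeds the size limit")
    # Keep only the final path component so a client-supplied path can never escape UPLOAD_DIR.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    # 'invoice.pdf.exe' ends in .exe and is rejected here; 'shell.php.png' is caught below.
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"file type {ext or '<none>'} is not permitted")
    magic = ALLOWED_TYPES[ext]
    if magic is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("text attachment is not valid UTF-8") from None
    elif not data.startswith(magic):
        # Declared type and actual content disagree: treat as hostile, not as a typo.
        raise ValueError(f"content does not match declared type {ext}")
    return ext


def check_attachment(filename: str, data: bytes) -> tuple:
    """Non-raising wrapper returning (accepted, extension_or_reason) for callers and tests."""
    try:
        return True, validate_attachment(filename, data)
    except ValueError as exc:
        return False, str(exc)


def store_attachment(filename: str, data: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Validate, then write under a random server-chosen name; the client's name is never used."""
    ext = validate_attachment(filename, data)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```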

By the time Experian became aware of this problem, the exposure had gone on for two years. The agency immediately contacted law enforcement.

Data sharing

Dark Reading: The T-Mobile and Experian relationship illustrates the importance of tracking and auditing. The use of sensitive and regulated data in different forms evolves throughout its lifecycle and processing supply chain.

The Critical Nature of Security Assessments

The usual timeline for picking up a breach can range from real time to a few days or even to a number of years. But most breaches are never even picked up at all.

Anytime you involve people, there’s potential for risk.

That’s why regular security assessments are critical to keep your network safe.

The hacking field is dynamic.

As new systems are developed, hackers find ways of breaking into them.

That’s why you need to have security assessments done regularly.

To find out more about how security assessments and training can minimize risk for your enterprise, reach out to one of our staff members.