The Cost Of A Data Breach – T-Mobile May Fire Experian

T-Mobile and Experian both announced that an Experian database containing credit application data for prospective T-Mobile customers (people who applied to finance a new phone or new phone service) between September 2013 and September 2015 was accessed by hackers.  T-Mobile outsources their credit application process to Experian, which is typical, and that is where the breach was.

The data that was compromised included name, address, social, driver’s license, date of birth and additional, unspecified information.  No credit card or bank information was compromised.

First the punch line and then the rest of the story.

T-Mobile CEO John Legere, who is known for speaking his mind, said that T-Mobile is “instituting a thorough review of our relationship with Experian”.  Does this mean that they are going to fire Experian as a vendor?  Certainly possible, but not a given.  There are only 3 major credit bureaus to choose from, but they could pick someone who is NOT a bureau to manage the process and store the data.  Or they could bring it in-house.

In addition, reading between the lines, T-Mobile had a cyber incident response plan and that included providing credit monitoring to the customers who’s data was stolen.  That credit monitoring was through ProtectMyID.com, a division of Experian.  Unfortunately for T-Mobile’s PR department, the company that caused the negative PR (Experian) is the company that T-Mobile set up as the Go-To company to make up for the negative PR.

Legere almost immediately Tweeted that “I hear you re: Experian as service protection option.  I am moving as fast as possible to get an alternative in place by tomorrow.” [ Note: the tomorrow he referred to is today].

So at a minimum, it is likely that T-Mobile will “fire” Experian as their credit monitoring service.

Some thoughts about  the situation:

  • Breaches are pretty much inevitable these days.  What you want to do is minimize, mitigate and manage it.
  • T-Mobile/Experian moved quickly in announcing the breach.  If the breach was closed on September 16, 2015 and they announced the breach on October 1, 2015, that is only a two week window to plan their response.  This means that they must have had their incident response plan already set up.
  • It is unfortunate that their incident response plan included credit protection services from the source of the breach.  That is hard to plan for.  Perhaps it would have been better to use someone who was not already a vendor.
  • Regarding minimizing the breach effects, why did they keep two years worth of history.  It would seem like after they made the credit decision, they could have discarded the data in 30 days.  What you don’t have can’t be stolen.  Companies seem to love to hoard data.  Sometimes that is not a good plan.
  • Apparently the data was encrypted.  More evidence that encryption is not a silver bullet.  Although they are not saying, the fact that the data was compromised even though it was encrypted means that the hackers had a valid userid and password.
  • Experian has not released any details of the hack and may never release the details.  What they want to do it put this behind them.  I am sure they are doing a post mortem even as I write this and that is where the mitigate part comes in.  I do think they will likely learn from this, whether they share that with us or not.
  • T-Mobile seems to be doing a good job of managing this so far.

What is unclear at this point is whether Experian has lost a large customer completely, partly or can recover the relationship.  It appears for sure that they will lose most if not all of the credit monitoring business.

I don’t expect this to have much negative impact on T-Mobile’s business – stay tuned.

Information for this post came from ITWorld.com and T-Mobile’s web site, T-Mobile.com.

Car Hacking – A Never Ending Bowl Of Fun

The Automobile hacking community is having a bang-up year.

In a Wired article today, Andy Greenberg talked about two new car hacking techniques – both completely different from the ones I have talked about before.

The first one is to use the Wi-Fi network in the dealer’s waiting room to hack the diagnostic equipment in the shop.  Likely auto dealerships don’t have sophisticated IT departments and that Wi-Fi could likely be on the same network as the shop.

Once you take over the shop equipment, you program it to infect every car it gets plugged into.  That would likely be thousands of cars a month.  Likely, most of the cars that come into the dealer’s shop are the same brand(s) as the dealer sells, and likely newer models, so that makes the hacker’s job easier.

The second attack is the reverse of this.

Given that there are only a few brands of diagnostic computers that mechanics use (such as Bosch and Snap-On), bring your car into the dealership already infected.  That way you can take as much time as you need to set it up.  When the mechanic plugs in his toy, your car infects the mechanic’s diagnostic tool and from there, you proceed like the hack above.

In both cases, you are using the dealership as a “typhoid Mary”.  What kind of PR does that give the dealer when the news breaks at 6PM on the local TV station.

The other story is that the Virginia State Police are working with the University of Virginia, Mitre, Johns Hopkins and other to hack their police cars.  These are are old (2012) Chevy Impalas and Ford Tauruses.  While these (early in the program) hacks required hands on access to set up the hack, the researchers were able to totally own the cars.

The State Police thinks that buying “connected” cars would be a bad move for them – they must watch 60 Minutes.

Still, given access, relatively old, non connected cars were still hackable to the point that they were able to stop the car from even starting.

Why are they interested in this?  Besides getting my award for the most forward thinking police department in the country?

First, to train their officers so that in case their car is hacked, they understand the parameters.

But more importantly, to train their forensics investigators to be able to BEGIN testing cars at accident scenes to see if they were hacked and the hacking caused the accident.

While this is VERY early stage work, I am not aware of any other police department in the country doing this.

If I was a hitman.  err, excuse me, hit person.  If I was a hit person and wanted to make a kill look like an accident, causing a car to drive off a cliff with my target in it and explode in a ball of flames might be pretty much undetectable by 99  and 44/100% of the crime scene investigators in the country – even if they knew what they were looking for.  Likely the car’s computers would have gotten burned up in the explosion, covering up the tampering – assuming the investigators even knew what to look for (you would have to be able to look at the code that was running in the tens of computers (more in a high end car) in the car at the time to figure out if any of them had been modified.  Given that the Jeep hack on 60 Minutes was done by reprogramming the radio (excuse me, on-board entertainment system), you would have to look at each and every computer to invalidate the hacking claim.

There are already some suspicious car accidents that at least some people believe fit this profile.

At least people are beginning to plan for this.  It is inevitable.  I don’t think the car manufacturers will spend the money needed to thwart them.

 

Information for this article came from Wired and Dark Reading.

Today Is The Day

October 1st, 2015.

Today, retailers are responsible for credit card fraud if they are not using credit card terminals that support chip credit cards.

While there is a learning curve for both merchants and users, the curve is pretty small and it will reduce credit card fraud at retail stores.

Gas Stations and ATMs still have two more years to convert and online purchases are not affected.

In Europe, they discovered that online credit card fraud went through the roof when they went to chip cards at retail  – because retail fraud is so much harder.

What needs to happen next is to completely remove the mag stripe from the cards – but that can’t happen until the 2017 deadline passes for gas stations and ATMs.

Customers should use chip transactions whenever possible and if a retailer can’t process a chip transaction, ask the retailer why they are not since you are concerned about your credit card security.  Make it seem like bad customer service to not take chip cards.

I have seen that at least some ATMs have already been converted to using the chip cards.

From a user standpoint, there are only two differences.  One, you insert the card into the terminal and leave it there until the transaction is complete.  The other is, at least right now, the transaction takes much longer – around 20 seconds.  I do not know if that will speed up over time.  In reality, the transaction is no slower than it was before but YOU didn’t see that time when you swiped your card.

In any case, the chip is the way it is going to be for now.

Of course, if you use Apple pay or Android pay, that is an alternative.

For merchants, if they are NOT using chip enabled terminals, they get to eat the entire cost of a fraudulent transaction.  And the credit card companies want to make that sting.  Not only will they have to pay for the transaction, but likely also the investigation, the customer communication, the reconciliation, etc.  It is unclear how much that will be, but expect it to be large to encourage retailers to move to the new system.

Here is a link to a graphic that shows when the merchant is liable and when the card brand is liable – it is complicated.