Saturday, March 10, 2007

Social Security Numbers Vulnerable Online

When it comes to identity fraud, there is nothing a criminal likes more than getting their hands on a US Social Security Number (SSN).

The Better Business Bureau ranks social security numbers as the most sensitive (and useful, from the criminal point of view) of all personally identifying information. According to AARP, as of 2005, there were 227,000,000 social security cards in circulation in the US.

All these social security numbers are disturbingly vulnerable online, as I found out last night, when I went to the IRS web site to explore the options for paying taxes online. All the options I looked at require end users to enter their full names and SSNs as part of the submission process, in plain sight of keyloggers and screen-scrapers.

Looking at other web forms online, I found that virtually all banks and online financial institutions were making use of social security numbers - mainly as part of the financial service (i.e. loan) application process. Many allowed the use of a social security number and a credit/debit card number to access online credential information, or to change these credentials.

For example, clicking "Get Help with Your Online ID" on the Bank of America site takes you to a form that lets you retrieve your online ID using your Social Security Number and your BoA account number. A sidebar includes the following explanation:

# We use your Social Security or Tax Identification number only to identify you. The information is safe and secure. No one else has access to it.

# Entering either your SSN or TIN ensures you get access to your Bank of America accounts. A Tax Identification Number (TIN) is for business owners.

When Bank of America says "this information is safe and secure", they are not talking about the point in time at which you enter your social security number into that form in a web browser. They are making a statement only about the security of the copy of your social security number they keep inside their database. At the point at which your SSN is being typed into a browser, your SSN is *not* safe and secure - it is highly vulnerable.

As you enter your information into a web browser, Bank of America has zero control over your computer and no idea whether any malware/spyware is installed on it. At this point, your information is clearly visible to a keylogger, and visible to screen-capture technologies as well - and we've seen some very capable screenshot-capturing malware in the virus lab over the past few years.

Worse - if you are the target of a phishing site and end up at a clone of the "Get Help" page, the average user may not be able to tell the difference. The padlock at the bottom of the page is only an image, after all, and easily copied, and SiteKey, though a welcome step in the right direction, is not exactly the most visible or robust of technologies.

How can this problem be fixed? As many of you know by now, we have developed a new, patent-pending technology - VirtualATM - that enables online banks, tax payment agencies, money transfer agencies, and other financial institutions to protect these forms and user sign-up procedures from these kinds of attacks. Several financial institutions are currently evaluating VATM. Our first deployment is planned for May.

VirtualATM takes the whole transaction out of the "visible" browser/PC environment and effectively prevents screen-capture and keylogging software from stealing the information. It doesn't work on traditional antivirus or antimalware principles: it is a proactive security solution that focuses on protecting and concealing this kind of information at every step in the chain.

Look for it next year, during tax time - or the next time you sign up for a financial service online. I know I will.
