Thursday, November 22, 2007

7.25 Million UK Families + MailMerge = Problem

As you already know, this week, the UK Government lost two disks in the mail that contained the personal information of 7,250,000 families, or 25,000,000 individuals, including, in many cases, their banking information.

Ho-hum, I hear you say. This "lost data" stuff happens all the time. It won't affect me.

I understand this reaction. Subconsciously, most of us realize by now that, statistically, our personal data, including that of our family members, has probably been stolen or misplaced multiple times. And because we can correlate that with the additional fact that there is still money left in our bank accounts, we think, "why worry?"

Here's why we should worry: Things are about to get really rough in the identity theft market. The reason? Online criminals are starting to discover the power of database mining and targeted marketing. Consider the "Better Business Bureau" phishing scam of earlier this year.

During this scam, I received a phishing email that I'm ashamed to say almost fooled me - a security professional. Why? Several reasons. First of all, the email was very well-formed, and it was not flagged as coming from an IP address associated with any previous phishing activity.

But most importantly, this scam email addressed me personally - by my correct name, my correct title, the name of my company, and our address - plus, it contained a plausible premise that any business owner can relate to - a complaint from a customer who has not yet received the goods that he ordered.

In other words, it was targeted - and, unlike the amateurish and non-targeted "Dear Sir" emails from the wives of defense ministers of deposed dictators offering 25 million dollars in return for an email address, it had a good shot at fooling a reasonable percentage of the 29 million small business employees in the United States.

Most industry analysts believe the data was "scraped" from LinkedIn, ZoomInfo, Plaxo, or some other business-oriented social networking site. Which one doesn't matter. To an attacker, a social networking site is simply a database with a convenient query interface, and the name, title, employer and address fields are exactly what a mail merge needs. "Social Network Engineering" is where these crooks are headed.

Since the BBB scam, we've seen a few copy-cat attempts at replicating its success in our labs, but none yet aimed at a specific user population or brand. This is what scares me about the situation regarding the lost data in the UK - and about phishing in general.

Assuming these disks have indeed fallen into the wrong hands, it is probable that, right now, data-smart criminals are crafting schemes that use these families' personal data - correct names, addresses, children's details and bank account numbers - to make a counterfeit communication look as though it is coming from a trusted government body.

So how does the UK government now tell these people not to worry? Not by email - that is the very channel the phishers will be using. By phone? Not the best idea - see my earlier posts on VoIP-based caller-ID spoofing. By snail mail? Heard of MailMerge?

So have the criminals.

If I'm wrong, then we can all pour a cup of tea and go back to being complacent. But if I'm right, and the criminals decide to get rich quick rather than milk this opportunity over the long term, banks, online trading companies, credit unions, and other financial service providers - including HM Revenue & Customs and other government departments - could be in for a rather bumpy ride.

Note: There are some practical steps we need to start taking. Authentium strongly advises consumer banks, credit unions and other online financial service providers to stop telling their customers that personalized emails can be trusted. Some of your web sites still suggest that an email addressed to the customer by name, under the bank's letterhead, should be trusted. This is very poor-quality advice: personalization proves only that the sender holds the customer's personal data, and a breach like this week's hands that data to the very people you are trying to keep out. A letterhead is a graphic; a correct name and address is a database lookup. Neither authenticates anything.
