The Busy Executive's Guide to Personal Information Security, Part 2 of ?

It was, of course, bound to happen. As soon as I published The Busy Executive's Guide to Personal Information Security, the first person I showed it to said "but what about...". Of course, there are a lot more things you should very seriously consider. The two that came up in that discussion are covered here. If you have additional tips that I hadn't thought of, or questions about other steps, let me know.

Freeze Your Credit Reports

Most countries have some form of credit rating system. In the U.S. we have three credit bureaus with neither an altogether stellar record of keeping your information secure nor a particularly inspiring track record of keeping bad guys from using it. If you want to change how they protect it, you need to begin by finding someone to vote for on November 3, 2020 who cares about such things. I've not heard anyone really pay much attention to it though, but you should definitely vote anyway.


However, if you want to control how the information is used you can do that by freezing the reports. Naturally, there is no one-stop shop for this. You need to go to each bureau and do it separately:


Experian - https://www.experian.com/freeze/center.html is the website where you manage your Experian freeze. It's not a very pretty process, but you go to the same place to unfreeze the report. To unfreeze you must remember a PIN that you create when you freeze it. I recommend using a password manager, such as 1Password, to generate a random PIN and store it in a secure note. To change the freeze state of your report you set a date by which to unfreeze and re-freeze the report. That means it must stay unfrozen for at least the rest of the current day. This is a pretty big hole that Experian surely is not working on fixing.


Equifax allows you to create an account which makes it a little easier to freeze and unfreeze your report. Equifax also requires you to set a date to unfreeze and freeze your report, so, again, you have to leave it exposed to fraudsters for far longer than is advisable. 

Figure 1 Equifax website for unfreezing a credit report.


Transunion, by far, has the best user experience for freezing or unfreezing your credit report. Through the trueidentity.com website you can lock your credit report and with a click, unlock it for as short or as long a period as you want, then click to lock it again. Transunion is the only bureau that provides its product (you, as it is your data they make money selling) with the ability to only expose the credit report for the amount of time necessary. 

Figure 2 Lock and unlock your report easily on the True Identity website.


Yes, it is a pain in the neck to keep your credit report frozen. It becomes an even bigger pain in the neck because most lenders are not content with accessing one of your reports. They want all three. After all, you’re paying for the credit checks one way or the other, so why not. 


Nevertheless, I keep mine frozen/locked constantly for several reasons. First, it keeps the credit bureaus from making money selling MY data to hucksters on a daily basis. Second, it keeps shady people, like Good Chevrolet in Renton, WA, who tried to pull a credit report on me when I tried to pay cash for a car, from succeeding in getting my data. Third, well, let’s just say that after Equifax and Experian were both breached someone tried to use my data that was stolen in the breach to file fake unemployment benefit claims. All in all, it is well worth it. 

Port-out Protection

The second additional thing you should absolutely consider is protecting your mobile phone service. Obviously, you have set it up to be used as a second authentication factor on sites that offer no other option. Other sites will automatically use it as a second factor, even if you do not configure it to do so. Phone companies have a checkered past protecting against Subscriber Identity Module (SIM) swapping, however. 


If you recall, SIM swapping is where a criminal convinces your carrier to associate a SIM they own with your phone number, so that they get your one-time passwords sent to them. This can take two forms: they can convince the carrier to let them port the number to a different carrier, or they can convince them to simply associate a new SIM with your number while keeping it on the same carrier. 


While it has not proven fool-proof, all three major carriers now offer some form of “port-out protection”. Here is the information from each of the major carriers on how:


T-Mobile - Go to https://www.t-mobile.com/customers/secure for the information. You may also call 611 and request "NoPort" protection, which is not a setting they surface in any of their websites. Allegedly, it requires you to go into a store to authorize porting out your number.


AT&T - Go into your account and add “Extra Security”. It allows you to create another password/PIN code that’s required to port the number to another carrier. 


Verizon - Dial *611 from your mobile phone and ask for a Port-Out Freeze. You may also ask for an “Administrative Lock”, which should prevent any changes from being made to the account. 


As always, I strongly recommend writing down any of the additional passwords you create during this process in a password manager. If your normal password is your dog’s name, having your pet goldfish’s name as the port-out PIN is probably not your best strategy.


A word of caution, however. As you probably recognize by now, all these protection measures (with the possible exception of Verizon’s Administrative Lock) are designed to prevent moving the phone number to a different carrier. However, many of the SIM swapping attacks I’ve worked on involved binding a new SIM from the same carrier to the number targeted. Port-Out Protection will NOT prevent that attack! It is a very incomplete solution, but it satisfies what the carriers were required to do under regulatory pressure. Unfortunately, legislators, who can actually require stronger protection, seem to have failed to realize this limitation and there is precious little legislative movement on the issue. The carriers are left only incentivized to make it more difficult to move your number to another carrier (a practice they strenuously opposed in the first place) but not actually required to provide you with better controls against within-carrier SIM swapping. As a result, we are still largely beholden to how well the carriers train their customer support staff in detecting SIM swapping attacks. 


Based on what I have seen in the past six months, their track record continues to be somewhat checkered. 
