Data Broker Giants Hacked by ID Theft Service - sshykes
http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service

======
zaroth
It _should_ take a lot more than a compromised web server to gain long-term
access to data feeds from LexisNexis and D&B. Even if the web server let them
make API requests into the feed, you would think a regular usage report would
show a discrepancy in the expected and actual number of requests, or if they
attributed them to some user, someone complaining about getting over-billed.

For 4 million requests to be injected into their feed from a compromised
server, it would suggest that they have essentially no audit logs or
accounting systems in place beyond the front-end business logic. I wouldn't be
surprised if that's illegal in some states. Maybe the NY AG can take a break
from setting up fake yogurt shops on Yelp to catch bad reviews and look into
this...

"We could well be witnessing the death of knowledge-based authentication, and
it's as it should be," Litan said. "The problem is that right now there are no
good alternatives that are as easy to implement. There isn't a good
software-based alternative."

I also hate the KBA questionnaires, and hope they die soon. Some people are
working to solve this problem using Facebook or social proof. I'm not too fond
of that idea, although in certain cases like Airbnb-type scenarios, I can see
where a Facebook hook adds a useful data point.

One approach I've _never_ seen used but which seems like it provides two nice
strong 'factors' is to put a temp charge to someone's credit card and ask them
to tell you how much it was for, and then clear it. That would prove they have
the card (including CVV2) and also that they have the login credentials for
the account.

I think the credit card processor I use doesn't charge anything at all for a
temporary auth. And I know at least AMEX, Bank of America, and Discover will
show the temp amounts on their webpage in real-time.

So it's similar to the ACH method of making 2 random small-amount deposits,
which is also considered 'gold standard' for linking a checking account,
except if you used credit card temp auth, it's free, and real-time instead of
.25 and 1 - 2 days of lag.

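The usage-reconciliation check zaroth argues should have caught the injected requests, written out as an added example (not code from the thread or from any of the companies named): it totals feed requests per account from constructed log lines, compares them with the contracted volume, and flags both accounts running well over their expected volume and requests that carry no known account at all. The log format, account names, contracted volumes and tolerance are all assumptions.

```python
from collections import Counter

# Constructed sample log, one request per line: "date account endpoint".
# "-" stands for a request the front end could not attribute to any account.
LOG_LINES = """\
2013-09-24 acme-ins lookup
2013-09-24 acme-ins lookup
2013-09-24 acme-ins lookup
2013-09-24 northbank lookup
2013-09-24 northbank lookup
2013-09-24 northbank lookup
2013-09-24 northbank lookup
2013-09-24 northbank lookup
2013-09-24 northbank lookup
2013-09-24 northbank lookup
2013-09-24 - lookup
2013-09-24 - lookup
""".splitlines()

# Hypothetical billing data: contracted daily request volume per account.
EXPECTED_DAILY = {"acme-ins": 3, "northbank": 2}


def count_requests(lines):
    """Count requests per (date, account) from the log lines."""
    counts = Counter()
    for line in lines:
        date, account, _endpoint = line.split()
        counts[(date, account)] += 1
    return counts


def reconcile(lines, expected, tolerance=0.25):
    """Return (date, account, actual, expected, reason) findings.

    An account is flagged when its actual volume exceeds the contracted
    volume by more than `tolerance`; requests with no known account are
    always flagged, since nobody would be billed for them.
    """
    findings = []
    for (date, account), actual in sorted(count_requests(lines).items()):
        if account not in expected:
            findings.append((date, account, actual, 0, "unattributed requests"))
        elif actual > expected[account] * (1 + tolerance):
            findings.append((date, account, actual, expected[account],
                             "usage exceeds contracted volume"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(LOG_LINES, EXPECTED_DAILY):
        print(finding)
```

Run against real feed logs, the same comparison would turn the billing system into an audit control: any volume the accounting side cannot explain becomes a finding rather than silent free usage.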
~~~
EdwardDiego
> It should take a lot more than a compromised web server to gain long-term
> access to data feeds from LexisNexis and D&B.

Especially as Dun & Bradstreet operate as a credit bureau (in my country at
least).

------
jessaustin
_“Data security is a company priority, and I can assure you that we are
devoting all resources necessary to ensure that security.”_

That's kind of an odd statement to make in this situation.

~~~
mathattack
Companies have a lot of bluster when it comes to safety and security, but few
of the people making the statements have any real understanding of what would
be required to make an institution secure.

------
jgalt212
This sort of stuff is exactly why I fight tooth and nail any and all efforts
to digitize my medical records.
