
Capital One’s breach was inevitable, because we did nothing after Equifax - Corrado
https://techcrunch.com/2019/07/29/capital-one-breach-was-inevitable/
======
rocqua
This is a bigger issue than 'credit agencies have poor security'. This is an
issue of 'standard authentication in the US is negligently weak'.

Knowledge of a SSN and other public information should never be enough to
authenticate any person. That means no credit issued based on that, no tax
returns filed or viewed based on that, no checks sent based on that.

The solution is not better security with credit companies. The solution is
some form of actual authentication. Preferably done by an organization
dedicated to that (public would be best, private could work); not outsourced
to organizations that are mostly geared towards determining credit worthiness.

For the public system, assign to every participant a true unique identifier,
rather than the SSN, which explicitly states it should not be used as such.

For those citizens that do not want to register in this way, allow for
physical authentication at physical locations.

In Europe this is far less of an issue since our population registration is a
lot more comprehensive.

~~~
souterrain
To this point: does “identity theft” really exist, or is this simply a
reframing of banks, etc., completely failing at authentication?

~~~
3JPLW
Identity theft is an amazing PR term, not-so-subtly shifting blame onto the
individual whose identity was fraudulently used.

* The PII wasn't stolen from me, it was negligently exposed by services I contract with (and pay!) and others that I have no formal relationship with (like Equifax).

* It wasn't defrauding me, it was defrauding services I contract with (and others) who failed to verify my identity.

And yet somehow I'm obligated to do the cleanup myself.

~~~
tryptophan
Yup. The quickest way to stop these sorts of things from happening is to make
the banks responsible for accepting/using stolen information (i.e. facilitating
identity theft). For some odd reason, it's the person's responsibility now that
the bank used fraudulent information.

------
moltensodium
There is no reason to spend one dime on infosec after the big Equifax breach
and the numerous Facebook hacks/intentional spreading of data. They already
lost all the most important data for every American and both companies are
doing far better than ever. Nobody went to jail, everyone gets to keep making
money.

You should worry about lightning strikes and like solar flares disrupting your
business before you worry about cyber security. Why should any enterprise risk
manager waste their time on an issue that has no consequences?

~~~
ashleyn
Part of this problem is that Congress has simply stopped functioning for the
past ten years or so. They're pretty much just keeping the lights on while
social conservatives refuse to compromise with anyone else. When's the last
time you remember high-profile federal legislation being passed with the
intention of protecting or aiding constituents?

~~~
ethbro
_> When's the last time you remember high-profile federal legislation being
passed with the intention of protecting or aiding constituents?_

July 1st, 2019

H.R. 3151

"Taxpayer First Act

This bill revises provisions relating to the Internal Revenue Service (IRS),
its customer service, enforcement procedures, cybersecurity and identity
protection, management of information technology, and use of electronic
systems."

https://www.congress.gov/bill/116th-congress/house-bill/3151?s=5&r=2

Just because actual legislation is too boring for cable news and NPR doesn't
mean it's not happening.

You can find all the bills that passed into law here:
https://www.congress.gov/advanced-search/legislation?congresses%5B%5D=116&legislationNumbers=&restrictionType=field&restrictionFields%5B%5D=allBillTitles&restrictionFields%5B%5D=summary&summaryField=billSummary&enterTerms=&wordVariants=true&legislationTypes%5B%5D=hr&legislationTypes%5B%5D=hres&legislationTypes%5B%5D=hjres&legislationTypes%5B%5D=hconres&legislationTypes%5B%5D=hamdt&legislationTypes%5B%5D=s&legislationTypes%5B%5D=sres&legislationTypes%5B%5D=sjres&legislationTypes%5B%5D=sconres&legislationTypes%5B%5D=samdt&legislationTypes%5B%5D=suamdt&becamelaw=true&chamber=all&actionTerms=&legislativeActionWordVariants=true&dateOfActionOperator=equal&dateOfActionStartDate=&dateOfActionEndDate=&dateOfActionIsOptions=yesterday&dateOfActionToggle=multi&legislativeAction=156&sponsorState=One&member=&sponsorTypes%5B%5D=sponsor&sponsorTypes%5B%5D=sponsor&sponsorTypeBool=OR&committeeActivity%5B%5D=any&committeeActivity%5B%5D=referred+to&committeeActivity%5B%5D=hearings+by&committeeActivity%5B%5D=markup+by&committeeActivity%5B%5D=reported+by&committeeActivity%5B%5D=reported+original+measure&committeeActivity%5B%5D=discharged+from&committeeActivity%5B%5D=legislative+interest&satellite=%5B%5D&search=&submitted=Submitted&searchResultViewType=expanded

PS: Believe the 9/11 first responders bill would be more recent, but I figured
people would take issue with that as a celebrity bill.

~~~
resfirestar
What makes you say this bill is doing more than call for a minimalist response
to tax return fraud (giving people “identity protection ID number” to use with
ID theft cases and a single phone number to call about tax related identity
theft) and make updates correcting obvious flaws in the tax code (aka keeping
the lights on)? The provisions in this law will not make it less likely that
someone will file a tax return with your stolen info, and not make it easier
to get it made right if that does happen.

At least the 9/11 first responders bill was about allocating resources to do
something, but the main reason it doesn’t serve your point is the fact it
stood for 18 years as an example of our government’s incompetence and
inability to do basic, non-controversial things.

~~~
ethbro
I could quote from the bill, but the individual subsections all make material
changes in the way the IRS runs.

Reducing everything to "creates a new department or abolishes an existing one"
or "does nothing and just keeps the lights on" isn't a useful rubric.

Good law is accreted over time, in the same way bulletproof code is.

~~~
resfirestar
You are asking me to trust that the people making law now know what they are
doing and are slowly moving things in the right direction instead of slowly in
the wrong direction, while not contesting the claim that this law does nothing
to accomplish its stated goal of reducing the public burden of tax return
fraud.

US tax law has been dysfunctional and getting worse for decades, to me that
says there are issues with how the system is designed and meaningful progress
beyond “keeping the lights on” will require restructuring the law and the
agency, not adding a new office here and giving taxpayers more notifications
there. Those types of measures, as you correctly point out, have to be looked
at as part of a larger plan for the organization that meaningfully addresses a
problem, not in isolation. Except here we have a collection of measures that
doesn’t coherently address a problem, so there is no way left to look at them
except in isolation.

~~~
ethbro
I was pointing out passed law that I consider answers "When's the last time
you remember high-profile federal legislation being passed with the intention
of protecting or aiding constituents?"

The law has many stated goals, as set forth in the quote I posted.

------
ThePhysicist
In my opinion organizations still don't rely enough on "defense in depth"
techniques to protect sensitive data. Breaching the WAF and gaining access to
S3 files shouldn't suffice to gain access to the raw data. Personal data that
is not required for transactional use should be either encrypted,
pseudonymized or anonymized. I couldn't find information about the exact use
case of the data but as it was stored in S3 I would guess that it was "set
aside" for future use in analytics or machine learning, maybe? If so there's
really no reason to store the raw data.

Any single IT system is hackable and will eventually be hacked. The
probability that an adversary will be able to hack multiple, independent
systems is much lower though, and would in many cases prevent data breaches
like this one.
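
An added worked example (not code from any commenter in this thread) of the pseudonymization step described above: direct identifiers are replaced with keyed tokens and quasi-identifiers are coarsened before the data is set aside, so a copy that leaks from the analytics bucket is not the raw PII. The records and the tokenization key are constructed for the example; in practice the key would live in a KMS/HSM reachable only by the tokenization service, not by the role that can read the bucket.

```python
import hashlib
import hmac

# Constructed sample records of the kind a card issuer might set aside for
# analytics. Names, SSNs and dates of birth here are made up.
RAW_APPLICATIONS = [
    {"name": "Ann Example", "ssn": "123-45-6789", "dob": "1980-04-02",
     "zip": "10001", "limit": 5000, "approved": True},
    {"name": "Bob Sample", "ssn": "987-65-4321", "dob": "1975-11-30",
     "zip": "94105", "limit": 12000, "approved": True},
    {"name": "Ann Example", "ssn": "123-45-6789", "dob": "1980-04-02",
     "zip": "10001", "limit": 2500, "approved": False},  # second application, same person
]

# Constructed tokenization key. In a real deployment this is held in a
# KMS/HSM and is usable only by the tokenization service, never by the role
# that reads the analytics bucket: two independent systems to compromise.
TOKEN_KEY = bytes.fromhex(
    "8f1c6e2a4b9d3c7e5a1f0b2d4c6e8a9b1d3f5c7e9a0b2c4d6e8f1a3b5c7d9e0f")

DIRECT_IDENTIFIERS = {"name", "ssn", "dob", "zip"}


def token_for(ssn: str, key: bytes) -> str:
    """Keyed, deterministic token: the same SSN always maps to the same
    token, so joins across records still work, but recovering the SSN
    requires the key.

    A plain sha256(ssn) would not do: there are only 10^9 possible SSNs,
    so anyone holding the dataset could enumerate every digest offline.
    """
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Strip direct identifiers and coarsen quasi-identifiers before the
    data leaves the transactional system."""
    out = []
    for r in records:
        out.append({
            "subject": token_for(r["ssn"], key),
            "zip3": r["zip"][:3],          # ZIP3 instead of the full ZIP
            "birth_year": r["dob"][:4],    # year instead of full date of birth
            "limit": r["limit"],
            "approved": r["approved"],
        })
    return out


def leaked_fields(records):
    """Which direct identifiers someone who reads this dataset gets."""
    return {k for r in records for k in r} & DIRECT_IDENTIFIERS


def reidentify(token: str, candidates, key: bytes):
    """Re-identification needs the key *and* a candidate set from the
    transactional store; the analytics copy alone is not enough."""
    for r in candidates:
        if hmac.compare_digest(token_for(r["ssn"], key), token):
            return r
    return None


if __name__ == "__main__":
    analytics = pseudonymize(RAW_APPLICATIONS, TOKEN_KEY)
    print("direct identifiers in analytics copy:", leaked_fields(analytics) or "none")
    print("records sharing the first subject token:",
          sum(1 for r in analytics if r["subject"] == analytics[0]["subject"]))
```

The keyed token keeps the analytics use case intact (the two applications from the same person still join on `subject`) while making the stored copy useless to anyone who only obtains bucket read access, which is exactly the "multiple independent systems" property the comment above argues for.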

~~~
delinka
I find that in large organizations, business only cares about business. Maybe
because they can't be bothered with IT or security or any of the geeky
disciplines. I'm pretty sure it's all about soft skills: they just can't
handle dealing with folks that lack soft skills and those geeky, nerdy folks
running the technology stack lack soft skills and only ever ask to spend money
...

If you, tech geek, learn enough to speak well to The Business, you have
another challenge: the market is at a place where incentives matter. You can
articulate, in the right language, the need for cleaning up the company
security posture, but you can't articulate an incentive. User can't sue
because the ToS says 'mediation;' There's no regulatory agency that will
really threaten our profits - we can afford a $10MM fine when they get around
to levying such after three years of investigation ... what's the incentive to
spend half a million dollars this year on additional employees and licenses
when that's money destined for high-level bonuses this year, and by the time
that fine arrives, this executive team will have moved on?

>In my opinion organizations still don't rely enough on "defense in depth"
techniques...

This flies in the face of 'easy money.' 'Easy' meaning we, The Business,
comprehend the purpose of a particular budget line item. Spending money is
bad. But spending money in some places is a necessary evil, and only
acceptable when it is in a place that is directly reflected in the price to
the customer. Acquiring, manufacturing, assembling parts in the final product?
Fine. Marketing to acquire a customer? Sure. Attaining regulatory approvals?
Bah, ok. After we've articulated the costs and padded an acceptable margin,
the only thing left is the self-congratulatory bonuses for executives!

~~~
lunias
I've found that at large companies, employees touted as having great soft
skills often lack the ones that I consider key for productivity:
communication, integrity, responsibility, and work ethic.

Meanwhile, engineers possessing all of the above traits as well as hard skills
are told to develop their other soft skills (i.e. positive attitude, courtesy,
and professionalism) to make themselves more palatable to the inept.

In a vicious cycle, the feeling that everything is focused around appeasing
those that contribute the least is enough to erode many engineers' soft
skills.

Enter the dead sea.

------
mcnichol
Not even close to the same.

Granted, a misconfigured firewall is surprisingly close to data with no
AuthZ/AuthN, but the Equifax breach was an operation.

This should be punished, but the level of ignorance from both sides highlights
just how immature the community is and how little concern we have in handling
PII.

Thermodynamics....make the path of least resistance more secure. I feel laws
find that by following the money which they seemingly tried to do with
equifax.

Surprisingly small fine but on the other side, I have seen many enterprises
with numerous processes/controls in place where it wasn't so easy to identify
the security through obscurity that was going on.

There's a longer conversation to be had here.

~~~
0xDEFC0DE
It's actually a lot harder than you'd imagine to break into security
considering how much outrage and demand there seems to be in the press and on
forums.

Maybe this WAF wasn't the greatest software though. Simply buying something
and squeezing it into your tech stack isn't enough. You have to know how it
works or it could be the thing that gives a foothold to an attacker.

~~~
mcnichol
I spend a considerable amount of time pentesting. I understand it very well.

~~~
0xDEFC0DE
Not that. Break into it as a job.

The talent pool is woefully underfilled.

~~~
mcnichol
Ah, gotcha. Sorry about that, misread it.

------
nyc_pizzadev
Wasn't this a private S3 bucket and she somehow hacked permission access?
Anyone know the full details of how this came to happen?

As for mitigation, does S3 encryption happen at the user access level (GET) or
the S3 system level? Basically, does each GET call pass in the decryption key?
This means an attacker needs another piece of information. More encryption
wouldn't hurt here. This goes for Equifax too.

~~~
cddotdotslash
I'll preface this by saying that I haven't seen any official resources
confirming that it was an S3 bucket issue (although the statement from hacker
mentioned releasing "buckets" so it very well could be).

S3 provides server side encryption that encrypts the files at rest. This is
done entirely on the server side and does not require any additional keys from
the client. However, it is possible to do your own file encryption using your
own keys ahead of time, but I imagine that a very small subset of AWS users
actually do that.

The way these hacks usually happen is that someone configures the bucket to
enable public access, either to the entire bucket or certain files within it,
and then someone stumbles upon the bucket's endpoint.

The mitigation is simply not to configure your buckets to be publicly
available. That used to be relatively more difficult than it sounds because of
a confusing S3 UI, but AWS has recently pushed a number of changes that try to
address this issue, including putting a very clear "Public" label next to
buckets with these settings, sending emails to users with public buckets, and
providing configurations that allow account owners to prevent users from
setting buckets to public access.

Some articles are referencing a WAF configuration issue, in which case the
above may not fully apply here. The commenter below me mentioned the use of
temporary AWS access keys, which can be obtained from an internal AWS service
known as the metadata endpoint. Typically this endpoint is only accessible
from EC2 nodes (or services that rely on EC2 like Lambda or CodeBuild) and
allows AWS to deliver short-lived credentials to the node that can rotate
frequently. If this truly was the issue, then it's possible a WAF issue
allowed the remote attacker to query the internal endpoint from an external
source and obtain credentials that were previously only available to the node
itself. From there, the attacker could make AWS API calls to the S3 buckets
and download the files.
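
An added example (not from any commenter in this thread, and not a description of how Capital One's WAF was actually configured) of the check that stops the credential-fetch path described above: any server-side component that fetches a URL on a caller's behalf must refuse to connect to the instance metadata address, including the decimal, hex and IPv6 spellings of it and DNS names that resolve to it. The DNS table and the request targets below are constructed so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. "reports.internal"
# models an attacker-controlled name pointed at the metadata address.
CONSTRUCTED_DNS = {
    "example.com": "93.184.216.34",
    "reports.internal": "169.254.169.254",
}

# Constructed request targets of the kind sent to a server-side fetcher.
SAMPLE_TARGETS = [
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://[fd00:ec2::254]/latest/meta-data/",
    "http://2852039166/latest/meta-data/",   # 169.254.169.254 as one decimal number
    "http://0xa9fea9fe/latest/meta-data/",   # ... and as hex
    "http://reports.internal/export",        # harmless-looking name, resolves to IMDS
    "http://127.0.0.1:8500/v1/kv/",          # other local-only services
    "file:///etc/passwd",
    "http://example.com/report.pdf",
]


def parse_ip_literal(host):
    """IPv4/IPv6 literal in the forms inet_aton accepts (dotted, bare
    decimal, hex); None if host is a name rather than a literal."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)  # base 0 understands a 0x prefix
    except ValueError:
        return None
    return ipaddress.IPv4Address(n) if 0 <= n <= 0xFFFFFFFF else None


def resolve_target(url, resolve=CONSTRUCTED_DNS.get):
    """Return the address the fetch would actually connect to, or None if
    the URL is rejected (bad scheme, unresolvable name, non-global address).
    The caller must then connect to the returned address, not re-resolve
    the name, or DNS can change the answer between check and use."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return None
    ip = parse_ip_literal(host)
    if ip is None:
        resolved = resolve(host)
        if resolved is None:
            return None
        ip = ipaddress.ip_address(resolved)
    # is_global is False for loopback, link-local (169.254.0.0/16, where the
    # IPv4 metadata endpoint lives), RFC 1918 and ULA space (fd00:ec2::254 is
    # the IPv6 metadata address) and reserved ranges.
    return ip if ip.is_global else None


def allowed_targets(urls, resolve=CONSTRUCTED_DNS.get):
    """Filter a list of requested URLs down to those safe to fetch."""
    return [u for u in urls if resolve_target(u, resolve) is not None]


if __name__ == "__main__":
    for u in SAMPLE_TARGETS:
        print("ALLOW" if resolve_target(u) else "BLOCK", u)
```

This check belongs in the application or proxy that makes the outbound request, where the resolved address is known; a WAF rule matching the string `169.254.169.254` in incoming requests would miss every alternative spelling above. Separately, AWS later added IMDSv2, which only hands out credentials to requests carrying a session token obtained with a PUT, so a single relayed GET no longer returns them; that is a fact about the service and not something the thread discusses.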

~~~
Cpoll
> it's possible a WAF issue allowed the remote attacker to query the internal
> endpoint from an external source

But then it's literally a configuration issue, right? WAF is just Rule ->
Block/Allow. It doesn't proxy traffic or anything, it just attaches to a load
balancer, API Gateway or CloudFront.

More puzzling, what is the WAF-Role they're talking about? WAF doesn't use IAM
roles, so is this just a role they used to configure the WAF (and also had S3
permissions?)

~~~
cddotdotslash
Yeah, that part is confusing. Since I posted the above a few more details came
out, but it seems like the WAF may have been involved because it wasn't
configured to block requests to the IAM instance metadata endpoint, which
would have allowed the attacker to operate in the scope of the instance, which
seems to have had the S3 permissions. But again, entirely conjecture on my
part at this point.

------
pluc
It's so funny that with all these breaches, Equifax is the winner and gets
150M customers. Same thing happened with Desjardins (Quebec bank) recently.

~~~
ceejayoz
The really bonkers part about the Equifax settlement is they're being
permitted to "pay" the fine by giving away their own credit monitoring
solution. They value it at something like $15/month, but it likely _costs_
them pennies to run. A good portion of those users will probably convert to
paid users at the end of things - I strongly suspect they'll wind up profiting
overall.

They should've been forced to cover _another company's_ credit monitoring
solution, preferably a direct competitor's.

------
rbc
First American Financial Corporation is another company that appears to have
been extremely naive about securing non-public personal information and didn't
act until their customers went public. That wasn't even a platform security
vulnerability. They were allowing unauthenticated access to their customers
documents. Brian Krebs reported on 24 May that 885 million mortgage documents
had been exposed. According to First American's reporting since then, they say
they have narrowed that down to 32 consumers that had their information
exposed and provided them with complimentary credit monitoring. That's an
awfully big discrepancy between the security community and company reporting.

------
jinushaun
After my identity was stolen, likely from Equifax, I closed my Capital One
account and advised everyone I knew to do the same. I was shocked to discover
how easy it was to get past the forgot password screen: you are immediately
logged in with full privilege if you answer all the easy to guess PII
questions! No email notification. No text. No 2 factor. Full logged in access!

Lesson learned: always check the forgot password/trouble logging in feature on
sites where security matters.
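
An added example (not from the commenter above) contrasting the reset flow described in that comment with one that does not turn knowledge of PII into a logged-in session. The account, the knowledge-based answers and the "outbox" standing in for email delivery are constructed; the password hashing uses plain SHA-256 only as a placeholder so the example stays short.

```python
import hashlib
import secrets
import time

RESET_TTL = 15 * 60  # seconds a reset token stays valid


def make_accounts():
    """Constructed account. The knowledge-based answers are the kind of
    PII that breach dumps and public records supply."""
    return {
        "ann": {
            "email": "ann@example.invalid",
            # Placeholder only; a real store uses a slow, salted KDF.
            "password_hash": hashlib.sha256(b"old-password").hexdigest(),
            "kba": {"mother_maiden_name": "smith",
                    "birth_city": "boston",
                    "last4_ssn": "6789"},
        }
    }


def kba_reset_login(accounts, username, answers):
    """The pattern described above: correct answers to PII questions yield
    a live, fully privileged session. Anyone holding the victim's leaked
    PII is indistinguishable from the victim."""
    acct = accounts.get(username)
    if acct is None:
        return None
    expected = acct["kba"]
    if all(answers.get(q, "").strip().lower() == a for q, a in expected.items()):
        return {"session_for": username, "privilege": "full"}
    return None


class TokenReset:
    """Reset via a single-use, time-limited token delivered out of band to
    the address already on file. Redeeming it changes the password; it does
    not log anyone in."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts
        self.now = now
        self.pending = {}  # sha256(token) -> (username, expires_at); never the raw token
        self.outbox = []   # constructed stand-in for email/SMS delivery

    def request(self, username):
        # Same response whether or not the account exists, so the endpoint
        # cannot be used to enumerate usernames.
        acct = self.accounts.get(username)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (username, self.now() + RESET_TTL)
            self.outbox.append((acct["email"], token))
        return "If that account exists, a reset link has been sent."

    def redeem(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a token works exactly once
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        acct = self.accounts[username]
        acct["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
        # Tell the real owner; a silent reset is how takeovers go unnoticed.
        self.outbox.append((acct["email"], "Your password was changed."))
        return True


if __name__ == "__main__":
    accounts = make_accounts()
    leaked = {"mother_maiden_name": "Smith", "birth_city": "Boston", "last4_ssn": "6789"}
    print("KBA reset with leaked PII:", kba_reset_login(accounts, "ann", leaked))
    flow = TokenReset(make_accounts())
    print(flow.request("ann"))
    _, token = flow.outbox[0]
    print("redeem once:", flow.redeem(token, "new-password"), "twice:", flow.redeem(token, "x"))
```

The things to check on a real site map directly onto this: whether answering PII questions alone produces a session, whether the token is single-use and expires, whether the account owner is notified, and whether existing sessions are invalidated on change (the last is left out here to keep the example short).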

------
giancarlostoro
I said this on the other HN thread about CapitalOne but I found it ridiculous
that Aaron Swartz was facing a hefty sentence and the culprit behind this hack
last I checked is facing up to 5 years??? What the heck?

For every person exposed in this hack is a single victim to be added. Not to
mention the numerous indirectly affected people part of small businesses.
Aaron Swartz hacked some ebooks by comparison harming only a school.

Can the punishment for crimes stop being absurd? I am only reserving further
outrage because those are the current charges against the hacker. We know more
can pile up as they learn more.

Really though, if that kind of PII can give you access to ruin someone's
financial life then it should be made harder to get credit cards. If you don't
have a driver's license and other things to show you shouldn't get a credit
card.

~~~
ovi256
Prosecutor discretion exists. Furthermore, AFAIK (IANAL, especially not a US
criminal justice lawyer), US sentencing guidelines take into account first-
party financial damages (low for CapitalOne), not the diffuse third-party
damages of the kind that will be suffered by the 100M people whose PII was
lost.

~~~
eigenvalue
CapitalOne disclosed that this hack is going to cost them between $100mm and
$150mm, which is a lot more than JSTOR would have lost from Aaron Swartz's
"hack" of academic humanities papers.

~~~
madaxe_again
Right, but it wouldn’t have happened if they hadn’t had such lax security, and
I would argue that capital one are liable here for failing to adequately
safeguard consumer data. If you properly secure your stack, you don’t get
hacked.

If they had fallen victim to some undisclosed zero-day, I’d feel bad for them
- but in this case it appears to be misconfigured VPC SGs. Their error.
Inadequate processes.

We are also all labouring under the assumption that she was the only person to
make off with this data.

I’m willing to bet that she’s just the first one daft enough to talk about it.

~~~
qaq
"If you properly secure your stack, you don’t get hacked." That's absolutely
not true. You do reduce the chances of being hacked and you might reduce time
it takes for you to discover the breach and you will be able to contain it
quicker.

~~~
madaxe_again
You _vastly_ reduce the chances. It’s the difference between bothering to
close the bank vault’s door when you go home at night or not.

------
mikece
How long before owning a breach database requires a license in order to avoid
a criminal charge? I have to imagine that access to breach info from other
sources greatly reduces the work necessary to pull off another breach as users
typically use the same "highly secure password" across most, if not all of
their online and work accounts. All you need is one breach with weak password
hashing -- or no hashing or encryption -- to provide an electronic skeleton
key to intruders. The more breaches that occur, I think the more we'll see.

Just curious: if a prior breach, for example the Equifax breach, yields data
that enables a future breach like Capital One's, can Equifax be held liable
for damage to Capital One?
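
An added example (not from the commenter above) of the "electronic skeleton key" mechanism just described: a site that stored unsalted fast hashes is cracked with one lookup table, and the recovered passwords are replayed against a second site. The breach dump, the wordlist and the second site's store are all constructed; the second store uses PBKDF2 with a deliberately modest iteration count so the example runs quickly.

```python
import hashlib
import secrets

# Constructed "breach dump" from a site that stored unsalted MD5, plus a tiny
# wordlist. Real dumps and wordlists run to millions of lines; the math is the same.
LEAKED_MD5 = {
    "ann@example.invalid": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob@example.invalid": "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "cat@example.invalid": hashlib.md5(b"correct horse battery staple").hexdigest(),
}
WORDLIST = ["password", "123456", "letmein", "qwerty"]

# Kept low so the example runs in well under a second; production values for
# PBKDF2-HMAC-SHA256 are in the hundreds of thousands, or use scrypt/argon2.
ITERATIONS = 50_000


def crack_unsalted(dump, wordlist):
    """One hash per candidate word unlocks every user who chose it: an
    unsalted fast hash is a lookup table, not a secret."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF: the attacker must redo the
    whole wordlist for every user, and precomputed tables are useless."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    assert algo == "pbkdf2_sha256"
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def stuffing_hits(cracked, other_site):
    """Credential stuffing: replay recovered passwords against another
    site's (properly hashed) store. Reuse, not weak hashing at the second
    site, is what makes this succeed."""
    return [user for user, pw in cracked.items()
            if user in other_site and verify_password(pw, other_site[user])]


if __name__ == "__main__":
    cracked = crack_unsalted(LEAKED_MD5, WORDLIST)
    print("recovered from the weak site:", cracked)
    # Constructed second site: Ann reused her password, Bob did not.
    other = {"ann@example.invalid": hash_password("password"),
             "bob@example.invalid": hash_password("different-one")}
    print("accounts taken over at the second site:", stuffing_hits(cracked, other))
```

The second site did everything right for storage and still loses Ann's account, which is the point of the comment above: password reuse turns any one site's weak hashing into a problem for every other site, and only the first site's storage practice (or per-user multi-factor at the second) changes that.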

------
ghostpepper
> The Equifax incident should have sparked a fire under the credit giants.

I get what the author is trying to say, but based on the entire remainder of
this article, the large credit firms are doing exactly the right thing (for
their shareholders) by not spending tons of money on security.

~~~
consumer451
> the large credit firms are doing exactly the right thing (for their
> shareholders) by not spending tons of money on security.

Isn't this due to the fact that there are no serious penalties for losing
customer data, aka regulation?

~~~
ghostpepper
Yeah, as much as I would like to see a market-based solution to this, I'm not
sure how it would work exactly.

Equifax seems to be the exception to the rule that most of the data lost in
most of the breaches we hear about was given voluntarily; the customers are
the ones getting screwed and they still willingly hand over their data to
anyone who offers a small discount or even just a newsletter sign-up.

It seems like most people don't care about privacy, at least not enough to pay
more for it.

------
lurquer
"we" did nothing?

I'm annoyed at the use of first person plural pronouns in such articles. It's
particularly obnoxious in a story about identity theft which, as other posters
on this thread have pointed out, is a linguistic con-job banks pull on
customers.

------
siffland
I have been part of 12 data breaches, that I have been informed about, in the
last 5ish years. I read about it and then move on at this point. I have a sick
feeling credit monitoring with insurance is going to become the norm, just
like house and car insurance. I am not sure why Progressive and State Farm
don't have it yet on your policy (maybe they do).

I wonder if these companies are like one of the places I work at and have
checkbox cybersecurity as opposed to real cybersecurity.......if you have ever
had to ask your cybersecurity department "you really want me to loosen the
permissions on those files so it will pass the scan?", then you know what
checkbox security is.......

------
supergeek133
What exactly can "we" do other than the government creating some financial
penalty for this?

I soundly believe that in most of these cases some line level security person
told middle management there might be an issue, but it wasn't dealt with
because of time/money considerations ("Just Ship It") or there are many legacy
things that never received a proper audit/fix schedule because of lack of
people/experts to even see the issue.

One time financial penalties won't fix that, because I'd bet it might be
cheaper to pay it. Criminally penalizing executives may not fix it, because
some of these decisions likely never made their desk.

------
buboard
What guarantees does Amazon sell to AWS clients regarding the security of
their data?

~~~
syn0byte
Lots! Tons and Tons and Tons! S3 is super secure and CAN NOT be hacked when
properly configured and used according to our standard!

You got hacked? You must have configured it wrong because we already told you
it was unhackable; Good luck proving it was our fault not yours.

~~~
SmellyGeekBoy
> Good luck proving it was our fault not yours.

Seems like it would be incredibly easy to prove that an S3 bucket was
misconfigured in such a way that the data was publicly accessible. In fact
this has been the case in the recent high-profile cases that I can recall.

~~~
giggzy2
The S3 bucket was not public.

The hacker got ephemeral keys by remotely exploiting the WAF. The WAF had no
reason to have privileges to read from S3, that was a mistake.

I’m unclear if data in bucket was encrypted at rest but I guess if you get
keys to read it’s a moot point.

------
irrational
I'd really like to see someone target federal politicians. Get their data and
just destroy their finances. Now that would get their attention and result in
rapid changes.

------
lol_jono
Thoughts and prayers

------
drunner
Has anyone seen any material on what to do if you have Capital One accounts
besides update passwords? My Credit is already frozen.

------
HNisCurated
"we did nothing"

Who?

These companies get sued, that is a reaction.

Congress? Well if you make a law twice as illegal, I'm sure that will make it
stop /s.

No one wants to be hacked, let's not pretend there is no fallout from ignoring
security.

~~~
acollins1331
Oh come on, do you think these companies are doing everything to protect our
data? Why the hell are our credit card applications hosted online anywhere
after they've been processed anyway? And for 14 years?

No mate, making it doubly illegal (such as actually fining and imprisoning the
negligence in leadership that chooses forgiveness over permission) would
undoubtedly help. There are plenty of ways to keep our data secure and they
didn't do enough.

~~~
cameronbrown
This line of thinking doesn't work. I want to agree with you, but I can't. An
executive could do all the right things by promoting and pushing for security
in their organisation and still be hacked. Should he/she face jail now?

~~~
sgjohnson
Problem is, executives don't understand those things. Of course it's very
simple to point a finger at them, but they rarely are tech savvy, and they are
there to run the company, not micromanage every decision every department
makes.

~~~
okmokmz
Hiring people that don't know what they're doing isn't a reasonable excuse,
such as Susan Mauldin, the ex-CSO of Equifax with a bachelor's in music and no
technical or security related education/training.

