SoylentNews is people

posted by n1 on Thursday October 08 2015, @08:19PM
from the open-trading dept.

If you've bought shares using retail broker Scottrade in the last few years, you may want to get in touch with the biz because its servers have been plundered by hackers unknown.

The firm only found out about the data breach when the Feds got in contact to let it know. It now appears that 4.6 million customer accounts have been compromised. The IT security breach occurred between "late 2013 and early 2014", and the intruders primarily went after customer names and addresses, we're told.

"Although Social Security numbers, email addresses, and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident," the firm said in a statement.

"We have no reason to believe that Scottrade's trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident. We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm."


  • (Score: 1, Interesting) by Anonymous Coward on Thursday October 08 2015, @08:45PM

    by Anonymous Coward on Thursday October 08 2015, @08:45PM (#247054)

    This seems to be a daily occurrence now. From the combined numbers of all the different hacks, every single US citizen that ever lived (and some that have not even been born yet), including those with high-level security clearances, has been compromised. So how come identity theft is not happening on a massive scale?

    • (Score: 2) by rondon on Thursday October 08 2015, @08:53PM

      by rondon (5167) on Thursday October 08 2015, @08:53PM (#247061)

      Real question: who says it isn't happening on a massive scale? It has happened to me more than once (anecdotal I know) so who is to say it isn't happening to many others?

    • (Score: 3, Interesting) by Non Sequor on Thursday October 08 2015, @09:03PM

      by Non Sequor (1005) on Thursday October 08 2015, @09:03PM (#247072) Journal

      I'd hazard a guess that the level of fraud observed may be more constrained by man hours of criminal labor than by volume of raw data.

      SSNs are harder to get than the other personal data items but once you have that, I'm guessing you need to devote some time to round out the other items (mother's maiden name, address, middle name, phone number). If you were perpetrating identity theft, you might also do some triage to identify the better targets.

      There may also be an effective limit on how many applications for various things you can send out without calling attention to yourself.

      If this hack was focused on contact information, then I'm guessing the focus was on info for spear phishing rather than credit fraud. That could have a somewhat higher throughput than identity fraud.

      --
      Write your congressman. Tell him he sucks.
      • (Score: 2) by frojack on Thursday October 08 2015, @09:54PM

        by frojack (1554) on Thursday October 08 2015, @09:54PM (#247088) Journal

        I'd hazard a guess that the level of fraud observed may be more constrained by man hours of criminal labor than by volume of raw data.

        Clearly this limitation does not apply to those breaking in and stealing the data. They seem to harvest far more data than they (or their customers) can use.

        So there may be some selective process by which those with access to this data actually make attempts to use it. Perhaps, as you surmise, they are simply collecting data from various sources until some analysis engine spits out matches in a number of databases indicating they have enough for an attempt.

        From that you need to subtract those that have (by that time) put some protection and monitoring in place.
        From the remainder, you have to subtract those that are caught by automated processes put in place by the banks and credit card companies. (I've had Visa intercept several attempts to compromise my credit card. Usually this results in the snap cancellation of my card followed by an immediate re-issue, not always at a convenient time).

        You are left with a few customers with slim protection. But these are unlikely to be very lucrative accounts.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 0) by Anonymous Coward on Thursday October 08 2015, @10:31PM

          by Anonymous Coward on Thursday October 08 2015, @10:31PM (#247113)

          Credit fraud is the lowest level crime this data could be used for.

          Think bigger. I promise the data thievery rings are. For example, with this kind of info they can now impersonate Scottrade, call up the customer and get them to do things like reveal newly changed passwords, or conduct 'test' trades that are actually real trades. They can use the info to impersonate the customer at other institutions. They can use the balance info to decide if the customer has a high enough net-worth to target for a long con or even a kidnapping. It is really open-ended, worrying about credit card fraud is so last decade.

          • (Score: 2) by frojack on Thursday October 08 2015, @10:39PM

            by frojack (1554) on Thursday October 08 2015, @10:39PM (#247118) Journal

            The thing is, people smart enough to have enough money to use Scottrade probably would not fall for this nonsense.

            "Test Trade?" Really? Are you stupid enough to fall for that, or do you just assume everyone else is dumber than you and would glibly assume Scottrade had no other way to test their system other than by cold calling some random customer?

            --
            No, you are mistaken. I've always had this sig.
        • (Score: 2) by Non Sequor on Thursday October 08 2015, @11:09PM

          by Non Sequor (1005) on Thursday October 08 2015, @11:09PM (#247138) Journal

          I'm thinking the pattern is hackers steal data, sell it to a fence, who sells the data to a large number of scammers who each have different data sets and buy new ones when their list of strong prospects gets too thin. Time spent doing searches through public data may be a substitute for new hacked data.

          Collectively, the scammers have at least some data on most people. What actually triggers a successful identity attack against you could be new data added to the collection or it could be a result of time spent scouring public data or it could be scammers working out new tactics for using the information without getting caught.

          Here's an example of one form of identity theft in practice: http://www.al.com/news/montgomery/index.ssf/2015/08/alabama_mail_carrier_accused_o.html [al.com]

          It sounds like a substantial chunk of that was old school fraud rather than data collection. The opportunities were also limited based on geography.

          --
          Write your congressman. Tell him he sucks.
          • (Score: 2) by frojack on Friday October 09 2015, @12:12AM

            by frojack (1554) on Friday October 09 2015, @12:12AM (#247173) Journal

            I suspect the searching is the least of their problems. They probably have computers, ready-made scripts, matching algorithms at the ready.

            Now setting up the attack, establishing enough plausibility, making sure you can answer the surprise question, etc. That might take a bunch of time.

            I can't remember who the verification call came from, but one of my brokerage companies had need to verify me when I called, and they were asking me street names in cities I haven't lived in for over 30 years, vehicle models long since sold, old co-worker names, and all sorts of other stuff that I had no idea where they got it. Not all of it was on the internet as best as I could tell.

            --
            No, you are mistaken. I've always had this sig.
            • (Score: 2) by Non Sequor on Friday October 09 2015, @01:25AM

              by Non Sequor (1005) on Friday October 09 2015, @01:25AM (#247198) Journal

              Eh, I'm drawing inspiration from my work that involves the legitimate use of personal data. Occasionally I make forays into unorganized data sources to troubleshoot data entry problems from our clients. This involves things like newspaper announcements, obituaries, and some sketchy white page sites that include estimated ages. Today I confirmed that some dude existed by pulling up his voter registration from a "genealogy site" that has one state's (publicly requestable) voter registration records.

              Improvised matches between data sets can be tricky too, but sometimes they're needed to bridge data sets with different conventions, although that is a do it once and it just works sort of thing.

              I struggle to remember the model year on my current car or the names of streets I regularly use so I'd fail the level of vetting they put you through.

              --
              Write your congressman. Tell him he sucks.
  • (Score: 0) by Anonymous Coward on Thursday October 08 2015, @09:01PM

    by Anonymous Coward on Thursday October 08 2015, @09:01PM (#247070)

    This AC's Rule of Data Security is - If it is on a network, it will be stolen.
    This AC's Corollary of Data Security is - The more valuable the data, the sooner it will be stolen.

    You want security? Print it on paper and put it in a filing room with controlled access.
    It still might be stolen, but it will take 1000x more effort to do it.

    • (Score: 2) by arslan on Friday October 09 2015, @02:31AM

      by arslan (3462) on Friday October 09 2015, @02:31AM (#247219)

      Hey AC... is there an AC's rule about getting security tips from ACs on the internet?

    • (Score: 0) by Anonymous Coward on Friday October 09 2015, @05:50PM

      by Anonymous Coward on Friday October 09 2015, @05:50PM (#247504)

      This AC's Rule of Data Security is...

      Well, that's just splendiferous! However, there is one important thing your little rules won't be able to get around: many (most?) of today's big leaks of customer PII come not from the negligence of the individual customer but from the negligence of the companies holding our customer data. The vast majority of us have little or no say in how those companies holding our data keep positive control of it. Care to come up with some rules for combating that problem? And before you say "just don't give them your PII", that is practically impossible. You may as well just advise all of us to go completely off grid and live in caves.

  • (Score: 5, Insightful) by darkfeline on Friday October 09 2015, @12:25AM

    by darkfeline (1030) on Friday October 09 2015, @12:25AM (#247182) Homepage

    I'm a little confused and worried about a recent trend in security breaches. It goes something like this:

    "The attackers accessed information about users' names, addresses, emails, etc. But don't worry! The passwords are safe!"

    I would much rather the passwords be compromised than any of the other information. A compromised password costs, at most, one minute to change and check for malicious activity, not to mention that the passwords are all salted and hashed. Compromised personal data? Cannot be fixed.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 2) by Yog-Yogguth on Friday October 09 2015, @11:55PM

      by Yog-Yogguth (1862) Subscriber Badge on Friday October 09 2015, @11:55PM (#247646) Journal

      And in this case also profiled as belonging to far above average value targets.

      --
      Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))