Friday, January 21, 2011

The Bank of iTunes

As a security professional, I am more aware than most of the risk of identity theft and financial fraud.  So some may find it odd that I was an early adopter of, and am a big fan of, online banking.  After all, isn’t that how one’s identity is stolen?  Isn’t online banking the quickest path to financial fraud?  Well, no, and yes.

The interconnectedness of the Internet and the myriad financial transactions that take place across it certainly expose me to risks I would not face in a brick-and-mortar branch.  A fraudster no longer has to interact with me face-to-face, and a modern-day bank robber no longer has to go after the physical vault (though they still do, as recent stories from Folsom and Austin show).  Instead, he or she can attack the bank electronically, or plant malware on my PC to steal login credentials (it is far less likely that someone will intercept the traffic between my PC and the bank, since that connection is encrypted).

But that’s not really the point of this post.  Banks, credit card issuers, investment offices, and other handlers of money have a very strong incentive to protect their electronic vaults.  That is, after all, where the money is (as notorious US bank robber Willie Sutton probably never actually said).  The PCI DSS (an industry standard binding on anyone who handles card data, not a law) mandates fairly rigorous (though not perfect) data protection, and in the US consumer protection laws provide some recourse in case of successful fraud.  In the balancing act of convenience versus security, my scale tips in favor of banking online.  Malware such as ZeuS notwithstanding, I don’t worry too much about fraud when I bank online.

But here is something I do worry about: what happens when banking bleeds into other aspects of life?  Like many security professionals (and I encourage you to do this too), I separate my online presence into a couple of buckets – I use strong passwords and a protected browser environment (a dedicated PC whose sole purpose is my family finances) for my financial and confidential / sensitive activities, and I use a more open approach to general web browsing.  Why use Fort Knox-level security to protect my login to post comments to a blog I read?

Here is where things get sticky, though.  Does my account with my electricity provider warrant the same level of security as my credit card issuer?  Perhaps not … until I realize that my utility has a record of my credit card number to automatically pay my monthly bill.  To me, that is a minimal risk: the utility has the card number, but neither I nor an attacker who takes over my account can view it through the account (the card information can only be updated, not read back), and the account cannot be used to make new purchases.

How about an example that might hit closer to home?  Security firm Sophos reported recently that a Chinese auction site has some 50,000 stolen iTunes accounts available for sale … iTunes accounts associated with credit cards … iTunes accounts that can be used to purchase anything from $0.99 songs to a nearly $1,000 "VIP Lifestyle" iOS application.  A few hundred song downloads in an evening could run up a substantial bill in a hurry.  These iTunes accounts are now in essence credit card accounts.

Does that mean I need to protect my iTunes account the same way I protect my bank account?  Maybe, but what happens if I download a song that happens to have a malicious payload to exploit a bug in iTunes, installing a password harvester on my so-called high-security banking system?  Bringing iTunes into my “vault” suddenly bridges the gap between the vault and the “back alley."

What is the solution?  I don't have a perfect solution for everyone, but my solution is to minimize the link between my financial identity and my personal identity.  I don't allow retail or entertainment accounts to store my credit card if said account can be used to make new purchases.  Entering payment information manually each time is a fair compromise for the reduced risk, in my mind. It's almost no added effort since LastPass (which I use to manage my passwords) also stores my credit cards for two-click entry into web forms. As a result, if such an account is compromised, it inconveniences me but has limited financial impact.
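The utility-account pattern described above, where a stored card can be replaced but never read back and the account itself cannot make purchases, is the kind of thing a site can build deliberately. Here is an added example in Python, not code from the original post or from any utility or retailer, of a "write-only" payment profile: the full card number is validated, handed to a (simulated) tokenization step, and only an opaque token plus the last four digits are retained, so neither the account view nor an account takeover yields a usable card number. The card numbers and token format are constructed for the demo.

```python
import re
import secrets


class PaymentProfile:
    """Write-only card storage attached to a customer account.

    The full PAN (card number) is accepted on update and immediately
    tokenized; only the token and last four digits are kept.  There is
    deliberately no method that returns the PAN.
    """

    def __init__(self):
        self._token = None   # opaque reference to the card held by the processor
        self._last4 = None

    @staticmethod
    def luhn_ok(pan: str) -> bool:
        """Luhn mod-10 check: catches typos, not fraud."""
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:          # double every second digit from the right
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0

    @staticmethod
    def _tokenize(pan: str) -> str:
        # Simulated processor call: a real system sends the PAN to the payment
        # processor over TLS and stores the token it returns.  The random token
        # here stands in for that and carries no information about the PAN.
        return "tok_" + secrets.token_hex(12)

    def update_card(self, pan: str) -> str:
        """Replace the stored card.  Returns the masked form, never the PAN."""
        pan = re.sub(r"[\s-]", "", pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and self.luhn_ok(pan)):
            raise ValueError("invalid card number")
        self._token = self._tokenize(pan)
        self._last4 = pan[-4:]
        del pan                     # nothing on this object retains the full number
        return self.masked()

    def masked(self):
        """What the account page is allowed to show."""
        if self._last4 is None:
            return None
        return "**** **** **** " + self._last4

    def account_view(self) -> dict:
        """Everything an account holder (or an attacker holding the session) can see."""
        return {"card_on_file": self.masked()}

    def bill(self, amount_cents: int) -> dict:
        """The merchant's own monthly charge goes through the token, not the PAN.
        This is the only thing the stored card can be used for."""
        if self._token is None:
            raise RuntimeError("no card on file")
        return {"token": self._token, "amount_cents": amount_cents}


if __name__ == "__main__":
    p = PaymentProfile()
    print(p.update_card("4111 1111 1111 1111"))   # constructed test number
    print(p.account_view())
```

The point of the design is in what is absent: no getter for the card number, and the one operation that uses the stored card (the merchant's own bill) is not reachable through the customer-facing view. A site that instead lets the account place arbitrary new orders against the stored card has turned that account into a credit card, which is exactly the iTunes situation above.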

While I am on the topic, I read a related posting by a fellow SANS Mentor this week, on a different aspect of online banking.  Do you protect your usernames to the same extent that you protect your passwords?  If not, it is a trivial matter for an attacker to deny you access to your own bank, simply by attempting to log in with an invalid password enough times to lock your account: (in Spanish; here is a rough translation)
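The lockout denial of service just described comes from a specific design choice: counting failures per username, from any source, and locking hard. As an added example, not code from the original post or from the SANS Mentor's article, here is a Python sketch of that naive policy next to a throttling policy that counts failures per (username, source) with a time-limited, exponentially growing delay, so an attacker guessing at a known username from one address slows only that address down. The usernames, addresses and the password store are constructed, and password hashing is simplified to SHA-256 for the demo (use bcrypt, scrypt or Argon2 in a real system).

```python
import hashlib
import hmac
import time
from collections import defaultdict


def _h(password: str) -> str:
    # Demo only: real systems use a salted, slow hash (bcrypt/scrypt/Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store for the example.
USERS = {"alice": _h("correct horse battery staple")}


def _password_ok(user: str, password: str) -> bool:
    stored = USERS.get(user)
    # compare_digest avoids a timing side channel on the comparison itself;
    # this demo does not hide whether the username exists.
    return stored is not None and hmac.compare_digest(stored, _h(password))


class NaiveLockout:
    """Lock the username after MAX_FAILURES bad passwords, from anywhere, until
    someone resets it.  Anyone who knows the username can lock the owner out."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user: str, password: str, source: str) -> str:
        if user in self.locked:
            return "locked"
        if _password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
        return "denied"


class ThrottledLogin:
    """Count failures per (username, source) and impose a growing, time-limited
    delay on that pair.  A guesser at 203.0.113.7 is throttled; the real owner
    logging in from 198.51.100.2 is not affected."""
    BASE_DELAY = 1.0     # seconds after the first failure
    MAX_DELAY = 900.0    # cap so the delay never becomes a permanent lock

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable for testing
        self.state = {}                    # (user, source) -> (failures, not_before)

    def login(self, user: str, password: str, source: str) -> str:
        now = self.clock()
        count, not_before = self.state.get((user, source), (0, 0.0))
        if now < not_before:
            return "throttled"
        if _password_ok(user, password):
            self.state.pop((user, source), None)
            return "ok"
        count += 1
        delay = min(self.BASE_DELAY * 2 ** (count - 1), self.MAX_DELAY)
        self.state[(user, source)] = (count, now + delay)
        return "denied"


if __name__ == "__main__":
    naive = NaiveLockout()
    for _ in range(5):
        naive.login("alice", "guess", "203.0.113.7")     # attacker, wrong password
    print("naive, owner:", naive.login("alice", "correct horse battery staple", "198.51.100.2"))
    throttled = ThrottledLogin()
    for _ in range(5):
        throttled.login("alice", "guess", "203.0.113.7")
    print("throttled, owner:", throttled.login("alice", "correct horse battery staple", "198.51.100.2"))
```

Per-source throttling is not a complete answer: an attacker with many addresses can still spread guesses across them, so production designs also cap total failures per account in a sliding window, alert on the pattern, and offer a self-service recovery path rather than a lock that only the help desk can clear. What the comparison shows is that the hard per-username lock converts a merely known username into a denial-of-service handle, which is why the posting above treats usernames as worth protecting.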