Zero Day Threat

Ben Rothke writes "Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity is an interesting and eye-opening look at how banks and credit card companies make ID theft and fraud rather elementary. But with all that, this book must be read in the larger context of how today's society deals with, and is often oblivious to, risk. When is comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious about near-epidemics such as heart disease, obesity, and diabetes. With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem with identity theft and internet fraud." Keep reading for the rest of Ben's review.

Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity
author	Byron Acohido & Jon Swartz
pages	304
publisher	Union Square Press
rating	9
reviewer	Ben Rothke
ISBN	978-1402756955
summary	Excellent overview on the epidemic of indent theft

The internet and web have indeed revolutionized society, and there is hardly an industry that has not been positively affected by the net. On the down side, the net is the new conduit for criminals. For example, in the few years before the web became ubiquitous, U.S. and international law enforcement nearly had a noose around the child pornography industry and brought it to a near standstill. After the web, authorities have given up hope that child pornography can ever be contained.

Similarly, white-collar crime and fraud has been exacerbated by the net. Zero Day Threat details the various loopholes that criminals use to carry out their attacks and crimes. Each of the book's 18 chapters is divided into 3 section, exploiters — which details how the crime lords and their teams carry out the crimes, enablers — which details the history and current practices of credit card companies, banks, credit bureaus, and data brokers, and expediters — which recounts how technology and technologies enable these crimes. I found that the breaking up of the chapters into such triplets is occasionally confusing, and you are left wondering what story you are in.

The book is based on the premise that the payment industry, namely the credit card companies, banks, credit bureaus and data brokers have created an infrastructure that is pliable, nearly endlessly extendable, but paper-thin when it comes to security. The system is built for ease of access, ease of granting credit, but without a robust security infrastructure or privacy controls.

Consider that the PCI Security Standards Council was not created until late 2004, and that will give you an idea how security is anathema to the industry. The outgrowth of PCI is the PCI Data Security Standard which is the first uniformly created set of comprehensive security requirements for enhancing payment account data security. While the industry debates the efficacy of PCI, attackers are busy at work running innumerable fraudulent schemes.

The authors paint an honest appraisal of the lack of security in the industry and have their facts in order, although an occasional hyperbole does creep in, for instance when the authors repeatedly state that the hackers in question went weeks without sleep. But a huge error is where they state in chapter 11 that PCI is controversial, with some merchants complaining that it is too costly to implement. There is nothing controversial about PCI, and the security controls it requires are sorely needed. While merchants express their discontent about security and its associated costs, attackers steal from underneath them. The quicker the merchants get that they needed security, the quicker the attacks will stop. But as the book shows, that will not happen anytime soon.

Part of the reason why identity theft will not go away anytime soon is similar to the problem in the air traffic control industry, as detailed in Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It. There are too many players in the game, all of which focus on their own interests, and no one wants to take responsibility for the problem. The fact that the Social Security number (SSN) is still used as a key personal identifier, combined with the ease at which an individual 's SSN can be obtained and misused should be enough to give anyone pause.

The primary purpose of a SSN has been to track individuals for taxation purposes. But in the last decade, the SSN has become a de facto national identification number. When established in the 1930s, the Social Security Administration meant for the SSN to be used as a way to track a person's earnings for Social Security benefits. Despite its narrowly intended purpose, the SSN is now used more for non-Social Security purposes, than for the reason it was created. Today, SSNs are used for identity verification, and are the de facto identifier for the credit and financial services industry. With SSNs being aggregated by the millions, they are the fodder for the stories in the book.

Book such as Silent Spring, which helped launch the environmental movement, and The Jungle, which exposed the corruption of the American meatpacking industry, were watershed books that changed America. While Zero Day Threat is not in the same category as either of these books, it is highly unlikely that the level of outrage it will create will be much, nor the indignation significant. Because as bad as identity theft is, and as much grief as it causes, there are far too many politicians, powerful companies, lobbyists and more that are in the way of any change.

Nonetheless, Zero Day is a most interesting look at the many players that work together to facilitate the countless identity theft rings. The book is an absorbing look at the many international players and their enablers involved. While identity theft is not going away anytime soon, Zero Day Threat details the problem, and shows what you can do to ensure that you are not a victim.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Review ?

When is comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious about near-epidemics such as heart disease, obesity, and diabetes. With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem with identity theft and internet fraud.

Is this a book review or a political tract ?

Re:Review ?

More than that, it's essentially meaningless. Americans are not "oblivious" to obesity, and do not "tolerate" drunk-driving deaths. Cursory references to large problems like that weaken your opinion and make the reviewer sound flippant rather than bolstering a real or arguable opinion.

American society tolerates 200,000 deaths per month! Most of these are due to heart disease! Why should we care at all about economic systems or fraud?

The answer is we care about both, and heart disease receives a great deal of attention from the best and brightest students and gets a large amount of public and private financing. That need doesn't obviate the need to avoid fraud, or remember your wife's birthday, or all of the other small stuff in the world. Now, let's discuss the book.

Re:Review ?

More than that, it's essentially meaningless. Americans are not "oblivious" to obesity, and do not "tolerate" drunk-driving deaths.

Perhaps not individually, but as a mass, they are. Surely obsese people don't like being called "fat tub of lard" but in the end they do nothing to improve their condition. They keep eating the same quantities of junk / high-carb food, do from little to no exercise, and even ask not to be "discriminated" for their "condition". See, it's not a problem, it's a disease, and since it's a disease, there's nothing they can do about it. They feel better with themselves, and problem solved.... right? RIGHT?

Re:Review ?

in the end they do nothing to improve their condition.

And why is this a problem? Some people choose to smoke even though they know the risks of doing so. If people choose to live unhealthy lifestyles than I'm not going to get real worked up about it. I don't know about you but I'm growing weary of the war on vice.

Provide people with the information but at the end of the day it's up to them to make smart choices.

Re:Review ?

And then after that she found out that there were kidnappers and murderers outside so she was smarter and kept you in the house all day. Such paternalism can be taken too far, and it is. Enter video game bans, smoking bans, gun bans, etc...

The analogy is flawed anyway. A child needs such parental protection because they can't know any better. Adults can and should know better, and if they are coddled they will never learn how to make good decisions. Then that becomes justification for ever more laws to protect them from their own stupidity. Quite the cycle.

Also, the idea that "Provide people with the information but at the end of the day it's up to them to make smart choices." is a Republican mantra is laughable when they are the party that has been against contraception education in schools and want to outlaw abortion. It should be everyone's mantra anyway, at least anyone interested in maximizing freedom.

Re:Review ?

It's a problem because like smoking and other addictions, such people can become a burden on society.

As a taxpayer, I wish more people smoked. It's cheaper when they die of lung cancer in their 60s than when they collect Social Security and Medicare until they're 90.

Re:

And what should society as a whole do about that? It's like drunk driving or any of hundreds of society's problems - the underlying cause cannot be addressed. To eliminate drunk driving we just need to eliminate the freedom to drive. To eliminate obesity, we just need to dictate to people what they can or can't eat and then mandate some exercise. Let's eliminate peoples' freedom of choice, shall we?

Surely obsese people don't like being called "fat tub of lard" but in the end they do nothing to improve their condition

I'm sure there are things about yourself that you don't like, don't want pointed out, and don't do anything to

Re:

So carry water and learn to enjoy a peanut butter sandwich.

Conflating the food that you brought to work today with 'the food at the disposal of the average American" is borderline offensive.

Re:

Actually, I have had a great deal of success with a primative diet (high fat, high protein, very low carbs) but the real problem can be traced to High Fructose Corn Syrup. In the US nearly EVERYTHING has this poison in it because it is cheaper. In Europe and South America it cane sugar is cheaper. The problem with HFCS is that the liver stops processing other items until all of the HFCS is processed, if you eat lots of it it never lets the other stuff in to be processed.
The question is "why is HFCS so cheap

Re:Review ?

"Oh stop it. 90% of food at the grocery store does not have high-fructose corn syrup in it."

If it is a processed item it most probably contains either Corn Syrup or HFCS. Granted the produce section is fairly safe as is most of the meat section, however vitamin D fortified milk has small amounts of HFCS added (at least at the stores around me). Even if an item has 'sugar' it will most often have additional HFCS added. Even some 'diet' beverages have HFCS added to them. READ LABELS.

    "That is so non-sensical it's hard to know where to start. You make it sound like the liver is the primary digestive organ. Also, according to you, if I eat some HFCS, I can then eat 20,000 calories and it'll never be processed. Hurray! HFCS is the cure for obesity."

High-fructose corn syrup (HFCS) is a recent invention of the food industry, made by an enzyme-mediated process. Old-fashioned corn syrup is less sweet and contains mostly glucose....

"HFCS contains 14 percent fructose. Never before in history have so many people been consuming so much fructose, and I am concerned about its possible disruptive effects on metabolism. I'd advise you not to buy products made with HFCS...."

From http://www.metnews.com/articles/reminiscing110603.htm [metnews.com]
A Los Angeles Times article on March 24 said: "Unlike glucose, fructose is almost entirely metabolized in the liver. When fructose reaches the liver, says Dr. William J. Whelan, a biochemist at the University of Miami School of Medicine, 'the liver goes bananas and stops everything else to metabolize the fructose.' "

    "Sorry, wrong. The reason is the high import tariff on sugar in the USA. That's not the same thing as a subsidy."

While I admit that you are partially correct here. In ADDITION to high tariffs on sugar there are also substantial subsidies provided to the growers and refiners of corn.

Additionally, If one was to chart the occurrences of obesity and diabetes, heart disease, etc. in the US and compare that to the overall production/consumption of HFCS the lines mirror themselves even closer than that of carbon and global warming. Believe the propaganda that you choose. I know of 7 people who all removed HFCS from their diet and low and behold their blood glucose levels returned to normal, their serum cholesterol dropped to normal levels and the lost a substantial amount of weight. All but 2 had these results without additional exercise or other caloric modifications. The other 2 actually increased the amount of calories and the amount of dietary fat and still lost weight although they did increase their activity.

So get bent ass clown

Re:Review ?

"Oh stop it. 90% of food at the grocery store does not have high-fructose corn syrup in it."

Assuming a grocery store is a supermarket and not a greegrocer's, then you are wrong.

I apologise for the payment gate, but there's an hour long lecture on corn in the US food system available here:
http://www.alternativeradio.org/programs/POLM001.shtml [alternativeradio.org]

Amongst other things, the speaker details the scientific testing done trying to find processed food with no corn in it. USians should listen to this talk.

If you're referring to a real greengrocer, then you need to check the availability and price of these stores and goods compared with processed foods. I don't think most people can afford a fresh fruit-and-veg diet in the US, or so I've been told.

As for the liver, apparently every cell in the body can metabolize glucose. However, all fructose must be metabolized in the liver. The livers of rats on high fructose diet look like the livers of alcoholics, plugged with fat and cirrhotic. (from http://www.westonaprice.org/motherlinda/cornsyrup.html [westonaprice.org])

This is probably what the previous poster was referring to.

A tarrif is not the same as a subsidy. However, they have roughly the same effect. Ignoring tarrifs, it remains true that the corn industry, and the oil industry upon which it depends so heavily, are both subsidised by the US taxpayer.

Between 1995 and 2003, federal corn subsidies totaled $37.3 billion. Ethanol makes this even worse.

http://www.slate.com/id/2122961/ [slate.com]

There are very big problems with corn in the USA and you should do your own homework; it took me 5 mins to glue some links together.

Oh, and read "fast food nation".

Re:

I think what disturbs me about the submitter is the implication that lack of government or large organization action implies we don't "care" as a country about these problems.

Thats a flawed argument. Yes we care, its just we care more about the individuals right to make their or decisions. Talk about a loaded political submission. I thought this was "news for nerds" not "manifestos for the nanny state".

Re:Review ?

It has nothing to do with the risk assessment. It has to do with one sides inflamed rhetoric being spewed as if it was fact. That is a political rant, not a book or a book review unless the book and review is politically oriented.

Here are a few examples with the truth behind it.

"American society tolerates tens of thousands of drunk-driving deaths" This is false, the truth is that all areas in America assign high/strict penalties to people who get caught drinking and driving as well as those who cause drunk driving deaths. Nobody tolerates drunk driving deaths at all. But just like a kitchen knife that can be used to kill a person, not everyone who gets drunk drives let alone kills someone. The author is insinuating that because we havn't banned anything the could indirectly lead to a death, we tolerate the death.

"gives millions in federal tobacco subsidies" This has nothing to do with risk. Tobacco is used for more the cigarettes and doesn't always cause harm to everyone.

"and is oblivious about near-epidemics such as heart disease, obesity, and diabetes" again this has nothing to do with risk. It is nothing but a political rant about fat unhealthy Americans.

"With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem with identity theft and internet fraud." Notice how this political rant mentions a body of politics directly? I mean it specifically says CONGRESS and suggest they should be doing something.. perhaps if he said "think of the children" it would have been more obvious.

None of the things mentioned have to do with banks or threats. None of them are related. And before you or someone else jumps in with "but..but. but Tobacco causes cancer", look at how many people have used tobacco who has gotten cancer. Before you or someone else chimes in with "but alcohol is legal", realize that so are guns, knives, baseball bats, and millions of other things that can be just as lethal if used improperly. In order for there to be a drunk driving death, a person must violate not one, but at least two separate laws if not more. "but. but , but Heart attack and diabetes" shut the hell up. How many people eat a twinky and get diabetes? How many people eat a greasy cheeseburger and have a heart attack. How many people who don't exercise every day or don't stick to some annoying persons latest health fad diet, have diabetes or heart attack? How many people who are over wight according to come damn chart have heart disease or diabetes? And after you figure all that out, compare it to how many people never have one lick of problems.

The comments in the submission were made by a moron too stupid to see he is being manipulated and your too distracted to see when he is getting political.

Ummm....

When is comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious about near-epidemics such as heart disease, obesity, and diabetes.

This whole sentence is moronic, but it's easiest to point to the fact that federal tobacco subsidies ended several years ago. If one has to criticize American society, too little hysteria over risk seems like an odd choice.

The really sucky thing is...

if you do get your identity stolen, it's up to YOU, the victim, to keep the documentation forever regarding everything to do with the theft - even if it's the fault of some careless company or government agency.

Know this site and this is the ONLY tuly free credit report [ftc.gov] direct or start here [annualcreditreport.com]. The other "free" credit report websites are just trying to sell you stuff that you don't need.

To be truly safe from someone opening credit in your name is to freeze your credit - monitoring services are NOT as good. Here's a great guide on how to do it. [clarkhoward.com]

On another note and something positive about credit, check your credit card. They may offer to double or more the manufacturer's warranty. Meaning, if you're actually considering an extended warranty, your credit card may give you the same coverage to you for free.

But other than that, the whole credit industry seems to be geared towards sucking us in. I mean, unless you're going to drive and stay with friends and relatives, is it possible to travel without one?

Is it possible to get a job without a credit rating now? They background checks with Choicepoint who gets their data mostly from the credit bureaus.

What about flying? If you don't have a credit rating, are you automatically flagged as suspect?

And as far as SSN is concerned, we're stuck with that beast. I kind of hope it does go bankrupt then maybe we can burn the things!

Wrong, Wrong, Wrong

American society tolerates...
There is not enough time or resources to protect people from themselves.

identity theft will not go away .... There are too many players in the game
Clearly the author has no immediate experience in the banking industry. The process is designed to minimize business risk. It shifts the consequences to the customer. It's intentional and the industry is quite happy with it.

Utter the words EMV in the U.S. banking industry and you are on the wrong end of a tirade on socialist schemes, government regulation and the kitchen sink's role in harming business interests.

Great more to care about....

Great something else I need to care about. Why is everyone telling me that I need to care about something. Global warming, global cooling, global climate change, Obama, McCain, Clinton, Pelosi, abortion, gay marriage, paying my taxes, paying my rent, RIAA, the most recent pop tart to get drunk and flashing her cooch, Colbert, Sterwart, child pornography, identity theft, and on and on. It's not that people don't care or are comfortable with risk it's just there are too many things to care about.

Frankly if someone wants my identity they can have it but you gotta take the whole thing because I don't fucking care anymore.

Install accountability, and this will get fixed

Until it costs institutions less to secure this stuff than it does in losses, this will not change.

How do you shift this balance?
- Make the C level folks criminally and financially liable for theft of your data (they store it and sell it, they should be on the hook to protect it).
- Make the credit agencies financially liable for inaccuracies in their data bases. (they should be held accountable for the accuracy of the information that they are selling).

Today, there is no real recourse for you if institutions sell lies about you, or give your private data away to all takers.

The nanny state mindset in its purest form

In which "failure to pass bunches of laws and spend taxpayer's money" is equated with "being oblivious to"

It seems so elementary to me...

...but working in the financial industry may have my blinders tighter than ever.

I recall a very basic security seminar I was in many years ago - before Microsoft was in the server business. One of the core concepts presented was the three security factors we could rely on:

- Something you ARE - fingerprint, iris, voice, etc.
- Something you KNOW - password, phrase, challenge response.
- Something you HAVE - token, card, whatever...

Any two of the three could offer good security. Asking for all three could offer very good security. Of course, we are only talking about access security here, as being forced to use all three to sign into your already-compromised workstation does not offer much data security.

But in most credit card transactions, we have to offer at least #2 & 3, not always in that order. Adding biometrics (something you ARE) is interesting.

Faking #3 (something you HAVE) is not so hard. Cards get copied, and actually the account number may be as good as a card in the card-not-present environment that e-commerce lives in.

Faking #2 is the most current target of many, and they add loggers to terminals. Only a matter of time before we see wireless loggers inserted into terminals or POS devices, making it very hard for a consumer to check for the wire to 'another' device, and removing the need to go and retrieve the logger. Sending those PINs wirelessly is just too easy, only requiring a modest investment in technology. I venture there are plenty of ways to get those made for ya.

Ultimately, for financial security, I think we need to mitigate the technological 'expediter' by introducing either more accountability or more time into the settlement process, allowing fraudulent transactions time to be rolled back and deny the crooks the funds. That is probably impossible in an environment where merchants demand faster payment, especially when merchants live on the edge of cash flow and can fail if they are denied cash over the course of days. Imagine trying to slow down the cash flow for weeks...

Another option is faster accountability. Perhaps your cell phone is your friend here, and you get an SMS for every transaction... Imagine the thrill of seeing your purchase of two minutes ago appearing on your phone with a big "dispute this" button available. Imagine the thrill of getting that message for a purchase you *didn't* make, and killing the transaction... Imagine the potential for abuse. Not perfect.

One key point to remember, perhaps. Theft is not new. The methods have changed. The scale is larger, but everything is.

Is it fixable? Not if we want convenience. But hey, it used to be that people got mugged for cash. Does that happen so much any more? In a cashless society, with stricter security, are we gonna see ATMs that can tell the difference between the eyebell you use to authenticate yourself, or the eyeball the mugger just popped out of your socket?

Hope so. I want all my biometrics to stay with me.

Do they want us to all have bad credit?

It seems to me that the entire credit complex is designed to make sure that very few people have good credit and that it is trivially easy to lower a person's credit rating so that the cost of borrowing is increased. Even on the surface the system seems rigged -- credit bureaus get paid for access to their records by the very people who loan money out, thus they have a financial incentive to make sure that their ratings are as low as possible so as to maximize the profits of those loaning out the money.

I say this because it seems like every time I turn around there is some new attempt to evaluate (and ultimately lower) the credit score of people. The first one that comes to mind is the slight reduction every time you *apply* for credit, even if you don't take it. The second (which I believe was rebuffed here in MN) was the attempt to use driving records to help set credit ratings.

And now its identity theft, where the onus is on the consumer to use a complex and difficult system to "repair" their credit ratings which countless stories would indicate is nearly impossible to do, even a decade later.

In some ways its like the grade on a curve vs. straight percentage debate -- the credit industry seems to want to grade us on a curve, regardless of how many of us score 95% on the test, thus minimizing the pool of people who are eligible for the best interest rates.

Any criticism of America must be lefty claptrap

Those wacky leftists, pointing out that Americans don't assess or address risk well. What traitors!

Re:Any criticism of America must be lefty claptrap

What makes it "claptrap" is that the areas mentioned are all areas where there is government intervention all out of proportion with the risk, oftentimes applied in a manner where and examination of the risk factors involved indicate that the intervention does not significantly mitigate the risk.
Take for example drunk driving deaths, studies indicate that most fatal accidents involving alcohol involve people who have repeatedly been convicted of DUI. What is the response? Lower the legal limit for blood alcohol content.

Re:

And what exactly do you believe they deserve?

Honest question. I can see powerful arguments for pretty much any point on the spectrum, from a slap on the wrist and a month of therapy all the way up to the death penalty. Where do you place yourself?

Accepting some amount of risk and "tolerating death" are not the same thing, despite what some risk-averse folk will tell you. Quite the contrary: a life with no risk is not worth living, and so sometimes risks need to be accepted in the name of simple, basic freed

Re:AT LAST!!!...

Not according to Webster [merriam-webster.com].