Key Capitol Hill Hearings, CSPAN, December 16, 2013, 11:00pm-12:01am EST
good idea. all those things work. longer passwords, changing passwords. in new jersey, he had a cheap idea that would be extremely, i think, extremely useful and extremely effective. he said, you know, anybody can buy a laptop or a desktop for $300 these days. you set it up in your house. the only thing that you do on that computer is your online banking, right? that's the only thing. you don't check "the new york times," gmail, anything, except for your online banking. turn the computer off when you're not using it. that would make your bank information a lot more secure. a version of that advice: get a linux cd.
boot off of that, do online banking. >> sure, yeah. does that make you 100% secure? >> because the bank could have a data breach? >> right. right. a heck of a lot more secure than almost everybody else? absolutely. >> there are steps to be taken. the answer to each one is yes. >> it is valuable. we play a role in protecting data. looking at it on a broader level, it revolves around the criminal. anything we can do to, a, protect ourselves and also give assistance to law enforcement and their efforts to try to really stop this crime, right. every data breach we read about in the news that results in identity theft goes back to the street at some level. if you report something that happens to you, then law enforcement can take action, and eventually, that all kind of adds up to give law enforcement information and leads to work off of.
gonzalez's initial arrest was in new jersey -- or new york. everything goes back to being on the street. we say quickly that it's hard to demystify cyber, right? put a face to cyber. it's being conducted by real humans with real skills who could live anywhere at any time. those steps are reactive. the steps we can take proactively, they give us a fighting chance as individuals and organizations around the world, to where they get to a point they can do the same for themselves, right? they realize that the results of their security and the other efforts they put into this are now -- they affect the livelihood of others, and they're taking security very seriously around the world. >> next question is to abigail. hart has done interesting research. 11% of teens felt personally
vulnerable to identity theft. some of them said they posted all of the following -- full name, date of birth, self-portraits, the name of their school and e-mail address. are they more or less vulnerable to i.d. theft than in the past? >> the gentlemen here know what they're doing on the law enforcement side, but teenagers -- by virtue of the fact there are so many more platforms they're using and opportunities to be sharing information about themselves, and they are doing so, it would suggest to me that the threats are greater now than they were in the past. interestingly, teens -- the issue of identity theft is on their radar. people have talked to them about it. the idea of the personal -- the security -- their personal information is something they're cognizant of and they say is a concern for them.
credit or credit history is not something they're aware of. it's concrete if you have a credit card: someone can steal that number and you're charged for whatever they do. that's more concrete. so there is an awareness there. the question is the ftc's report on the 29-year-old cohort, people there who particularly note the prevalence of identity theft there is higher. folks may know more about the figures.
i would have said there's an awareness. there's room to educate kids about what they're doing. there are some things they are doing. choosing a variety of passwords: 54% of teens say yes, they do that. on the other hand, they recognize that as the most helpful thing they can do to protect their information. there are a lot not doing it. there's a disconnect. the focus groups say that's complicated and burdensome, the authentication -- i log on to facebook so many times a day and i have to do that every time. the question is, are they going to age into adulthood when they go on to college and when they go out to the, quote, real world, and start to take out loans for their education or credit cards and other things?
that's going to bring an awareness of the issue that i don't think was there for generations. whether they take the steps to protect their information in a comprehensive and complete way remains to be seen. but i think the threat is greater now. but there is an opportunity; they do seem more aware of it. once they become an adult with a credit card, how it plays out in their behaviors. >> i'll share this anecdote from my past. when i was a college student, the laws of the district of columbia were looser over what would pass muster. it was based on the d.c. college i.d. my college i.d. had my social on it so i put it on my fake i.d. too. sure, why not? smarter than i was. >> can i piggyback on one
thing. that's above my pay grade. as a federal employee, most things are. the harsh reality is that security and inconvenience are in constant tension. we should all recognize that. consumers need to recognize that because there are sometimes that corporations perhaps make it easier to legitimately access your data, maybe it be based upon the understanding in the industry. they want to provide their customers with the best possible interface they can. if their services are harder to use than a competitor's, then people are going to migrate to their competitors. we're all responsible. it's like -- everybody is responsible for taking the
steps that they can to make themselves more secure. but who wants to change a password every two weeks? who wants to do the dual identification, right? it's a pain. recognize at a starting point these two things are in tension with one another. if they recognized that vulnerability, that tension might be great and they would have a hard time going down the path of convenience. >> absolutely. >> one thing that's interesting, maybe there's a change a little bit. we did ask kids this, is your social security number online to your knowledge? 75% or more said their full name was. a lot of people said their other things were. but only about 2% to 4% said their social security number was. in the focus groups we did, kids clearly have been told, do not carry your card with you and do not ever give the number out.
i think it's worth noting that kids don't know their social security numbers. so it's not something they have off the top of their heads. they heard this message. they don't think -- really understand why that's important, but they recognize that a lot of people are telling them, this is something that you shouldn't share with anyone. >> if i could just add one last thing. we talk about, are they more vulnerable or not vulnerable. it comes down to the motivation of the attacker. the attack surface, the more data we put out, whether you're an adult or a teenager. where the data now goes, right? at the end of the day, it comes down to some extent to what the attacker wants. >> the next question, to speak to that, this one is to alan. a paper in 2011 on online identity and consumers, that what is under threat is not just specific credentials but the layer of the identity of the
internet. it's part of the architecture and it emerged through things like linkedin, facebook, foursquare, whatever. how well can you protect yourself while sort of putting yourself through the different portals? >> this is why i hate the term "identity theft." if i'm going to steal her water bottle. one, if you take her water bottle, we're going to take a bit of your anatomy and we're going to chop it off. then you also said, abby, why did you leave your water bottle by alan? we understand we have a responsibility to mitigate theft. it can't all be law enforcement. don't park in the neighborhood. lock your doors. have insurance. these are things we intuitively
understand as being part of the theft model. but what we're talking about is more the case of me going to andy, saying, i'm abigail. can i have my water bottle, please. that looks like abigail's business card. sure, here it is. if we wanted to stop that, go after me with the big knife or dotted line. what can we do to help andy make better decisions on whether or not the person claiming to be abigail is there. one thing is to be broader in the response to fraud or the more complicated frauds. we've got consumer protection laws in this country. they were actually fought against by the early card companies but now
turn out to be their best friend. we're not afraid to use credit cards in america. now we're made whole, right? it's inconvenient. we have to go back. hey, i haven't made that purchase. but most of the responsibility, the financial burden, rests on the banks, who are in a position to align the response. the broader question such as access to goods and services, all of the social security number and that information. you're a teen, i can tell when you're born. why isn't anyone saying, hey, that person is a teenager. they can't possibly have a mortgage with that social security number. we want to put that in the decision-making process. there's a financial conflict of interest here.
>> i can take a stab at that. first of all, 76% of all data breaches we investigate -- around the world -- the attacker leveraged weak or stolen credentials. that gives you an idea. two-factor authentication solves that statistic from our perspective. it's a mitigating factor. if you employ two-factor mitigation, there are pieces of malware that have unique capabilities to sort of bypass some -- some capabilities more sophisticated for targeted attacks. this, then, points back to how do i become you without interacting with you. it goes back to some extent, phishing. 5% of all state sponsored acts that we investigated leveraged phishing, right? we did a -- we partnered with a
company that contributed to our data breach report last year. they do phishing education and training for global organizations. they send executives and the rest of the organization the phishing e-mail to see how many click. the first e-mail, around 22% click rate or so. then you are getting 90%. in reality, your attacker only needs to send you or your organization 7 to 8 e-mails to have a high success rate. talking about the return on investment for them. knowing that the lack of two-factor authentication continues to work for them. we need to employ a strategy to help them change that behavior. i'm looking through the apps on my phone. i have google authenticator. it works for my google account,
my wordpress.com blog, facebook and twitter; it works well. it will send me a code if i log in from an unusual place. the problem is when i don't have the option. i'm a fios customer, i should have known. does verizon have two-step verification? >> i don't work in the fios department, sorry. >> i don't know. that's the thing, it's great when it's there. if not, you're going to be left hoping that those who have all of the important data about you will offer it sometime soon. not really knowing a lot about the burden involved in setting this up internally. it's going to be a commonplace thing after you set user name and password. give them the mobile phone number. as a company we take great strides, right? in privacy and security efforts to protect
consumer data and the privacy of the customers there, right? look at the solutions that we create and provide. we build solutions. we take a look at what's happening in the threat landscape. what is failing around the world. and how do we offer solutions to mitigate that, right? one of the things we do is offer a lot of authentication strategies for the mobile device. it's an important problem that we as a company are committed to solving. two-step verification, for that to work and be palatable, you can't have it all the time. when i log in on my desktop, the furniture blog i entered for, i get the code. it only asks me if it's a strange location or a new computer.
for that to work, they ask for a whole lot of trust. they have to be peeking at what i am doing all the time. so you know when something, a log-in, that's probably me or is probably not. >> all are fraught, none are simple. but i can say, for example, the steps you take when you apply for a credit card online, you -- i'm sure most of you know at this point, maybe some of you don't. you apply for the credit card online. there's a cookie on that machine for a credit card online. a charged case, an indicted case. about 25 people in new jersey, new york, and
pennsylvania, mostly in the northeast, that applied for and received tens of -- of credit cards. this is not a tremendously skillful fraud. they had a huge network. dozens or hundreds working for them. they would apply for credit cards online. runners come out, collect the credit cards. use them for a decent period of time. build up the credit, slowly, and eventually bust them out. a credit card bust-out case, and the tremendous amount of evidence that we have obtained is to say
from this machine, 44 were applied for from this machine. the query is why not, from the same machine, a sort of automatic rejection. >> fair enough. the same thing applies in stolen identity refund fraud. how many of you know about stolen identity refund fraud? this is something that affects all of us very directly because it's the money of the united states. it's the filing of tax returns using the social security numbers of real people -- usually now --
they fill out tax returns to make sure they accrue a refund. runners go out, collect the refund checks, deposit them into accounts that the chiefs control and spend the money. you might be shocked to hear stolen identity refund fraud costs the country $2 billion a year. every year. that's a shocking amount. that's huge. it's centered on puerto rico citizens because they have social security numbers but are not required to file 1040s unless they do work in the continental united states.
we broke up a ring with real losses to the united states treasury. which is it that -- and, again, the irs knows where the online tax refund, i'm sorry, where the 1040 -- the 1040s are being filed from. they can tell you 56 were filed from the same computer. one in the bronx filed hundreds of applications. if you can tell that there are applications being filed from one computer, why accept anything beyond the first? you want to say h&r block would file hundreds of applications from one computer? then fine, all tax preparers
have to register and say, you know, this ip is -- >> we're -- we're -- look, all of these things are a continuum, right? corporations, the government, everything, we're moving towards security and it's the cat and mouse game that was referred to before. and lots of steps can be taken to be more secure and make it a lot more difficult to monetize, i think, fraudulent information. >> i said the difference between theft the other day. it seems if you could compare the routines of card issuers with what seems to be in effect at the irs, you wonder if the irs is as good at catching fraud as, say, american express. would we have? to what extent can you improve that, given that more effective
irs enforcement gets people upset a little bit. >> that's exactly right. it's a resources issue. the -- the -- it was said earlier, right? to effectively run a stolen identity refund fraud scheme, you need to work together. you also need, quite frankly, you need postal workers. so what we'll see with -- the service -- without too much detail, the postal service is able to track this stuff. you see that 700 tax refund checks, fraudulently obtained refund checks, are being delivered along the same mail route, i mean, right? >> all of this stuff is so reactive. you have to see that. we start at the bottom with the carrier.
we try to flip the mail carrier and now get to the next step and the next step. the people at the top of the pyramid are really sophisticated. you have to get through all of those layers. >> sounding like an episode of "the wire" here. >> our case was a great case. not great against the problem, the multi-million problem. the people like me on the line aren't going to be able to solve that systematically. >> one of the reasons we do the data breach report, we try an evidence-based risk approach to the problem. for organizations or individuals, what to understand is the knowledge of the landscape. we have to understand our attacker and the effort of
you can't have a one-size-fits-all model. >> it comes down to, as we evolve, we look at the landscape. it's constantly changing. with that changing model, you do it yourself. i'm trying to tell you that at some point, it goes back to individuals as well. you're your best intelligence source, right? a lot of the threats and things that happen to us from a security standpoint happen to us without our knowing about it. and the efforts here, we talked about the red flags piece, forcing us to look at ourselves internally to focus on what is happening to us so that we can then detect things, right? if you look at data breach
notification, 86% were identified by somebody else. that is the important part. the red flags portion of it, i think that's a big point of the options. understanding the landscape outside of us and looking back in. >> the recommendation i like, don't use social security numbers so often. healthcare.gov, i had to provide it both times. you can't get around it. there's an important point with how we build systems. social security numbers are critical. we have to use them and we have them. we have to treat them as an identifier. you know me as alan friedman. that's not a secret. i have a book coming out. but the distinction is we also say, well, it's also an authenticator.
the same thing as how the computer looks you up in a system. you -- there is only one john smith -- slight duplicates in social security numbers. we also say you are the only one that uses it and use it as an authenticator. that's the real danger of where we switch. you pull out your social security number, your card, it used to say on them, not for identification purposes. we decided to use them for identification purposes but we needed further layers to help provide that support. and then there's the interesting study. it's predictable. a function of when and where you were born in the first five digits. a wonderful study that basically went from taking a picture of someone to actually being able to
predict, with some accuracy, the first five digits by doing facial recognition, mapping it to online social network profiles. if you have your hometown and birth date, you have a good chance at guessing just from statistics. that demonstrates the data we have. we assume it's private. >> i'm thinking of what is clearly posted on facebook, linkedin and twitter. next question, so much has changed in the past five years in terms of, you know, ways to find information about people, databases of data collected and online activities. i don't know. i didn't check your licenses. you could be. you four panelists, what would they say are the biggest
changes they've seen in their business, their own model, how they go about their work, such as it is. >> i would say i want to look at aggregated data stores. i want to be able to leverage more return on my investment. i'm going to focus on the easy prey. at the end of the day, i still have to have and make sure i maintain the relationships in the underground to help facilitate. >> [ indiscernible ] >> that's right. if i have to landscape the underground, i'm going to be cognizant of the organizations in range. i'm going to try the easiest way to get in and steal the data before i do anything else. i may have sophisticated means,
but i'm not going to share them with you if i don't have to. i can save that tool in the toolbox for a later date when i come up against an adversary that's more secure -- defensive. >> abigail? >> i don't know enough about the back end of it. in terms of opportunities that people have shared their information and so on, and things they can do that provide them a lot of value. there's more and more out there. so just a lot more that you can use, i would think. i don't know if the backend -- >> it challenges the method of security questions, which kind of went out of style after sarah palin's e-mail got hacked. you can research a lot of that
stuff easily. alan? >> i'm so happy -- we've, we have, from data breaches, giant password files. it's easy not to run an attack to try every word in the language, but you've run all of the passwords used for zappos. that's garden variety. where you see the more insidious crimes: one, the kits have become a global business. driven by american university students so they can get very large amounts of good quality instead of having someone in their basement, with a platform that's going to make them for you. there's anecdotal evidence of using the defenses that we set up as an attack. a sort
of ethos, that if you would get in and prove your skills and yourself to the community that you are in -- let's not fool ourselves, right? folks who are in communities, they know of one another. it's a more tight-knit community than you might think at the higher levels. you show yourself, you get in, get out, demonstrate, exfiltrate data. cybercriminals have become more professional. that's a trend we're trying to deal with. we'll continue to. it's gotten away from the -- i don't know if there was an ethical group, but there's more dedication to getting paid
than there used to be. that's a good capitalist. talking about the landscape from the criminal profession, it is changing. the russian government came out recently and stated if you're a cybercriminal and hacking against other countries, you should not travel outside of russia, right. especially to countries america has treaties with. law enforcement around the world is working together and i think the same is going for the operational security of criminals around the world.
so i change my operations based upon the regulatory requirements of certain countries and of where the data i want to steal resides, and i track arrests of bad guys around the world and i understand how they are arrested and so i can see how law enforcement is doing what they do around the world. that's an important part. they're students of their craft. honing the skills based upon the lessons learned of those that failed. similarly to the way we do when we put out the data breach report. we want to share the lessons learned. if you don't know, there's going to be a lot of myths and skepticism of how they've been arrested. until they read an affidavit, they're not truly going to know. right? and that information travels very quickly amongst the underground. they communicate, you know, in a manner that's much more
effective and efficient than most security teams communicate in the private sector. >> last question from me. you all will get your turn. there's a lot of chatter about policies, places like facebook, google plus. when i got online, your aol account could be whatever. it's just a long string of letters. figuring it out -- who are you talking to? how are they dealing with the fact that they're making it a little easier for people to figure out the irl you, while still, you know, interacting with all of the interesting sites and services that were just not an option back in the day.
>> teens are saying they're using privacy settings. they're aware of them. the majority said they had them on all of their accounts. there's room to increase the understanding of the settings. but they're clearly made aware of those. they're doing other things in terms of their various passwords and a variety of passwords as i mentioned before. parents, we did a survey of parents and teens previously. parents think they know more about what their teens are doing than the teens say they know. a lot of parents are using parental controls. we had a majority, but there's room for that. parents aren't only concerned about identity theft but also about stranger danger and the
safety. the ways of monitoring are logging on, looking at the browser history, other things. an interesting thing, the parents underestimated their teens' awareness of identity theft. they were thinking more of reputational damage, when someone posted something they didn't like. it's on the parents' radar, clearly. they recognize the kids are focused on it but may not understand the degree that they're aware of it. the challenge is encouraging to get a lot of information. so how do they balance? what's okay? what's going to be okay versus maintaining the privacy of their own information. the surveys they've done, they say there are
not always clear lines, but -- the social security number is a clear bright line. other things are not. i don't think they think of the web of information that is available, particularly across platforms. if we had done a survey of the identity thieves themselves, we may have learned a lot about how they used that. but you guys know more about that. >> it's critical online. alan's the expert. >> not something that we're doing. tumblr, i would argue that countercultural group is a fire trap. it's a reverse of what people are doing. twitter is seen as a private
network, limited, and facebook is the popular global one. everyone you ever met gets on facebook. and the fascinating studies i've seen, in fact i think you were involved in them, show they do care about privacy. for a teenager, privacy is about hiding information from parents. so that is the main issue. it's a question of control. the point of control, which again psychology is important, the most dangerous thing i've seen in security behavior is password sharing is seen as a sign of intimacy.
the way they show they care about each other is to show they have each other's passwords. >> one-third of teens said they shared. the concern about identity theft may not be protecting them. >> identity. >> now is your opportunity to question these fine folks. somewhere out there, somebody who i can't see because the lights are pointed at me. raise your hand. the microphone will make its way to you. >> since breaches are the main source of identity theft and fraud these days, should there be a law that says breached
entities have to pay damages to breached victims automatically, perhaps a set amount or actual damages, whichever is greater, to encourage holders of the consumers' data to secure it better? >> a market is emerging. so i think you know as they continue to mature and grow, it's not to push liability on one party or another, right? at the end of the day, the organizations are looking at liability and what am i responsible for based upon the set of circumstances that i have to deal with. i think you'll see that market continue to evolve over time. the government is doing a lot of work and research on that currently.
>> years ago, data loss prevention. i think there's an active set of options for organizations' data boards. especially the area where we see insurance thriving. i thought there are very real consequences. a breach is not free and it's a cost that it's gotten the attention of the counsel. the counsel gets the attention of senior management to invest in mitigation and insurance. the real challenge is creating an environment where you have insurance not just pushing the risk on the other party but internalizing that so that the insurers are minimizing the overall probability of loss. >> just to add one thing.
i don't want to say about one way or the other in terms of what laws should and shouldn't do. i think we need to consider who it might impact the most. we see a lot of breaches that aren't against a verizon or an at&t, companies that have tremendous amounts of resources dedicated to breach prevention. the most effective we see now and a growing trend is attacks on point of sale systems, which have information stored on them. when that's breached, you know, it's not as though this chinese restaurant has a tremendous amount of excess cash to be able to absorb those risks. if there was automatic liability, you might be hurting
the little guy a lot more than you might be sort of mis-incentivizing, i think. >> we have seen mid-sized organizations go bankrupt, or near bankruptcy. they can't survive everything they have to do to get through a cybersecurity incident. shifting the focus from regulation and law, empowering them in the first place. 86% of the organizations don't detect the breaches themselves, right? they don't have any control over their response or over their public messaging, every communications strategy, whether they would or would not approach a strategy of regulations, right? we should focus efforts not just around -- instead of focusing on liability, focus on empowering organizations to be able to detect things down the road. >> who has the next question? >> you've touched on this a
little bit. but can you address more specifically the role of consumer education and both what can be done by everyone else as consumer advocates? >> education is a great tool. i don't think you can have enough of it. data is easier and easier to monetize and to leverage, so i think it's important for us to truly understand and train on the threats. not just the behaviors but why the threat exists. the awareness we can get around the front end. >> so, can i add -- it's one thing to say
your password must have all of these things. there's a tool out of microsoft research called guess my password or password guess, some variation in there. look it up yourself -- made by the research group. but they are encouraging people to enter their password letter by letter. it will try to predict the next letter as you enter it. the computer can read your brain and tell you what your password is before you've identified it. that type of tool is so powerful. this is how i can make a stronger password. i have this embedded immediately, immediate feedback. that type of tool is what we need at the point of interface where consumers are making decisions and using tools, so security becomes something that's part of the flow without
being -- follow these rules. >> i think for teens, we talked a little bit about who they want to hear from on this. to make them more aware of their own vulnerability, not just once they're no longer minors. hearing from someone who experienced this, they're 19 or 20, and they went to get their credit card and were denied because their identity had been breached. their credit was no longer clean and good. hearing from someone with that experience is particularly more powerful for teenagers because it's not as readily recognizable as something that could affect them. >> time for one more question. >> a follow-up on the password
guesser. >> i'm young. i'm 55. at the peak of my decision making. they say make a difficult password. i have accounts for which i have passwords. i'm not supposed to write it down. my brain can't remember 30 passwords. i hear what you're saying. but for the average person, that's difficult. >> i hate that advice. >> you should write down your password. i'll say it -- you should write it down. it's better to have a better password that you write down, with the assumption that your house is a fairly safe space, because if the bad guy is sitting in front of your computer, you have a lot of other problems. if you can't trust the -- if you don't trust the people you live with, that is a different thing. but assuming that's a safe space, it's better to have that.
the other thing is, we can talk about the latest advice. start first with your e-mail address, with the most important things. your primary personal e-mail should be password protected and changed regularly. that is a key which if compromised could lead to the compromise of everything else. it's good to have one, two, three classes. it's okay to have "the washington post" and the new york times share one. no need to have that kind of defense there. >> one of the best pieces of advice came from a senior cryptologist: put it in your wallet. you know how to keep it safe. the piece of paper that they want is not the one with random characters on it. they want these other pieces of paper. >> a lot of ways you can go with this conversation. at the end of the day, whatever we
do, countermeasures have to be employed. key logging, putting malicious software on your computer to capture every keystroke you have. a long character password if it allows you to do it. we're talking about two-factor authentication, right? look at the applications and what security measures are employed. you have to move your online identity. you have to move -- we call it shell games. if i would protect the president, i'd move him to different places, right? i wouldn't want it to ever be the same thing online. you're online, and your
persona is going to appear. make it harder, raise the bar to get at who i am and the things i own. if that's changing your password, that might be a strong strategy for you. >> with that, i think we're supposed to -- we have to stop at 11:45. it's 11:44. you can talk to us offline. i want to thank you all and thank you as well. [ applause ]
>> what's going on today comes down to two words. they're not my two words. fundamental transformation. those are obama's words. a couple of questions -- when you look at the constitution of the power of the president, does the president have the power to fundamentally transform america? of course not. why would you want to transform america? you don't like the fundamentals very much. you don't like capitalism very much. you don't like the constitutional system. if you keep hearing the fundamental transformation, what he's saying is we need more time to change. this is a direct attack on our constitutional system. that is what he's talking about. that's what he means. >> sunday, january 5, lawyer, author,
reagan official mark levin will take your calls in depth. live this morning, book tv in-depth, the first sunday of the month on c-span 2. >> we want to know what your favorite -- >> the outgoing chairman and c.e.o. of general motors said that g.m. is investing more than a billion dollars in plants mainly in michigan. he called her rise in the company historic but not surprising. this is an hour.