Identity Theft Prophylaxis

or… You are going to get screwed, so let’s minimize the repercussions

There are lots of guides on the Internet on how to safeguard your personal information as a means of preventing Identity Theft. This is not one of those guides. That horse has left the barn, and you are well and truly screwed. Between the breaches at Anthem[1], Equifax[2], US Office of Personnel Management[3], Alteryx (Experian contractor)[4], and countless other small companies who haven’t realized or reported being hacked, your personal information is out there. It’s far too late to keep your SSN, job history, medical history, and recent credit reports off of ‘dark web’ information trading sites. If your information hasn’t already been sold for $2, it will be. If you have kids, their information is available for $300[5]. There is nothing you, the US government, or I, can do to stop that. But you’ve got free credit monitoring as a result of a breach, right? Damn near useless, as I’ll explain below.

It sucks. No doubt about it. If there is any comfort to be had, it is that this is not your fault. The way the privacy laws work in the US, there is no way you could have prevented these companies from amassing so much personal data about you. The penalties for having lost control of that information are laughable; therefore, few companies are investing in Security the way you rationally expect them to. Once you’ve let the fallout from that knowledge bomb settle, we can get on to the business of making that information less useful to fraudsters. There are a few common attacks that a fraudster will engage in to make the most of your details:

  1. Applying for credit in your name. This could be credit cards, payday loans, a car, etc.
  2. Altering your existing accounts. By adding new names and addresses to your existing accounts, fraudsters can have duplicate cards issued to them.
  3. Hijack your cell phone account. By intercepting your text messages they can get past Multi-Factor-Authentication that you have on your accounts.
  4. File a tax return in your name. Submit a return with inflated income, but just enough real data to pass the basic checks.

Remember: Your information is out there. The attacks are coming. Do not wait until you are under attack to go on the defensive. Following the instructions below will save you countless hours cleaning up after a successful identity theft!

Attack: Applying for credit in your name
This is by far the easiest, and probably the first thing the fraudster is going to try. They can use your details to apply for credit on-line, safely away from pesky human interaction. They will apply at every company that targets high-risk applicants, because they know those companies already turn a blind eye towards questionable credit histories. This approach increases their chance of success even when the victim has poor credit. They will also target banks where you already have accounts, hoping the bank will fast track the application of an existing customer. Then all the fraudster has to do is wait for the cards in the mail. Well, they won’t be waiting for your cards… They will have a patsy on the hook for that. More on that below.

Defense: Credit freeze and fraud alerts
The nuclear option is to place a “Credit Freeze” at all three major credit reporting companies. This will cost you $30 ($10 at each of the big three); because while it is your information they reserve the right to charge you money for cutting down on the profits they were going to make selling it. I call this the nuclear option because while completely effective at preventing a vendor from doing a ‘hard inquiry’[6] on your credit report, it makes your life more annoying in the future when you want to take out credit in your name. You will have to temporarily remove the freeze whenever you want to buy a car, house, etc; and then remember to put it back. That said, you should definitely launch this nuke.

Update (2018-09-15):  Credit Freezes for consumers are about to become free.  You have no excuse for not locking down your report!

You can place a freeze by clicking the links, or calling the numbers, below. Personally, I found getting through the process on the websites to be less annoying than going through the automated telephone systems:

Call, or visit the websites, yourself and retain confirmation numbers for your freezes.  Don’t trust ‘an app’ to do it for you.

Whatever you do, save the PINs you set up for the freeze! These PINs will be needed when you want to remove the freeze to apply for credit. Use an encrypted data-store like 1Password. Not only is it useful as encrypted local storage for website passwords, but it can also store free-form notes. It’s perfect for keeping track of things like unlock PINs, and you can sync it with your smart phone so you have that information with you wherever you need it.

But wait, there’s more! You can also put a fraud alert on your credit files. This is free. It is less of a sure thing than going full nuclear if done alone, but it also provides a mechanism by which a company is supposed to contact you before issuing credit in your name. Fraud alerts come in three flavors: 90 day, seven year, and active duty military. The initial 90 day alert can be done with a phone call to one of the above numbers, or via web page. You only need to do this at one agency, and they are responsible for alerting the others. There is no reason not to do this in addition to placing freezes on your reports.

To place a seven year extended alert you need to send a request by postal mail, and include documentation including a copy of your ID and an identity theft report. (Un)Fortunately, just about anyone in the United States can visit identitytheft.gov and file a report thanks to the various breaches I mentioned in the first paragraph. This report can then be used to activate a seven year fraud alert. You can find more information about how to file for the extended fraud, or active military, alert at the links immediately above.

Attack: Alterations to existing accounts
This attack takes a little more personal effort, because the fraudster needs to convincingly play you on the phone with a support agent. And by more effort, I mean only slightly more than no effort at all, since the attacker is armed with your credit history and whatever else was part of the ‘dox package’ they purchased. Most customer support agents love to get a happy customer, who seems ashamed they don’t remember their account number, and might have to be asked easier verification questions. That kind of customer is much nicer than the screams they have to put up with when the real customer calls in later. The best part about this attack, for the fraudster, is that when they fail a question they make a note to look up that answer and they just call back and get another call center worker. Once the fraudster gets past the security questions, they put a new email address, phone number, postal address, and name on the account. The next day they call and ask for new cards to be mailed to their patsy. They claim the originals were damaged, not stolen, so they don’t trigger the deactivation of the real account holder’s cards. This kind of attack can go undetected until the real customer sees their next statement, especially if the fraudster made their phone number the point of contact for the fraud department’s calls about a sudden change in spending habits.

Defense:
Visit the websites for all your financial institutions and turn on every alert available in the communication preferences. You want to be alerted when your contact information is updated, when new names are added to the account, etc. This is your early-warning system in case a fraudster manages to impersonate you on the phone.

Add verbal passwords to your accounts. You will likely need to call customer service for this, but it is worth the hassle. This is a password you have to give to an agent before they will discuss your account with you. Never use your mother’s maiden name, or your first girlfriend, or anything you’ve ever seen asked in one of those silly social media quizzes. Use something unique for each bank. Use something immediate and random, like the last book you read, or the last store you shopped at; and then store this password in the password manager you are using for your credit freeze PINs.

Have flags put on your account so that changes can only be made in person. This is the most drastic option, and only works if your bank has a local branch. If you can do this, and your bank honors it, it is worth it. It stops fraudsters in their tracks, for this particular type of attack.

Add Multi-Factor-Authentication (MFA) to all your accounts. Multi-factor is typically ‘something you know’ like a password, and ‘something you have’ like a key-fob or cell phone that has an authenticator app or can receive text messages. That way, if an attacker can guess your on-line account passwords from information in your credit history they are still thwarted when they try to get into your on-line banking.

Avoid SMS MFA where possible, to protect against cell number hijacking attacks.  Time-based rotating MFA codes (TOTP) that you generate locally are more secure.  There are multiple smartphone apps that can be used as MFA providers for websites that support it.  Some of the popular ones are:

Attack: Hijack your cell phone account.
While it is commendable that many companies have added MFA to customer accounts, the reliance on cell phones and text messages is a dangerous trade-off between security and convenience. An attacker could get your phone number transferred to another phone, or use an SS7[7] hack to route your text messages to them. Too many companies will offer to text you a one time code if you fail security questions, and then the attacker can bypass account passwords and PINs.

Defense:
Call your cellular carrier and have an additional password put on your account. This will prevent changes to your account, including transferring your number to a new phone.

If T-Mobile is your cellular provider, call them up and have them enable NOPORT on your account.  With this setting on your account, someone needs to show up in person in a T-Mobile store and present ID in order to make changes to your account, including getting a new SIM issued.

I don’t have any easy answers on preventing an SS7 attack; sorry.

Krebs on Security has also posted a fantastic article on defending against number porting attacks.  You can read it here.

Attack: Filing a tax return in your name.
This attack involves the fraudster using the information they have on you to file a fraudulent tax return in your name. In 2015 the state of Minnesota detected a high number of fraudulent tax returns being filed, which led to TurboTax temporarily halting electronic submissions of state returns[8]. It is easy to infer that if there were a large number of fraudulent state returns being filed, there were likely fake federal returns being filed as well. This attack works particularly well because the default mode of operation at the IRS is to process all tax returns as submitted, and then go after fraud when suspected. That worked well enough when the primary concern was people trying to cheat on their own taxes, but it falls flat when a fraudster is submitting fraudulent returns using the information of real people.

Defense:
The IRS issues a PIN you can use to authenticate your electronic filings. It’s not universally available, so you will want to check with them to see if you can get one at the below URL. The bad news is that even if you have a PIN, it only prevents someone else from electronically filing a fraudulent return in your name; they can still send one in by mail.

https://www.irs.gov/identity-theft-fraud-scams/the-identity-protection-pin-ip-pin

To further protect yourself against negative consequences of this type of attack, be sure to keep all records related to your tax filings. While this has always been the recommendation in case of an audit, you now may need them to prove your return was the real one should the IRS come knocking.

The patsy:
Who is this patsy I keep mentioning? This is a person involved in the enterprise of identity theft who is possibly ignorant of the fact that they are involved in a crime. Their involvement frequently starts when they answer an email or on-line ad promising a work-at-home job as a shipping agent or buyer for an international company[9]. The pitch is that they need someone to locally source computers, and other high-ticket items, because that is cheaper than a business account with some vendors. The company says they will issue corporate credit cards that are to be used for the purchases, and then the merchandise is shipped to a different patsy in the fraud chain. If the police investigate the credit card fraud, the person they find is far removed from the person orchestrating the scheme. The patsy’s plausible deniability starts to fall apart when they’ve received a dozen ‘corporate cards’, that don’t have a company name on them, and they only work for a short while before starting to be declined.

Credit monitoring, and why it’s not a cure-all:
This is the participation award given to consumers when their private information walks out the front door. We get this near worthless salve, presented as a cure-all, while we bleed out from the damage caused by companies that face no lasting repercussions for the careless way they handle the information that could ruin our lives. Anthem paid a $115 million fine for their breach[10]. Seems like a lot, but there were 80 million people who had their information stolen. The loss of our data was calculated to be worth $1.44 per person. Doesn’t seem like much now, does it? We’ll see what happens with Equifax, but as far as I am concerned any penalty they can survive is not harsh enough.  As of this update, it looks like Equifax is going to avoid major penalties for their lax security and oversight regarding your precious data[11].

Update 2019-07-21 – The verdict is in, and Equifax barely got a slap on the wrist.  The FTC penalties they face are $700M[12].  $700M might seem like a lot of money to us mere humans, but let’s put that into perspective.  $700M is:

  • $4.67 per person affected by the breach.  (Data exposed for 150M people.)
  • A mere 20% of their $3.412 Billion in earnings for 2018.
  • A minuscule 4% of their current market capitalization.

So, what does that measly year of free credit reporting get you? At best, it will let you know after someone has opened a new line of credit in your name. You are still stuck with the work of cleaning that mess up. Credit monitoring doesn’t look for address additions and new cards issued on your accounts, and it certainly doesn’t prevent someone from filing a fraudulent income tax claim in your name. It’s little more than an inexpensive way for companies to look like they care about their customers.

By all means, accept any free credit monitoring you are offered, as long as it doesn’t come with strings like giving up your right to sue, or having it turn into recurring billing when the free period ends.  Just be aware of the limitations so you are not surprised when it fails you.

Hope:
I know this sounds bleak, but following the above guidelines will go a long way towards securing yourself against these types of identity theft. Fraudsters are looking for an easy return on their investment when they buy your data. Every obstacle you throw in their way makes them more likely to scrap their attack on you and move on to the next victim.


[1] https://en.wikipedia.org/wiki/Anthem_medical_data_breach

[2] https://en.wikipedia.org/wiki/Equifax#May%E2%80%93July_2017_data_breach

[3] https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

[4] https://en.wikipedia.org/wiki/Alteryx#Data_breach

[5] http://money.cnn.com/2018/01/22/technology/infant-data-dark-web-identity-theft/index.html

[6] https://www.nerdwallet.com/blog/finance/credit-report-soft-hard-pull-difference/

[7] https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

[8] https://www.forbes.com/sites/kellyphillipserb/2015/02/06/minnesota-stops-accepting-returns-filed-with-turbotax-cites-fraud-concerns/#678d6966c4ba

[9] https://postalinspectors.uspis.gov/radDocs/consumer/ReshippingScam.html

[10] https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML

[11] https://m.huffpost.com/us/entry/us_5a7814f6e4b06ee97af48f8f?ncid=inblnkushpmg00000009

[12] https://boingboing.net/2019/07/20/america-doxed-2.html

Zoomed to Death

You’d think a service based on verifying identities via cryptographic tools could at least keep their certificates in order. Such is the slow demise of Keybase.io under the management of Zoom. I’ve been expecting this since the announcement in 2020, and I’m surprised it has taken this long.

A number of the tabs in the Keybase app were giving me this error:

This is the error I received when I tried to use that pretty Feedback button:

It seems they are their own issuer for the cert used for this API endpoint, but their own Keybase app doesn’t appear to recognize the cert as valid.

Goodbye, Akismet

I’ve been using WordPress for my site/blog so long I don’t remember when I started. It was definitely more convenient than the html blog I maintained in 1996 and edited with vi; though not as fun and quirky as the website I built with HoTMetaL Pro.

WordPress offers a slew of cool features and plugins. There are thousands, though I only use a few. Pretty much anytime I set up WordPress for a friend, there are two plugins I always install and activate:

  1. Duo for MFA logins, to protect against brute force login hacking.
  2. Akismet to block comment spam.

Both have been free to use within limitations. Duo has a free tier that allows you to have up to ten users, which is more than enough for personal WordPress installs where one or two users is the norm. Akismet is free for non-commercial sites, which is what I’ve always considered this site to be.

This site is a mixture of the occasional security/tech tips, political rants, television show plot speculation, and a bunch of highly personal posts I’ve written and hidden over the years. In short, this site is just my personal bullshit.

Like everyone else who has hosted their own content through the Web 2.0 evolution, I added Google AdSense and Amazon affiliate links to my site in the hopes of capturing some of that sweet sweet internet money. But, like I said, this site is bullshit, so it isn’t raking in the ad cash. In the last four years it has made $27 in Google AdSense (less than the threshold necessary for them to pay out), and since the ads were obnoxious I wound up disabling them. I’ve also made a whopping $0.40 in Amazon affiliate commissions in the last year. I’m Canada rich!

Well, times are hard in the tech world, and that means money grabs. Everyone has heard of Elon and his Blue Check Scam, but there are a lot of similar money grabs that aren’t making the news. Akismet, owned by Automattic, who also own WordPress, Jetpack, and Crowdsignal, has started scanning websites for any hint of monetization and is categorizing those sites as commercial. I received this email on December 29th:

Thanks for using Akismet to prevent spam on your site, ghostwheel.com

You’re currently using Akismet for free, but the free plan is only allowed on non-commercial sites. 

You are displaying ads on your site, so it does not qualify as non-commercial. 

To continue using Akismet, please upgrade to the $10/month Plus plan

If you continue using the free plan, your account will be suspended. 

If you have any questions or believe that you have received this email in error, please get in touch

Thanks,
The Akismet Team

Ummm… OK… I go and look at my site settings, and I confirm I don’t have Google AdSense anymore. Given how much I’m raking in on Amazon I didn’t even think about those instances. After contacting support, they confirmed that the existence of those Amazon links qualifies me as commercial, and that I need to pay them $10/month (US) to keep using their service.

Yeah, nah; that ain’t going to happen. So, I’ve disabled Akismet. Within the first few minutes blog spam started showing up in my moderation queue, which is just the annoyance Automattic/Akismet is counting on to make me shell out $10/month for their service. Rather than give in to extortion, I’ve installed a plugin for managing code snippets, and I’ve activated the built-in snippet for disabling comments on all pages. Welcome back to Web 1.0, brought to you by Automattic, makers of WordPress and Akismet.

UPDATE: So, Bob, a “Happiness Engineer”, wrote me back to point out that “For what it is worth, this isn’t a new policy:” Yeah, Bob is right, this policy isn’t exactly new. But, it wasn’t the policy back when I first started using Akismet. Back then the policy was a lot more forgiving: “The free plan is designed for personal sites only. If your site is commercial in nature or involves a business then you need to sign up for one of the paid plans.”  My site is not commercial in nature, and does not involve a business. The prohibition against ads wasn’t added until September of 2019, and as far as I can recall Akismet did not proactively reach out to advise of this change to their policy. So, while the change may not be new, it wasn’t an informed change; and the aggressive campaign of hunting down websites that have a couple of affiliate links is certainly new.

Squeezing more life out of Apple hardware

Planned obsolescence is theft. That’s the perfect distillation of my feelings on the topic. If I spend my hard earned money on a product I don’t think the manufacturer gets to tell me when I have to stop using it. And yet, there are countless cases of this:

Don’t get me wrong, I’m not some crazy person who thinks Apple should still be selling parts for the Apple II+ my uncle has in his attic. There does need to be a line drawn somewhere; just don’t ask me where.

Ask yourself this: If you just spent $5,999.00 USD for a MacPro (that’s the base model, with no upgrades), would you feel a bit ripped off in seven years when Apple won’t even sell you replacement parts?

Bare bones Mac Pro, 2022-08-28

What if you were really crazy and bought a full decked-out Mac Pro for a whopping $54,384 USD? Yeah, well, Apple is still going to cut off your support in seven years.

Maxed out Mac Pro, 2022-08-28

The thing is, everything Apple sells with a Pro moniker comes with a premium price, and it doesn’t seem too outlandish to expect them to support these products for a reasonable amount of time. What makes for a reasonable amount of time? I’d say that if a bunch of hobbyists on the internet can support a product, then one of the world’s most valuable companies can probably manage it as well.

For instance, I have a Mid-2010 Mac Pro (MacPro5,1). The last supported OS for this model was Mojave, but some of the nifty features like Handoff were expected to be broken since Yosemite due to the Bluetooth module used in this model. Apple would have you believe that the Bluetooth incompatibility was un-fixable, and that no OS past Mojave will work on this model. And yet… via a series of upgrades over the years, I’ve got this twelve year old machine running Monterey just fine, and even Handoff works. So much for impossible.

I owe a lot of my machine’s lifetime to the folks at macvidcards.com, who have been providing custom flashed video cards, and other bits, for years. While you technically don’t need a Mac EFI driver flashed video card to run most versions of MacOS, you do need it if you encrypt your boot drive with FileVault or you won’t get the screen to unlock the drive’s encryption. For a security wonk such as myself, full disk encryption is absolutely necessary. So far, I’ve installed the following upgrades:

So, all of that got me up to Mojave. I did have some fun little issues, like MacOS claiming that FileVault was not supported on my Mac Pro and refusing to encrypt my drive after installing Mojave. I solved that by moving my SSD to an external enclosure, booting my laptop from it, and enabling FileVault there. Funny, my Mac Pro booted from that FileVault drive just fine, and hasn’t had a problem since.

My adventures have not been without pitfalls, though. The roughest was when I installed Big Sur, because at that point I had to give up using VMWare Desktop. The version of VMWare Desktop I ran under Mojave wouldn’t run on Big Sur, and pointed me to a newer version. That newer version would not run on my hardware because my installed CPUs lacked a particular instruction set. This was a bit of a blow, particularly because when I tried Parallels Desktop it would seem to import my VMWare systems, but then they wouldn’t boot. So far, there doesn’t seem to be a way around this. If you’ve got any suggestions, please comment below!

Up until this point, I thought Big Sur was as far as I’d be able to take it. Shoehorning Big Sur on had taken experimenting with a few different EFI bundles from several forum and blog posts, and the takeaway from those was that Monterey was too problematic. But then… I saw this slashdot post: Devs Make Progress Getting MacOS Ventura Running On Unsupported, Decade-Old Macs

I was aware of OpenCore, but I couldn’t recall if I’d come across the OpenCore Legacy Patcher. Reading through the docs, it looked pretty simple. Could it really be this easy? I decided to give it a try and dropped a spare SSD into my machine. I’m not going to detail the steps I had to go through, as they are all very well documented here, but I will say that an hour later I had a functional Monterey installation on my Mac Pro complete with hardware graphics acceleration for HEVC and H.264 encoding!

OpenCore Legacy Patcher is proof that my twelve year old Mac Pro is capable of running modern MacOS, and that Apple’s planned obsolescence is not a technology issue.

I use Amazon affiliate links in some of my posts. I think it is fair to say my writing is not influenced by the $0.40 I earned in 2022.