How the Epsilon Breach Hurts Consumers
Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and that there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give kudos to Epsilon for coming clean, because, in fact, the breach does hurt me. I want to explain both how it hurts me, and how covering it up would compound that harm. To understand, let me explain part of...
How I protect myself against phishing
I do a variety of things to protect myself from phishing attacks, including bookmarking my banking web sites, and setting up special email addresses that are only given to a single business. For example, Capital One (an Epsilon customer) might think that my email is email@example.com. Now, any email that comes to that address has some special properties. I know that either it came from the expected sender, or there’s been a breach of confidentiality at the sender, the intervening network, or on my systems. In that sense, these addresses are honeytokens. In many instances, the entities I’m working with use opportunistic TLS for email, and so I can be confident that it’s not passive sniffing of the intervening network. Now, since I have technology that makes it easy to see if an email went to the right address, I can ignore most emails claiming to be from financial institutions. I save a great deal of time and energy that way. But for the emails that come into the special mailboxes, I can also save time by going with the assumption that they’re ok, because this defense tends to work.
How the breach hurts me
Since Epsilon was good enough to bring up the breach, and Capital One was good enough to contact their customers, I’m aware that my defenses are less strong than they otherwise would be. I have to expend more energy than I otherwise would have reading URLs in messages in that folder. If the breach had been concealed, then I would be naively vulnerable. I would be vulnerable because respectable experts hadn’t thought about this scenario, and had naively decided that I didn’t need to know about the incident.
The Limits of Expertise
This is one example of the limits of experts’ ability to understand the impact of breaches on consumers. There are doubtless others, and we should be willing to question the limits of our expertise to fully understand the impacts of breaches on everyone. We should also question our expertise to decide for others what’s best for them.
Now, some people will argue that there’s “breach fatigue”, and that that means we should select for others which incidents they’ll hear about and which they won’t. While I agree that there’s breach fatigue, that’s a weak argument in a free society. People should be able to learn about incidents which may have an effect on them, so that they (and I) can make good risk management decisions. We don’t argue against telling people that there’s lead paint on Chinese toys even though much of the damage will already have been done by the paint that’s flaked off. We don’t argue against telling the public about stock trades by insiders even though only a few experts look at it. We as a free society encourage the free flow of information, knowing that it will be put to a plethora of uses.
This is just one of the many reasons why I support broad breach notification.
There are some technical details after the break.
So, here’s how this works in practice. The actual procmail I use looks a lot like this. Domains and addresses have been altered.
:0:
* ^To: firstname.lastname@example.org
capital-one

:0:
* ^To: email@example.com
bank-of-america
# I don't think Bank of America uses Epsilon; I want to illustrate the one-off nature of the addresses
So can you do this? If you have access to a domain and procmail, it’s easy. Setting those up is a fair amount of work. You could do something similar with “+ addressing” which some mail providers support, but some web developers break your ability to enter a + in an email address, mistakenly thinking it blocks SQL injection. You could also use a unique address (sdhjfdslfh237232@yahoo is still available!) and check each regularly, but that’s probably more work–one of the nice things about the procmail solution is that it integrates seamlessly into my personal email flow. [Update: If you don’t have a domain, see Kurt’s comment. I wasn’t aware that businesses that did this exist. Note that using them like this adds a party to the trust list.]
Now, I could do more. I could check DKIM signatures before depositing the mail, which would break the ability of the Epsilon attackers to fake me out, and maybe I will. I could do other consistency checking a la TOFU (trust on first use). But I wouldn’t have thought about it without knowing about the breach. And in fact, I think this method works incredibly well without that. As long as we have breach notification.
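The check the procmail recipes above perform, extended with the sender-consistency test just mentioned, as an added example that is not part of the original post. It assumes the honeytoken addresses from the recipes and constructed placeholder sending domains (capital-one.example, bank-of-america.example); it does not verify DKIM signatures.

```python
"""Classify incoming mail by the one-off (honeytoken) address it arrived at.

Each honeytoken address was handed to exactly one business, so mail to it
should only ever come from that business. Mail that reaches the token from
anyone else is a signal that the address has leaked (as in the Epsilon
breach) and deserves a closer look before any link in it is trusted.
"""
from __future__ import annotations

from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr

# Constructed table: token address -> (mailbox, domains the business sends from).
# The domains are placeholders; substitute the sending domains you observe.
HONEYTOKENS = {
    "firstname.lastname@example.org": ("capital-one", {"capital-one.example"}),
    "email@example.com": ("bank-of-america", {"bank-of-america.example"}),
}


def sender_domain(msg) -> str:
    """Domain of the From: header (the RFC 5322 author), lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def recipient_tokens(msg) -> list[str]:
    """Every To:/Cc: recipient address that is one of our honeytokens."""
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(fields)
            if addr.lower() in HONEYTOKENS]


def classify(raw: bytes) -> tuple[str, str]:
    """Return (mailbox, verdict) for one raw RFC 5322 message.

    'expected'     : came from the business the token was given to
    'leaked-token' : reached the token from anyone else (file for review)
    'untokened'    : no honeytoken address present (ordinary inbox mail)
    """
    msg = message_from_bytes(raw, policy=policy.default)
    tokens = recipient_tokens(msg)
    if not tokens:
        return ("inbox", "untokened")
    mailbox, allowed = HONEYTOKENS[tokens[0]]
    if sender_domain(msg) in allowed:
        return (mailbox, "expected")
    return (mailbox + "-suspect", "leaked-token")


# Constructed sample messages, not real mail.
LEGIT = (b"From: Alerts <alerts@capital-one.example>\r\n"
         b"To: firstname.lastname@example.org\r\n"
         b"Subject: Statement ready\r\n\r\nYour statement is ready.\r\n")
PHISH = (b"From: \"Capital One\" <security@mail-verify.example>\r\n"
         b"To: firstname.lastname@example.org\r\n"
         b"Subject: Verify your account\r\n\r\nClick here.\r\n")
```

A procmail recipe can pipe each message through `classify` and deliver to the returned mailbox, so a leaked token lands in a review folder instead of the trusted one.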