Who’s In Your Wallet?

Why the breach at Capital One should scare everyone.


Hacking a financial institution is a very big deal. Banks and credit card companies take their security very seriously because they literally have money to lose if something goes awry.

What becomes clear in reading the criminal complaint in the Capital One case, though, is that the weakest link is not always the hardware or the software. It is people: the show-off who wants credit for a clever exploit, the insider who is paid far less than everyone around them, or the employee who resents how the company or a boss treated them. No matter how good the security, someone with enough motive will find a way in.

The key is to detect the intrusion quickly, contain it, and establish where the failure was. In the Capital One case, it appears that none of this happened. According to the complaint, the bank learned of the theft from an outside tip rather than from its own monitoring, and the alleged hacker made little effort to hide what she had taken: the stolen data sat in public view for months.

The complaint, filed in U.S. District Court in Seattle, alleges that the hacker masked her network origin using Tor (The Onion Router) and a VPN, then posted the files she lifted from Capital One on GitHub. That is data from roughly 100 million Capital One customers.

So what is the solution? For one thing, companies need to watch their data traffic much more closely, and from inside the system, not just at its edge. Every access to a resource needs both authentication (who is this?) and authorization (is this identity allowed to do this, to this data, right now?), and nobody who gets through the front door, or a back door, should be able to reach everything. There need to be doors to everything, layers upon layers of them, and opening certain doors needs to set off alarms whether or not the attempt succeeds.

Most security in the past has been perimeter based. That is a fence, and a fence protects nothing against an inside job or against someone who has already climbed over it. Beyond that, data needs to be stored in separate layers, and the most important data, the data that can be sold or leveraged for profit, needs to sit behind multiple layers of authentication and authorization with credentials that are short-lived and rotated, so that a credential leaked today is worthless tomorrow.
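As an added example of the internal monitoring the two preceding paragraphs call for (this is the editor's illustration, not code from the article, from Capital One or from any cloud provider), here is a small detector that reads access-log records for the data stores you have designated sensitive, alarms whenever a principal outside that store's allow-list touches it (including denied attempts, since someone rattling the sensitive door is news even if it held), and alarms again when any principal reads more distinct objects than a threshold within a short window. The log format, the principal and store names, the thresholds and the sample records are all constructed for this example; map them onto your own object-store or database audit logs.

```python
"""
Added example, not from the original article: alarm on access to the
sensitive door, from inside the system. Everything named here (log format,
principals, stores, thresholds, sample lines) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: which principals may touch each sensitive store
# (least privilege), and how many distinct objects one principal may read
# from a store inside one window before that counts as bulk access.
SENSITIVE_ALLOWLIST = {
    "store://customer-pii": {"svc-credit-decisioning"},
    "store://card-applications": {"svc-credit-decisioning", "svc-archival"},
}
MAX_OBJECTS_PER_WINDOW = 3
WINDOW = timedelta(minutes=10)

# Constructed log lines in a made-up format:
#   <iso-timestamp> <principal> <verb> <resource> <object-or-dash> <status>
# An infrastructure role (here "role-web-tier") suddenly enumerating and
# bulk-reading customer records is exactly the pattern to alarm on.
SAMPLE_LOG = """\
2019-07-01T09:00:00 svc-credit-decisioning GET store://customer-pii acct-0001 200
2019-07-01T09:00:05 svc-credit-decisioning GET store://customer-pii acct-0002 200
2019-07-01T09:01:00 role-web-tier LIST store://customer-pii - 200
2019-07-01T09:01:01 role-web-tier GET store://customer-pii acct-0001 200
2019-07-01T09:01:02 role-web-tier GET store://customer-pii acct-0002 200
2019-07-01T09:01:03 role-web-tier GET store://customer-pii acct-0003 200
2019-07-01T09:01:04 role-web-tier GET store://customer-pii acct-0004 200
2019-07-01T09:02:00 user-analyst GET store://card-applications app-7781 403
""".splitlines()


def parse_log_line(line):
    """Split one constructed record into a dict; the timestamp becomes a datetime."""
    ts, principal, verb, resource, obj, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "principal": principal,
        "verb": verb,
        "resource": resource,
        "object": obj,
        "status": int(status),
    }


def detect(lines, allowlist=SENSITIVE_ALLOWLIST,
           max_objects=MAX_OBJECTS_PER_WINDOW, window=WINDOW):
    """Return alerts in log order.

    unexpected_principal: a principal not on the store's allow-list touched it,
                          whatever the verb and whether or not it was denied.
    bulk_read:            a principal successfully read more than max_objects
                          distinct objects from one store within one window.
    Each alert type fires once per (principal, resource) pair so the output
    stays readable; a production pipeline would keep counting.
    """
    alerts = []
    fired = set()
    recent = defaultdict(list)  # (principal, resource) -> [(ts, object)] successful reads
    for rec in map(parse_log_line, lines):
        resource = rec["resource"]
        if resource not in allowlist:
            continue  # not a sensitive door; nothing to do here
        key = (rec["principal"], resource)
        if rec["principal"] not in allowlist[resource] and (key, "unexpected_principal") not in fired:
            fired.add((key, "unexpected_principal"))
            alerts.append({"type": "unexpected_principal", "ts": rec["ts"],
                           "principal": rec["principal"], "resource": resource,
                           "verb": rec["verb"], "status": rec["status"]})
        if rec["verb"] != "GET" or rec["status"] != 200:
            continue  # only successful reads count toward the bulk threshold
        # Sliding window: drop reads older than `window`, then count distinct objects.
        window_reads = [(t, o) for t, o in recent[key] if rec["ts"] - t <= window]
        window_reads.append((rec["ts"], rec["object"]))
        recent[key] = window_reads
        distinct = {o for _, o in window_reads}
        if len(distinct) > max_objects and (key, "bulk_read") not in fired:
            fired.add((key, "bulk_read"))
            alerts.append({"type": "bulk_read", "ts": rec["ts"],
                           "principal": rec["principal"], "resource": resource,
                           "objects": len(distinct), "since": window_reads[0][0]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running this over the sample produces three alerts: the web-tier role touching the PII store at all (on its first LIST), the same role crossing the bulk-read threshold on its fourth object, and the analyst's denied read of card applications. The allowed decisioning service reading two records produces nothing. The point of the two rules together is that an identity which is technically allowed to reach a store can still trip the second rule, which is the control a stolen credential or an over-broad role runs into.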

One reason so many companies are comfortable moving to the cloud these days is that storing and securing data is the provider's primary business. It is much harder to break into the infrastructure behind Azure, AWS or Google Cloud than into a server run by a single IT department on a limited budget, and that helps explain why more companies are moving some of their most sensitive data to the cloud. The caveat is that the provider secures the platform; deciding which identities can reach which data, and configuring the pieces in between, remains the customer's job, and the complaint in the Capital One case attributes the intrusion to a misconfigured firewall on the customer's side of that line. The 2017 break-in at Equifax, one of the three main consumer credit reporting agencies in the United States, should have provided enough evidence that security even at major financial firms was not up to snuff. As Capital One has shown, it still is not.

Security breaches are nothing new. What is new is that you no longer need a shovel or a wire cutter to get inside, and assuming that everything is fine because there is no sign of illicit activity is not good enough. Sleeper code may take more than a decade to wake up. Hardware may carry Trojans physically embedded in the silicon. Used lab equipment is cheap enough that even modestly funded groups can decapsulate a chip and probe it directly, and side-channel attacks such as power or electromagnetic analysis need far less equipment than that. And nobody yet knows what an attacker armed with machine learning can do once they can observe patterns of behavior from inside these systems.

What is clear is that attackers are moving much faster than the defenders. It is time to change that paradigm: rethink what gets secured and how, and recognize that a well-constructed security architecture covering every aspect of a system (hardware, software, firmware, network, storage, employee access) is crisis avoidance, not a risk-management slide in a PowerPoint presentation at budget time. Companies will pay either way, and the better alternative is the quiet one.
