Zero Day Threat

Ben Rothke writes "Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity is an interesting and eye-opening look at how banks and credit card companies make ID theft and fraud rather elementary. But with all that, this book must be read in the larger context of how today's society deals with, and is often oblivious to, risk. When is comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious about near-epidemics such as heart disease, obesity, and diabetes. With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem with identity theft and internet fraud." Keep reading for the rest of Ben's review. Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity author Byron Acohido & Jon Swartz pages 304 publisher Union Square Press rating 9 reviewer Ben Rothke ISBN 978-1402756955 summary Excellent overview on the epidemic of indent theft The internet and web have indeed revolutionized society, and there is hardly an industry that has not been positively affected by the net. On the down side, the net is the new conduit for criminals. For example, in the few years before the web became ubiquitous, U.S. and international law enforcement nearly had a noose around the child pornography industry and brought it to a near standstill. After the web, authorities have given up hope that child pornography can ever be contained.

Similarly, white-collar crime and fraud has been exacerbated by the net. Zero Day Threat details the various loopholes that criminals use to carry out their attacks and crimes. Each of the book's 18 chapters is divided into 3 section, exploiters — which details how the crime lords and their teams carry out the crimes, enablers — which details the history and current practices of credit card companies, banks, credit bureaus, and data brokers, and expediters — which recounts how technology and technologies enable these crimes. I found that the breaking up of the chapters into such triplets is occasionally confusing, and you are left wondering what story you are in.

The book is based on the premise that the payment industry, namely the credit card companies, banks, credit bureaus and data brokers have created an infrastructure that is pliable, nearly endlessly extendable, but paper-thin when it comes to security. The system is built for ease of access, ease of granting credit, but without a robust security infrastructure or privacy controls.

Consider that the PCI Security Standards Council was not created until late 2004, and that will give you an idea how security is anathema to the industry. The outgrowth of PCI is the PCI Data Security Standard which is the first uniformly created set of comprehensive security requirements for enhancing payment account data security. While the industry debates the efficacy of PCI, attackers are busy at work running innumerable fraudulent schemes.

The authors paint an honest appraisal of the lack of security in the industry and have their facts in order, although an occasional hyperbole does creep in, for instance when the authors repeatedly state that the hackers in question went weeks without sleep. But a huge error is where they state in chapter 11 that PCI is controversial, with some merchants complaining that it is too costly to implement. There is nothing controversial about PCI, and the security controls it requires are sorely needed. While merchants express their discontent about security and its associated costs, attackers steal from underneath them. The quicker the merchants get that they needed security, the quicker the attacks will stop. But as the book shows, that will not happen anytime soon.

Part of the reason why identity theft will not go away anytime soon is similar to the problem in the air traffic control industry, as detailed in Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It. There are too many players in the game, all of which focus on their own interests, and no one wants to take responsibility for the problem. The fact that the Social Security number (SSN) is still used as a key personal identifier, combined with the ease at which an individual 's SSN can be obtained and misused should be enough to give anyone pause.

The primary purpose of a SSN has been to track individuals for taxation purposes. But in the last decade, the SSN has become a de facto national identification number. When established in the 1930s, the Social Security Administration meant for the SSN to be used as a way to track a person's earnings for Social Security benefits. Despite its narrowly intended purpose, the SSN is now used more for non-Social Security purposes, than for the reason it was created. Today, SSNs are used for identity verification, and are the de facto identifier for the credit and financial services industry. With SSNs being aggregated by the millions, they are the fodder for the stories in the book.

Book such as Silent Spring, which helped launch the environmental movement, and The Jungle, which exposed the corruption of the American meatpacking industry, were watershed books that changed America. While Zero Day Threat is not in the same category as either of these books, it is highly unlikely that the level of outrage it will create will be much, nor the indignation significant. Because as bad as identity theft is, and as much grief as it causes, there are far too many politicians, powerful companies, lobbyists and more that are in the way of any change.

Nonetheless, Zero Day is a most interesting look at the many players that work together to facilitate the countless identity theft rings. The book is an absorbing look at the many international players and their enablers involved. While identity theft is not going away anytime soon, Zero Day Threat details the problem, and shows what you can do to ensure that you are not a victim.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Review ?

[Arthur+B.]

When is comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious about near-epidemics such as heart disease, obesity, and diabetes. With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem with identity theft and internet fraud.

Is this a book review or a political tract ?

Re:Review ?

[neapolitan]

More than that, it's essentially meaningless. Americans are not "oblivious" to obesity, and do not "tolerate" drunk-driving deaths. Cursory references to large problems like that weaken your opinion and make the reviewer sound flippant rather than bolstering a real or arguable opinion.

American society tolerates 200,000 deaths per month! Most of these are due to heart disease! Why should we care at all about economic systems or fraud?

The answer is we care about both, and heart disease receives a great deal of attention from the best and brightest students and gets a large amount of public and private financing. That need doesn't obviate the need to avoid fraud, or remember your wife's birthday, or all of the other small stuff in the world. Now, let's discuss the book.

Re:Review ?

[Shakrai]

in the end they do nothing to improve their condition.

And why is this a problem? Some people choose to smoke even though they know the risks of doing so. If people choose to live unhealthy lifestyles than I'm not going to get real worked up about it. I don't know about you but I'm growing weary of the war on vice.

Provide people with the information but at the end of the day it's up to them to make smart choices.

Re:Review ?

[sumdumass]

It has nothing to do with the risk assessment. It has to do with one sides inflamed rhetoric being spewed as if it was fact. That is a political rant, not a book or a book review unless the book and review is politically oriented.

Here are a few examples with the truth behind it.

"American society tolerates tens of thousands of drunk-driving deaths" This is false, the truth is that all areas in America assign high/strict penalties to people who get caught drinking and driving as well as those who cause drunk driving deaths. Nobody tolerates drunk driving deaths at all. But just like a kitchen knife that can be used to kill a person, not everyone who gets drunk drives let alone kills someone. The author is insinuating that because we havn't banned anything the could indirectly lead to a death, we tolerate the death.

"gives millions in federal tobacco subsidies" This has nothing to do with risk. Tobacco is used for more the cigarettes and doesn't always cause harm to everyone.

"and is oblivious about near-epidemics such as heart disease, obesity, and diabetes" again this has nothing to do with risk. It is nothing but a political rant about fat unhealthy Americans.

"With all that, it is doubtful that the myriad horror stories Zero Day Threat details will persuade Congress or the other players to do anything to curtail the problem with identity theft and internet fraud." Notice how this political rant mentions a body of politics directly? I mean it specifically says CONGRESS and suggest they should be doing something.. perhaps if he said "think of the children" it would have been more obvious.

None of the things mentioned have to do with banks or threats. None of them are related. And before you or someone else jumps in with "but..but. but Tobacco causes cancer", look at how many people have used tobacco who has gotten cancer. Before you or someone else chimes in with "but alcohol is legal", realize that so are guns, knives, baseball bats, and millions of other things that can be just as lethal if used improperly. In order for there to be a drunk driving death, a person must violate not one, but at least two separate laws if not more. "but. but , but Heart attack and diabetes" shut the hell up. How many people eat a twinky and get diabetes? How many people eat a greasy cheeseburger and have a heart attack. How many people who don't exercise every day or don't stick to some annoying persons latest health fad diet, have diabetes or heart attack? How many people who are over wight according to come damn chart have heart disease or diabetes? And after you figure all that out, compare it to how many people never have one lick of problems.

The comments in the submission were made by a moron too stupid to see he is being manipulated and your too distracted to see when he is getting political.

Re:Review ?

[EvolutionsPeak]

And then after that she found out that there were kidnappers and murderers outside so she was smarter and kept you in the house all day. Such paternalism can be taken too far, and it is. Enter video game bans, smoking bans, gun bans, etc...

The analogy is flawed anyway. A child needs such parental protection because they can't know any better. Adults can and should know better, and if they are coddled they will never learn how to make good decisions. Then that becomes justification for ever more laws to protect them from their own stupidity. Quite the cycle.

Also, the idea that "Provide people with the information but at the end of the day it's up to them to make smart choices." is a Republican mantra is laughable when they are the party that has been against contraception education in schools and want to outlaw abortion. It should be everyone's mantra anyway, at least anyone interested in maximizing freedom.

Re:Review ?

[afabbro]

It's a problem because like smoking and other addictions, such people can become a burden on society.

As a taxpayer, I wish more people smoked. It's cheaper when they die of lung cancer in their 60s than when they collect Social Security and Medicare until they're 90.

Re:Review ?

[belligerent0001]

"Oh stop it. 90% of food at the grocery store does not have high-fructose corn syrup in it."

If it is a processed item it most probably contains either Corn Syrup or HFCS. Granted the produce section is fairly safe as is most of the meat section, however vitamin D fortified milk has small amounts of HFCS added (at least at the stores around me). Even if an item has 'sugar' it will most often have additional HFCS added. Even some 'diet' beverages have HFCS added to them. READ LABELS.

    "That is so non-sensical it's hard to know where to start. You make it sound like the liver is the primary digestive organ. Also, according to you, if I eat some HFCS, I can then eat 20,000 calories and it'll never be processed. Hurray! HFCS is the cure for obesity."

High-fructose corn syrup (HFCS) is a recent invention of the food industry, made by an enzyme-mediated process. Old-fashioned corn syrup is less sweet and contains mostly glucose....

"HFCS contains 14 percent fructose. Never before in history have so many people been consuming so much fructose, and I am concerned about its possible disruptive effects on metabolism. I'd advise you not to buy products made with HFCS...."

From http://www.metnews.com/articles/reminiscing110603.htm
A Los Angeles Times article on March 24 said: "Unlike glucose, fructose is almost entirely metabolized in the liver. When fructose reaches the liver, says Dr. William J. Whelan, a biochemist at the University of Miami School of Medicine, 'the liver goes bananas and stops everything else to metabolize the fructose.' "

    "Sorry, wrong. The reason is the high import tariff on sugar in the USA. That's not the same thing as a subsidy."

While I admit that you are partially correct here. In ADDITION to high tariffs on sugar there are also substantial subsidies provided to the growers and refiners of corn.

Additionally, If one was to chart the occurrences of obesity and diabetes, heart disease, etc. in the US and compare that to the overall production/consumption of HFCS the lines mirror themselves even closer than that of carbon and global warming. Believe the propaganda that you choose. I know of 7 people who all removed HFCS from their diet and low and behold their blood glucose levels returned to normal, their serum cholesterol dropped to normal levels and the lost a substantial amount of weight. All but 2 had these results without additional exercise or other caloric modifications. The other 2 actually increased the amount of calories and the amount of dietary fat and still lost weight although they did increase their activity.

So get bent ass clown

Re:Review ?

[FreakWent]

"Oh stop it. 90% of food at the grocery store does not have high-fructose corn syrup in it."

Assuming a grocery store is a supermarket and not a greegrocer's, then you are wrong.

I apologise for the payment gate, but there's an hour long lecture on corn in the US food system available here:
http://www.alternativeradio.org/programs/POLM001.shtml

Amongst other things, the speaker details the scientific testing done trying to find processed food with no corn in it. USians should listen to this talk.

If you're referring to a real greengrocer, then you need to check the availability and price of these stores and goods compared with processed foods. I don't think most people can afford a fresh fruit-and-veg diet in the US, or so I've been told.

As for the liver, apparently every cell in the body can metabolize glucose. However, all fructose must be metabolized in the liver. The livers of rats on high fructose diet look like the livers of alcoholics, plugged with fat and cirrhotic. (from http://www.westonaprice.org/motherlinda/cornsyrup.html)

This is probably what the previous poster was referring to.

A tarrif is not the same as a subsidy. However, they have roughly the same effect. Ignoring tarrifs, it remains true that the corn industry, and the oil industry upon which it depends so heavily, are both subsidised by the US taxpayer.

Between 1995 and 2003, federal corn subsidies totaled $37.3 billion. Ethanol makes this even worse.

http://www.slate.com/id/2122961/

There are very big problems with corn in the USA and you should do your own homework; it took me 5 mins to glue some links together.

Oh, and read "fast food nation".

Ummm....

[Otter]

When is comes to risk, American society tolerates tens of thousands of drunk-driving deaths, gives millions in federal tobacco subsidies, and is oblivious about near-epidemics such as heart disease, obesity, and diabetes.

This whole sentence is moronic, but it's easiest to point to the fact that federal tobacco subsidies ended several years ago. If one has to criticize American society, too little hysteria over risk seems like an odd choice.

The really sucky thing is...

[BitterOldGUy]

if you do get your identity stolen, it's up to YOU, the victim, to keep the documentation forever regarding everything to do with the theft - even if it's the fault of some careless company or government agency.

Know this site and this is the ONLY tuly free credit report direct or start here. The other "free" credit report websites are just trying to sell you stuff that you don't need.

To be truly safe from someone opening credit in your name is to freeze your credit - monitoring services are NOT as good. Here's a great guide on how to do it.

On another note and something positive about credit, check your credit card. They may offer to double or more the manufacturer's warranty. Meaning, if you're actually considering an extended warranty, your credit card may give you the same coverage to you for free.

But other than that, the whole credit industry seems to be geared towards sucking us in. I mean, unless you're going to drive and stay with friends and relatives, is it possible to travel without one?

Is it possible to get a job without a credit rating now? They background checks with Choicepoint who gets their data mostly from the credit bureaus.

What about flying? If you don't have a credit rating, are you automatically flagged as suspect?

And as far as SSN is concerned, we're stuck with that beast. I kind of hope it does go bankrupt then maybe we can burn the things!

Wrong, Wrong, Wrong

[mpapet]

American society tolerates...
There is not enough time or resources to protect people from themselves.

identity theft will not go away .... There are too many players in the game
Clearly the author has no immediate experience in the banking industry. The process is designed to minimize business risk. It shifts the consequences to the customer. It's intentional and the industry is quite happy with it.

Utter the words EMV in the U.S. banking industry and you are on the wrong end of a tirade on socialist schemes, government regulation and the kitchen sink's role in harming business interests.

Great more to care about....

[FooGoo]

Great something else I need to care about. Why is everyone telling me that I need to care about something. Global warming, global cooling, global climate change, Obama, McCain, Clinton, Pelosi, abortion, gay marriage, paying my taxes, paying my rent, RIAA, the most recent pop tart to get drunk and flashing her cooch, Colbert, Sterwart, child pornography, identity theft, and on and on. It's not that people don't care or are comfortable with risk it's just there are too many things to care about.

Frankly if someone wants my identity they can have it but you gotta take the whole thing because I don't fucking care anymore.