Friday, April 1, 2011

How the Epsilon breach might cause real security problems


By Joe Dolittle

We've been following the data breach at Epsilon, which sends more than 40 billion emails a year on behalf of its more than 2,500 clients including Capital One, Citigroup, Walgreens, and the Home Shopping Network.

Some believe the direct risk is minimal given that only email addresses were exposed. That may not be true, however. It's likely that we'll see an uptick in email phishing and other email-based attacks given the magnitude of email addresses that were compromised. Because these email addresses can be tied to a legitimate business relationship with banks and retailers, the attacks are likely to be more effective.

According to Steve Dispensa, CTO and co-founder of security firm PhoneFactor, there are a number of potential security problems that may come out of the Epsilon breach.

Increased volume

While Epsilon is not disclosing the exact number of emails impacted, we're likely talking about hundreds of millions of exposed email addresses. Because attackers can link these email addresses to banks and retailers the email owner actually does business with, the likelihood of a successful attack is significantly increased.

Phishing emails that appear to come from a person's bank or from a retailer they regularly receive emails from are more likely to be acted upon. Unfortunately, it is very difficult for the average person to distinguish between a dangerous and a safe email.

The result is likely an increase in the number of successful phishing attacks over the next few months.

Failed trust

Many of us received several emails over the weekend from various businesses notifying us that our email addresses had been compromised. The emails weren't sent by Epsilon; they came from the companies we do business with. These companies are the ones who are taking the hit in terms of customer trust.

However, it may not be too late if the business and bank victims of the Epsilon attack put out-of-band authentication in place to stop any real-time attacks that try to leverage information obtained through phishing attacks.
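To make the out-of-band idea concrete, here is an added example (not code from the article or from PhoneFactor) of the server side of a transaction-confirmation flow. A one-time code is delivered over a second channel and is HMAC-bound to the exact transaction the user is asked to confirm, so a code a phisher tricks the victim into relaying cannot approve a different payee or amount, cannot be replayed, and expires. The class, the `Transaction` fields, the message wording and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """Fields the user is asked to confirm (assumed layout for this example)."""
    user: str
    payee: str
    amount_cents: int


class OutOfBandVerifier:
    """Issues single-use codes over a second channel, each bound to one transaction."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 300):
        self._key = server_key
        self._ttl = ttl_seconds
        self._pending = {}  # challenge_id -> (binding_mac, expires_at)

    def _bind(self, txn: Transaction, code: str) -> bytes:
        # The MAC covers every field the user confirms, so a code obtained for
        # one transaction cannot approve a transaction with a swapped payee or amount.
        msg = f"{txn.user}|{txn.payee}|{txn.amount_cents}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue_challenge(self, txn: Transaction, now: float = None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (self._bind(txn, code), now + self._ttl)
        # This text goes out over the second channel (SMS or voice call in practice).
        # Repeating payee and amount lets the user spot a substituted transaction.
        message = (f"Confirm payment of ${txn.amount_cents / 100:.2f} to {txn.payee}. "
                   f"Code: {code}. If you did not request this, do not reply.")
        return challenge_id, message

    def confirm(self, challenge_id: str, txn: Transaction, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)  # pop: each challenge is single-use
        if entry is None:
            return False
        expected_mac, expires_at = entry
        if now > expires_at:
            return False
        # Constant-time comparison of the MAC over the transaction actually submitted.
        return hmac.compare_digest(expected_mac, self._bind(txn, code))


def code_from_message(message: str) -> str:
    """What the user reads off the phone: the six-digit code in the delivered message."""
    return re.search(r"Code: (\d{6})", message).group(1)


if __name__ == "__main__":
    verifier = OutOfBandVerifier(secrets.token_bytes(32))
    legit = Transaction("alice", "Electric Co", 12000)
    cid, sms = verifier.issue_challenge(legit)
    print("delivered out of band:", sms)
    code = code_from_message(sms)
    # A phisher who relays the code but submits a different payee is rejected.
    print("mule payee:", verifier.confirm(cid, Transaction("alice", "Mule Account", 12000), code))
```

The important design choice is that the code alone proves nothing: the server only accepts it together with the transaction it was issued for, and the user sees that transaction in the out-of-band message, which is what defeats a real-time relay of phished credentials.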

Interestingly, ZATZ Editor-in-Chief David Gewirtz reports getting one such notification letter from a very famous entertainment company with a "land" in California and a "world" in Florida. Apparently, that company had an email address David uses as a "honey trap," to distinguish spammers from people who should have his email address.

So one of the other outcomes of this breach is we may see just what email addresses major companies have, and how -- possibly -- they've been getting those email addresses. Some, like this entertainment conglomerate, might not have acquired their email database through legitimate means to begin with.
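The "honey trap" technique described above scales to one tagged address per company, which turns a breach notification (or a phishing email) into an attribution: the recipient address tells you which company the address was given to. The following is an added example, not from the article or from David Gewirtz, using RFC 5233-style plus-subaddressing with an HMAC-derived tag so tags cannot be guessed. The class name, the `service -> sender domain` mapping, the labels returned by `classify`, and the constructed sample messages are all assumptions made for the example.

```python
import hashlib
import hmac


class HoneyTrapAddresses:
    """One tagged address per company, so inbound mail attributes itself to a source."""

    def __init__(self, mailbox: str, domain: str, secret: bytes):
        self._mailbox = mailbox.lower()
        self._domain = domain.lower()
        self._key = secret
        self._issued = {}  # tag -> (service name, domain that service legitimately sends from)

    def _tag(self, service: str) -> str:
        # Keyed hash: an attacker who sees one tag cannot derive the tag for another service.
        return hmac.new(self._key, service.lower().encode(), hashlib.sha256).hexdigest()[:10]

    def issue(self, service: str, sender_domain: str) -> str:
        """Address to hand to `service`; remember which domain its mail should come from."""
        tag = self._tag(service)
        self._issued[tag] = (service, sender_domain.lower())
        return f"{self._mailbox}+{tag}@{self._domain}"

    def attribute(self, recipient: str):
        """Return (service, expected sender domain) for a tagged address, or None."""
        local, _, domain = recipient.lower().rpartition("@")
        if domain != self._domain:
            return None
        mailbox, _, tag = local.partition("+")
        if mailbox != self._mailbox:
            return None
        return self._issued.get(tag)

    def classify(self, sender: str, recipient: str) -> str:
        """Label one inbound message by who was given the recipient address."""
        info = self.attribute(recipient)
        if info is None:
            return "unknown-address"
        service, expected_domain = info
        sender_domain = sender.lower().rpartition("@")[2]
        if sender_domain == expected_domain:
            return f"expected:{service}"
        # Mail from somewhere else to an address only one company was given:
        # that company (or its vendor) leaked, sold or mishandled the address.
        return f"leaked-from:{service}"


def triage(book: HoneyTrapAddresses, messages):
    """Classify a batch of (sender, recipient) pairs; returns a list of labels."""
    return [book.classify(sender, recipient) for sender, recipient in messages]


if __name__ == "__main__":
    book = HoneyTrapAddresses("david", "example.org", b"assumed-secret")
    bank = book.issue("ExampleBank", "examplebank.example")
    shop = book.issue("ExampleShop", "exampleshop.example")
    # Constructed sample traffic, not real messages.
    sample = [
        ("alerts@examplebank.example", bank),
        ("offers@promo-blast.example", shop),      # shop's address used by a third party
        ("noreply@examplebank.example", "david+notissued@example.org"),
    ]
    for label in triage(book, sample):
        print(label)
```

One caveat on the plus-addressing form: the tag is visible to whoever holds the address, and some bulk senders strip everything after the `+`. Issuing each company its own mailbox on a catch-all domain gives the same attribution without that weakness; the HMAC tag and the `classify` logic carry over unchanged.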