Dealing with Fake SMS ✉️ | Cost of a breached SSN?💵
CyberInsights #86 - Fake SMS in Genuine Threads | It cost US$ 7,500 per Social Security Number (SSN) that was breached
What if a fake SMS inserted itself into a genuine message thread?
Validating the sender of a text message is SMS security 101.
Australia is waking up to the fake SMS scam. Users are receiving fake SMSs that land in the same thread as the genuine messages from the business being impersonated.
Would you trust a message saying “Your account will be disabled” if it sits in the same thread that sent you an OTP for validation? Of course.
This is possible because the sender of the message is not validated. The alphanumeric ‘sender’ field is free text: the sender (usually a business application, or whoever is submitting through a bulk SMS gateway) enters anything it wants in it, and the handset groups messages into threads by that string alone. Read this article for the details.
The solution is astoundingly simple. Validate the identity of the sender of EVERY text message. 🙄
Australia is planning to implement sender ID registration. India already has a DLT (distributed ledger) based registration mechanism, under which every sender of bulk messages must register with its sender IDs, or it is not allowed to send messages at all.
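To make the mechanism concrete, here is an added example (my own illustration, not code from the original article or from any regulator or telco). It models a handset that keys message threads on nothing but the sender-ID string, and a hypothetical gateway-side sender-ID registry that rejects a submission whose sender ID is not registered to the account submitting it. The account names, sender IDs and message bodies are constructed; real registries (such as India’s DLT regime) carry far more than this one-line lookup.

```python
"""Constructed example: why a spoofed sender ID joins a genuine thread,
and the registry check that stops it before delivery."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sms:
    sender_id: str     # free-text originator string chosen by the submitter
    body: str
    submitted_by: str  # gateway account that actually submitted the message


def group_into_threads(messages):
    """Model the handset: threads are keyed ONLY by the sender-ID string,
    so any message carrying the same string lands in the same thread."""
    threads = defaultdict(list)
    for m in messages:
        threads[m.sender_id].append(m)
    return dict(threads)


# Hypothetical sender-ID registry: sender ID -> the one account allowed to use it.
REGISTRY = {"YOUR_BANK": "acct-bank-001"}


def gateway_accepts(msg, registry=REGISTRY):
    """Registry check at the gateway: the sender ID must be registered, and
    registered to the account that is submitting the message."""
    owner = registry.get(msg.sender_id)
    return owner is not None and owner == msg.submitted_by


def deliver(messages, registry=REGISTRY):
    """Apply the registry check, then thread whatever survives."""
    accepted = [m for m in messages if gateway_accepts(m, registry)]
    return group_into_threads(accepted)


# Constructed inbound traffic: one genuine OTP, one spoof reusing the bank's
# sender ID from an unrelated account, one unregistered promotional sender.
INBOUND = [
    Sms("YOUR_BANK", "Your OTP is 482913", "acct-bank-001"),
    Sms("YOUR_BANK", "Your account will be disabled. Verify now.", "acct-scam-777"),
    Sms("PROMO", "Big sale this weekend", "acct-scam-777"),
]


def spoof_lands_without_check():
    """Number of messages in the YOUR_BANK thread when nobody validates the sender."""
    return len(group_into_threads(INBOUND)["YOUR_BANK"])


def spoof_lands_with_check():
    """Number of messages in the YOUR_BANK thread after the registry check."""
    return len(deliver(INBOUND)["YOUR_BANK"])


if __name__ == "__main__":
    print("unvalidated YOUR_BANK thread size:", spoof_lands_without_check())
    print("validated YOUR_BANK thread size:  ", spoof_lands_with_check())
    for m in INBOUND:
        print(f"{m.sender_id:10} from {m.submitted_by:14} -> accepted={gateway_accepts(m)}")
```

The point of the model is the first function: the handset has no other signal to thread on, so the control has to live upstream, at the gateway or the carrier, where the submitting account is known and can be matched against the registry.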
Take Action:
If you have an application that sends out text messages (OTPs, or alerts of any kind), then make sure that you are meeting all government guidelines for such applications.
If you are a regulator and have not rolled out a sender validation mechanism yet, do it tonight. You are already late.
If you are a telecom service provider, ensure that you follow all the registration guidelines.
If you are a mere muggle, who just receives messages, be on the alert. Fake messages can creep into genuine message trails. Don’t believe a message just because it comes from “YOUR_BANK” and has joined the thread of genuine messages.
So, what is the cost of a data breach?
Now, you can answer the question. Each SSN breached costs you a whopping US$ 7,500 (conditions apply).
This one is for all the cyber risk quantification aficionados.
For years, professionals have been trying to put a dollar value on the cost of a breached record. Various methods have popped up (including a few by yours truly). Yet, after applying all the statistics and all the probability models, you were never really confident in the number.
This settlement by a Florida-based healthcare group answers the question. The cost of an SSN (Social Security Number) breach is US$ 7,500.
Wait, what??
US$ 7,500?
Did we not read in the “Cost of a Data Breach Report” by the venerable IBM that in the year 2022 the average cost per breached record was US$ 164? Yes, we did.
There are some nuances for us to consider here.
The settlement base is US$ 225 per valid claim. This is much closer to the number reported by the IBM survey, although the difference is still very high, and note that IBM’s figure is an all-in average (detection, notification, lost business) rather than a settlement payout.
The US$ 7,500 is for ‘extraordinary out-of-pocket expenses’. This is legalese for proven cases of identity theft, falsified tax returns, etc., attributed to the stolen SSN.
Take Action:
Use this information in 2 ways:
Showcase this to the board when seeking budgets. Settlement fees are hard evidence and should not be ignored. You now have a reasonable answer to ‘return on investment’.
While doing your risk assessment, use this data to understand the cost benefit analysis of implementing controls.
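For the risk quantification aficionados, here is an added worked example (mine, not from the original newsletter or the settlement documents) that blends the three figures on this page into an exposure estimate and a return-on-security-investment calculation. The per-record and per-claim dollar values are the ones quoted above; the record count, claim rates, breach probabilities and control cost are assumptions chosen to make the arithmetic visible.

```python
"""Constructed example: turning settlement figures into exposure and ROSI."""

# Figures quoted on the page.
IBM_2022_PER_RECORD = 164.0         # IBM 2022 average cost per breached record
SETTLEMENT_BASE_PER_CLAIM = 225.0   # settlement base per valid claim
SETTLEMENT_EXTRAORDINARY = 7500.0   # cap for proven 'extraordinary out-of-pocket expenses'


def settlement_exposure(records, claim_rate, extraordinary_rate):
    """Expected settlement payout for `records` breached SSNs.

    claim_rate:         fraction of affected people who file a valid base claim (assumption)
    extraordinary_rate: fraction who prove identity-theft losses up to the cap (assumption)
    The two tiers are modelled as independent populations; adjust if your
    settlement pays the base claim to the extraordinary claimants as well.
    """
    base = records * claim_rate * SETTLEMENT_BASE_PER_CLAIM
    extra = records * extraordinary_rate * SETTLEMENT_EXTRAORDINARY
    return base + extra


def blended_per_record(claim_rate, extraordinary_rate):
    """Settlement cost per breached SSN at the given claim rates."""
    return settlement_exposure(1, claim_rate, extraordinary_rate)


def ale(breach_probability, loss_if_breached):
    """Annualised loss expectancy: probability of a breach per year times the loss."""
    return breach_probability * loss_if_breached


def rosi(ale_before, ale_after, control_cost):
    """Return on security investment: (ALE reduction - control cost) / control cost."""
    return (ale_before - ale_after - control_cost) / control_cost


# Assumed scenario: 100,000 SSNs held, 5% of victims file a base claim,
# 0.5% prove extraordinary losses, a control drops breach likelihood 10% -> 2%.
RECORDS = 100_000
CLAIM_RATE = 0.05
EXTRAORDINARY_RATE = 0.005
P_BREACH_BEFORE, P_BREACH_AFTER = 0.10, 0.02
CONTROL_COST = 150_000.0


def scenario():
    """Run the assumed scenario and return the key numbers as a dict."""
    loss = settlement_exposure(RECORDS, CLAIM_RATE, EXTRAORDINARY_RATE)
    before = ale(P_BREACH_BEFORE, loss)
    after = ale(P_BREACH_AFTER, loss)
    return {
        "settlement_loss": loss,
        "per_record_settlement": blended_per_record(CLAIM_RATE, EXTRAORDINARY_RATE),
        "per_record_ibm": IBM_2022_PER_RECORD,
        "ale_before": before,
        "ale_after": after,
        "rosi": rosi(before, after, CONTROL_COST),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:22} {v:,.2f}")
```

Two things fall out of the arithmetic that the headline number hides: the blended settlement cost per record is driven almost entirely by the small extraordinary-claim fraction (US$ 37.50 of the US$ 48.75 per record here comes from the 0.5% tier), and even so it sits well below IBM’s US$ 164 all-in figure, because the settlement covers only payouts to claimants, not the response and lost-business costs IBM counts. Use the settlement tiers as the evidence for the board, and the all-in figure when sizing the control budget.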