Is spyware the root cause of this data leak?

Linden Lab published this yesterday to remind people about basic internet security. In a roundabout way it very forcefully reaffirms Linden Lab’s position that these spam emails are the result of user machines being compromised. Unfortunately it ignores what is being said by those who have been affected. The thread where this is still being discussed is here.

Once I am convinced that this was due to spyware I’ll remove these posts and replace them with a background piece and the actual cause. At the moment I am not comfortable enough with the Linden Lab position to accept it.

Without knowing how local payments work, what data is required and whether you need to access the Dragonfish site to do this rather than going via the Second Life web pages (and there’s no way I’m going to test it out), my problems with blindly accepting Linden Lab’s position are:

  • If an email address is used for Second Life only, the last time it was probably entered anywhere was when the email account on the Second Life website was updated, assuming people pull their emails down to an email client; if the mail is accessed via the web, the address is also used to log into the mail provider. Web access does increase the chance that spyware could capture it.
  • Those who have identified the spam emails claim their machines are spyware free, although none have yet said whether they run scheduled checks and whether they’ve reviewed the logs for the last few months to see if anything has been picked up.
  • If it is spyware, then I would expect their non-Second Life accounts to be receiving spam as well. I doubt there is anyone who only uses their Second Life email address, yet I’ve not seen any reports of this.
  • Whilst there is a chance that this spyware is somehow clever and targeted enough to recognise only Second Life accounts, wait until it has the card holder name from a transaction against a Second Life account, and only then send the data to the collector so the email can be sent out, I wouldn’t consider it likely.

I’m still not convinced this can be brushed aside as user carelessness and I would certainly be asking Dragonfish to explain. As Linden Lab are so publicly committed to protecting our data, I would have expected them to contact those who are currently claiming that spyware is not the cause, to ask them for the emails, to check their logs to see if any spyware has been removed in the last few months and to ask them where they use the email addresses in question. Just brushing this aside as user carelessness without even going through the motions of due diligence doesn’t impress me. Just saying “contact us” in what looks like a peripherally relevant post isn’t what I would expect of a company that is so committed to protecting our data and believes in good customer relations; but of course the only recent Linden Lab employee who publicly demonstrated that commitment and understanding of the basics recently ceased working for the company.

Linden Lab are extremely lucky with their user base: it is extremely tolerant of errors, it is extremely rare that people ever exercise their right to complain to external authorities, and they’re easily distracted. Given another week this will have passed from most memories and will have been just another blip on the horizon.

However, since I’m not feeling enough confidence in the Lab over this, I’ll stick to avoiding local payments and keep these posts here.

Linden Lab and the Dragonfish data breach

True to form, Linden Lab are now blaming their customers for the leak of card holder names and email addresses. They claim that the data breach is due to poor computer security on the part of those whose data has been compromised.

FJ Linden responded in the forum thread (post 31) and said:

01-06-2011 05:26 PM

Thanks for raising this issue with us. Protecting our users’ privacy is of the utmost importance to Linden Lab. Based on our investigation, we have determined that the spam was not the result of a security breach or our billing partner selling Second Life users’ data to any third-party.

So, what happened? Unfortunately, it looks to be a case of email addresses collected by spyware, which can happen via a third-party application or website. The advertised site is not a property of Linden Lab or any of our partners. More information about this type of activity, and how email addresses are obtained through third-party software or websites, can be found here.

Again, big thanks for bringing this to our attention.

I say that it’s about time that Linden Lab employed some people who have business experience.

This was promptly rebuffed (post 34) by one of those affected:

01-06-2011 06:58 PM

1) I received these spam-emails to 3 addresses used for SL. 2 of these are ONLY used for SL. And NONE of my other email-addresses received these spam-emails and I have dozens of addresses. One for each account on some website or other. As I said NONE of these other email-addresses received the spam. It is highly unlikely (though admittedly not impossible) for spyware to randomly get just 3 addresses that are known to SL and none of the others. If my math is correct then the statistical probability for this is about 0.3%. (8 out of my total of 50-60 email-addresses are known to SL)

2) I know how to take care of my computer-security. I have 20+ years of experience as an IT-professional (programmer and webserver-administrator). NEVER in all those years have I had a virus/spyware on my computers. I use Firefox with Noscript-plugin to keep Java, Javascript and Flash disabled for almost all websites except trustworthy ones. BTW: Stop putting Javascript on s3.amazonaws.com as it forces me to enable Javascript for all of amazonaws.com. This is a security-hole waiting to be exploited. I already posted about this over a year ago when you first started doing this.

3) The fact that the advertised sites don’t belong to LL or some partner of LL doesn’t prove anything. Only a very, VERY stupid spammer would make it that easy for you.

4) We are not just talking about email-addresses here. We are also talking about RL-data associated with the email-addresses. In my case the spammer knew my RL-firstname. In one case reported by someone else it was the combination of an email-address used ONLY for SL and the full RL-name of the credit-card holder used for that account which was NOT identical with the user’s RL-name. I don’t see how any spyware could connect these two pieces of information.

In conclusion: Linden Lab, KEEP LOOKING!!! You are leaking this information *somewhere*.

Logically, from the information given by one of those affected, the explanation given by the Linden Lab representative cannot hold unless the Second Life payment site itself has spyware embedded in it. One email was sent to an address that apparently has only ever been used as the contact point between Linden Lab and the Second Life account holder and has not been used elsewhere, and the spam email carried the card holder’s name, not the account holder’s. The card holder is someone else, and therefore the only place these two pieces of data could have been matched is Dragonfish. The fact that card holder names are being used should have triggered alarm bells in Linden Lab.
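The two arguments above, the poster’s probability estimate and the point that only one party holds both the contact address and the card holder name, can be made mechanical. The following Python is an added illustration and is not code from the post, from Linden Lab or from Dragonfish; the addresses, the service registrations and the split of data fields between parties are constructed placeholders. It treats each single-use address as a canary: the services common to every spammed address are the only single-source explanations, the per-service hit rate shows how lopsided the pattern is, a hypergeometric calculation reproduces the poster’s roughly 0.3% figure (about 0.29% with 50 addresses in the pool, 0.16% with 60), and a field-level check lists which party could have joined the fields seen in the leaked message.

```python
from math import comb

# Constructed sample data, not taken from the forum post: which services each
# address was registered with. Addresses are placeholders.
ADDRESS_USAGE = {
    "sl-only-a@example.invalid": {"second_life"},
    "sl-only-b@example.invalid": {"second_life"},
    "sl-and-shop@example.invalid": {"second_life", "webshop"},
    "shop-only@example.invalid": {"webshop"},
    "forum@example.invalid": {"forum"},
    "bank@example.invalid": {"bank"},
}

# Constructed: the addresses on which the unsolicited mail arrived.
SPAMMED = {
    "sl-only-a@example.invalid",
    "sl-only-b@example.invalid",
    "sl-and-shop@example.invalid",
}

# Constructed: which data fields each party in the payment chain holds. The
# split of fields between parties is an assumption for illustration only.
DATA_HOLDERS = {
    "user_pc": {"email", "sl_password"},
    "second_life": {"email", "account_name"},
    "payment_processor": {"email", "cardholder_name", "card_number"},
}


def candidate_sources(usage, spammed):
    """Services that every spammed address was registered with.

    A service that at least one spammed address never touched cannot, on its
    own, explain the whole set of hits, so the intersection is the set of
    single-source explanations consistent with the observation.
    """
    sets = [usage[addr] for addr in spammed]
    return set.intersection(*sets) if sets else set()


def hit_rates(usage, spammed):
    """Per service: (registered addresses that were spammed, registered addresses)."""
    rates = {}
    for addr, services in usage.items():
        for svc in services:
            hit, total = rates.get(svc, (0, 0))
            rates[svc] = (hit + (addr in spammed), total + 1)
    return rates


def prob_all_in_group(population, group, draws):
    """Probability that `draws` addresses picked uniformly at random from a pool
    of `population` all land inside one particular subset of size `group`
    (a hypergeometric draw with zero misses)."""
    if draws > group:
        return 0.0
    return comb(group, draws) / comb(population, draws)


def holders_with_all_fields(leaked_fields, holders):
    """Parties that hold every field seen in the leaked message, i.e. the only
    places where those fields could have been joined together."""
    return {name for name, fields in holders.items() if leaked_fields <= fields}


if __name__ == "__main__":
    print("single-source explanations:", candidate_sources(ADDRESS_USAGE, SPAMMED))
    print("hit rates:", hit_rates(ADDRESS_USAGE, SPAMMED))
    for pool in (50, 60):
        p = prob_all_in_group(pool, 8, 3)
        print(f"P(3 random picks from {pool} all among the 8 SL addresses) = {p:.2%}")
    print("holders of email + card holder name:",
          holders_with_all_fields({"email", "cardholder_name"}, DATA_HOLDERS))
```

The intersection only narrows the field to parties consistent with the evidence; it does not prove intent, which is why the hit rate and the probability are printed alongside it. Giving every service its own address is what makes this kind of attribution possible in the first place.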

The most likely scenarios are:

  • Corruption. The data has been accessed and removed by an unauthorised person/s working for Dragonfish and has been sold on to other gaming sites for personal profit.

I feel this is the most likely scenario but only Dragonfish can confirm this by checking who has access to the data.

The other possible scenarios are:

  • The emails came from other Dragonfish companies. This means that Dragonfish is using the data without the knowledge or consent of those affected and in breach of the EU data protection laws. Financial information (card holder name at a minimum) should never be used this way.
  • Dragonfish is selling the data on to other gaming sites. Again this is a breach of EU data protection laws. Financial information (card holder name at a minimum) should never be used this way.

This does look like a breach of internal security and the implications of this are worrying, not just for Second Life users but for all users of Dragonfish. At the moment we are aware of the card holder details being compromised, but it is very possible that the card details have also been compromised. Assuming that the person/s distributing this data are doing it for personal profit, it may not just be gambling sites the information is being sold to. This puts everyone who has used the Dragonfish site for a financial transaction at risk of card fraud and/or identity theft.

Third parties being careless with data is nothing new; this year in particular has seen a rise in companies needing to apologise because their third party supplier has not kept their customer data secure. The one thing all these companies have had in common is that they don’t blame their user base as an easy way out, but investigate with the third party and take immediate action to mitigate the data loss and the damaging publicity.

Linden Lab on the other hand is determined to blame its customers and hope the problem goes away. It won’t if there is a worker in Dragonfish who is accessing and distributing the financial and contact data in breach of company policy. It’s data theft that is the issue here, and Dragonfish will not admit this or take action to stop it happening in future unless Linden Lab forces them to. Rather than just mouthing platitudes at the masses and hoping the problem goes away, I would suggest that Linden Lab actually get the details from those affected, analyse them and then go to Dragonfish and demand an explanation. That’s what real companies who believe in protecting their customers’ privacy and the organisation’s good name do.

~~~

Unauthorised distribution of financial information is a serious breach and again I cannot urge people more strongly to make a complaint to their country’s relevant data protection commissioner. I doubt this is the first time data has been leaked from this company and it will not be the last until all offenders are caught and dealt with. If Linden Lab and Dragonfish will not take action then it is left to consumers to make a complaint to enable the authorities to act.

You should also consider contacting your bank or card issuer to advise them that your card details may have been compromised. This enables the provider to monitor your card for transactions and stop card fraud before it occurs.

~~~

Within the next few days I would expect to see the following action taken:

  • The culprit/s are identified and are removed from the company (I do believe it is likely that there is more than one).
  • Data security at Dragonfish is tightened to ensure this cannot happen again.
  • Dragonfish issues a statement where it admits full liability and publicly absolves Linden Lab for the breach.

Anything less will imply that Linden Lab is at fault here. So if you don’t see this then draw your own conclusions.

Here are the relevant links to make a formal complaint

A quote from the UK site – I’ve highlighted the relevant reasons for the complaint.

How do I know if my problem is a data protection problem?

You might have a data protection problem if any of the following apply to you:

  • You have been denied any of your rights, including your right to see the personal information an organisation holds about you.
  • Personal information about you is used, held or disclosed:
    • unfairly
    • for a reason that is not the one it was collected for, or
    • without proper security.
  • Personal information about you is:
    • inadequate, irrelevant or excessive
    • inaccurate or out of date, or
    • kept for longer than is necessary.