Sunday, February 1, 2015

ITaaS – Identity Theft as a Service with FileThis


It’s not often I look at a product or service and say “I really, really hope this isn’t real, and it’s an elaborate fake”. Alas, this day has come. It’s time for a look at something which cropped up on my radar today, namely a service called FileThis. I won’t do them the search-engine-ranking honor of providing a direct link to their site, but a quick search will find them, and their app on the Play Store and the iTunes App Store.

With the increasingly moronic “cloud” ecosystem of endless venture-capital-funded start-ups, all trying to make your life easier (while getting their grubby mitts on your data), why single out FileThis? Quite simply, they must be in the running for either the most naive and stupid product of the decade (I feel confident in saying this only halfway through the decade!), or they have pulled off one of the best “fake” product launches I’ve ever seen, as a parody to raise attention to a cause. In either case, they deserve some attention! I mean, isn’t that the goal of every start-up?

What is it?

FileThis aims to make your life easier by helping you to become organised. It does this by retrieving your bank statements, insurance certificates, credit card bills, investment details and other bills, and storing them in the cloud for you. It’s effectively a web scraper (to quote the PC World review of it, from 7th January). Except this is not like any other web scraper. It’s a web scraper to which you provide the login information for your bank accounts and credit cards. In fact, FileThis claims to support “over 400” different sources of paperwork, which it can retrieve and hold for you.

So What?

The only problem with gathering all these bank and credit card statements, insurance policy documents, and other bills (such as contract phone bills and subscription satellite or cable) in one place is that you’ve just created a single point of failure. You’ve given all your passwords to a private company. But who are they? Why should you trust them? Would you hand over your bank statements to that man who stands outside the subway station on your way to work? Would you give your health insurance documentation (which could easily include details of claims and similar) to the disheveled beggar with the guitar outside Starbucks? I don’t know about you, but I wouldn’t do either.

At the risk of this appearing irrelevant, let’s take a look at who FileThis really is. Starting from their website, a whois check on their domain name doesn’t reveal much. It confirms the domain is registered by a “Loyal Bassett”, of “FileThis.com”. Keep this name in mind; we’ll return to it later. There’s no physical address given, and the site is hosted on Amazon’s infrastructure. The real-world equivalent of this is most probably “no fixed abode”.

Let’s recap: a company of no clear abode is asking you to trust them with your bank statements and other financial information, as well as the login details for those websites! Does this sound like a good idea?

Digging a Deeper Hole

With the above revelation, I took things a bit further. They have an EV (Extended Validation) SSL certificate, which means their corporate existence was verified by the certificate authority which issued it. Sadly, this means little in days when new companies can be formed and closed at the drop of a hat, with the signing of a few forms. Eventually, I stopped trying to find out more about where they were based, and looked instead at how they were funded.

It turns out FileThis isn’t just any old company, but a private company which has so far debt-financed itself to the tune of $1.4 million. That’s quite a lot… Would you give out your credit card bills and bank statements to someone who was over a million dollars in debt? I wouldn’t. Not even if I trusted them! While there’s nothing to indicate that FileThis have any criminal intentions (nor is there anything to indicate the contrary), you wouldn’t do it in person. I wouldn’t give my best friend a bank statement if he was even $1000 in debt…

In the process of investigating their funding, I came across their filing with the Securities and Exchange Commission, which at least confirmed they had a physical presence and existence. But it wasn’t exactly forthcoming. Interestingly, their website shows their management team. None of them are the above-named “Loyal Bassett” who appears to own their internet domain. Having looked through their brief biographies, it’s clear they have set up shop with:

  • “a 25-year veteran of the software industry and passionate entrepreneur”, with no specific reference to any relevant experience in security or privacy
  • a former Adobe programmer with a Computer Science bachelor’s degree from a state university, who appears to juggle all the coding in the entire company, security included
  • a marketing guy

It’s almost like the start of the traditional bad joke – three of the least likely people to protect your private data, are asking you to hand over your online banking passwords.

Other Problems?

Something else worth considering is liability. You’re liable for any transactions carried out using your bank login credentials, and it’s also usually against your bank’s terms and conditions to give your login details to anyone else. I’m not an expert in US banking, but it’s clear from my very quick research that you are responsible for transactions made via online banking if your credentials were used. Similarly, fraud prevention liability guarantees (such as Bank of America’s) state specifically “don’t share personal or account information with anyone.”

By handing over the login credentials for your bank, you’re exposing yourself to an immense risk of identity theft. Anyone gaining access to your cloud storage would have access to all your statements, policies, and personal documents. Would you upload your bank statements to Dropbox, Evernote or Box, each of which has had its own security incidents? Because that’s what they’re suggesting. Alternatively, you can store your files with FileThis themselves… Them, with only one person claiming any kind of computing qualification, who appears to juggle security along with his two other main tasks. Is that enough to protect your data?

Encryption???

FileThis claim, like most services do, that they employ encryption of your data. Indeed, they actually give some technical details. But reading through their website, it becomes clear that your data doesn’t seem to be nearly as well protected as they claim. There’s no mention made at all of encryption in their claims of supporting Box or Dropbox, both of which (as mentioned above) have somewhat less than stellar security pasts, Dropbox in particular! FileThis supports syncing with Personal (and Personal does seem to encrypt your stored data), but as with most cloud-based products that claim to offer encryption, the web server is able to show your data in the browser, meaning the keys are available to the provider. And, unsurprisingly given the situation with Dropbox and Box, the Google Drive integration doesn’t encrypt your data either.

Besides the third-party integrations, they offer their own cloud storage too (jack of all trades, master of none, springs to mind here)! The same problem applies: since you can view your data via their website, they hold the encryption keys necessary to decrypt it. Which means that if they lose control of those keys, or their service is compromised, an “identity theft 101” package is all there, ready and waiting.

In their terms and conditions, FileThis state that

Protecting your documents and your account passwords and user names is very important to us. We make every effort to ensure that these are secure against unauthorized access and disclosure using a variety of authentication, encryption and security processes and procedures. However, in the Internet Age, there is no 100% guarantee of such security and you understand this and agree that the Service is provided “AS-IS” and without warranty or guarantee.

As a measure of the confidence that FileThis has in its security precautions, all FileThis officers use our service just the way you will.

If using FileThis is a prerequisite to working for them, I can certainly say that their employees’ confidence in their own product is foolhardily high. The code isn’t open source, so it can’t be audited for flaws. This service is a huge target: get one password and you win the ultimate identity theft jackpot, someone’s literal, entire identity, including all the documents you would need to apply for ID and credit in their name, or even to authenticate to their bank as them. Just think: when your bank asks for past transaction information as a security check, anyone with access to your statements can answer! Including your “cloud” statements.

Talking Twaddle

Sadly though, FileThis also talk twaddle, to try to confuse their users with technobabble. They say on their security page that

The credentials to your FileThis account, and to all your account connections are encrypted from the moment they are entered. On our servers and in our database, your credentials are encrypted utilizing AES 256-bit encryption, which is the highest encryption standard available today. Bottom line: even if a hacker could get access to your credentials on our servers (they cannot), it would be impossible for them to read any of the data.

OK, let’s take that at face value, and presume their encryption is implemented well! The problem is that their service has to decrypt your credentials in order to log into those sites and retrieve your data. Since they can check for new documents when you are not online and logged in, they cannot be relying on a secret only you hold: the key that decrypts the credentials in their database must live within their own infrastructure. Anyone breaking into their servers would therefore have access to the decrypted contents, either by taking the key along with the database, or by watching the requests being made to the remote systems (the banks and other companies). That’s simply not nearly as secure as they suggest!

If someone gets in, they’ll get your account passwords, and be able to find out which accounts you sync with. If you sync your data externally, it might not be held on their systems, but they still handle it in transit (and an attacker could exfiltrate the files by making a second request for them directly, rather than passing them on to the cloud storage service you use). You are therefore entirely reliant upon their one guy, with three things to do, being a security expert. I’m sorry, I don’t know him personally, but I don’t believe for one moment he’s good enough at that. We all make mistakes. Him included. And I guarantee he’s made a mistake here, even if that mistake is simply in working for this company.
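The argument in the last few paragraphs, and in the “Encryption???” section above, comes down to key custody: credentials that are “AES-256 encrypted in our database” are only as safe as the key, and a service that fetches statements while you are offline must keep that key where its own scraper can use it. The following Go program is an added example written for this page; it is not FileThis’s code and assumes nothing about their implementation beyond what their security page claims. The vault, the account name, the password and the stand-in bank login function are all constructed for the demonstration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vault is a model (not FileThis's code): "AES-256 at rest", decrypted by the server itself.
type Vault struct {
	key     []byte            // 32-byte AES-256 key, held by the provider
	records map[string][]byte // account id -> nonce || AES-GCM ciphertext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal binds the account id as associated data, so a record moved to another account fails to open.
func seal(key []byte, account, password string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), []byte(account)), nil
}

func open(key []byte, account string, record []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(record) < n {
		return "", fmt.Errorf("record too short")
	}
	pt, err := gcm.Open(nil, record[:n], record[n:], []byte(account))
	return string(pt), err
}

func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Vault{key: key, records: map[string][]byte{}}, nil
}

func (v *Vault) Store(account, password string) error {
	rec, err := seal(v.key, account, password)
	if err == nil {
		v.records[account] = rec
	}
	return err
}

// FetchStatements is the scheduled job: logging in to the bank needs the
// plaintext password, recovered with the key that sits on the same server.
func (v *Vault) FetchStatements(account string, bankLogin func(user, pw string) string) (string, error) {
	pw, err := open(v.key, account, v.records[account])
	if err != nil {
		return "", err
	}
	return bankLogin(account, pw), nil
}

// TapLogin is the attacker path that needs no key at all: with a foothold on
// the scraper host, wrap the bank-login call and read each password in use.
func TapLogin(captured map[string]string, real func(user, pw string) string) func(user, pw string) string {
	return func(user, pw string) string {
		captured[user] = pw
		return real(user, pw)
	}
}

// ClientKey is the alternative: a key derived from a secret only the user holds. The
// provider cannot read the vault, but cannot run the job unattended either. (sha256 stands in for a real KDF.)
func ClientKey(passphrase, salt string) []byte {
	k := sha256.Sum256([]byte(salt + ":" + passphrase))
	return k[:]
}

func main() {
	v, _ := NewVault()
	_ = v.Store("alice@examplebank", "hunter2") // constructed sample login
	tapped := map[string]string{}
	bank := func(user, pw string) string { return "statements for " + user }
	out, _ := v.FetchStatements("alice@examplebank", TapLogin(tapped, bank))
	fmt.Println(out, "| password seen by the tap:", tapped)
}
```

The contrast with ClientKey is the trade-off the marketing copy skips over: derive the key from something only the user holds and the provider genuinely cannot read the vault, but then it cannot check for new documents while the user is away either. A service that advertises the unattended fetch has, by construction, chosen the first design, and the AES-256 label tells you nothing about what happens when the host holding the key is the one that gets broken into.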

Is it a Hoax?

I really, honestly, wish this was a hoax by someone from the information security scene, to prove a point and make fun of people’s blind and stupid trust in “the cloud”. But from all the digging I’ve done, I cannot find anything to indicate this is the case. They appear to have gone through with making a working product, with an app on the Android and Apple stores (the latter having a relatively stringent approval process which tests functionality). This idea still seems so stupid that I must leave the disclaimer that it may yet be an elaborate hoax, or a honeypot to steal people’s identities (hey, who says being audacious doesn’t work? Just ask them for their details, then you can’t be accused of stealing them!)

But there’s more!

As much as I do hate to sound like an Apple product launch keynote, there really is more! It turns out, upon reading the terms and conditions of the service,

For purposes of these Terms of Use and solely to provide the Account Information to you as part of the Service, you grant FileThis a limited power of attorney, and appoint FileThis as your attorney-in-fact and agent, to access third party sites, retrieve and use your Account Information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person. You understand that the Service is not sponsored or endorsed by any third parties accessible through the Service.

So there you go! You’ve just appointed a power of attorney over your finances! Did you realize you could grant someone a power of attorney through a click-wrap agreement? Nope; neither did I! Oh well, from this wording I see here, this is effectively a full power of attorney. If they wanted to take all your money, and send it to themselves, you’ve just agreed they can have “that full power and authority” to use your account information to do so. While I don’t believe for a moment that this (hilariously stupid) power of attorney agreement would stand up to even the least technically inclined of judges, it’s still rather shocking that people have signed up for this service and use it!

What if I’m a Business?


FileThis aren’t just trying to target the naive and less technologically inclined consumer. Oh no, for they are also trying to target financial professionals. Their “Pro” service is just as idiotic, but takes it to a new level, since (in theory) your financial advisor, accountant or tax advisor is now fair game, encouraged to use FileThis to store their customers’ data. I don’t know about you, but I can tell you for sure that if I used an accountant (hint: just do your finances yourself, it’s not difficult! Just learn a bit about finance), and they used this service to store my data in some “cloud”, that would be the end of the business relationship. And I’d report them for professional misconduct and negligence in handling personal data.

People go to financial professionals on account of their professionalism. Not for their ability to sign up for a cloud-based “FileThis Pro” service (and deposit your private statements into it). If ever there was a data mine to attack, this is it… The data held within these accountants’ accounts (accountants, not computer scientists, and so unlikely to pick a good password) would be that of people who had enough money to be worth stealing the identity of.

The whole concept of FileThis (and FileThis Pro, for the incompetent “professional” who wants to put their clients at tremendous risk) flies in the face of events of late, where criminals and other nasty people gain access to the accounts of other people on “cloud storage” and steal their files. And it doesn’t matter how it’s done – once your bank statements or credit card/utility bills are stolen, your identity is as good as gone. It doesn’t matter who is to blame – your credit will most likely be ruined, and you’ll have some rough years ahead of you, trying to recover. If someone’s data found its way onto a torrent, it would be around, effectively forever more. It doesn’t matter who is to blame, you will suffer the inconvenience. To even suggest a professional might use a service like this is so unbelievably audacious that I initially felt this was confirmation FileThis was a hoax. But alas, perhaps people really are that stupid as to use it.

Rounding Off

I started this wishing it was a hoax, and I finish it wishing it was a hoax. I’m not sure it really is; there are definitely people out there using this! And it’s (in my opinion) probably the most stupid thing I have ever seen done on the internet. And I mean that, as someone who remembers when the internet was browsed using a text-only browser, and chat meant dialing into a BBS server. And where “file sharing” meant writing a file onto a tape, rewinding it, and carrying it to a friend’s house, to have a drink while waiting on it to load up… only to jam.

If you have used FileThis, I urge you to delete your account with them, and delete your data. Then send them an email to ensure they really did remove it all. Then go to every account provider you used, and reset your passwords. Then sign up for a credit monitoring service, and keep an eye out to ensure nothing strange happens. Then go to your cloud storage accounts, and delete any files it stored there. Then purge them out of any undelete feature or version history. The fact is, you won’t be able to get rid of them entirely, as they keep backups. So now cross your fingers, pray, and hope for the best for the next few months (and that they do delete backups eventually). This is 2015. You wouldn’t trust a man sitting in the street with your identity and financial life, and nor should you trust some random company, appearing out of nowhere, which claims to look after your data.

Dear internet, please think about this for a minute, and let’s go back to the old days when we were a bit more skeptical of everything. I’m skeptical this service is even real, given just how bad an idea it is. If it’s for real, I just sincerely hope it fails sooner rather than later, so fewer people’s lives are ruined when their identities are stolen. All your bank statements, credit cards, store cards, utility bills, and insurance documents in one place? Am I going insane, or do people really think that’s a good thing to store online, in the cloud? Sadly, today, it seems they do. And that’s just asking for trouble!

Seriously though… How do you know this company is legit? A flashy website? A few well-worded webpages in a quick-to-make WordPress blog? A fancy SSL certificate available to anyone that registers a company? The fact they sent out a press release or two (which anyone can do)? Criminals are not exactly going to call their service “identitytheftasaservice.com” – they would pick something more believable, like FileThis. Stay safe out there, folks. The internet is full of dangerous people, who don’t have your best intentions at heart. And who would like to get you to sign over power of attorney to them.

What do you think about this? Is it a hoax, or is it real? Would you use it? Do you know anyone who’s used it? Share your thoughts below.

Source: FileThis via AndroidPolice (who seem to think it’s a good idea and portray it relatively positively in their article…. go figure!)

The post ITaaS – Identity Theft as a Service with FileThis appeared first on xda-developers.


