Wednesday, June 29, 2005
Last week's compromise of data related to 40 million credit cards dwarfs other data breaches reported this year, yet the security lapse at CardSystems Solutions was avoidable. Public officials exploring ways to respond to and stave off this year's alarming hemorrhage of personal data need to shift focus away from consumers' privacy. The real "consumer's right" is data security, which legislation must strive to ensure.
Companies have no incentives, negative or positive, to protect our data. They operate with little mind for security because little punishment befalls them should breaches occur. Public embarrassment, such as what we saw with ChoicePoint, goes only so far to halt the bloodletting.
MasterCard, with 13.9 million cards affected by the CardSystems breach reported on June 17, posted a press release the same day detailing protections available to customers. A June 20 New York Times article by Eric Dash quoted CardSystems' chief admitting that the company should not have been keeping the information lost to thieves.
Reckless industry policies for handling sensitive information have set the stage for a massive security breach like the one at CardSystems. I'm surprised this sort of thing didn't happen sooner. Identity thieves prey on easy targets. Complacency works in their favor. They gravitate to shoddy security and exploit lapses in judgment. Consumers enjoy some protections after a theft has occurred, but these are small comforts to victims, who must endure hassles unimaginable to the uninitiated.
The results of a Cyber Security Industry Alliance study, reported last week in ComputerWorld and elsewhere, indicated that 97 percent of 1,003 likely voters think identity theft is a "serious problem." Of respondents to the study, 71 percent "said new laws are necessary to protect consumer privacy on the Internet."
We hear a lot about how identity theft threatens privacy. Consumers want privacy, and politicians know this. Yet the charge is a misnomer. Privacy went the way of the dinosaur many years ago.
Last week, just as news organizations began widely reporting the CardSystems breach, U.S. senators jockeyed for the public's attention in efforts to advance competing identity theft bills. The same ComputerWorld article reporting last week's research findings quoted members of Congress, such as Sen. Bill Nelson (D-Fla.), warning that identity theft threatens Americans' privacy.
Politicians and consumer advocates who decry the loss of privacy in the wake of massive identity thefts raise a moot point. The issue driving the identity theft debate should be security. If politicians want to take action on consumer rights, they should pursue legislation speaking to consumers' obvious right to ironclad security that protects personal financial data from those who seek to gain access to it illegally.
Sen. Conrad Burns (R-Mont.) called for required government licensing of all data brokers. A bill proposed by Sen. Charles Schumer (D-NY) and Sen. Nelson looked at recourse such as expanding the Federal Trade Commission to combat rogue, irresponsible data brokers that lose information to thieves.
Other measures would pass a federal law much like California's SB1386, which requires companies and state agencies to inform Californians of any security breach potentially threatening the identities of 500,000 or more people; such a federal law, many insisted, must not supersede tougher state laws.
Susceptible data calls for the armored vehicle's high-tech counterpart. These kinds of breaches are becoming commonplace. The industry storing our information is largely unregulated yet must be closely monitored. The situation is unacceptable, but the only way to turn things around is to pay attention and to start handling people's personal financial data in the same way we handle greenbacks.
Friday, June 17, 2005
Last week, tapes containing the personal data of 3.9 million CitiFinancial customers went missing while in the custody of UPS. Other such tapes have been lost in transit this year. See how easy an inside identity theft job could be?
Massive losses of information are always egregious, regardless of whether the events lead to identity theft. According to Enterprise Strategy Group research cited in a July 13 USA Today article by Jon Swartz, only a small percentage of financial services firms and other companies encrypt information on backup tapes. The same article quoted Rep. Edward Markey (D-Mass.) questioning the apparent lack of security measures.
Data tapes in transit can be easily misplaced. Unencrypted, they are like open books for anyone with moderate computer knowledge and unscrupulous aims. These are precisely the circumstances that make inside jobs easy. Identity thieves are everywhere. Many are employed, and some identity thieves certainly understand the benefits of working for a parcel delivery service or bank.
Encryption is an easy, cost-effective means to protect data from theft. Any aware citizen should be asking questions. Encryption is like ‘Data Security 101.’ It is inexcusable for large companies with the resources to implement such measures not to do so.
In a June 1 article, The Wall Street Journal’s Li Yuan cited January 2005 research from Mazu Networks. The findings revealed “23 percent of 229 U.S. organizations with more than 1,000 employees had at least one internal security breach in 2004.”
Yankee Group research cited in the same Wall Street Journal article indicates that about two-thirds of the $12 billion spent last year on enterprise security went to protecting against external threats, despite the growing prevalence of internal breaches.
When it comes to security, computer networks at enterprises large and small are like some kinds of candy: hard on the outside but soft and chewy on the inside. The events of this past year have shown how easily massive identity theft can occur courtesy of companies’ very own employees. The danger of inside identity theft jobs is clear and present, as we have seen with Time Warner Inc. and others.
Tuesday, June 14, 2005
On the heels of data from last month reporting computer users’ unfamiliarity with computer security threats, yet more research now indicates that people don’t know how online privacy works. The level of unfamiliarity with computer security is astounding, but I believe consumers will abandon ecommerce once they understand the danger unless they receive proper education immediately.
Last month, a Ponemon Institute study suggested that people are failing to grasp the dangers of spyware. Last week the University of Pennsylvania’s Annenberg Public Policy Center released the results of new research, which finds that respondents are unaware of how Web sites aggregate and use visitors’ personal information.
According to a PC World article published on June 1, many respondents share an inaccurate understanding of online privacy. Of participants in the Annenberg study, 75 percent answered, for instance, that any posted Web site privacy policy automatically means the organization displaying it will not distribute visitors’ personal information to third parties—an incorrect assumption.
People don’t know how online privacy works—or, more accurately, how it doesn’t. Just because a Web site may display a ‘privacy policy’ doesn’t mean a visitor’s personal information—which is collected—is safe from distribution and reuse. It’s in the fine print, but who reads the fine print? Many computer users have no clue.
The Annenberg findings also revealed that 49 percent of participants were incapable of spotting phishing e-mail scams. Authors of the Annenberg study, titled “Open to Exploitation: American Shoppers Online and Offline,” offered a number of measures to combat apparent shortcomings in public awareness.
Any intelligent discourse about how to fix the problems of online security is a positive development. The Annenberg findings, ironically, seem to support the lackadaisical, irresponsible approach industry has adopted. The banking, computer, and online retailing industries clearly aren’t bearing the brunt of online threats because awareness is nil. Consumers, oblivious to a lack of security online, continue to use the Web indiscriminately.
We must relentlessly advocate education to stave off an ‘identity theft apocalypse’ and strengthen online security. Right now, industry is running on borrowed time. Additional recent research hints that consumers will wise up sooner or later to the gravity of online threats and leave the Web in droves.
Monday, June 06, 2005
New scams continue to beset the Internet. The emergence of a new rendition of ransomware demonstrates how criminals remain a step ahead of the public's awareness.
Ransomware steals data from computers. It then employs encryption, a technology typically (and ironically) used for the security of online activity, to prevent victims from regaining their personal information until they pay a ransom.
What's maddening about ransomware is the way it steals personal information by using a technology that's also the backbone of Internet users' security. This is not an original ruse. The concept behind ransomware is nothing new, and many have attempted it. But the latest iteration is the first to utilize an automated program as the vessel.
A malicious site that the unsuspecting user visits exploits a vulnerability in Microsoft Internet Explorer to download and run code, a Trojan horse, on the compromised computer. This downloader then connects to another Web site, which downloads, renames, and runs an encoding application that performs a series of actions to steal the victim's personal information.
The problem with ransomware is not with the security response. Officials are familiar with this ploy, a favorite of savvy computer coders, and automation adds no significant hurdles for security response. Ransomware's victims, however, probably haven't heard of the scam, just as most people had not heard of phishing until recently. The problem is in the awareness—or lack thereof.
The consumer's learning curve will give ransomware perpetrators the time they need to do damage. Yet another scam threatens to dissuade people from participating in ecommerce. The computer, banking, and retail industries need to develop and implement a major initiative to educate current and potential customers on how to be safe and secure online.
Thursday, June 02, 2005
A survey of consumers suggests that confidence in online commerce may be faltering. The research indicates a noticeable dip in the number of people who bank online. I was warning of this possibility long before a string of watershed identity thefts and security breaches rocked nearly all corners of industry this year. After all, faith in the security of online transactions is the backbone of all ecommerce.
The study, conducted by Intervoice, found that 17 percent of UK respondents surveyed no longer use online banking services. The reason: fears of identity theft. It also found that 13 percent of respondents had ceased buying from online retailers. It’s easy to look at these findings and draw the logical conclusions. The computer, retail, and banking industries stand to lose millions if consumer confidence in the security of online commerce is declining as this research suggests.
Identity thefts and breaches of security continue:
- A laptop computer containing the credit card information of approximately 80,000 U.S. Department of Justice employees was stolen during early May, according to a May 31 ComputerWorld report. The incident occurred at a travel agency that the DOJ uses.
- According to a May 25 Associated Press report, a May 11 computer breach at Stanford University has attracted an FBI investigation. Thieves stole the personal data (e.g., letters of recommendation and Social Security numbers) of nearly 10,000 people. A California law, which Siciliano supports, required the school to inform potential victims.
- On May 23, ComputerWorld ran an IDG News Service report about the theft of a laptop computer that contains information (e.g., Social Security numbers) on approximately 16,500 former employees of MCI Inc., owner of the machine. According to the report, a financial analyst for the company had authorization to keep the information on the laptop, which she had left in a car parked in her home garage.
- A May 23 Associated Press story that ran in The Detroit Free Press and elsewhere reported that a hacker gained access to the computer system at Michigan’s Jackson Community College and may have stolen as many as 8,000 Social Security numbers. According to the article, the school uses Social Security numbers as default passwords. Students, who are encouraged to change their passwords, tend to use the defaults anyway.
People pay attention. They’ve heard about all the identity thefts and security breaches, many of them involving computers, that have plagued industry this year. It only makes sense that consumers would begin to avoid the circumstances necessary for ecommerce.