Posts

Is CHIP & PIN Credit Card Security Worth $100M? (Are You Serious?)

,

I’ve had dozens of media requests for interviews and countless more email inquiries from people concerned about the Target data breach.  At first, everyone just wanted to know details of how it happened, how big the breach was, and what they should do about it if their credit cards were at risk.  Now that the initial shock of it is over, we are on to a bigger question:

How do we keep breach from negatively affecting so many Americans? 

Breach will always happen. If it’s digital, it’s hackable. It’s coming to light that the Target breach may have been due to the computer access an HVAC WORKER (no, not an entire company, an individual WORKER) had to Target’s systems. While there is no guaranteed way of preventing fraud, there is a pretty reliable answer out there, and it’s been around for decades.  That answer is for the US to finally catch up to more than 80 countries around the world and start using chip and PIN enabled credit cards, also known as EMV, smart cards, or microchip cards.

By placing microchips in credit cards, it makes it much harder for criminals to clone the cards than the relatively easy-to-crack magnetic stripes.  Chip cards take the cardholder information and turn it into a unique code for each transaction. They also often require additional authentication, such a personal identification number, or PIN. So in the case of the Target breach, the stolen data couldn’t be used to easily create duplicate credit cards, drastically reducing the value of the stolen data. The possibility for online abuse of the numbers (known as Card Not Present transactions) would remain a threat from the breach, but it would be a fraction of the problem (and solvable in other ways).

France has been using this technology since 1982, the UK since 2001, and Canada since 2007. In the first five years after the UK started using chip & PIN, fraud went down 70%.  In that same time period, the cost for fraud in the US had DOUBLED. It’s not that the technology is perfect, it’s that the increased security convinces criminals to target those who don’t use the technology (which to this point has only been, well, the United States). 

If there is such a great guarantee on fraud reduction by switching to chip and PIN cards, why is the US resisting it?  The answer:  MONEY.  Banks, credit card companies, and retailers have been caught in a battle of wills for many years now, with retailers not wanting to spend money on installing new chip-friendly card readers unless banks are committed to spending money on issuing new cards.

The cost of implementing the card system can be staggering. Target is expected to spend around $100 million to install new chip card readers in an effort to protect against cyber theft.

So is it worth $100 million to implement chip and PIN technology?

Without question. And even Target thinks so, or at least it did ten years ago when it was at the forefront of implementing chip & PIN technology.  From 2001-2004 they spent $40 million to adopt chip-based credit-card technology and installed 37,000 new point-of-sale terminals to handle chip cards across its U.S. stores.

Ultimately they backed out because their marketing strategy at the time just didn’t catch on with consumers and because it was taking “A FEW SECONDS” longer per customer to get through the line.  I don’t know about you, but I’d wait an extra two seconds in order to know my data is secure.  And I bet Target victims would take back the time it is taking them to change their credit card information with every online site or monthly automatic payment company their now-compromised card was used for.

To put the cost in perspective, $100 million is about $1.00 per Target breach customer. I bet the average credit card holder would be willing to foot the $1 bill to dramatically reduce their risk (even if it’s not a perfect solution). In fact, the cost of fraud gets passed on to customers anyway (higher credit card rates, higher retail prices), so why not spend that same money (or far less, in fact) on securing the transactions in the first place? 

  • A survey of 936 credit unions indicates the Target breach has cost credit unions an average of about $5.10 per card affected by the security lapse.  The Credit Union National Association said these costs most likely do not include any fraud losses, which are likely to occur later.
  • In 2012, the Ponemon Institute’s annual study showed the average cost of a data breach in the US is $188 per person notified.
  • For credit issuers, the average cost per record breached is set at $280.
  • Aite Group reports that card fraud in the U.S. already costs the card payment industry (primarily issuers) $8.6 billion a year.

 You tell me if it’s worth it! (Seriously, I want your thoughts and comments below)

How do we get there?

It seems crystal clear to me that fraudsters have gotten so sophisticated that we either need to join together (retailers, banks, and credit card companies) or we will fail to stop this trend of Mega-Breaches.  Pardon the pun, but clearly we have put the “target” on our own backs; criminals have increasingly focused on the US because we are so far behind.

James Dimon, CEO of J.P. Morgan Chase sees this as an opportunity for real change.  He said,  “All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade.”

I see 4 overarching steps that need to be taken:

  1. Retailers, credit card processors, banks, VISA, MasterCard and American Express need to stop focusing on their own self-interest (profit) and start to work together for the common good. Of course, they won’t do this without incentive, so…
  2. Congress should create  a U.S. equivalent of the U.K. Card Association that sets policy and has the authority to fine those stakeholders who fail to act.
  3. In other words, we will need legislation to ensure that the “liability shift” dates projected for 2015 are met.  This means that if credit card companies have issued chip and PIN cards, but retailers have not installed machines to read them, the merchants would be held accountable for any losses due to fraud.
  4. Everyone needs to understand that there will be costs associated with the change, just like there are costs when you install a security system, a lock on a door or a vault in a bank.

Will chip and PIN cost retailers? Yes. Will chip and PIN cost banks? Yes. Will it cost consumers? Yes. Will it cost (in total) as much as the fraud resulting from even a single major breach like Target. NO. It’s time to start thinking about security from a long-term perspective, and long-term profitability will follow.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Cyber Security Expert John Sileo on Fox Money

Facebook knows what you said, EVEN IF YOU DELETE B4 POSTING!

delete keySelf-censorship on Facebook

Do you ever delete the words you type on Facebook before you hit post?

Have you ever started to type a status update that you thought was hilarious…until you realized your boss might not appreciate your 8th-grade humor? So what’d you do? You quickly hit the delete key and watched your comment disappear forever, right? Not exactly.

What if you are ready to make a snarky comment to Greg, the upperclass jerk who stole your high school girlfriend (and is about to get a divorce, ha ha), but decide to take the high road just before hitting the “post” button and instead, wish him well on his pending journey of love (despite the fact that it’s bound to fail)?

No harm done, right?  You never hit the post button, so no one ever saw it! Well, it turns out that’s not quite how it works in Facebook Land.

Sauvik Das, a Ph.D. student at Carnegie Mellon and summer software engineer intern at Facebook, and Adam Kramer, a Facebook data scientist, conducted a study of 5 million English-speaking Facebook users in which they studied aborted status updates, posts on other people’s timelines, and comments on others’ posts.  Specifically they looked at what they called “self-censored” texts, entries of more than five characters that were typed out, but not posted.

Now, let’s make it clear that the researchers did not reveal what the actual content of the posts they analyzed were – just how common it is for self-censorship to occur.  You see, Facebook stores information as you type, much like Gmail saves draft messages automatically as you type them.  In other words, it is definitely  possible for Facebook to store information on what you typed, whether you post it or not!

Why wouldn’t they want to see what you deleted – it’s the most honest version of what you think (and then think better of sharing as you step back a bit).

So far Facebook has not used the information for their own benefit, but they are very interested in it nonetheless.  As Das and Kramer put it: “Last-minute self-censorship is of particular interest to SNSs [social networking services] as this filtering can be both helpful and hurtful. Users and their audience could fail to achieve potential social value from not sharing certain content, and the SNS loses value from the lack of content generation.”  In other words, Facebook could be making money off of what you aren’t posting through lost advertising opportunities.

The lesson is a good one – be mindful of what you type on any social networking site, as it will always be somewhat public, permanent and powerful, EVEN IF YOU DELETE IT BEFORE POSTING. 

John Sileo makes privacy and security sticky, so that it works. He is the CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security as well as media appearances on 60 MinutesAnderson Cooper, Fox Business and The Rachael Ray Show. Contact him directly on 800.258.8076.

Identity Theft Speaker Shares Latest Statistics on Cost of ID Theft

id theft costI got my start as an identity theft speaker. I write and speak on the importance of being vigilant about protecting yourself from identity theft and online fraud from many angles: the stress of trying to reestablish your credibility, rebuilding relationships, regaining control of your personal information, perhaps even fighting to stay out of jail as I had to do. So while I’m an identity theft speaker, my motivation is always completely human. We as humans make flawed decisions about how we fail to prepare for things like identity theft. We as humans are the ones that make the difference in fighting this crime. As it turns out, our wealth is at risk.

According to the Bureau of Justice Statistics (BJS), there is one more important reason to be especially careful: financial implications.   In the latest National Crime Victimization Survey, identity theft cost Americans $10 billion more than all other property crimes.  To be exact, identity theft cost Americans $24.7 billion compared to just $14 billion for household burglary, motor vehicle theft, and property theft combined.  The $24 million is made up of direct losses (money thieves got by misusing a victim’s personal or account information) and indirect losses (such as legal fees and bounced checks), with the majority coming from direct losses.

Now, you wouldn’t dream of going off for the night and leaving your front door wide open, or leaving your car keys in plain sight, but how many of us do the equivalent with our identities? Do you surf on free WiFi at your favorite café, while in the airport or at your hotel? Have you locked down your smartphone with a passcode, limited location tracking and turned on the built-in privacy and security settings? Have you ever customized the share settings in your favorite social network? Maybe not.

Here are some key points from the BJS report:

  • 85% of theft incidents involved the fraudulent use of existing accounts, rather than the use of somebody’s name to open a new account.
  • People whose names were used to open new accounts were more likely to experience financial hardship, emotional distress, and even problems with their relationships, than people whose existing accounts were manipulated.
  • Half of identity theft victims lost $100 or more.
  • Americans who were in households making $75,000 or more were more likely to experience identity theft than lower-income households.

Identity thieves have also begun targeting smartphone and social media users, knowing that user ignorance and the learning curve associated with using sites make it easy to hit the bull’s-eye.

In addition, the increase in occurrences of data breaches puts us even more at risk.   Javelin Strategy & Research found that someone who is a victim of an online data breach becomes 9.5 times more likely to have their identity stolen.

For solutions to these and many other identity theft and data breach problems, check out identity theft speaker John Sileo’s book, Privacy Means Profit: Prevent Identity Theft and Secure Your Bottom Line.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 MinutesAnderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Target Data Breach Touches 40 Million In-Store Shoppers

, ,

If you are one of the 40 million customers who have used a credit or debit card at Target stores in the United States between November 27 and December 15, you’d better start checking your accounts for fraudulent activity.  Target confirmed that the data stored on the magnetic strip of cards (customer names, debit or credit card numbers, and card expiration dates) were taken, along with the three-digit security codes  (CVVs) often imprinted on the backs of cards.

The type of data stolen would allow thieves to create counterfeit credit cards and, if pin numbers were intercepted, would also allow thieves to withdraw cash from ATM machines.  Only in store purchases are at risk, so online shoppers need not worry.

Target spokeswoman Molly Snyder would not comment on how customers’ data were stored or encrypted prior to the attack, saying that would be part of the ongoing investigation.  Target immediately notified law enforcement authorities and financial institutions, and the issue is being investigated by the Secret Service and a third-party forensics firm.

This breach is one of the largest ever of American consumer data, nearly matching that of TJX (TJ Maxx and Marshalls stores), which experienced a data breach in 2007 that affected more than 45 million customers.  2013 has been a particularly bad year for breaches overall.  Overall, one in four Americans have been told that some personally identifiable information has been lost or compromised because of data breaches, according to a recent report from Experian, and the pace of attacks is expected to continue rising through 2014.

In a letter sent to Target customers, Target officials say those who have noticed irregular activity on their accounts should call the firm at 866-852-8680.  In addition, all Target shoppers should:

  1. Review their credit card activity online on a daily basis to monitor for suspicious activity.
  2. Set up automatic account alerts with your credit card provider to quickly detect any misuse of cards.
  3. Visit AnnualCreditReport.com to see if there are any newly established, fraudulent accounts set up.
  4. Cancel your credit card if they notice any suspicious behavior. If it’s a debit card, I would cancel it no matter what given that it connects directly to your bank account. Make sure to transfer balances, miles and to switch any auto-pay accounts to the new card.
  5. Freeze your credit with the 3 credit scoring bureaus.
  6. Consider ID Theft monitoring services to help you keep track of abusive behavior of your information online.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to defend the data that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Interview with Reputation.com on Business Identity Fraud and Online Reputation

reputationcomDo you want to know how businesses can protect themselves and enhance their online reputations?

Would you like to know the answers to the following questions?  

  • Are businesses adequately protecting themselves online? If not, what more should they be doing?
  • What is business fraud and how does it differ from consumer fraud?
  • What should companies be thinking about when they get involved with social media?
  • What can businesses do to monitor their online reputation?
  • Should companies respond to everything negative said about them online? If not, what should they focus on?
  • Should businesses be paying attention to their employees online? If so, how can they do that in an ethical way?
  • What is the most important advice you would give a new business just starting to develop an online presence?

To learn the answers to these important questions, read the interview I recently did with Reputation.com.

Information Security Speaker: 5 Information Espionage Hotspots Threatening Businesses

, , ,

You and your business are worth a lot of money, whether your bank accounts show it or not. The goldmine lies in your data, and everyone wants it. Competitors want to hire the employee you just fired for the thumb drive full of confidential files they smuggled out. Data thieves salivate over your Facebook profile, which provides as a “how to” guide for exploiting your trust. Cyber criminals are digitally sniffing the wireless connection you use at Starbucks to make bank transfers and send “confidential” emails.

Every business is under assault by forces that want access to your valuable data: identity records, customer databases, employee files, intellectual property, and ultimately, your net worth. Research is screaming at us—more than 80% of businesses surveyed have already experienced at least one breach (average recovery cost: $6.75 million) and have no idea of how to stop a repeat performance. These are clear, profit-driven reasons to care about who controls your data.

Information Espionage Hotspots

Here are 5 Information Espionage Hotspots that your business should address now:

  1. Lousy training. One of the costliest data security mistakes I see companies make is attempting to train employees from the perspective of the company. This ignores a crucial reality: All privacy is personal. In other words, no one in your organization will care about data security until they understand what it has to do with them. Strategy: Give your people the tools to protect themselves personally from identity theft. In addition to showing them that you care (a good employee retention strategy), you are developing a privacy language that can be applied to business. Once they understand opting out, encryption and identity monitoring from a personal standpoint, it’s a short leap to apply that to your customer databases and intellectual property. See the video above for an example of bridging the worlds of personal privacy and corporate data security.
  2. Human weakness. The root cause of most data loss is not technology; it’s a human being who makes a costly miscalculation out of fear, obligation, confusion, greed or sense of urgency. Social engineering is the craft of extracting information out of you or your staff by pushing buttons that elicit automatic responses. Strategy: Immunize your workforce against social engineering and poor decision making. Fraud training teaches your people how to handle requests for login credentials, passwords, employee and customer data, unauthorized building access and an office full of information whose disappearance will land you on the front page of the newspaper. The latest frontier that thieves are exploiting are your employees social networks, especially Facebook and LinkedIn. It is imperative that you have a well-thought-out, clearly communicated social networking policy that minimizes the risks of data leakage, reputation damage and trust manipulation. 
  3. Wireless surfing. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unprotected data being sent from your computer to the web. Strategy: Have a security professional configure the wireless router in your office. Here is your laundry list of things to ask her to do. She will understand the terminology: Utilize WPA-2 encryption or better; Implement MAC-specific addressing and mask your SSID; While she’s there, have her do a security audit of your network; To protect your connection while surfing on the road, purchase an encrypted high-speed USB modem from one of the major carriers (Verizon, Sprint, AT&T) and STOP using other people’s free/fee hotspots.
  4. Inside spies. Chances are you rarely perform a serious background check before hiring a new employee. That is short sighted, as most of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out a “digital door” when no one is looking. Many employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check using a product like CSIdentity.com’s SAFE before you hire instead of wasting much more money cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background jump starts your intuition and discourages dishonest applicants from the outset.
  5. Mobile data. In the most trusted research studies, 36-50% of data breach originates with the loss of a laptop or mobile computing device (smart phone, thumb drive, etc.). Mobility, consequently, is a double-edged sword; but it’s a sword that we’re probably not going to give up easily. Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data wiping capabilities. In addition, physically secure this goldmine of data down when you aren’t using it. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption, and remote laptop-tracking and data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it.

Your espionage countermeasures don’t need to be sophisticated or expensive to be effective. Targeting the hotspots above is a savvy, incremental way to keep spies out of your profit margins. But it won’t start working until you do.

John Sileo speaks professionally on identity theft, data breach and social networking exposure, and is the author of the newly released Privacy Means Profit. His clients include the Department of Defense, the FDIC, FTC, Pfizer and the Federal Reserve Bank. Learn more about bringing him in to motivate your organization to better protect information assets.