
Sileo Deflates ePickPocketing Hype on Fox & Friends


John appeared on Fox & Friends this morning to set the facts straight about the real and perceived risks posed by Electronic PickPocketing.

It is true that Identity Thieves are able to steal your credit card information without even touching your wallet. The technology exists, is readily available and can be assembled for under $1,000. But that doesn’t necessarily make it an efficient means of stealing credit card numbers.

RFID, or radio-frequency identification, was introduced to make paying for items faster and easier. All major credit cards that have this technology carry a symbol (pictured below). It means that your card can communicate via electromagnetic waves to exchange data (your credit card number) between a terminal and a chip installed inside your card (or passport). Thus, by getting within a few inches of your credit card, a thief can obtain your credit card number, expiration date and possibly your name.

So we have established that stealing credit card numbers this way is possible, but is it feasible?

The Electronic Pickpocketing video circulating around YouTube makes it look that way. But the reality is a bit different. First, take into account that the news story in the video was focused around a gentleman and a company that makes money by raising your fear about this type of theft. The gentleman they interview runs a company that makes shields for your credit cards and passports to stop electronic pickpocketing. I’m not saying that the products don’t work or aren’t somewhat valid; I’m saying that you have to take the context of the story into consideration before buying the hype.

The reality is that electronic pickpocketing is extremely time and resource intensive. Most thieves are smart enough to know that they are better served hacking into a database with hundreds of thousands of records rather than collecting them one at a time.

Here are just a few reasons why this threat, though real, is overblown:

  • While the RFID scanner itself can be purchased for under $100, you also need $500-$1,000 worth of additional equipment (laptop, Bluetooth transmitter, cables, power supply, etc.) to make it a practical, mobile kit.
  • Once the thief has the kit, they need to get within 2-3 inches of your purse or wallet for 3-5 seconds on as many victims as possible without getting caught. This might be easy on a subway, but it gets much more difficult as people spread out.
  • When a thief steals this information from you, they generally get your credit card number, expiration date and quite possibly your name. They DO NOT get your 3-digit security code or address. This is the same amount of information that the average waiter or retail clerk gets simply by looking at your card.
  • Because they don’t get your 3-digit security code or address, it is much more difficult for them to use the credit card number to make purchases on the internet, as most sites require some form of address verification or 3-digit security confirmation.
  • Only a fraction of cards utilize the RFID/Contactless Swipe technology, lowering your chances significantly.
  • As long as you catch your card being used fraudulently (see the protection suggestions below), you will not be held liable for the losses; the business that accepted the illegal card will. Even if your information is used to make a new card, if you are monitoring your identity properly, your out-of-pocket cost will be minimal.
  • Fraud departments in credit card companies have come a long way. Most credit card companies are able to detect fraud on your card faster than you can. More secure credit card companies will call to confirm suspicious purchases or purchasing patterns.

But it can happen, and it’s worth preventing, which is simple:

  • First, check to see if you even have credit cards with the ability to beam your information to an RFID receiver (look for the circled symbol in the photo to the right). If not, stop worrying and just monitor any future cards you receive.
  • Next, set up account alerts and monitor your statements to cover yourself in the small chance that it happens to you. That way if your credit card is compromised, you can detect it immediately and take the necessary steps to contact the bank, report the fraud, and cancel the card.
  • If you are worried about having a credit card that can transmit your personal information, call your credit card company and ask them to send you a card that doesn’t transmit or have RFID capabilities (you know it transmits if it has the small broadcast or sonar icon circled to the left). Get rid of the source of the fraud!
  • Never leave your purse or wallet in an easy-to-scan place. Get rid of all of the excess credit cards that you don’t use and lower the chances that one of them will be compromised.
  • For added protection, especially for your Passport (which carries a much higher volume of very sensitive information), consider purchasing a sleeve or shield that makes RFID scanning less likely.

But whatever you do, don’t buy into the hype and paranoia just because a video has gone viral on YouTube.

John Sileo speaks professionally on identity theft, data breach, social networking exposure and fraud. His clients include the Department of Defense, FTC, FDIC and Pfizer; his recent media appearances include Fox and Friends. Learn more about having him deliver a high-content keynote speech at your next meeting or conference. Contact him on 800.258.8076.

Data Breach Protection: Laptop Theft Best Practices

Laptop theft and mobile data theft (tape backups, iPhones, BlackBerries, USB drives) account for nearly half of the cases of serious corporate data breach and workplace identity theft. Your corporation’s data breach protection will be significantly improved by educating your staff on the following mobile-data best practices:

Before you save sensitive data to any mobile device, it is your responsibility to:

  • Determine if your organization allows you to remove the data in question from the office in the first place. Are you allowed to save that database, Excel file, Word document, customer list, employee record, intellectual capital, etc. on your laptop, thumb drive or other mobile device?
  • Decide if it is absolutely necessary to remove it from the more highly-controlled and secure environment of the office. In many of the major cases of reported data breach, the data stored on the mobile device did not actually need to be there in the first place.
  • Verify that you have been authorized by your supervisor to place a copy on your device. When in doubt, check with your manager, supervisor or privacy officer to determine the correct course of action.
  • Exhaust all other lower-risk alternatives for accessing the data. In many cases, it is possible to utilize a secure remote access connection to access the data so that it never leaves the company premises. You lower your personal liability when you access the data through centralized, highly secure methods.

As you save sensitive data to the device, it is your responsibility to:

  • Minimize the number of records you transfer. If you don’t need the entire contact database, take only the records that you need. In case of a breach, this minimizes exposure.
  • Minimize the corresponding fields for each record transferred. If you only need names and phone numbers, don’t transfer additional account information such as address, account numbers, etc.
  • Consider de-identifying the data to render it anonymous. For example, if you track medical records using a Social Security Number but are transferring the data to do a high-level analysis of overall profitability, there is no need to include the SSNs in your transfer. Exclude that column from the data you take with you.
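To make the three minimization steps above concrete, here is an added Python example; it is not code from the original post or from the author. It assumes a constructed CSV export of a fictional medical billing table and a hypothetical secret key that stays on an office system; with it, a profitability analysis leaves the office carrying only the cost columns and a keyed token in place of the identifier, while a collections contact list carries only the names and phone numbers of accounts with a balance due.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample export (fictional people, fictional numbers).
SAMPLE_CSV = """patient_id,name,phone,address,ssn,visit_cost,paid
1001,Alice Example,555-0101,1 Main St,123-45-6789,250.00,250.00
1002,Bob Sample,555-0102,2 Oak Ave,987-65-4321,400.00,150.00
1003,Carol Demo,555-0103,3 Pine Rd,111-22-3333,125.00,125.00
"""

# Hypothetical pseudonymization key: kept on the office system, never
# copied to the laptop alongside the extract it was used to produce.
OFFICE_KEY = b"constructed-demo-key-do-not-reuse"

# Columns that must never appear in a mobile extract for these two tasks.
FORBIDDEN_FIELDS = {"ssn", "address"}


def minimize(records, keep_fields, predicate=lambda r: True):
    """Keep only the rows the task needs (predicate) and only the listed
    columns (keep_fields): fewer records, fewer fields per record."""
    return [{f: r[f] for f in keep_fields} for r in records if predicate(r)]


def pseudonymize(value, key):
    """Replace an identifier with a keyed HMAC-SHA256 token. Rows stay
    linkable for analysis, but without the key the token cannot be
    turned back into the original identifier."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def check_no_forbidden_fields(rows, forbidden=FORBIDDEN_FIELDS):
    """Final gate before saving to a mobile device: refuse the extract
    if any forbidden column survived the minimization."""
    leaked = {f for row in rows for f in row if f in forbidden}
    if leaked:
        raise ValueError(f"forbidden fields present in extract: {sorted(leaked)}")
    return True


def profitability_extract(csv_text, key):
    """High-level profitability analysis: no SSN, no name, no address."""
    records = list(csv.DictReader(io.StringIO(csv_text)))
    rows = minimize(records, ["patient_id", "visit_cost", "paid"])
    for row in rows:
        row["patient_token"] = pseudonymize(row.pop("patient_id"), key)
        row["visit_cost"] = float(row["visit_cost"])
        row["paid"] = float(row["paid"])
    check_no_forbidden_fields(rows)
    return rows


def collections_extract(csv_text):
    """Contact list for accounts with a balance due: names and phones only,
    and only for the records that actually need a call."""
    records = list(csv.DictReader(io.StringIO(csv_text)))
    rows = minimize(
        records,
        ["name", "phone"],
        predicate=lambda r: float(r["paid"]) < float(r["visit_cost"]),
    )
    check_no_forbidden_fields(rows)
    return rows


if __name__ == "__main__":
    for row in profitability_extract(SAMPLE_CSV, OFFICE_KEY):
        print(row)
    for row in collections_extract(SAMPLE_CSV):
        print(row)
```

The key matters more than it looks: identifiers such as SSNs come from a small space, so an unkeyed hash of them could be reversed by trying every possible value. Keeping the key in the office means a lost laptop holds tokens that cannot be mapped back to people.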

Before you leave the office, it is your responsibility to:

  • Attempt to encrypt the individual data file. In addition to encrypting the data device itself, it is possible in many software programs to encrypt the individual data file, giving an added layer of protection.
  • Make sure your data device has been encrypted. This will most often be the responsibility of your IT department, but it is your responsibility to verify that they have done their job.
  • Protect your device with a strong password that utilizes letters, numbers, symbols and upper/lower case characters where possible.
  • Protect the individual sensitive files with a separate, strong password. The programs that allow you to encrypt individual files will also allow you to assign individual passwords to the file.

Once you have left the office, it is your responsibility to:

  • Use only a secure wireless internet connection (be especially careful in airports, hotels, coffee shops, etc.). Make sure your IT department has enabled WEP wireless encryption on your wireless device.
  • Run a secure firewall between your laptop and your connection to the internet.
  • Email sensitive data only when absolutely necessary and, even then, use an encrypted, password-protected format.
  • Physically secure (lock down) the device when in transit (e.g., in your car, in the airport, in your hotel room).
  • Utilize Laptop Anti-theft Best Practices.

When you no longer need the sensitive data on your device, it is your responsibility to:

  • Remove and electronically destroy all remnants of the sensitive files on your device (e.g., digital shredding, low-level formatting and occasionally, like in the case of DVDs, CDs and tape backups, complete physical destruction). If this task falls under the responsibility of your IT department, it is your responsibility to make sure, to the best of your ability, that they do their job.
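The "digital shredding" step above, as an added Python example that is not code from the original post or from the author: the file is overwritten in place with random bytes several times, each pass flushed to disk, and only then unlinked. The sample file is constructed inside the demo; the function itself works on any path.

```python
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB write buffer


def overwrite_and_delete(path, passes=3):
    """Overwrite a file's contents in place before unlinking it, so the
    bytes are not simply left behind in unallocated space. Returns the
    number of bytes that were overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, CHUNK))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the device
    os.remove(path)
    return size


def demo():
    """Create a constructed sensitive file, shred it, report the result."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"ssn,123-45-6789\n" * 100)  # constructed sample content
    overwritten = overwrite_and_delete(path)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    size, still_there = demo()
    print(f"overwrote {size} bytes; file still present: {still_there}")
```

Overwriting in place is reliable on a plain magnetic disk and a traditional filesystem. On SSDs with wear levelling, on journaling or copy-on-write filesystems, and in folders synced to a backup or cloud service, old copies of the blocks can survive the overwrite; there, whole-device encryption (the step the list above already requires) plus destruction of the key is what actually renders the remnants unreadable.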

If this seems like a great deal of responsibility, that’s because it is. In the information economy, our most valuable assets are the information that we collect, store and protect every day. As executives or employees of our respective organizations, it’s not just profitable to protect sensitive information; it’s also the right thing to do.

John Sileo speaks to corporations about data breach protection. His clients include the Department of Defense, Pfizer and the FDIC. Contact John directly on 1.800.258.8076 to learn more.