How businesses fail to protect customer info
Most Internet users should know by now that personal digital security is in large part our own choice and responsibility.
But in truth, our electronic security is also in the hands of the companies we do business with — and they’re not all taking that fact seriously.
Everyone who gives personal information to an online entity or makes a credit-card purchase in person or provides that card information over the phone is counting on a significant level of trustworthiness. We assume that a business puts the protection of our private data above its goal of maximizing profits.
But with the seemingly weekly revelations of hackers stealing our names, email addresses, credit-card numbers, passwords, and so forth from corporate databases, it’s small wonder many Internet users are scratching their heads and asking, “What the heck is going on?”
This article is about online security. However, it’s not another primer on what steps you should take to secure your data. Instead, it looks at the attitudes and actions companies take to secure your private information. It’s also about what you can do to make companies more proactive at keeping your data secure.
Prodding business to do the right security thing
Smart companies listen to their customers. Although it often takes many customer complaints to change a company’s ways, sometimes all it takes is one. Here’s a case in point. Most of us know by now that we should be using long and complex passwords. But my OfficeMax account would accept only numbers and uppercase and lowercase letters.
I thought that was dumb. Why can’t I use special characters? So I wrote a letter to the CEO of OfficeMax, asking why the company wasn’t doing everything it could to safeguard customers’ private information. I pointed out the weakness in the company’s password rules and requested that OfficeMax allow more password complexity. Just to drive home the point, I also reminded the CEO of past OfficeMax data breaches.
Surprisingly, a few days later the OfficeMax chief technology officer (CTO) called and informed me that my letter had prompted OfficeMax to implement a new password policy that allows customers to use special characters in their passwords. I thanked the CTO, but I also silently wondered why, if the change could be so quickly — and apparently so easily — implemented, OfficeMax hadn’t implemented it a long time ago? Why did a customer have to point out the weaknesses in the company’s password policy?
Contrast OfficeMax’s actions with that of Home Depot. In November 2013, Target’s credit-card point-of-purchase terminals were breached and customer credit-card numbers stolen. Security analysts later published details about how the attack was carried out, and they noted the countermeasures a company could implement so as not to be the next victim.
What did Home Depot do? Apparently nothing. This past April, it was hit by a massive breach that used techniques similar to those of the Target breach — i.e., the hackers attacked point-of-purchase terminals. One has to ask: After the details of the Target attack were published, why didn’t Home Depot immediately perform a security audit and put the recommended security enhancements in place? Target’s breach was a lesson learned; Home Depot’s breach, to my mind, was completely inexcusable. If your neighbor was robbed, wouldn’t you take some time to review your security measures?
And, more important, why didn’t the credit-processing companies require all retailers to implement countermeasures?
Obviously, there’s a lot of money made from stolen credit cards. Every successful breach only encourages others to try the same tactics on other targets. Large retailers give hackers the biggest bang for their malicious bucks. And though individual customers might be reimbursed for their losses, every breach represents a significant cost to all of us. (See, for example, the May 14 Krebs on Security post, “The Target breach, by the numbers.”
Giving customer privacy short shrift
Unfortunately, security policies still vary widely among businesses, both small and large. For instance, after I recently purchased a cellphone from Sprint, I discovered I couldn’t use a secure, complex password for my Sprint account. That made me worry that it’s just a matter of time before Sprint’s customer accounts are hacked.
Even more worrisome is the security of our medical records. A hospital hired one of my colleagues to run a security audit. One of the requested checks was the hospital’s Wi-Fi network. Could he connect to the Wi-Fi system from the hospital’s parking lot?
Yes, he could connect to the hospital’s network from the parking lot — but he could also connect from a coffee house almost two blocks away. More frightening: By using a protocol analyzer, he could connect to the hospital’s network without a password and view unencrypted patient data.
My colleague pointed out this glaring security breach to the hospital’s IT department in his final report and was duly thanked. Although no longer working for the hospital, my colleague periodically performed the same test over the next year — just to see whether the hospital had secured its wireless network. It hadn’t.
A disclaimer here: I told my colleague that his “unofficial” testing was probably illegal. While under contract, he had permission to connect to and analyze the hospital’s network. But once he’d submitted his report and the contract was complete, he had no right to perform the additional tests. I recommended that he stop his extra curricular activities and instead file a report on the U.S. Department of Health and Human Services (HHS) website.
According to the site, people who feel their health-information privacy has been violated, based on Health Insurance Portability and Accountability Act (HIPAA) laws, can file complaints with HHS. The HIPAA laws offer legal protections to anyone who makes a legitimate complaint.
Here’s another unfolding story. A well-respected, IT-security professor was preparing for a class lecture. One of his Google searches came back with a link to a server at a major university medical center. Clicking the link revealed thousands of patient personal-health information (PHI) records.
Doing what he considered the responsible thing, he informed the medical center’s IT department that they were leaking PHI. Although he never received a reply to his emails, within several hours the patients’ data was no longer accessible. Feeling he’d simply done a good deed, he thought nothing more of it.
But about a month later, the professor discovered that the medical center was accusing him of unethical behavior. Not only did the medical center take this story to the press, it contacted the professor’s college and demanded that he be fired. The medical center claimed he’d used hacking tools to show students how someone might access protected data via the center’s website. It also stated that he’d published instructions for the hack on the college’s site. I know that he did nothing of the sort.
I think the university/medical center put out this false information to hide its own failure to protect patient information. The university never contacted the FBI or other law-enforcement agencies to report this alleged crime. In fact, once the professor retained an attorney, the university appeared to back away from the charges. It will longer answer the attorney’s letters. Let’s hope that’s the end of this episode.
This example highlights the two-part nature of corporate breaches and a company’s response once data theft comes to light. The victim of an attack must first secure the breach; it must then quickly and clearly tell customers what has happened and what will happen next. The medical center’s IT department obviously responded quickly, but the university failed the public-relations side miserably. The organization could have simply said: “Oops! Thanks for letting us know.” Instead, it took the unwarranted step of attacking the messenger.
Given the potential costs of a breach, it’s surprising that businesses are slow to learn from previous security failures. Again, Home Depot could have prevented its massive breach if it had immediately implemented recommended counter measures. And if businesses are slow to implement credit-card protection, card-processing companies such as Visa and Master Card should require retailers to rapidly upgrade their point-of-sale systems.
That change won’t be cheap, but it will come. It must. Cyber thieves are constantly looking for new and easy targets. As with any “business,” these hackers want the largest return from the least investment.
Though the expense of a breach is initially borne by the compromised business, ultimately consumers pay the price. As noted in a Security Affairs post, a Ponemon security report states that the cost of a breach to a U.S. company in 2014 is about $201 per lost record — up from $188 in 2013.
Personally, I don’t think new laws are the answer to cyber crimes. Rather, we need to hold accountable those whom we trust with our confidential information. For some companies, data theft might be considered just “part of the cost of doing business.” But it’s our data and our cost. That careless practice also guarantees we’ll have to cope with ongoing data breaches.
Tips for protecting our credit cards
There are many sources for information on how to help keep your credit card secure. For example, see the U.S. Federal Trade Commission site, “Protecting against credit card fraud.” It lists best practices and notes how to report a lost or stolen card. Another page discusses how to secure your personal information.
Of course, Windows Secrets has covered personal-security issues in our Top Stories and On Security columns. See, for example, Susan Bradley’s July 3 Top Story, “Revisiting the WS Security Baseline: Part 1.” An online search using “protecting your credit cards” will turn up many more tips from numerous sources.
Also, as my OfficeMax experience demonstrates, if a company you do business with appears to have inadequate security — such as allowing only simple passwords — feel free to complain to the company loudly and often. You’ll improve the security not only of your own confidential information, but also that of hundreds or thousands of other customers.
A final note on an old but ongoing scam
By now, nearly everyone who goes online should have at least heard of the infamous Nigerian-letter email scams. So you might be surprised to hear that these scams are still quite successful. There are reports that the perpetrators have netted about a billion dollars per year — for many years. In fact, a music video featuring a Nigerian singing “I go chop your dollar” became an international hit. (The song can be found on YouTube; I have to admit it’s catchy.) The song is about Nigerian email scammers.
Success, of course, always breeds competition. Now folks in Ghana are competing for scam victims. In a practice called Sakawa, Ghanaians mix email scams with religion. Sakawa Boys pay a local priest or witch doctor to help them make lots of money. Some of these scams involve online dating services.
Often money goes to Africa via local grocery stores that offer international money transfers. Clerks I’ve talked to state that someone sends money to an unknown recipient several times a week. When I ask clerks whether they suspect the money transfers are scams, they say, “Yeah, we know; but company policy prevents us from saying anything.” Some clerks say it breaks their hearts because they know the victim won’t have enough money left to buy food.
In many (if not most) cases, the victims are elderly — folks with too little income and too much trust. If you have elderly friends or relatives, talk to them about scams — and do what you can to keep them from getting ripped off. For more information on new scams, check out Scanorama (whose motto is “Why should scammers have all the fun?) and fraudaid.com.