[BreachExchange] When It’s Your Turn To Be Hacked
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Apr 4 20:00:00 EDT 2016
http://dailycaller.com/2016/04/01/when-its-your-turn-to-be-hacked/
Willie Sutton said he goes after banks because that is where the money is.
Hackers go after retail databases because that’s where the data is.
Willie’s banks knew they’d been robbed when they heard bullets hitting the
wall. Today’s retail outlets may get a firewall breach alarm but
confirmation comes when banks start telling the retailers about consumer
charge card anomalies.
If they are lucky, consumers are alerted by a call from their credit card
issuer. If they are unlucky, they receive a summons to appear in court for
fraud they allegedly committed months ago. It may be due to identity theft,
but try explaining that to the police, judge and your legitimate creditors.
It’s time to forget peace of mind, get a good attorney and launch your
multi-year journey of credit repair.
Criminal hackers seem to prefer retail stores who keep customer’s name,
credit card number, social security number, and any other financial
tidbits. Government and health care sites hold other data that are valuable
to hackers, such as the millions of federal employees’ data stolen from the
Office of Personnel Management.
Time Warner Cable reported that the email identity and password for 320,000
of its customers were stolen. Hackers generally want more valuable data
from the theft, but they can inflict substantial mayhem with email and
passwords.
A year ago, the IRS reported to some innocent parties that criminals had
filed fraudulent tax refund requests in their names. To validate the
innocent taxpayer’s identity in the future, the IRS gave each a six-digit
Identity Protection PIN. This year, some of those victims were attacked
again – the PINs had been stolen and used to file false refund requests,
again.
In 2015, a cyber theft hit 80 million customers of Anthem, a health
insurer. The stolen information included names, birth dates, street and
email addresses, medical IDs, Social Security numbers, and employment
information, including income data. That’s a good starter kit for identity
theft.
Hackers stole personal data for 32 million customers of Ashley Madison, a
so-called infidelity and cheater site. The hackers have posted some
customer’s embarrassing details online, including credit card transactions.
The hackers’ motives are unclear, but the pain to be experienced by many of
the customers is crystal clear.
Hacking can also take gruesome forms, such as hacking medication pumps or
heart regulator implants or hacking into baby camera monitors. Hacking the
control systems for autonomous cars is a particular concern for automakers.
Each of these can expose consumers to physical harm and violation of
privacy.
Criminals are behind most of these attacks. Some famous attacks (Stuxnet
attack of Iran’s centrifuges, North Korea’s Sony Pictures hack, Russia’s
Pentagon hack, OPM’s employee hack, and Ukraine’s electric grid hack) are
the work of state-sponsored hackers trying for economic and military
advantage.
In the wake of a retail cyberattack, gauging the economic damage is
difficult. We don’t know when the last attack-related problem and its
implications have surfaced. It costs a lot to hire attorneys to handle
court appearances, argue with the merchants, take time off work for
appearances, muscle the credit reporting agencies, monetize the reputation
damage (such as the loans you were denied, and the job interviews and
offers that never came). Expect to come out of this with a deep loss.
Unfortunately, we must not pretend hackers will be apprehended and forced
to reimburse our damages. Our justice system emphasizes protecting the
rights of hackers more than the rights of victims.
Against that sour backdrop of reality, we should be very concerned with how
much information we give to anyone operating a customer information
database – be it a retail store, health provider, or government agency.
Until database operators feel a substantial part of each hacked consumer’s
pain, they will not have enough compulsion to implement the best-available
security.
The fact is that Merchants aren’t required to put in place firewalls on
their servers, to use data encryption, or even to have virus and malware
protection to stave off hackers from your credit card and transaction
information, if they store it. Yet, some merchants are keeping consumer
transaction data for longer than necessary in order to use consumer
information for marketing. Fortunately, there is proposed legislation that
would require merchants to more adequately protect the consumer information
they collect and store.
If a website demands personal information before it will let you use its
services, check the end user license. Make sure the license promises
thorough indemnification to you for any consequences related to the release
of your personally identifiable information from its systems. If the deal
offered doesn’t protect you, just move on to a better website.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160404/3c131a9d/attachment.html>
More information about the BreachExchange
mailing list