Think your data is safe? Think again

BY BRIAN GAAR | Saturday, Jan. 8, 2014, 8:34 PM

After a series of high-profile data breaches in recent months, you might be wondering: Just how safe is my personal data?

The answer, a number of data and online security experts say, is that it’s not very safe at all – and there’s not much the average consumer can do about it.

If you’re swiping a credit card at Target, ordering a book from Amazon, using your smartphone to pay at Starbucks or just talking with a friend on Facebook or Snapchat, you are potentially vulnerable to hackers.

There is no such thing as a hackerproof system, experts agree. If someone has the technological skills and really wants to get your personal information, the hacker — much like a determined burglar who stakes out your house — probably can do it.

As the recent data breaches at retailer Target Corp. and social media outlet Snapchat show, it’s a major problem, both for consumers wary of fraud and for businesses who are increasingly having to fend off an ever-larger number of hacker attacks.

A 2013 report from the Symantec Corp. security firm estimates that the global cost of cybercrime is $113 billion annually – enough to host the 2012 London Olympics nearly 10 times. The greatest costs of consumer cybercrime were reported in the U.S. ($38 billion), China ($37 billion) and Europe ($13 billion).

In December, Target said, 40 million credit and debit card accounts were stolen in a data breach that happened between Nov. 27 and Dec. 15. This month, the company disclosed that hackers stole an additional trove of data affecting 70 million people. It was the second-largest theft of shoppers’ credit card data, following the theft of 90 million customers’ data from discount retailer TJX in 2007.

At Snapchat, hackers posted account information for 4.6 million users of the social-sharing app, making user names and at least partial phone numbers available for download.

Incidents like that led to former Homeland Security Secretary Michael Chertoff calling cyberattacks the biggest threat facing America.

“Not only is there a concern about our critical infrastructure … but we are losing billions of dollars of intellectual property every year that is being stolen,” Chertoff, now chairman of The Chertoff Group, a company that advises businesses on cybersecurity-related issues, said in an interview with Yahoo. “It is resulting in job losses and damages to our economy.”

And things might be getting worse, experts say.

‘Sky is falling’

As more and more of our lives are lived online — from bill paying to purchases to social media — opportunities for cybercriminals continue to grow, experts say.

Cybercrime is the fastest-growing type of crime, according to Joe Ross, president and co-founder of Austin-based identity protection and fraud detection firm CSID.

Last year was the worst ever for data breaches, with more than 745 million records lost, according to Jake Kouns, chief information security officer of Risk Based Security, a cybersecurity firm based in Richmond, Va., and president of the Open Security Foundation, a nonprofit group that tracks data breaches.

Four of the top 10 data breaches of all time happened last year, with the all-time leader being software company Adobe Systems. In that case, an outside company found the data of 152 million Adobe customers on a site frequented by cybercriminals.

And, as technology advances, things are likely to get worse, not better, experts say.

“While it may sound like a ‘sky-is-falling’ message, the simple and honest answer is that right now there are not many positive messages when it comes to protecting our information,” Kouns said. “With the prevalence of credit cards and the saturation of associated data, at the moment it is just a matter of time before some of it becomes compromised.”

Ross, of Austin-based CSID, agrees with that assessment.

“It’s very difficult to keep (information) safe with all the transactions that we do online,” said Ross, whose company was retained by the Texas comptroller’s office after a data breach in 2011 and also worked with Sony Corp. to manage a similar data breach.

For one, it’s impossible to create a hackproof system, experts say, because of the way the hacker community continues to evolve. Many communicate with each other via a large underground network, Ross said.

He compared it to a more innocent pastime – playing video games.

“If you get to a certain level on a video game, there’s forums and websites you can go to and say, ‘All right I’m stuck here, how do I get past it?’” he said. “And you’ve got about 20 other kids that have been there, done that, and they tell you how to get past that level and on to the next level.”

Hacker communities operate in a similar way, he said.

“So what happens is, you start attacking a system, you hit something that you’re stuck at, all of a sudden you throw it into a hacker forum — and all of a sudden you have 50 people attacking that problem for you,” Ross said.

That type of collaboration makes it difficult to defend against hackers, whether they’re politically motivated individuals attacking government sites, organized crime outfits looking to steal money or foreign governments looking to snatch government or corporate secrets.

In the case of Target, the cause of the data breach isn’t yet known, but there is speculation it could have been an inside job – in which someone injected malware, a destructive program, into the memory portion of the retailer’s point-of-sale system, Ross said.

That meant credit card information, while not stored on the company’s hard drive, could have been stolen from the system’s temporary memory as customers swiped their cards.

Target’s breach should serve as a wake-up call, JPMorgan Chase CEO Jamie Dimon said this month.

Dimon expects that cybercrimes will become more common if retailers and banks don’t work on security, he said.

“This story is not over, unfortunately,” Dimon said in a recent conference call with investors.

Conventional defenses vulnerable

Against that backdrop, companies are spending ever-bigger amounts of money to address cybersecurity issues.

The worldwide security technology and services market is forecast to reach $67.2 billion in 2013, up 8.7 percent from $61.8 billion in 2012, according to research firm Gartner Inc.

“With security being one of the top IT concern areas, the prospect of strong continued growth is assured,” said Ruggero Contu, research director at Gartner. “The consistent increases in the complexity and volume of targeted attacks, coupled with the necessity of companies to address regulatory or compliance-related issues, continue to support healthy security market growth.”

And new cybersecurity companies like FireEye and Palo Alto Networks are now competing with Symantec and its longtime rival McAfee for a greater share of a market that is expected to swell to $87 billion by 2016, according to Gartner.

Conventional security defenses — like the antivirus software that Symantec and McAfee built their brands upon, as well as the network firewalls of Check Point and Cisco — have proved vulnerable to determined adversaries. The biggest problem with that older technology, some say, is that it reacts to threats rather than anticipating them.

“Antivirus products are not working right now,” said FireEye head Dave DeWalt, who used to be McAfee’s chief executive. “Companies are spending tens of billions of dollars of their money on a model that doesn’t work.”

Investors are also keen on startups like OpenDNS, which tries to identify suspicious Internet traffic patterns. The company was able to pre-emptively block malware hidden in Yahoo ads recently after it identified dangerous traffic coming from a small Internet service provider.

“We take a satellite view of the Internet,” said David Ulevitch, OpenDNS’s founder. “We don’t wait for the shots to get fired, then analyze the bullet.”

Ross said he’s also seeing hackers bypass firewalls entirely. In hacks like the one against Adobe, the big prize is stealing people’s user names and passwords – which many users recycle and use on other sites.

And in that case, the best firewall in the world won’t help.

“You can do all you want, but if I have the IT administrator’s user name and password, none of that matters,” Ross said. “That’s where these guys are getting a lot smarter about it; they’re not necessarily trying to go brute force and hack through some major firewall — they’re finding other ways in.”

It’s also a topic that companies don’t like to talk about. Often companies will put data breach losses under bad debt or fraud to hide them, Ross said.

Some of the biggest private employers in the Austin metro area – Dell Inc. and Whole Foods Market – declined to discuss their cybersecurity measures. Ditto for San Antonio-based grocer H-E-B.

“We are very aware and do have layers of plans in place, but we don’t discuss our security plans with the public,” H-E-B spokeswoman Leslie Sweet wrote in an email. “It would compromise our strategy.”

Some retail systems are relatively secure, and others are “horribly insecure,” Kouns said. But ultimately there’s no such thing as a hackerproof system, he said, and some vendors continue to put out vulnerable software.

“Companies that do everything right are still having breaches, due to poor security built into the software they have deployed,” he said. “Even then, a dedicated attacker or group will get in, if that is their primary goal. Companies have to fend off tens of thousands of attacks a month and make sure all of the doors are locked, while the bad guys have all the time in the world and only need to find one way in.”

No ‘silver bullet’

The solution for companies is not to build a Fort Knox-like firewall around their systems, said Emmett Witchel, associate professor of computer science at the University of Texas.

“What you need to do is make it hard enough and expensive enough for criminals to try to take advantage of your computer system that they will do something else,” he said.

For example, to combat spam emailers who advertise fraudulent deals, some companies have been working with credit card processors to identify fraudulent transactions. That’s a more manageable task than trying to stop all the emails, and it is a smarter way to staunch the flow of fraud, Witchel said.

And other security measures like two-step authentication – which requires users to enter a security code from their cellphone in addition to their password – might be a minor inconvenience, but provide a high level of security, he said.

“Like anything, there’s not one silver bullet that will get rid of all the bad actors in the world or get rid of all crime,” Witchel said. “But for certain pieces of our digital economy, for certain things like email, there are solutions … that will help reduce the losses due to criminal activity.”

As for consumers, experts say they should be cautious about what information they put online — such as birth dates on social networks. That’s an identifying number that could lead to identify theft.

And while having a credit card compromised might be a pain, card companies are generally good at identifying fraudulent charges and wiping away the problem. Identity theft, on the other hand, can be much more insidious, because victims might not know about it for years – until they find their credit is ruined.

“I would say shredding your garbage is much more important than don’t use your credit card online,” Witchel said.

But despite the rising tide of cybercrime, Witchel doesn’t see it having permanent harmful effects when it comes to innovation.

“Has shoplifting stopped retail? No. Is it part of the cost of retail? It absolutely is,” he said. “Will crime always be a part of the cost of doing business? Absolutely, and it will be true in the cyber domain … as well. But will it severely hinder innovation? No, I don’t think so.”

 

Tips for protecting yourself online

• Don’t give too much personal information on social network sites, such as your birthday or pet names.

• Change your passwords frequently and don’t use the same handful for every site

• Use an identity monitoring service to see if anyone’s opened any accounts in your name.

• If you get an email from a bank, don’t click on the link. Call them instead.

• Monitor your bank and credit card accounts for suspicious activity and check your credit rating regularly.

Source: CSID

Recent high-profile data breaches

• Target said last month that 40 million credit and debit card accounts were stolen in a data breach. The company later disclosed that hackers stole an additional trove of data affecting 70 million people.

• At the social-sharing app Snapchat, hackers recently posted account information for 4.6 million users, making user names and at least partial phone numbers available for download.

• Software company Adobe Systems’ database was hacked late last year and the data of 152 million customers was stolen.

About this story

Following recent high-profile data breaches at Target Corp. and other companies, American-Statesman technology reporter Brian Gaar decided to examine how safe consumers’ data is in an increasingly connected age. He examined past security breaches and talked with multiple experts to research the scale of the cybersecurity threat facing consumers — and whether there is anything we can do to combat it.

Share this post:

Leave a Reply

You must be logged in to post a comment.

Subscribe to our campaign e-mail updates!