Get ready for more data breaches. Many more. Now that the impact of the Target data breach has grown from 40 million card members to 70 million, and to perhaps as high as 110 million, prepare for all sorts of mayhem because this data theft is just the start of things to come.
Yesterday before Congress, Attorney General Eric Holder said, “The Department of Justice takes seriously reports of any data breach, particularly those involving personally identifiable or financial information, and looks into allegations that are brought to its attention.” Those are tough words but as long as cyberthieves operate beyond American borders, apprehension and prosecution will be little more than an empty threat.
Think about it — nearly two months have passed since the breach was announced and today nobody at Target knows the depth of the damage. Worse, when disaster struck, Target exacerbated matters by reversing course on a number of earlier decisions. First we were told that PIN information was safe, but then Target sheepishly announced that it was stolen too. Incomplete information erodes the consumer confidence in brands we have known for years.
The more we discover, the murkier things become. Law enforcement knows that the breach stemmed from malware within Target’s POS system, identified as Kaptoxa, It is designed to scrape and store stolen data for future use by the bad guys. According to press reports, these stolen names quickly went underground into the netherworld of illicit clearing houses, “the chop shops” in the illegal financial industry. Unlike other fraud, this clobbered people right where they live. People burned by the Target breach found that they bounced their mortgage checks, damaged their credit ratings, and turned their lives upside down.
According to a Washington Post article, a Russian teenager has been identified as the malware’s creator. Maybe he wanted to impress a teenage girl. While he did not launch the attack, we know that 60 copies were sold to other cyberthieves. More shoes will drop and major retailers will find themselves stumbling in the dark to assess the damage.
Here is our conundrum. We have a crazy relationship with our technology. One on hand, we swipe our credit and debit cards at gas stations, supermarkets, and other retail and online businesses, never realizing that every time we use them, we open up a new window of vulnerability with each transaction. For example, those who use pay-at-the-pump terminals at gas stations don’t realize that they’re at Ground Zero in the fight against transaction fraud.
Gas pump skimming is where the “small fries” operate. Those with greater imaginations will aim for the larger retailers and will probe and poke until a poorly created password gets them into the front door. Even as EMV (Chip and Pin Cards) are poised replace our mag stripe cards with better security measures, it’s only a matter of time before that gets hacked to pieces too.
So what does the future hold? More breaches will explode on to front pages. We will wake to sad emails from friends announcing that their accounts have been cleaned out by this madness. They will spend days if not weeks on the phone with banks cleaning up the mess. Pundits and other Talking Heads will bemoan the perceived lack of protection while the next Russian, Ukraine, or Czech Math Camp champion launches the next surprise attack.
Senior management at retailers everywhere will forever live under a darker cloud of fear. The Target breach will have a long tail echo and might even drive a decline in consumer confidence. People might think twice about using their debit card at Ground Zero of Retail Fraud, like Target or Neiman-Marcus. Class action suits will flood the courtrooms. Finally interchange, the base cost of electronic transactions, will have to move upwards and that will hurt us all. Costs not absorbed by banks and other institutions will be passed on to merchants or consumers.
Sometimes we’re our own worst enemies. Anybody who fails to walk their card inside a gas station and pay at the counter only courts danger. Gas station breaches take place at the pump, not inside. Many people still use sequential passwords like “1-2-3-4-5-6.” Others use highly identifiable clues like names of family members. Considering that we have so many personal passwords (from our Netflix accounts to online banking accounts) it’s hard to keep everything straight in our heads.
So what do we do? We know that any online fraud will increase. Companies will invest heavily into new fraud protection services because nobody wants to be “Target-ed.” Moving away from the mag stripes used on the back of our cards and going toward a “chip and pin” approach is critical but how long with it take for another Eastern European quiz kid to cook up new trends in stealing your data? Answer: Not long at all.
The death of cash is premature. For all those prognosticators who predicted that dollar bills would end up in museums, think again. You cannot hack a dollar bill or use a smartphone to pickpocket the woman next to you on the train. You have to do it manually. Cash has its limitations, but it in one sense, it is conspicuously safe.
The rise of Tokenization. Many of us at work use tokens to generate dynamic passwords, one time PIN numbers that just as quickly evaporate into thin air and are replaced new passwords. Perhaps that will serve to further narrow our window of vulnerability.
However, the “thin blue line” of fraud protection depends on us. Americans need to purchase in a smarter fashion. We can no longer be so lazy with our passwords and other PINS or else we’ll be stripped clean.
Any password older than 30 days is ripe for theft. We roll our eyes whenever we update our security passwords at work, but we should take that approach to all of our personal passwords and PINS. We should update everything on a monthly basis, and after what took place with Target, I am going make that a priority.