Random Thoughts – Randocity!

Marketing, Facebook & Data Privacy

Posted in botch, business, california by commorancy on April 14, 2018

FacebookLockHow is marketing related to Facebook and data privacy? These all fall under the same umbrella. Should you be concerned? Yes, you should be. Let’s explore.

Email Marketing

Let’s start with email marketing first, the precursor to social marketing. I’ve worked in the email marketing industry for the last 17 years at an operational level. I’ve worked on general email systems for over 25+ years. So, I fully understand at all levels how email and email marketing works and what is required to make it continue to work in today’s world.

Email marketing became a “thing” in the mid-late 1990s in earnest. Before that, people dabbled in email marketing to the chagrin of many early internet users. It was around this time that the term ‘spam’ was coined to denote unwanted / unsolicited email.

Over the years, email marketing has evolved into a big business with firms now utilizing marketing automation systems. These systems help you marketers manage their email marketing campaign efforts.

In the beginning, as a marketer, you had a list of emails and you sent content to those addresses. The content was the same to each user. There was no thought to personalization, tailored content or privacy of any of this data. Emails were sent using cron jobs via command line tools using Sendmail. This was initially the most basic form of email marketing. This would have been in 90s.

Evolution of Email Marketing

By the 2005, email marketing had evolved from its simplistic roots into more sophisticated systems using dedicated email marketing software from companies like Port 25 and OmniTI. These email server solutions facilitated the trend of building sophisticated marketing automation UI systems on top of these robust, fast, scalable and customizable email delivery systems.

By 2018, these underlying email softwares now include the ability to send push notifications to apps and also offer sophisticated clustering systems to allow for highly scalable, highly available infrastructure offering incredibly fast delivery times.

On top of these infrastructures sit today’s marketing automation solutions. These systems offer such features as list management, drip marketing, recipient nurturing, automagic feedback reporting and detailed reporting of how each campaign is doing.

List Management

Back in the early days, list management was a chore. You had to deal with adding and removing new entries yourself manually. In reality, few marketers ever practiced real list hygiene. Most would add new entries, but never remove people who didn’t want to see that content. It was just too much of a hassle culling through thousands of email addresses. This is why email marketing got such a bad rap. Marketer didn’t take the time to remove users from their lists.

As of today, it is now legally required to remove recipients timely from lists in most countries. If you don’t remove addresses timely, your company (and possibly even you personally) may be held liable for failure to remove an address.

If you use a legitimate email marketing company today (one that upholds legal compliance), they will automatically handle opt-out requests for every email you send. No need to worry about if you’re compliant as email marketing firms automatically add links to handle all of this for you, as long as you use their database.

Recipient Likes and Preferences

Email marketing has a huge drawback (well, two actually). The first and biggest drawback, the inability to understand the user’s likes and wants. There’s just no real way to get that level of detail out of a particular recipient simply because email interactions are so few and far between. You can’t get what you need out of email marketing to effectively target each individual user in a way that makes sense for their likes, product preferences, location and personal information…. at least, not without using more advanced features like drip marketing and advanced real-time feedback. Email marketing is typically just too hands-off for this type of experience. Enter the second problem…

Evolution of Social Marketing

The second drawback is that while email marketing today is still a very valuable form of communication, it is becoming old and dated technologically. Email clients haven’t been updated in a very long time, technologically and interactively speaking. Basically, the features that were commonplace in email by the late 90s are still the standards that we’re rocking today. In other words, email clients don’t support updated technologies like video and audio content right in the email. You have to click to a web page to see this type of interactive content. The best an email can do is an animated GIF, and that’s of little consolation when you’re wanting to offer much, much more interactive content.

In comes social media. Sites like Twitter and Facebook and Snapchat and, to some degree, even YouTube offer better ways to find like-minded folks and advertise to them. Marketers also have a lot of the same tools at their disposal, like list upload to find their existing users on Facebook. Unlike email which is pretty much a one-way system, social media offers two way interaction. People share their family information, their favorite products, their favorite restaurants, their friend information and so on. All of this sharing means more ways for marketers to mine that information about a specific individual. This information is, in fact, a gold mine for advertisers. It means that instead of the mostly one-way interactions and guessing with email, advertisers can now utilize the two way interactions of social media and find out what a user likes very quickly.

Amazon follows this trend with its own systems by targeting users with product ads that third parties purchase. It’s a way to target users with products and services the user is most likely to be interested in.

Of course, these are not perfect systems. There’s still a certain amount of guessing involved. Social marketing are only offering seemingly relevant best guess suggestions based on other people’s social and purchasing habits. However, social guesses at least based on actual data of purchase history and other shared information, rather than a near completely blind guess that email marketing uses.

Facebook and Privacy

In order for these suggestion systems to work, they must have enough information about your buying habits, what you already own, how many people are in your family, their ages, if you have pets, what car you drive and so on. The more companies know about your personal habits, the more they can target products that make sense to you. It’s a catch-22 though. The more they know, the more dangerous it is for you. Sharing your personal information means someone could learn about you and your habits and then steal your identity.

Enter Facebook. Facebook collects all of this data and more about you. They then mine this data on behalf of their advertisers. Advertisers submit their product(s) to Facebook for advertisement on its platform. The system then finds folks, based on their shared content and interests and displays an ad for a product you might be interested in. If you talked about cancer in a wall post, an ad might pop up for oncology services.

This heavily personalized advertisement system is a far cry from the old cold guess email marketing. However, social marketing was born from the idea of email. Email has now been trying to catch up and compete with this more interactive and interest-based advertising system. Unfortunately, email is firmly entrenched in the past. It’s great for individual communication. For predictive communication, email sorely lacks. Worse, it’s not likely to ever catch up in this area. Though, it’s still a good medium when combined with social marketing. Meaning, if you can mine people’s interests out of social platforms, you can then target them with products and services via email.

Data Privacy

Here’s where Facebook has failed time and time again. When someone uses a social platform to share information, it is expected that that information will remain private and only be shared with those folks whom have been allowed to see it. Or, more specifically, shared with people licensed to see it based on the agreed terms and conditions.

However, Facebook only offers a very basic permissions system. Extensive permissions systems have been available on operating systems for years. Yet, Facebook’s platform didn’t start out that way and still isn’t anywhere close. Facebook started with no privacy at all. Your data was published for everyone to see. As time progressed and people complained, Facebook added more and more user controllable permissions.

For each step that Facebook took, it consisted of tiny baby steps. They’d add incremental protection of that data, just enough to satisfy a single complaint. But, they’d leave plenty of other data exposed. As they would take more baby steps, they would implement one more control, then another, then another and on and on to where we are today. Instead of designing a system that offered robust privacy from the beginning, Facebook opted to build it piece by piece as they went along… sometimes backtracking in certain areas,

While Facebook’s user privacy controls were fairly robust by 2014 (user to user), Facebook still didn’t have much in the way of privacy when using its application programming interface (API). Developers could sign up and extract data via this API with far fewer boundaries. It wouldn’t be until later when Facebook, yet again, took another baby step that they would limit what developers could extract. By then, it was too late for Facebook to do anything about Cambridge Analytica, a company whose data brokerage business model is all about selling collected data.

Abuse

Email marketing has long recognized abuse to be a big factor in the industry. Handling abuse is what distinguishes good actors from bad. Sites such as Spamhaus exist to watchdog and prevent such email abuse and enforce industry best practices. While email marketers have had to grow much more knowledgeable about email marketing best practices, Facebook is entirely new territory for marketers with no such outside policing as Spamhaus. Even new email tools such as DMARC, DKIM and SPF have grown to help protect and legitimize the email marketing industry. Nothing like these exist for social marketing.

While Spamhaus helps to protect and prevent unwanted spam from random third parties, there is no such watchdog to protect your data from unwanted prying eyes within companies like Facebook or Twitter. With email abuse, there are also organizations like MAAWG to also help manage that email abuse. Again, there’s nothing offered on Facebook, except whatever Facebook decides is necessary. You’re at the mercy of Facebook to give you those tools, and currently their solutions are limited and swayed entirely to Facebook’s best monetary interests.

On the one hand, most people are very protective of giving out their email address to random people. Yet, on the other these same folks are completely willing to log into Facebook, Instagram, Snapchat, Whatsapp and Twitter and give up their every day lives, their pet’s name, their employer, their spouse’s name, their location and sometimes even their phone number, email address or other personally identifying information (PII). Worse, Facebook now requires the use of what appears to be a valid First and Last name, though you can put any data you want into those fields and there’s no way for Facebook to verify this. Other social platforms don’t require this. This Facebook requirement ensures the lack of privacy and that users can be targeted by outside third parties. It also ensures that data can be e-pended by outside parties.

Abuse of email has real tangible penalties behind it. Abuse of social networks only has a single company behind it, like Twitter or Facebook. There are no industry standard watchdog groups out there helping guide marketing organizations towards best practices. In fact, such a watchdog group couldn’t really exist because, unlike email, there are no sanctions that could work to stop bad actors short of asking their ISPs to stop routing traffic for those companies. Such a move would likely be met with a huge legal backlash from the company. After all, the ISP did sign contracts to supply service to Facebook. If they cut off peering to them, Facebook would have them for legal lunch. Nope, there’s no sanction against a company like Facebook that could work. Not even a lawsuit could be all that effective.

Instead, these unstoppable organizations are in it to make money off of your data. For this reason, this is why companies like Cambridge Analytica can come to exist on Facebook and steal 87 million (or more) users’ data. This is why there’s nothing Congress can do to Facebook. No laws means nothing to enforce. The only thing Congress (or each state) can do is enact laws to protect each person’s data and force Facebook to become legally compliant with those laws. Of course, Facebook might face other laws they could have run afoul, but because the US has no real data privacy laws, there’s nothing here to enforce… even with companies like Cambridge Analytica.

Protecting Your Privacy

Only you can protect your privacy and your data. You can’t leave it to companies to do this for you… particularly if you live in the United States. If you want to share everything you do with the world, then you can’t easily protect your privacy. Note that even if you never put a single piece of personally identifying information online, you still may have shared enough other minimally identifying information that when put together, someone can eventually identify you.

For example, if you visit Starbucks every day to take a photo of your coffee cup each morning, someone could find that particular Starbucks and stalk your movement there. They could hear you give the cashier your name or other personal information. They might listen for your name to be called. They might bump into you intentionally to make you drop your stuff. They might watch you get into your car and take down your plate number. They might even follow you home. This is why sharing your everything you do online can be dangerous.

Even if you never give your real first name, last name, address, phone number or other information, you (or your friends) may have shared enough photos, locations and friend information to eventually identify you. This information isn’t considered personally identifying information alone, but when pieced together, it is. With enough data pieced together, someone might find out who you are, where you live, your address and possibly even your phone number… maybe even other data such as SS#, CC# or anything else were they to obtain some of your mail.

This is, of course, all made worse by companies like Facebook that don’t take data privacy seriously and only produce half-baked “security theater” mechanisms designed to look like they protect you, but that in reality they don’t. You’re continually putting your data into the hands of folks like Mark Zuckerberg who has, time and time again, shown that his platform cannot be trusted to store personal data.

Security Theater

While email marketing now has a robust set of industry checks and balances, technological measures, industry watchdogs, laws and best practices… social marketing offers very limited controls. The reason for this 1) it’s so young, 2) it doesn’t interact with third parties like email and 3) Systems like Facebook won’t offer such controls. Email must interact with many unrelated parties along the way to get your email to an inbox. Social marketing has a captive audience inside a single platform operated by a single company, whether inside of Twitter’s network or Facebook’s network or whomever.

This means that while email marketers must comply with laws, technical standards, best practices and other data collection and use controls, sites like Facebook face far fewer data handling laws. This means that your data is effectively open to the highest bidder. Yes, Facebook claims to have taken strides to help protect and safeguard your personal data, but you don’t know if that’s true or not. No one audits Facebook to make sure these claims are, in fact, true.

With email marketing, it’s crystal clear when a customer uses an inappropriately collected list. With Facebook, there is no way to know whether your data has been appropriately or inappropriately used because Facebook gets to make the rules. Rules that can change one day to the next.

I’ve worked for enough high tech companies to know that most companies create lot of security and data privacy theater in place of actual mechanisms. Meaning, they state in their policies that they do something, but the technological measures to back up those policies don’t always exist. This facade, otherwise known as “theater”, is what let’s companies get away with policy breaches unaware. It’s usually driven by a case of “Easier said than done”. Implementing technical measures to enforce a policy isn’t always easy, particularly if said data is terabytes in size. Instead, companies perform it on a case-by-case basis. It also might take them weeks to complete the task. The policy is may be written into the legal terms and conditions. However, when a customer actually wants to know if that policy is enforced, the company will then manually enforces that policy on that person’s data, assuming they even give you an honest response to your question.

You’d be surprised to find that this situation happens a lot more often than you might be aware. Even many legal teams are unaware of this situation in their own companies. They think that what’s in the policy is always carried out every time. In fact, that’s not true much of the time. This is simply because legal teams rarely carry out internal audits to ensure that written, published policies are being followed internally. Even then, some legal teams are both aware and complicit in allowing the technical teams to not follow the policies to the letter.

I would also be remiss by not mentioning that some legal teams write data policies without informing the necessary internal teams of the policy changes or additions. Without buy-in and support from the appropriate technical teams, the written word can’t always be translated into functional technical procedures. This means that the legal team is out of step with what is technically feasible. Legal teams should always propose and write policy in conjunction with the teams that must support those policies. As a lawyer on an in-house legal team, you can’t just write policy because it sounds good and then assume it can be implemented easily. That doesn’t always work. Hence, security theater.

Data Deletion and Right to be Forgotten Laws

Here’s the outcome of security and data privacy theater. If you request a company to delete your data, you won’t know if your data has been irrevocably deleted. Many companies hang onto long term backups for exceedingly long periods of time. This means that while your personal data may no longer exist on a live hard drive and may not longer be visible via a web interface, it could still exist on a long term data backup solution the company uses. It might even exist via an API system. Note that some data backup solutions exist on live disks, such as using the Cassandra or Elastic database system or even such reporting systems like Splunk or Elastic’s ELK. Some of these internal systems may never or rarely get purged. Even basic text log files, which may contain some or all of your personal data, may be retained for years due to Sarbanes Oxley and other data retention requirements.

Early in the life of email marketing, you might not expect to be unsubscribed. Today, laws require email marketers to remove your email address from their list within 10 days. The word remove is subjective. The actual term is unsubscribe. Even after unsubscribing, the company can continue to hold onto your email address in their database so long as they never email you. In fact, an opt-out request is simply to unsubscribe you from their mailings. It doesn’t ensure your email address will be deleted from their list. This is how your email address can accidentally be mailed again in the future despite a previous opt-out request.

Data deletion has no laws in effect in the US. US companies are not obligated to delete your data even if you so request it. They can leave it on systems within their organization. This, unfortunately, leaves your information vulnerable to data breaches by unauthorized persons. This is why you can request a company to delete your data and later find out your data was involved in a data breach years later. Or, you may find identity theft from a data breach where you had asked a company to delete your data. There are no laws that require companies to delete data when requested… at least, not in the United States. In the UK and EU, the right to be forgotten laws have been written and will apply to UK and EU citizens under the GDPR. Whether those laws continue to exist after Brexit in the UK, I’m unsure. Canada appears to be working towards (or has enacted) a similar data purge law for its citizens.

However, no such ‘right to erasure / right to be forgotten’ law has been enacted in the US. Companies in the US are still free to store and keep your personal data for as long as they see fit. Yes, even after your deletion request. This means that your data is still at risk of a data breach, even after you’ve requested Facebook, Snapchat, Whatsapp, Instagram, YouTube, Google or Twitter to delete your data. US companies are just not obligated to irretrievably delete your data. Even in the EU, the laws may not fully protect you from irrevocable deletion of your data. Meaning, it may be enough for a company to actively delete visibility of your data on their web site, but that doesn’t ensure irrevocable erasure from all media in that company’s possession. Worse, as long as that data never surfaces in the future, that company can hold onto it… even if they are considered ‘breaking laws’. The only way to make sure irrevocable deletion occurs is by adding incredibly stiff penalties when the laws are willfully broken.

Social Networks and Marketing

Facebook, Twitter, Instagram, Whatsapp and more bank on their ability to collect your data, store it and use it freely. As long as you digitally agree to their terms and conditions regarding their data collection and use, then you have little recourse against them when a situation like Cambridge Analytica occurs.

In email marketing, selling of lists has been taboo for years and has always been considered an email marketing dubious practice. In fact, list purchasing is considered one of the worst email marketing practices. In Social Marketing, no such rules have been laid down. Facebook has been hitting these walls one-by-one since at least 2008. Each time, they put up yet another road block to stop that particular practice (aka, baby steps). Facebook doesn’t want to stop these practices, they’re just forced to by public outcry, the media and the government each and every time.

They knee-jerk by enacting new policies each time, but only because of duress. Policies, I might add that email marketers have been adhering to for years. Policies that now have laws like the CAN-SPAM Act and individual state laws. Yet, here we are again, reliving this same abuse pattern over again in another form.

Marketing Today

Marketers have always wanted to do the least work possible and gain the most money from their efforts. That’s the whole reason email marketing exists. That’s the reason advertising exists. They want to create the most effective campaign and Facebook allows them to do this with their personalized marketing.

Cambridge Analytica took that one step further. They mined Facebook’s data and stored it in their own offsite database. A database that Facebook claims they thought had been deleted. They then combined that data with other data to create an even more comprehensive profile of each person. Yes, even more comprehensive than Facebook alone. If they had first and last name along with at least one piece of identifying information, they could have gone to LexisNexis and gotten even more identifying information. Who knows, they might have?

Marketers today are looking for the easiest way to target ads to the people they need. Hence, the reason Cambridge Analytica can even exist as an organization. There are many, many data brokerage services available to buy list and user data. Data that can be populated into databases and targeted with ads. Most of these outside brokerage services sell with the intent of using email marketing, but there may be more today that are using Facebook to present their ads. Cambridge Analytica is but one in many data brokerage services that exist on the Internet. You can bet many others also exist and may have taken advantage of Facebook’s situation, just the same as Cambridge Analytica.

That Facebook claimed to believed that a data brokerage service, whose sole business is in selling data, would ever delete data they had legitimately collected from Facebook is entirely naïve and disingenuous. Facebook had to have known the business Cambridge Analytica was in at the time they were extracting data from the platform. One only needs to visit Cambridge Analytica’s web site for a few minutes to understand their line of work. Even then, if you weren’t certain, you could certainly pick up the phone, call them and ask what it is they do. Companies are always eager to talk about their line of business, particularly if they think they’re about to make a sale.

Ad targeting is not going away and is only likely to grow as artificial intelligence systems grow. The data privacy issue will continue to be ever more important as time goes on. To protect yourself, you must ask yourself, what should I share and what should I not? For example, publishing a single cute puppy or kitty photo or video is probably fine. However, many cameras today also add EXIF data to store location data and possibly other information about where and when photo or video was created. Data that might be used to link you to that photo. However, taking a photo every day of your cup of coffee might reveal things about the location that you visit (names, people, location identifiers, etc). These are things when you need to be cautious before posting. Even if the photo appears innocuous, you might want to think twice because someone else might see something that you don’t see.

Social platforms, while fun, are big business for their owners. Don’t be fooled into thinking it’s all fun and games. Those games and fun have a price to pay. That price is what they get to do with your user data. As has been said, if the service is free, you are the product… or more specifically, your data.

Advertisements

How to protect yourself from the Equifax breach

Posted in botch, business, security by commorancy on September 11, 2017

Every once in a while, I decide to venture into the personal financial security territory. This time, it’s for good reason. Unfortunately, here’s a topic that is fraught with peril all along the way. It also doesn’t help when financial linchpins in the industry lose incredibly sensitive data, and by extension, credibility. Let’s explore.

Target, Home Depot and Retailer Breaches

In the last few years, we’ve seen a number of data breaches including the likes of Target and Home Depot. While these breaches are severe problems for the companies, they’re less problematic for the consumer in terms of what to do. As a consumer, you have built-in protections against credit card fraud. If a thief absconds with your number, your liability is usually limited to around $50, but that also depends on the card… so read your fine print.

With the $50 you might have to pay, the inconvenience to you is asking your credit card company to issue you a new card number. This request will immediately invalidate your current card number and then you have to play the snail mail waiting game for a new card to arrive. That’s pretty much the extent of the damage with retailer like Target or Home Depot.

No one wants to go through this, but it’s at least manageable in time… and you can get back on with your life. For breaches like Equifax, this is a whole different ball game, let’s even say, a game changer. Breaching Equifax is so much more than a simple credit card inconvenience.

Credit Reporting Agencies and Breaches

With Equifax breached, this is really where the government needs to step in with some oversight and regulations. What your social security number is the the government, your credit reporting file is to your personal financial health. This breach is a dangerous game… and worse, Equifax is basically taking it lightly, like it’s no big deal. This is such a big deal, you will absolutely need to take steps to make sure your data is secure (and even then, that only goes so far).

First, I’ll discuss what this breach means to you and how it might affect you. Second, I’ll discuss what you can do to protect yourself. Let’s start with some basic information.

There are 3 primary credit reporting agencies (aka credit bureaus):

  1. TransUnion
  2. Experian
  3. Equifax

Unless you’ve never had a credit card, you probably understand what these businesses do. I’ll explain for the uninitiated. These agencies collect and report on any outstanding credit card or revolving lines of credit you currently have. If you have a mortgage, these entities know about it. If you have a credit card (or many), they know. They also know lots of other data (i.e., previous and current address), what loans you’ve had in the past, what bank accounts you have, what balances are on your outstanding lines of credit, any collections activities and the list goes on and on. It also lists your birth date, social security number and full credit card numbers and account numbers.

Based on all of your credit lines, how well you pay and so on, these companies create a FICO credit score. This score determines how low of interest rates you’ll receive on new loans. These companies are not only a bane to actually exist, but they are your lifeline if you need new credit. Even just one blemish on your record can prevent you from getting that loan you need to buy your new house or new car. Without these linchpin companies, lenders wouldn’t be able to determine if you are a good or bad credit risk. Unfortunately, with these companies, consumers are at the mercy of these companies to produce accurate data to lenders (and to protect that data from theft)… a task that Equifax failed to do.

What did Equifax lose?

Equifax lost data for 143 million record holders. While that number may seem small, the damage done to each of those 143 million record holders will eclipse the damage produced by Target and Home Depot combined. Why? Because of how these credit reporting agencies actually work.

Equifax (and pretty much all of these credit reporting agencies) have flown under the radar in what they do. If you go to a car dealer, find a car you want and fill out loan paperwork, that dealership will pull a credit report from one or more of these agencies. Your credit report will contain a score and all loans currently outstanding. It also shows how well you pay your loans, any delinquencies in the past and other financial standing metrics. This credit report will be the basis of whether you get a loan from the car dealership and what what interest rate.

Hackers had access to this data between May and July of 2017. The hack was found on July 29th, but not reported to the public until September 8th. That’s over a month that Equifax sat on this news. It’s possible that they were requested by law enforcement to hold the announcement, we just don’t really know.

What was lost?

According to the Washington Post:

Hackers had access to Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other information.

According to the New York Times:

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Those dispute documents being PDFs of bills, receipts and other personally identifying information. I’ve also read, but have been unable to find the corresponding article, that the hackers may not have had access directly to the credit report database itself, but only to loose documents in a specific location. However, even with that said, do you really trust Equifax at this point? I certainly don’t.

Why is this such a big deal?

Because the credit reporting agencies have played it fast and loose for far too long. They make boat loads of money off of each credit report that’s pulled. If you pay $50 as part of the loan process to pull your credit report, the dealership will keep part of that money and the rest goes to Equifax. Because many loans applications are processed every day, some credit reporting agency is making money. Making money isn’t the problem, though.

These agencies will pull a report for anyone willing to spend money. This includes people with stolen credit cards. However, that only gets thieves so far before being caught. Instead, breaking into computers at the agency allows them to not only pull credit reports for anyone who has a record, they can get access to lots of sensitive information like:

  • Social Security Numbers
  • Birth Dates
  • Addresses
  • Places of employment
  • Home Addresses
  • Credit card numbers
  • Dispute Documents
  • Etc..

Basically, the thieves may now have access to everything that makes up your identity and could steal your identity and then attempt to divert bills away from your house, create new cards, and do other things that you may not be able to see. If they managed to get access to your credit report, they can open cards out the wazoo. They can charge crap up on those cards. And, they can perform all of this without your knowledge.

Credit Monitoring

You might be thinking, I’ll set up a credit monitoring service and have the credit reporting service report when activity happens. Even that, while only somewhat effective is still subject to being breached. If the thieves have access to all of your identity information, they can request the credit reporting service to do things like, reissue passwords to a new email address and send sensitive reports to a bogus address. These thieves can even undo security setups like a credit freeze and reassign all of that information to their own address. You won’t see or even know about this unless you regularly check your credit reports.

This problem just barely peeks into the can of worms and doesn’t even open it fully. There are so many things the thieves can do with your identity, that by the time you figure it out, it could be far, far too late. So, don’t think that signing up for credit monitoring is enough.

Sloppy Security Seconds

In fact, it wasn’t seconds, it was almost 2 months before the breach was known to the public. A move that not only shows complete disregard for 143 million people’s financial security from a company who should be known for it, Equifax doubled down by creating a lead generation tool in their (ahem) free TrustID tool. Keep in mind that that TrustID tool is only (ahem) free for one year, after that you pay. Though, protecting against new account creation is only half the problem. The other half to which TrustID can’t help is protecting your existing accounts. Because credit reports contain every account and every account number you own, if your data was compromised (and with 143 million accounts worth of data lost, it’s very possible), you need to do so much more.

Even the Security Checking Tool (which was questionably put up on a brand new created domain???) seems to have been a sham and had its own share of SSL certificate problems leading to some browsers showing the site as a scam. Some Twitter users have entered bogus data… and, this checking tool seems to have stated this bogus data was included in the breach. The question is, does that tool even work or is it merely security theater? Yet another black eye in among many for Equifax’s handling of this data breach. To wit…

and then this tweet…

To sign up for Equifax’s TrustID premium service, you have to enter even more personally identifying data into a form of a company that has clearly demonstrated they cannot be trusted with your data. Why would anyone do this? Seriously, signing up for a service with a company who just lost a bunch of information? No, I think not. Instead, Equifax should be required to pay victims for a monitoring service with either TransUnion or Experian (where breaches have not occurred.. yet).

On top of entering even more personal information, the service requires you waive your right to lawsuits against Equifax and, instead, requires binding arbitration. Yet another reason not to sign up.

It’s not as if their credit monitoring service is really going to do you a whole lot of good here. If you really do want a credit monitoring service, I’d suggest setting it up with Experian or TransUnion instead. Then, figure out a way to get Equifax to pay you back for that service.

Can’t I reissue credit card numbers?

While you can do this, it won’t protect you fully. The level of what the thieves can potentially do with your data from Equifax goes much deeper than that. Yes, changing the numbers will help protect your existing cards from access. However, it won’t stop thieves from opening up new accounts in your name (and this is one of the biggest problems). This is why you also need to set up a credit freeze.

Because the thieves can now officially pretend to be you, they can do such things as:

  • Pretend to be you on the phone
  • Call in and request new pin codes based on key identifying information (address, SS#, phone number, etc)
  • With your old address, they can then transfer your bills to a new address
  • They can reissue credit card numbers to that new address

You’re probably thinking, “What about the security measure my bank uses? Won’t that protect me?” That depends entirely upon how convincing the thief can be over the phone. If they can answer all of your identity information and find a representative who can bypass some of the banks security steps, they can get a foot into the door. That’s all it takes for them to basically take over your credit accounts… which is one step away from potentially hijacking your bank accounts. A foot in the door is enough in many institutions to get the ball rolling towards full hijacking.

How do I protect myself?

If your data was involved in the breach (unfortunately, the tool that Equifax provides is sketchy at best), the three bare minimum things you should do are

  1. Contact one of the three credit bureaus and ask for a free 90 day fraud watch
  2. Contact all three and ask for a credit freeze on your records at each credit reporting agency
  3. Set up credit monitoring at TransUnion or Experian

The 90 day fraud watch means they will need to let you know when someone tries to do anything with your credit report. However, this watch is only good for 90 days and then expires. The good thing about requesting this watch is that you only have to do it at one bureau. All three will receive this watch request from your contact with one of them. The bad thing is, 90 days is not nearly long enough to monitor your credit. In fact, the thieves will expect the 90 day fraud watches, wait them out, then go after it hard and heavy after these begin expiring.

A freeze, on the other hand, lasts until you unfreeze. A freeze puts a pin code on your credit record and that pin is require each time a company needs to pull a copy of your credit report. This will last far, far longer than a 90 day watch and serves to stop the thieves in their tracks. To freeze your records, you will need to contact all three separately and perhaps pay a fee of $5-10 depending on where you live.

Setting up credit monitoring means you can be alerted to whenever anything changes on your credit report. But, credit monitoring won’t stop the changes from occurring. Meaning, you’ll be alerted if a new card is opened, but the monitoring service isn’t a preventative measure.

You can contact each bureau as follows to set up any of the above services, including a credit freeze (links below):

  1. Equifax or call 1-800-349-9960
  2. TransUnion or call 1-888-909-8872
  3. Experian or call 1‑888‑397‑3742

Neither a fraud watch nor a credit freeze will impact your credit score. A freeze simply prevents any business from pulling your credit report without having your pin code. Companies for which you already do financial business or have loans established can still pull reports as needed. However, any new loans will be required to have your security pin code.  You can learn all about the details of a credit freeze at this FTC.gov web site.

Unfortunately, because the breach may have been more extensive than it appears, a thief can now contact the credit bureaus over the phone, pretend to be you and have any pin codes removed and/or reissued. Then, gain control over your credit records. This is why this breach is so treacherous for consumers. You need to be on your guard, vigilant and manually monitor your credit report for at least the next 12 months regularly. This is the part no big box media site is reporting. Yes, this is a very treacherous landslide indeed that is at work. Even if you do all of the protections I mention above, thieves can still subvert your financial records for personal gain by knowing your key personally identifying information.

How do I stop the thieves?

This is the fundamental problem. You can’t, at least not easily. To truly protect yourself, the scope of changes would include all of the following:

  1. Get a new social security number
  2. Reissue all of your credit card and debit card numbers
  3. Open new bank accounts, transfer your money into the new accounts
  4. Close the old bank accounts
  5. Reissue new checks
  6. Change your telephone number
  7. Move into a new address (or obtain a P.O. Box and send your bills there)
  8. Legally change your name
  9. Change all of your passwords
  10. Change all of your email addresses
  11. Set up multifactor authentication to every financial app / site you log into that supports this feature.

Unfortunately, even doing all of the above would still mean the credit bureaus will update your credit report with all of this new data, but your prior history would remain on the report… possibly up to and including all of the old account, name and address information. It is very, very difficult to expunge anything from a credit report.

In addition to the above, I’d also suggest closing any credit lines you don’t regularly use. If it’s not there, it can’t be exploited. None of this is a magic bullet. You just have to wait it and shut the thieves down as things materialize. Being diligent in watching your credit report is the only way to ensure you nip things in the bud early.

Tidal Waves and Repercussions

It is yet unknown the extent of their breach or the extent to which each consumer may have to go to protect themselves from this deep gash in the financial industry. Not only does this gash now undermine each account holder’s personal financial well being, it undermines the credibility of the very industry holding up the world’s economy. This is some serious shit here.

If half of the US’s residents are now available to identity thieves, those organizations who help protect the small amounts of identity theft throughout a normal year cannot possibly withstand a financial tidal wave of identity theft paybacks which could seriously bankrupt many credit organizations. In fact, if this tidal wave is as big as I suspect it could become, we’re in for some seriously rough financial waters over the next 6-12 months. By the time the holidays roll around, it could be so bad, consumers cannot even buy the goods needed to support the holiday season. Meaning, this could become such a disruptive event in the US’s financial history, many businesses could tank as a side outcome of consumers not being able to properly spend money during the most critical season of the year.

This has the potential to become one of the most catastrophic financial events in US history. It could potentially become even more disruptive than the 1939 stock market crash. Yes, it has that much potential.

Since I have no reason to believe that Equifax has been totally honest about how much data has actually been lost, this is the reason for this level of alarm. I’d be totally happy if the amount of data lost was limited to what they have stated, but the reality is, nothing is ever as it seems. There’s always something deeper going on and we won’t find that out for months… possibly at the point where the economy is hit hard.

Equifax Aftermath

Because the US is so pro-business, Equifax will likely get a slap on the wrist and a warning. Instead, this company should be required to close its doors. If it is not providing adequate data security measures to protect its systems, then it needs to shut its doors and let other more capable folks handle this business. This sector is far too critical of a service and that data too risky if lost to allow flippant companies like Equifax to continue to exist in that market.

Tagged with: , , , ,

‘Tis the season to be breached

Posted in botch, business, california, data security by commorancy on December 8, 2014

As we roll into another holiday season just having passed through Black Friday, it’s wise to understand how to best protect yourself from these accidental data breaches at retailers (see: Bebe’s Data Breach). Let’s explore.

What is a data breach anyway?

A lot of people shop with credit cards without first understanding what they are or how they really work. By this statement I mean, I think people understand that the purchase extends credit for the items in advance and then pay the actual bill later to the credit card company. But, that’s not what I’m talking about. I’m talking about what happens when you swipe your card at a terminal. Let’s understand payment processing.

When you enter a store and swipe your card, information is exchanged between the terminal and the cash register. That information is whatever is on the back of the card (the card number, expiration, name, etc). All of that information is now accessible by the register (and cashier). Additionally, stores have networks that connect all of their registers (a type of computer system) to a central controller and ultimately to a company wide network. The company wide network may be connected to the Internet, but may only have direct connections to payment authorization providers.

When you swipe your card and that information is exchanged by the register, a program takes your card info along with the payment amount, securely asks a remote payment authorization service whether the card has sufficient funds to support the transaction (at least this part is secure). If your bank says yes, the transaction is approved and given a transaction number. This is a payment authorization and it instructs your bank to hold this dollar amount aside until the closing paperwork arrives (around 24 hours). If the paperwork never arrives, the authorization falls away and the money being held is released back into your account.

Now, if you don’t have enough funds (or for other reasons), the payment service receives a decline from your bank. The retailer and payment authorization service never know the reason for the decline, only that the transaction was declined. You will need to contact your bank to find out the reason for the decline. Declines can range from not enough funds to bad expiration dates on cards to reissued cards to fraud detection holds. Again, you will need to contact your bank to determine the reason and then rectify it. Note that if you are significantly over your limit and your card hasn’t seen a payment for several cycles, the screen may request the cashier call into a number. The person on the other end might request the card be taken and cut up. This typically means the account has been closed by the card issuer and you are no longer authorized to use the card. It is always wise to pay your bills if you value using that card.

Card Info Data Transit

The problem with data transit on a network is that, depending on the network and who built it, it could be designed to transmit your data as encrypted or in clear text. Let’s understand the difference. Encrypted data means that a key is needed to unlock the data to view it. This means that only devices that have the proper key can view and use the data. However, many network operators don’t use this type of security. A lot of people who build internal networks for corporations feel they are inherently ‘safe’ and choose to use clear text transit. What is clear text? Clear text is just like this blog article. It’s humanly readable without any extra work. Thus, many companies fail to adequately protect data transit between internal network devices under the assumption that no one should have internal access except authorized internal devices. In other words, because of the external border protections such as firewalls that prevent unauthorized inbound traffic, internal networks should be a ‘safe place’, thus adding extra safeguards only serves to slows down processing and, if you happen to be a retailer, could make the customers wait at the register longer.

Internal networks designed with limited or no encryption are a hacker’s paradise. If they happen to get into a network like this, everything is easy to read, easy to find and easy to download. It’s basically a dream come true for the malicious hacker. With little to no constraints on viewing data, it’s a kid in a candy store and that’s exactly how and why data breaches begin.

How do hackers get into a network then?

Because most companies today require their computers to have internet access, especially retailers who need access to payment authorization services, bugs in network and computer devices are impossible to squash. Internally, companies typically hire IT and operations teams to manage their network systems. They also typically hire security teams to help protect their networks. The security teams do their best to mitigate attacks and watch for data breaches, but it is the operations and network teams that manage the network gear and keep them updated. Because the security team and operations and network teams are separate sets of people, getting equipment updated with the latest-greatest version isn’t always expedient. This means that companies could be running one, two or five versions behind the latest version.

It happens for a lot of reasons. It could be old equipment that simply won’t support the latest update. It could be that there are thousands of servers that could be impacted by a single update. It could be that that single update might break custom software written by the company. There are a lot of internal factors as to why any piece of equipment is not on the latest version. Yes, sometimes it’s even a matter of complacence.

How do you protect yourself?

Before strolling into your latest big box retailer, you should arm yourself with knowledge. Knowledge like the above to better understand how your data gets moved around in company networks. Then, you can better understand when to take the risk to use your card and when to use another form of payment.

Use Store Cards

First and foremost, the safest card to use at a retailer is a store card without a Visa/Mastercard logo. These cards can only be used at the retailer where they were issued. They cannot generally be used anywhere else (unless the company owns several retail shops and shares the card among them). So, if you purchase at Target or Macy’s or Sears with a local store card, if there is a data breach, your ‘store card’ card number is no longer the lowest hanging fruit. The lowest hanging fruit are the Visa, Mastercard and Amex branded cards. With store cards, it will take time for a hacker to understand what that card is and how to use it. Also, once they realize that it only works at that single retailer or at that retailer’s web site, it’s much less appealing. Especially considering that many hackers today don’t live in the US. They might be living in China or Korea or Russia where that store may not exist and where they may not ship abroad.

So, sticking with store issued cards is really your safest bet when shopping at big box chains. Using a Visa or Mastercard or Amex branded card, if stolen, can be used anywhere around the globe (unless you call your bank an explicitly ask to prevent its use outside of your country). Note, not all banks can stop international transactions on branded credit cards, but most can. Call your issuing bank and ask.

Of course, should you plan travel abroad, you will need to make sure your bank authorizes international use before you leave. If you forget to call from home before you reach to your destination, you could have problems.

Limit transaction amounts

You can also limit your per day transaction amount to a much smaller amount. This can make it difficult if you want to buy a big ticket item with your card, so you’ll need to weigh just how often you make large purchase (and how big they are). However, lowering your per day transaction amount to $500 or less limits how much a hacker could put on the card per day. Again, your card would then no longer be low hanging fruit. Hackers want cards with high dollar amount transaction limits to they can spend a lot of money per day quickly and get away from it. As soon as a hacker tries to buy something expensive and they get a decline, that card is marked as not usable and they move onto trying another card.

Use gift cards

Because there are now Visa and Mastercard branded gift cards, you can put a dollar amount on the card that you wish to use while shopping. If this card number is lost to a hacker, it’s has limited liability (because of the logo) and it limits how much damage they can do to you financially. Also, because it’s a gift card, there’s limited personal information they could obtain about you in relation to this card. So, identity theft is much reduced by using gift cards. You should read Visa, Mastercard and Amex branded logo gift cards carefully. Some require fees after 1 year. So, you will need to use up the balance on the card within 1 year or you could start losing your balance to the monthly fees.

There are also store branded gift cards without any logos such as iTunes, Sears, Amazon, etc. These gift cards can only be used at their respective issuers. Again, these cards offer limited liabilities if stolen.

Though, if a gift card number is stolen, you will also want to read the terms and conditions with the card issuer. Not all of them assume replacement liability. So, if your gift card is stolen, you may be out whatever money was on them. So, you should always read gift card terms and conditions carefully.

Use good ‘ole cash instead

While cash does have its uses, I don’t believe holiday shopping is really one of those times. Because you’re typically buying large ticket items for holiday gift-giving, carrying a wad of crisp $100 bills around to pay for them can be downright dangerous. During the holiday season, you may be trading your financial safety for personal risk. For example, the first store you visit could lead someone seeing your cash, stalking you and taking your money and gifts from you by mugging…especially if you just happened to walk out of an Apple store. Depending on the city where you live, it’s sometimes not worth trading the potential safety of your financial security by putting your personal safety at risk. If you are mugged, they’ll likely steal your cards too, which also leaves your financial safety at risk.

And, if muggers rip off your cash, there is no replacement at all. It’s gone. Using credit cards, especially Visa, MC and Amex branded cards, these cards offer limited loss liability. So, if someone steals your card number and begins using it, your total loss is quite limited. The bank will pick up the tab on your behalf and then chase down the perpetrators for their involvement attempting to get the money or merchandise back.

Basically, cash is unsafe and insecure if carried in large amounts. Whipping out your wallet and flashing that set of crisp $100s once is all it takes during a busy shopping season to get you mugged.

Use a debit card

Last, but not least, use a debit card. Though, while liability on your debit card might be higher (check your debit card terms), you have a known pin code that is required to buy anything. A pin code is a lot stronger of a protection than a signature on a credit card. Basically, stores are not required to collect signatures from purchases. They can simply state ‘signature on file’ when that may not be true. This is how you can buy with a credit card from Amazon or Newegg without ever having to sign for your purchase. Even some retailers today are not asking for signatures on cards if the transaction amount is under $50.

Debit cards always require a pin for the transaction. With web site access today, pin codes are also relatively easily changed. You can also usually get the pin code changed long before the hackers are dipping into these cards to make purchases. Again, hackers prefer low hanging fruit. This means that most hackers would opt to use Visa, MC or Amex branded cards rather than trying to use someone’s personal debit card.

Though, keep in mind most debit cards issued by banks today contain a Visa or Mastercard logo. So, that means the card can be used like a credit card with a signature alone. Instead, you should ask your bank to send you a debit card without the logo. This card can only be used where debit cards are accepted or at ATM machines. It cannot be used to buy at places that don’t accept debit cards. Again, this keeps your card from becoming the lowest hanging fruit.

Limit your shopping days

When you do shop, keep your receipts so you know the date and time that you shopped and where. Keeping receipts is always smart if you need to return something, but it’s even smarter when there’s a data breach so you know if you may have been affected.

Also, limit your shopping to a limited number of places and keep record of when and where (use receipts or write it down). Four months after the holiday shopping season when a breach is announced, you might not remember that you shopped at that random store that lost data which then subsequently led to some random hacker racking up a large bill on your Visa card. In fact, you might only discover the breach yourself after you notice the large bill on your card.

If you limit the number of times you shop and use cards as suggested above, you can help eliminate your cards as being the easiest to rob.

Shop where breaches have previously occurred

This may seem counter to safe practices, but companies have have endured breaches are less likely to be breached again. This is especially true of big box retailers such as Target, Walmart and the like. These retailers have a whole lot to lose if they are breached a second time. It’s very likely that these companies networks are a whole lot more secure after the breach than before it.

Shopping at companies who have not yet had a breach doesn’t mean that their networks are insecure any more than they are secured. Yes, it could mean that. But, it could also mean that these yet breached companies are lucky not to have been targeted. If hackers focus their sights on a victim, they will chip away at the security until they find a way in. They also have plenty of time to do it. Let’s also note that way into a network may not be through the front door. The hackers could get in just as easily through an executive’s lost or stolen cellphone or notebook or a third party vendor (like HVAC, plumbing or other contractor who’s network might be less secure). Note that hackers may also work on several company networks at the same time until they find one to breach.

What about Sony?

Sony is a bit of an unusual case. Instead of strengthening their network security across the board, it seems their management team may have decided to only tightened security on the division that was compromised. Sony is a very large corporation containing many different entities all over the world. SCEA (the games division) was where the last breach occurred prior to this latest breach on the Motion Picture Group. So, anyone who has read through the MPG spreadsheet of salaries knows that there are at least 6 people in the US alone that are taking home well more than $1 million dollars a year in salary. You would think that these highly paid staff would understand the risks of computer networks and make it their top priority to secure their personnel and other records through best security practices. Nope. For example, an easy best practice is to use a password to open a spreadsheet. Sure, these can be easy to crack, but that’s extra effort required on the part of the hacker.

Unfortunately, these people are not doing their jobs. Some could argue, it isn’t their job. Their job is to be Senior or Executive VP of blah. Part of being a Vice President is to make sure your company is secure. If you can’t ensure that your division is secure, then you shouldn’t be taking home a million dollars in salary. It’s quite simple. These people are way overpaid for the job they perform for Sony. I digress.

Sony is clearly a situation where the left hand doesn’t know what the right hand is doing, and frankly they don’t care as long as they walk away with their pay. So, what about Sony? Here’s the takeaway.

For any company that has been double or triple breached (like Sony), you should stay as far away from that company (like Sony) as you possibly can. Sure, you can buy Sony products at a retailer because the retailer is responsible for the transaction. But, you should not use Sony products that require storage of credit cards for payment. You should also not purchase software from any site that Sony owns. It’s crystal clear, Sony cannot be trusted and they seriously don’t care about data security. If you must purchase something from Sony, use a Sony branded gift card, Paypal, Google or Amazon checkout. These payment systems are not owned or operated by Sony, but can send payment to Sony for whatever it is you need to buy. But, don’t buy directly from Sony (or any other company) that has repeatedly been breached.

Best Practices for Personal Finances

While these are but a few best practices to protect your home finances, there are plenty more common sense approaches to keeping your finances secure. Here are a few top examples of how to secure your own finances:

  • Keep your credit cards in a safe place.
  • Regularly check your bank statements for unauthorized transactions. Some banks now offer email notification of suspicious activity, use it.
  • During the holiday season, make sure you know what stores you shopped by keeping receipts in a handy place.
  • Open a second bank account to move small amounts of money in when you need to purchase items online or in stores. Secure your primary account using limited access to services like debit cards, ACH and other third party access. Use the second account much smaller account for these services. It’s easy to move money between accounts in the same bank using your phone app or on the web, so take advantage of this extra security.
  • Call the bank immediately if you’ve lost or stolen your card. You should write down the number on the back of the cards into your smart phone so you have it in case the card is stolen or lost. Don’t write the account numbers down next to the phone number.
  • Make use of the free credit report you can get once a year and check your credit every year.
  • Don’t purchase from any retailer where they are not following proper credit card practices. For example, they should not have to double swipe your card, write the numbers down or ask for any further information aside from looking at the back of the card.
  • Don’t allow any retail cashier to walk away with your card. They should only need to hold the card long enough to look at it or swipe it once at the register.
  • While it is a regular practice for waitstaff to walk way with cards and bring them back to the table as a convenience, you should be wary of this practice. In fact, it might be best to take the check to the cashier at the place where they ring up your meal and watch them ring up your bill. Allowing waitstaff to walk away with your card out of sight means it could be duplicated, swiped through a cell phone or written down.
  • Throughout the holidays, you should search through a major news site for data breaches at least once a week. As soon as you hear of any store that has breached where you may have shopped, you should ask for a replacement card if logo branded or change your pin immediately if debit. For Visa, Mastercard or Amex logo branded gift cards that may have been used at that retailer, you should call the number on the back to have a replacement sent immediately. Unused gift cards are not a problem.
  • Request your bank place a fraud watch on your account if you suspect anything amiss with your cards. You should also request a replacement card if you have any reason to believe your card number has been lost. Yes, I know that can be a hassle during the holiday season while you wait for a new card, but it can potentially save you thousands of dollars lost to a hacker.

Overall

It is up to you to secure your own home finances. Using the above best practices should help aid you in achieving that goal. But, you should immediately become suspicious of anyone who attempts to do anything out of the ordinary with your card. If a cashier asks to do something with your card that doesn’t make sense, you should immediately ask for the card back and call over the store manager to clarify what’s going on. If they are the only person in the store, you should leave without making the purchase, step out of the store and immediately call your bank and put a fraud watch on your card.

As the Holiday shopping season gets fully underway, you need to be ever vigilant over your finances because the stores won’t do this for you. Worse, because there are many people who need money to meet their own bills and cover holiday shopping expenses, fraud and theft can be anywhere from anyone. That’s not to say that most people working at retail establishments aren’t screened and trustworthy, but for some people, the temptation of all of that money gets the better of them and they resort to taking other people’s money. By far and away, though, data breaches are the biggest problems of all because you don’t know who or where the attacker is. So, this is where you need to watch your finances closely and use your card very limited amounts over the holidays. Use cash where you can, but don’t jeopardize your personal safety by carrying too much cash.

Wishing a Happy and safe holiday season to everyone from Randosity!

Stung by the Target data breach? Here are some tips.

Posted in botch, business by commorancy on December 22, 2013

Target LogoUnless you’ve been living in a cave, Target stores recently disclosed that it had potentially lost up to 40 million credit and debit card numbers when their point of sale systems became infected with malicious software. Let’s explore how to protect yourself from these situations.

Knee-jerk Reactions

A lot of people who are not very tech savvy immediately jump the gun and presume all credit card systems are vulnerable and that carrying and using cash is safer. Unfortunately, this is an incorrect assumption to make. Cash, while useful, is not always safer to carry around. If you are carrying, for example, thousands of dollars on your person, when you get robbed or mugged, your money is gone and is not replaceable on top of whatever injuries you may have sustained when they robbed you.

You’re probably thinking, “How is anyone going to know I’m carrying it?” You have to open your wallet to buy things. People can easily peer in and see how many bills you have tucked in there. It’s very simple. They’re not going to mug you immediately following seeing the money. No, they’ll wait and do it a much more opportune time for them, but when you are most vulnerable (alone in a garage or someplace else similarly alone and dark). So, carrying loads of cash is not the answer. Money is also not replaceable when it’s stolen.

When and what happened in the breach?

Target confirmed that cards swiped through its terminals between November 27th and December 15th were likely exposed in the breach. However, Target hasn’t been forthcoming describing exactly how the breach was accomplished. But, what has been said is that the point of sale terminals appear to have become infected with malicious software. This would likely include both the customer card terminal reader and the register itself since both are connected together. It has also been stated that the hackers only received data contained on magnetic card stripe, which indicates that the malicious software only infected the actual card swiping hardware device.

However, if the entire register and card-reader terminal was infected with malicious code, it’s possible they also captured all input from these terminals which would include PIN codes and signature digital data. So, I’d suggest proceeding on the assumption that they did potentially obtain keyed-in data including PIN codes.

To be the absolute safest in your response to any breach announcement, always assume the worst to take the most appropriate action in anything dealing with credit or debit cards.

Who is Most Vulnerable?

Mastercard, Visa and Amex card holders or debit card holders which contain Visa or Mastercard logos are the most vulnerable card holder types in this breach. These cards can be used anywhere, especially at online sellers without signatures. So, it’s easiest to use these cards all over the Internet.

The least vulnerable cards are Target RED cards without Visa logos. These cards would actually protect you against use. Since these cards are only usable at Target and must be presented at the register to be swiped, they cannot be used at Target without creating a physical card. Because these cards do not look or feel like regular credit cards, they would be a bit harder to duplicate. Though, it’s not impossible. Because the non-Visa RED cards only work at Target, this means that the perpetrators would likely use the ‘low hanging fruit’ first. That is, the perpetrators would opt to use card numbers that can be used anywhere and can be used online without needing to print a card. Or, more specifically, Visa, Mastercard or Amex branded cards. Cards without logos, like Target’s RED cards can only be used at Target which limits where the card can be used.

The RED card can be used, however, at Target.com. This means they could use your RED card on a Target.com account.

What should I do?

If you have a credit or debit card bearing the Mastercard, Visa or Amex logos, you should flip the card over, call the number on the back and ask to have the card replaced. Don’t try to contact Target, don’t ask questions at Target, just have the card replaced immediately. Yes, I know this is the height of the holiday shopping season and may make it inconvenient for you, but just consider how much more inconvenient if the perpetrators max out your card and you have to clean up that mess in addition to not being able to shop? It’s always better to err on the side of caution and replace your card.

If you have a RED debit card, log into Target’s RED card management site and change your PIN. You can get to it from the main Target.com web site. Go ahead right now and do it. I’ll wait. You can finish reading the article when you get back.

So, now that you’re all done changing your PIN to your RED card, that’s really all you need to do. If the perpetrators obtained your RED debit card number, it cannot be used without the PIN code. By changing your PIN, you have now just protected your RED debit account from unauthorized use.

If you have a RED credit card without a Visa logo, assuming this card only requires a signature to purchase, then you are also vulnerable to easy purchases online at Target.com. Even with a non-logo Target credit card, there’s much less that can be done with it as it only works at Target. Still, I suggest you also visit the RED card management portal and choose to replace your RED credit card. There’s a link in the management site to do this. I suggest doing this online rather than trying to call the number on the back and waiting on hold. Due to the extremely high volume of calls that Target is experiencing at the moment, it’s really a whole lot faster to use their web management site. However, before you run off and request a replacement card, I suggest reading the rest of this article first.

If you own a Target Visa card, you should replace it immediately just as you would any Visa branded card.

Should I cancel my RED card?

The answer to this question is not as simple. If you use no other card than the RED debit card to make purchases at Target, you are actually more protected than any other card you can use. So, I wouldn’t recommending closing out your RED debit card if you want to continue shopping at Target. However, if you no longer wish to shop at Target after this breach, then I would suggest you close out all of your RED cards as you don’t want these cards hanging around unused.

If you own a Target Credit card and especially a Target Visa card, you might want to consider closing these cards and replacing them with a RED debit card instead. Debit cards are protected by PIN codes. Without the PIN, the card is useless. With a credit card, only a signature is required in-store. For web purchases, no verification is really required other than the security code on the back (and not always even at that). With debit cards, your PIN code protects you. With a credit card, very little protects you other than fraud liability coverage and even then you can still be held liable.

The Best Card To Use

The RED debit card is the safest card to carry into Target to shop. It’s safer than a Visa, Mastercard or Amex branded card because it can only be used at Target. It’s safer than carrying loads of cash. It also gives you a 5% discount off of purchases. You won’t even get that discount with cash. It requires a PIN code to use the card and PIN codes are relatively easy to change on the Target management site by the authorized user. It’s not so easy to change by a hacker. The one downside to using the Target RED debit card is that it requires giving Target ACH access to your bank account. But, if you set up a separate account strictly for shopping purposes as suggested in Randosity’s Don’t Trust Paypal article, you can even protect your bank account from unauthorized ACH access by Target.

How do I protect myself?

There are limits to what you can do to protect yourself against technology. We are all vulnerable to attacks every day when using our phones, our computers, at work, in our cars. Technology is everywhere and malicious code is being developed as you read this article. There is no protection against malicious code technologies. Most technologies are written for the greater good, such as checking you out at the store, helping run your phone, helping run bank ATMs, etc. These are all good uses of technologies. However, there are people who’s goal it is to disrupt these technologies for their own pleasure, for political reasons, for terror reasons or simply to disrupt the flow of society.

Basically, sh*t happens. You can’t predict it, you can’t manage it, you can’t really do much about it. This is why your bank cards have limited liabilities and why they allow you to change PIN codes and ask for replacement cards. The banks are well aware problems happen and they have safeguards in place to help prevent these problems.

However, only you can protect you. If you want to be the safest you can be, then monitor your transactions in your accounts closely. Also, choose technologies and technology strategies that help you safeguard your accounts. Don’t expect the banks to do this for you. However, some banks do offer limited monitoring services and will contact you when suspicious activities appear. But, it is up to you to make sure your account information is safe. Basically, if you don’t trust in the current payment technologies, you’ll be left behind. If you do trust the technologies, you have to take the good with the bad. Cash paper money won’t last forever. Eventually, it will be replaced with something else. But, these new payment technologies will continue onward.

For now, cash is one way to handle the technology issue, but it is not the best way. Of course, you could go back to using paper checks, but even checks are vulnerable to electronic attacks. While the paper check is an older concept, it still suffers from technology attacks because checks are scanned by computers and from there they become digitally vulnerable. It can also be difficult to buy things with cash or checks at online retailers unless they accept Paypal. The bottom line, if you choose not to participate in the new payment technologies, you will find it difficult and inconvenient to buy things, especially online. If you choose to embrace the newest payment technologies, you will need to also embrace the new security paradigm that goes along with these new technologies. Target has just unwittingly become a poster-child for these new paradigms.

Tagged with: ,

Security tip: Don’t sign-up for sites without ‘delete account’ function

Posted in data security, security by commorancy on April 2, 2012

As security of data becomes more and more important and as security breaches become more and more frequent, the ‘delete account’ link becomes very important.  So many sites today allow you to import information such as credit cards, birth dates and other sensitive information, but many times they don’t allow you to delete that information (or your account) easily.  In some cases, you can’t delete your data at all.  It’s important to understand why it’s critical to have the option to delete your account (and all data associated with it). Let’s explore.

Account Security

Few people consider account security when signing up for an internet service like Facebook, Twitter, MySpace or even Yahoo or Google.  As more and more sites become victims of security breaches, without deletion of old dormant accounts, your data is sitting out there ripe for the picking.  In some cases, these accounts may have stored credit card, social security or other potentially sensitive or revealing data.  So, when you begin that sign-up process, it’s a good idea to check the help pages on how to delete your account information before you sign up.

Old Dormant Accounts

We all have them.  We signed up for a site 4 years ago and then either never used it or used it only a few times. Don’t leave old dormant accounts sitting unattended.  Delete them.  You don’t need some random hacker gaining access to the account or, worse, obtaining the password through a break-in to that site.  If they obtain an old password, it’s possible that they may now have access to all of your accounts all over the net (assuming you happen to use a single password at all sites).

If you are using a single password, change them to all be unique.  If you can’t do this, then find the delete button on all these old accounts.  If you can’t remember what you’ve signed up for, then that’s beyond the scope of this article.  Still, deletion is the best option at avoiding unintended intrusion into other important accounts, so delete old accounts.

No Delete Function?

Two ways to handle this one.

  1. Delete all data that you can from the account, then find a random password generator and change the password to a randomly generated password.  Do not keep a copy of the password and never use it again.  Basically, you have locked the account yourself.  If someone does access the account through the web, they won’t get anything.  If they break into the site and gain access to the passwords, they will get a randomly generated password that leads them nowhere.
  2. Contact the site administrator and ask to have the account completely deleted without a trace.  Sometimes they can, sometimes they can’t.  Depends on how the site was designed.  It’s always worth asking.

New Accounts at New Sites

When signing up with new accounts, if you cannot find a way to delete the account, then contact the administrator and explain that you would join the site, but you cannot find a way to delete the account when you no longer wish to have one.  If they state that there isn’t a deletion function, explain to them that until they implement this function, you can’t use the site.. and walk way.  Note that there is nothing more important than your own personal data security and you have to be the champion of that security because no one else will.  If sites refuse to implement deletion functionality, then don’t use the site.  There is no site functionality that is more important than your data security.

No Reason for Lack of Delete Function

In fact, there is absolutely no reason, other than sheer laziness, to not implement a delete function in any internet web site.  If it can be added, it can be deleted.  It’s very simple.  I know, some developers are going to say, “Well, it’s not that easy”.   That’s a total crock.  It is that easy.  If you have developed software that is incapable of deleting user account information, then you are either seriously inept as a programmer or you simply don’t understand what you are doing.  There is no excuse at all for not adding a delete function to any site (including deletion of a user account).  To my knowledge, there is no operating system or database that does not have the ability to delete data.  Not adding this feature is just not acceptable.  Always demand this feature if you cannot find it.

Pre-existing Site Accounts

I know that some of you may have joined sites ages ago when data security breaches were less common than today.  Back then, account delete functions may not have been available.  This may have been carried forward and these sites may still not have delete functions.  Demand that the developers add this functionality.  If you are an avid user, you should always demand this functionality.  You never know when something may change that may require you to delete your account at that site… like a data breach.  Security is important and your personal ability to delete your account is your right and should not be undermined.  Again, always demand this feature from the sites you frequent if it is not present.

I challenge you to visit all of the sites you regularly use and locate the delete account function.  I’ll bet that more than 50% of the time, it’s not there.  Demand that this feature be implemented if, for nothing else, than your own personal peace of mind in case you need it.  It’s like that insurance policy you buy, this is the same.  The delete account feature is your insurance policy to prevent unauthorized access whenever you need to exercise this option.  However, you cannot delete your data if the functionality is not there, so always make sure the delete feature exists before you sign-up.

%d bloggers like this: