Has technology outpaced our ability to prevent or decrease cybercrime?
The idea that credit card information, and even our identity, can be stolen is nothing new. What is new is the level of sophistication with which our personally identifiable information (PII) can be compromised.
Links in emails, tweets, posts and online advertising may contain malware that helps cybercriminals infiltrate networks and access data. Furthermore, the prevalence of subcontractors or third-party vendors in the business world increases the risk of a data breach.
This is not simply a problem for corporate America. The majority of data breaches happen to companies of 100 employees or fewer. Small businesses and individuals alike should be proactive in protecting data and personal information.
The U.S. Government has sought to increase awareness through a campaign called “Stop.Think.Connect” launched in 2010 by the Department of Homeland Security.
In summary, the three tips suggest:
Stop: Keep your software, web browser and operating system current.
Think: Use long and strong passwords plus security questions when offered.
Connect: When in doubt, throw it out. Do not open a link in an email, tweet, post or online advertising if you are unsure about the source.
In other words, think before you click!
The Target Data Breach
On December 18, 2013, KrebsOnSecurity first reported the data breach at Target.
Cybercriminals from Eastern Europe and Russia breached Target’s U.S. point of sale (POS) devices in December 2013, stealing the credit card numbers of 40 million shoppers and the PII of an additional 70 million shoppers, totaling 110 million shoppers.
Target provided its third-party vendor in Pennsylvania, a heating, ventilation and air conditioning (HVAC) company, open access to its network in order to do maintenance on systems in their stores. This cost-saving measure is typical in the retail industry for maintaining the proper temperature in stores.
The cybercriminals infiltrated Target’s network via malware-laced emails sent to employees at the HVAC vendor in Pennsylvania, installed malware on the POS devices and then began doing data drops to locations in Florida and Brazil. From there, the cyberattackers accessed the data and sold what they could on the black market for a hefty profit.
How do you react to this story?
First, it is worth noting that businesses typically grant vendors access to their networks for various functions.
Second, these vendors can have data either hacked directly from them or they can be a gateway into a larger data pool, as in the Target breach.
Third, Target was viewed as having a good, secure network.
Fourth, Target was, in essence, a victim of the hackers as well.
To date, the cost of the Target data breach is $236 million with a reported $90 million in insurance payments and a consistent drop in share prices.
The story of how and why Target was hacked illustrates that a data breach, large or small, may be prevented or decreased with a bit of vigilance and common sense. It also shows us that even after taking proper security measures, outside vendors, which are used by most businesses, may become a gateway for hackers to access our data.
After the Target debacle, changes began taking place in the United States. New laws were enacted, new insurance policy wordings were drafted and consumers began to take a closer look at where they shop and how they pay.
There is something to be said about our American resilience. We learn from disasters or high profile cases, we pause, we take notice, we make the necessary adjustments—then we get on with our lives.
So, are we overly concerned about cybercrime? Will our concern pass once we sort out our cybersecurity action plans?
For those people who’ve been victims of identity theft, it will take more time to recover than for those of us who’ve had our credit card information compromised. The actual damage or harm to victims of a data breach is usually inconvenience, and perhaps emotional distress.
Those profiting from a data breach are the hackers as well as counsel defending insurance companies from the lawsuits that arise. The biggest loser is the entity that has been hacked, particularly if they do not have cyber insurance to help alleviate some of the cost.
For those of us using online transactions, here are 10 tips for preventing cybercrime:
1. Review your receipts.
2. Reset your passwords.
3. Review your bank statements.
4. Be vigilant and notify your bank of any unauthorized transactions.
5. Request a replacement card if you find unauthorized transactions.
6. Report illicit transactions within 60 days to avoid paying more than the $50 limited liability amount.
7. Monitor your transactions online if you used your card during a period when hackers were active.
8. Call the credit card issuer and report anything suspicious.
9. Contact one of the three major credit bureaus to establish a free fraud alert on your account if you see unauthorized transactions.
10. Order a free copy of your credit report annually from each of the three credit bureaus, review the reports carefully and report any discrepancies.
If you follow these tips, you will be less likely to become a victim of cybercrime.
Keep in mind that cybercrime is big business and growing every day. It is said that there are two groups: those of us who have been hacked and those of us who will be hacked. The alarming reality is that you may not be aware of cybercrime until it is too late.
Are you taking steps to protect yourself and your business from cybercrime?