Is CHIP & PIN Credit Card Security Worth $100M? (Are You Serious?)


I’ve had dozens of media requests for interviews and countless more email inquiries from people concerned about the Target data breach.  At first, everyone just wanted to know details of how it happened, how big the breach was, and what they should do about it if their credit cards were at risk.  Now that the initial shock of it is over, we are on to a bigger question:

How do we keep breaches from negatively affecting so many Americans?

Breaches will always happen. If it’s digital, it’s hackable. It’s coming to light that the Target breach may have been due to the computer access an HVAC WORKER (no, not an entire company, an individual WORKER) had to Target’s systems. While there is no guaranteed way of preventing fraud, there is a pretty reliable answer out there, and it’s been around for decades.  That answer is for the US to finally catch up to more than 80 countries around the world and start using chip and PIN enabled credit cards, also known as EMV, smart cards, or microchip cards.

By placing microchips in credit cards, it makes it much harder for criminals to clone the cards than the relatively easy-to-copy magnetic stripes.  A magnetic stripe holds the same static data every time it is swiped, so a copy of that data is as good as the card. A chip instead holds a secret key that cannot be read out of the card and uses it to generate a unique cryptogram for each transaction, so data captured during one purchase cannot be replayed for another. Chip cards also often require additional authentication, such as a personal identification number, or PIN. So in the case of the Target breach, the stolen data couldn’t be used to easily create duplicate credit cards, drastically reducing the value of the stolen data. The possibility for online abuse of the numbers (known as Card Not Present transactions) would remain a threat from the breach, but it would be a fraction of the problem (and solvable in other ways).
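To make the difference between a stripe and a chip concrete, here is an added example (not code from the original post, and not a real EMV implementation): a toy issuer and toy chip card in Python. Real EMV cards derive 3DES or AES session keys from a card master key and compute an ARQC over the transaction data; this example uses HMAC-SHA256 for the cryptogram, and the card numbers, amounts, terminal nonce and track data are all constructed for illustration. What it shows is that skimmed stripe data replays perfectly, while a captured chip transaction is rejected on replay (the card’s transaction counter, the ATC, has already been used) and cannot be forged for a new purchase without the key.

```python
import hashlib
import hmac
import os


class ToyIssuer:
    """Issuer host: holds each card's master key and the last counter it accepted."""

    def __init__(self):
        self.cards = {}  # PAN -> {"key": bytes, "last_atc": int}

    def issue(self, pan):
        key = os.urandom(16)  # shared secret personalised into the chip at issuance
        self.cards[pan] = {"key": key, "last_atc": 0}
        return key

    @staticmethod
    def cryptogram(key, pan, atc, amount_cents, unpredictable_number):
        # Stand-in for the EMV ARQC: a MAC over the transaction details and counter.
        msg = f"{pan}|{atc}|{amount_cents}|{unpredictable_number}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

    def authorize(self, pan, atc, amount_cents, unpredictable_number, arqc):
        card = self.cards.get(pan)
        if card is None:
            return False
        expected = self.cryptogram(card["key"], pan, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, arqc):
            return False  # wrong key, or transaction data altered in transit
        if atc <= card["last_atc"]:
            return False  # counter already used: this is a replay of a captured record
        card["last_atc"] = atc
        return True


class ToyChipCard:
    """The chip: its key never leaves it, only cryptograms do."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_arqc(self, amount_cents, unpredictable_number):
        self.atc += 1  # application transaction counter, incremented every use
        return self.atc, ToyIssuer.cryptogram(self._key, self.pan, self.atc,
                                              amount_cents, unpredictable_number)


def magstripe_replay_works():
    """Track data is static, so a skimmed copy is indistinguishable from the card."""
    track2 = "4111111111111111=2512101"  # constructed sample track-2 data
    skimmed = track2                     # copied by malware on the point-of-sale system
    return skimmed == track2             # the issuer would see identical bytes either way


def chip_scenarios():
    """Returns (genuine accepted, replay accepted, forged accepted)."""
    issuer = ToyIssuer()
    pan = "4111111111111111"              # constructed sample PAN
    card = ToyChipCard(pan, issuer.issue(pan))
    un = 0x1A2B3C4D                       # terminal's nonce for this purchase
    atc, arqc = card.generate_arqc(4999, un)
    genuine = issuer.authorize(pan, atc, 4999, un, arqc)
    replay = issuer.authorize(pan, atc, 4999, un, arqc)         # same captured record again
    forged = issuer.authorize(pan, atc + 1, 100, 0x5E6F, arqc)  # new purchase, no key
    return genuine, replay, forged
```

Note what the example does not fix: the PAN itself still appears in the chip data and in the issuer’s records, which is exactly why card-not-present abuse of stolen numbers remains a separate problem, as the paragraph above says.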

France has been using this technology since 1982, the UK since 2001, and Canada since 2007. In the first five years after the UK started using chip & PIN, fraud went down 70%.  In that same time period, the cost for fraud in the US had DOUBLED. It’s not that the technology is perfect, it’s that the increased security convinces criminals to target those who don’t use the technology (which to this point has only been, well, the United States). 

If there is such a great guarantee on fraud reduction by switching to chip and PIN cards, why is the US resisting it?  The answer:  MONEY.  Banks, credit card companies, and retailers have been caught in a battle of wills for many years now, with retailers not wanting to spend money on installing new chip-friendly card readers unless banks are committed to spending money on issuing new cards.

The cost of implementing the card system can be staggering. Target is expected to spend around $100 million to install new chip card readers in an effort to protect against cyber theft.

So is it worth $100 million to implement chip and PIN technology?

Without question. And even Target thinks so, or at least it did ten years ago when it was at the forefront of implementing chip & PIN technology.  From 2001-2004 they spent $40 million to adopt chip-based credit-card technology and installed 37,000 new point-of-sale terminals to handle chip cards across its U.S. stores.

Ultimately they backed out because their marketing strategy at the time just didn’t catch on with consumers and because it was taking “A FEW SECONDS” longer per customer to get through the line.  I don’t know about you, but I’d wait an extra two seconds in order to know my data is secure.  And I bet Target victims would take back the time it is taking them to change their credit card information with every online site or monthly automatic payment company their now-compromised card was used for.

To put the cost in perspective, $100 million is about $1.00 per Target breach customer. I bet the average credit card holder would be willing to foot the $1 bill to dramatically reduce their risk (even if it’s not a perfect solution). In fact, the cost of fraud gets passed on to customers anyway (higher credit card rates, higher retail prices), so why not spend that same money (or far less, in fact) on securing the transactions in the first place? 

  • A survey of 936 credit unions indicates the Target breach has cost credit unions an average of about $5.10 per card affected by the security lapse.  The Credit Union National Association said these costs most likely do not include any fraud losses, which are likely to occur later.
  • In 2012, the Ponemon Institute’s annual study showed the average cost of a data breach in the US is $188 per person notified.
  • For credit issuers, the average cost per record breached is set at $280.
  • Aite Group reports that card fraud in the U.S. already costs the card payment industry (primarily issuers) $8.6 billion a year.

 You tell me if it’s worth it! (Seriously, I want your thoughts and comments below)

How do we get there?

It seems crystal clear to me that fraudsters have gotten so sophisticated that we either need to join together (retailers, banks, and credit card companies) or we will fail to stop this trend of Mega-Breaches.  Pardon the pun, but clearly we have put the “target” on our own backs; criminals have increasingly focused on the US because we are so far behind.

James Dimon, CEO of J.P. Morgan Chase sees this as an opportunity for real change.  He said,  “All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade.”

I see 4 overarching steps that need to be taken:

  1. Retailers, credit card processors, banks, VISA, MasterCard and American Express need to stop focusing on their own self-interest (profit) and start to work together for the common good. Of course, they won’t do this without incentive, so…
  2. Congress should create a U.S. equivalent of the UK Cards Association that sets policy and has the authority to fine those stakeholders who fail to act.
  3. Legislation will also be needed to ensure that the “liability shift” dates projected for 2015 are met.  Under a liability shift, if card issuers have issued chip and PIN cards but a retailer has not installed terminals that can read them, the merchant rather than the issuer absorbs the losses from counterfeit-card fraud at that store.
  4. Everyone needs to understand that there will be costs associated with the change, just like there are costs when you install a security system, a lock on a door or a vault in a bank.

Will chip and PIN cost retailers? Yes. Will chip and PIN cost banks? Yes. Will it cost consumers? Yes. Will it cost (in total) as much as the fraud resulting from even a single major breach like Target? NO. It’s time to start thinking about security from a long-term perspective, and long-term profitability will follow.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.


Cyber Espionage's Latest Target? Your Baby Cam!


[youtube http://www.youtube.com/watch?v=QaGhGqcv2Jo&rel=0]

Just over a year ago I appeared on Fox Business and wrote a blog about a Texas couple who learned their child’s baby monitor had been hacked when the intruder started screaming obscenities through the device.  At the time the webcam system itself was found to have some glaring vulnerabilities, which were fixed by a firmware update, but I pointed out that the bottom line is that owners had not taken the necessary steps to secure their device and the onus was ultimately on them.

Now the news has broken about the latest in cyber espionage: a Russian website that is streaming footage from thousands of devices, including baby monitors, bedroom cameras, office surveillance systems and CCTV from gyms, in what the site claims are more than 250 countries, including feeds from 4,591 cameras in the United States.  Not only are they streaming the footage, but they are providing the coordinates of where the cameras are located!

Great Britain has taken the lead role in pressuring Russia to take down the site, though it will be working with the Federal Trade Commission in the US to try to force the site to close if the Russian authorities fail to cooperate.  Of course, neither the UK nor the US has jurisdiction in Russia, so it is simpler to warn people about the site than it is to try to take the site down.

Christopher Graham, the UK Information Commissioner minced no words when asked about the incident. “I will do what I can but don’t wait for me to have sorted this out.  The action is in your own hands if you have one of these pieces of kit.”

He went on to say, “We have got to grow up about this sort of thing.  These devices are very handy if you want to have remote access to make sure your child is OK, or the shop is alright, but everyone else can access that too unless you set a strong password. This isn’t just the boring old information commissioner saying ‘set a password’. This story is an illustration of what happens if you don’t do that. If you value your privacy, put in the basic security arrangements. It’s not difficult.”

Here is what Britain’s Information Commissioner’s office is advising:

1.  Change your password! These hackers are taking advantage of the fact that cameras ship with default passwords such as “1234” to get the device working, and those defaults are freely available online for thousands of camera models.  You often are not prompted to change the password, so you must do it yourself!

2.  Switch off the remote access to a webcam if you don’t need it.

3.  As a last resort, you can always cover the lens if you don’t want to use the camera all of the time.

4. See my previous blog for even more steps.  Do this right after you’ve CHANGED YOUR PASSWORD!

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.


Apple Pay Makes Mobile Payments Sexy; But Secure?


[youtube http://www.youtube.com/watch?v=aVqJBizL90Y&rel=0]

Is Apple Pay going to be secure?

Apple has us oohing and aahing about the iPhone 6, its big brother the 6 Plus and finally the Apple Watch. But the biggest announcement of all didn’t even have to do with gadgets. The most significant announcement was about a new service that will be built into those devices…

It is Apple Pay, Apple’s own version of a “mobile wallet” that will allow Apple users to pay for items with just a tap or wave of their device. That is, if those items happen to be in stores that have agreed to install the technology necessary to allow near-field communication (NFC; no, not the football conference, the short-range radio technology) to work. Of course, Apple has done the background work to ensure a lot of big names (MC, Visa, AMEX and retailers such as Target, Macy’s and McDonald’s to name a few) are already on board, which is a significant mark in their favor.  And with the EMV liability shift approaching, Apple may have just timed this perfectly.

I’ve always been a bit freaked about digital wallets because the Internet giants offering them (Google, Amazon) are the same companies that collect reams of personal data, from search behaviors to my product preferences, and I don’t want any one company having all of that.

Many companies have tried to get mobile payments off the ground in the past without much success. So why might Apple be different?

  1. Apple is a master at integrating hardware and software. This doesn’t just mean that their payment system will be more user friendly than previous offerings (which it will), it also means that Apple has more control over the security and the privacy of each transaction. For example…
  2. No cardholder data will be stored on the iPhone itself, OR on Apple’s servers. This is a significant divergence from previous offerings (Google Wallet) and is an extremely smart play on Apple’s part. Why? Because…
  3. Apple has basically chosen to stay out of the information collection business to focus on  what they do best, which is produce innovative digital devices and the corresponding behind-the-scenes software that make their devices so practical and useful. Consequently, they will continue to be a more trusted brand than their direct competitors. Unlike Microsoft, Facebook, and Google, Apple doesn’t appear to want to become a data-mining company. Apple executives have stated that they have no desire to collect or share user data. This could change when Apple realizes the profit they are passing up for the sake of privacy, but  in the meantime…
  4. The same companies that have always collected your purchasing data (Visa, MC, Amex and the retailers you buy from) will be responsible for the same sensitive cardholder information they’ve always had access to, and Apple will simply be passing the transaction through, using a unique series of numbers that will reveal nothing of value should the phone be hacked.
  5. Finally, like it or not, Apple will make mobile payments sexy (did I just say that? I think maybe I’ve drunk too much of the Apple Kool-Aid). That sounds shallow, but their similar efforts (iTunes + iPods, iPhone + App Store) revolutionized the music and smartphone industries. Apple has a knack for getting consumers to warm up to ideas that have been tried before but never really took off (think music players, smartphones and tablets), and that is exactly what every previous mobile wallet has lacked.
  6. Instead of a credit card that reveals all of its secrets on a magnetic stripe (no security there), Apple Pay stores a device-specific account number in the phone’s secure element, generates a one-time cryptogram for each tap, and requires a fingerprint scan (which never leaves the device) in order to make a charge. In other words, it builds on the same chip-based EMV approach that the card networks are pushing US retailers toward with the liability shift scheduled for October 2015. Apple’s timing is impeccable; let’s just hope the technology is up to the task.
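Points 2, 4 and 6 above describe payment tokenization: the phone and the merchant only ever handle a substitute number, and the real card number lives at the network. The following is an added example written for this page, not Apple’s code and not a description of how Apple’s or the networks’ systems are built internally. It models a network-side token vault in Python with constructed device IDs, card numbers and tokens, and leaves out the per-transaction cryptogram covered separately on this site. The point it demonstrates is domain restriction: a token provisioned to one device for contactless use resolves to the real PAN only when presented from that device over that channel, so a token leaked from a breached merchant is useless on another phone or in an online checkout.

```python
import secrets


class TokenVault:
    """Network-side vault: token -> (PAN, device, channel). The PAN never leaves here."""

    def __init__(self):
        self._records = {}

    def provision(self, pan, device_id, channel="contactless"):
        # Constructed token format: a 16-digit number that looks like a PAN to
        # merchants but is bound to one device and one channel.
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        self._records[token] = {"pan": pan, "device": device_id, "channel": channel}
        return token

    def detokenize(self, token, device_id, channel):
        rec = self._records.get(token)
        if rec is None or rec["device"] != device_id or rec["channel"] != channel:
            return None  # unknown token, or a token used outside its provisioned domain
        return rec["pan"]


class Phone:
    """The wallet keeps only the token; the real card number is discarded after enrolment."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.token = None

    def add_card(self, vault, pan):
        self.token = vault.provision(pan, self.device_id)  # PAN sent once, then forgotten

    def pay(self):
        # What the merchant's terminal actually receives.
        return {"token": self.token, "device": self.device_id, "channel": "contactless"}


def scenarios():
    """Returns (PAN visible to merchant, genuine result, cloned-device result, online result)."""
    vault = TokenVault()
    phone = Phone("phone-A")
    pan = "4111111111111111"  # constructed sample PAN
    phone.add_card(vault, pan)
    payload = phone.pay()
    leaks_pan = pan in payload.values()
    genuine = vault.detokenize(payload["token"], "phone-A", "contactless")
    # A breached merchant leaks the payload; the attacker tries it elsewhere.
    other_device = vault.detokenize(payload["token"], "phone-X", "contactless")
    online = vault.detokenize(payload["token"], "phone-A", "ecommerce")
    return leaks_pan, genuine, other_device, online
```

The contrast with the magnetic stripe is that a stolen stripe record is the credential, whereas here the stolen record is a reference that only the network can resolve, and only under the conditions it was issued for.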

I’m not in any way saying that Apple doesn’t face huge challenges in terms of security, privacy and adoption of Apple Pay. Of course they do. I’m simply saying that they have the best shot yet at bringing together the hardware, software, industry connections and marketing chops to finally make mobile secure payments, well… pay.

John Sileo is an award-winning author and keynote speaker who specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes frequent media appearances on shows like 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.


Inheritance Scam: Detection Questions You Should Ask!


The so-called “Inheritance Scam” is resurfacing in Colorado, but it has a new look.

No longer do you simply receive an email claiming to be from the representative of a long-lost relative. The new format involves what security experts call the “Accomplice Ploy,” in which the thieves try to engage you through a long series of messages or calls that address you as if they already know who you are.

We have developed five questions you should ask about any email or phone call you suspect might be a scam. They are called the 5 indicators of the inheritance scam:

Sileo’s Scam-Detection Questions

1. Were you expecting a windfall?

2. Is it too good to be true?

3. Are you being rushed/threatened?

4. Do they ask for secrecy?

5. Do they request more information?

If you can answer yes to any of these, put up your guard!  Because so many Americans are facing financial problems, an inheritance scam holds a special appeal. When first introduced, the scammers behind the emails were earning more than a million dollars a month.  Don’t let them get any of yours!

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.


Sileo on Fox: Google + DeepMind Artificial Intelligence


[youtube http://www.youtube.com/watch?v=UHe8b7o0dwc&rel=0]

Google is purchasing the artificial intelligence company DeepMind, which will give it the ability to potentially know more about your surfing habits, friendships, travel patterns and private information than even you know. Fox’s Melissa Francis interviews online privacy expert John Sileo and tech analyst Rob Enderle to learn more.

John Sileo speaks around the world about online privacy.


Identity Theft Expert John Sileo on The Rachael Ray Show


We wanted to share some good news! John will be appearing on CBS’s The Rachael Ray Show this Wednesday, January 29 to talk about the latest identity theft trends and threats. Watch a trailer of the show or find out when and where it airs in your area.

Rachael asked John to go into one of their audience members homes and pick it apart from a privacy standpoint. John took a look at everything, from items hidden under the mattress to filing cabinets, trash cans, computers, mobile devices and more. If you want to learn how to bulletproof your home and self against identity theft, tune in tomorrow morning to The Rachael Ray Show (CBS).

John Sileo is an author and keynote speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.


Data Breach Expert John Sileo on Fox & Friends – Target Data Breach


Data Breach Expert John Sileo goes on Fox & Friends to discuss the 110 million records breached at Target.

Target Data Breach Touches 40 Million In-Store Shoppers


If you are one of the 40 million customers who used a credit or debit card at Target stores in the United States between November 27 and December 15, you’d better start checking your accounts for fraudulent activity.  Target confirmed that the data stored on the magnetic stripe of cards (customer names, debit or credit card numbers, and card expiration dates) were taken, along with the card verification value encoded on the stripe. Note that this is a different code from the three digits printed on the back of the card, which are never stored on the stripe.

The type of data stolen would allow thieves to create counterfeit credit cards and, if PINs were intercepted, would also allow thieves to withdraw cash from ATMs.  Only in-store purchases are at risk, so online shoppers need not worry.

Target spokeswoman Molly Snyder would not comment on how customers’ data were stored or encrypted prior to the attack, saying that would be part of the ongoing investigation.  Target immediately notified law enforcement authorities and financial institutions, and the issue is being investigated by the Secret Service and a third-party forensics firm.

This breach is one of the largest ever of American consumer data, nearly matching that of TJX (TJ Maxx and Marshalls stores), which experienced a data breach in 2007 that affected more than 45 million customers.  2013 has been a particularly bad year for breaches. One in four Americans have been told that some personally identifiable information has been lost or compromised because of data breaches, according to a recent report from Experian, and the pace of attacks is expected to continue rising through 2014.

In a letter sent to Target customers, Target officials say those who have noticed irregular activity on their accounts should call the firm at 866-852-8680.  In addition, all Target shoppers should:

  1. Review your credit card activity online on a daily basis to monitor for suspicious activity.
  2. Set up automatic account alerts with your credit card provider to quickly detect any misuse of your cards.
  3. Visit AnnualCreditReport.com to see if there are any newly established, fraudulent accounts set up in your name.
  4. Cancel your credit card if you notice any suspicious behavior. If it’s a debit card, I would cancel it no matter what, given that it connects directly to your bank account. Make sure to transfer balances and miles and to switch any auto-pay accounts to the new card.
  5. Freeze your credit with the three credit bureaus (Equifax, Experian and TransUnion).
  6. Consider ID theft monitoring services to help you keep track of abusive use of your information online.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to defend the data that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Welcome to the Surveillance Economy!


It seems I’ve spent a lot of time lately writing about the Surveillance Economy.  This may be a strange expression to some, so I’ll define it as the use and exploitation of our location information derived from traffic surveillance cameras, new technologies like Google Glass and cell phone GPS tracking, among others.  Recent topics we’ve covered include the NSA PRISM scandal, hacking Google Glass, Homeland Security’s seizures of electronic devices when crossing borders, and even drone use.  Some of those may seem to be out there in a world that doesn’t affect us directly, but here’s one that hits very close to home for anyone who owns a vehicle.

The American Civil Liberties Union released a report in July of 2013 entitled You Are Being Tracked that outlines the use of automatic license plate readers.  These devices, which can be mounted on police cars or on objects like road signs or overpasses, use small, high-speed cameras to photograph thousands of plates per minute.  They effectively collect and store information about not only vehicles of potential or known criminals, but everybody who drives a car!

The study shows that the number of license tag captures has reached the millions and that police departments can keep the records for several years or even indefinitely.  Unlike using GPS to track a car (for which a judge’s approval is needed according to a 2012 Supreme Court ruling), there are very few regulations in place governing license plate readers.  In fact, only five states have such laws.  The ACLU’s report includes a map showing how police in each state use license plate readers to track people’s movements.

Proponents assert that gathering such information aids in criminal investigations and is crucial sometimes in going back to solve a crime because the data can be used to place criminals at the scene.   It is also extremely efficient because officers can “maintain a normal patrol stance” while capturing up to 7,000 license plate images in a single eight-hour shift.  Harvey Eisenberg, assistant U.S. attorney in Maryland, said, “At a time of fiscal and budget constraints, we need better assistance for law enforcement.”

The program in Maryland read approximately 29 million plates in a five month period last year  and 1 in 500 of those were suspicious. Many of these were wanted for petty crimes such as having a suspended or revoked registration, or for violating the state’s emissions inspection program, but advocates stress the information could be used for aiding drug busts, finding abducted children and more.  It would even enable the IRS to verify tax deductible mileage claims against license plate scans.

The ACLU, however, argues that this “collect it all” approach that law enforcement seems to have has made it easier to create a “single, high-resolution image of our lives, whether we are guilty or not.”  When you combine license plate surveillance with phone records, Google searches, drone images, street cameras, etc., is there really any way we can protect our privacy as innocent citizens?

The ACLU is calling for adoption of legislation and law enforcement policies that adhere to these principles:

  • License plate readers may be used by law enforcement agencies only to investigate hits and in other circumstances in which law enforcement agents reasonably believe that the plate data are relevant to an ongoing criminal investigation.
  • The government must not store data about innocent people for any lengthy period. Unless plate data has been flagged, retention periods should be measured in days or weeks, not months and certainly not years.
  • People should be able to find out if plate data of vehicles registered to them are contained in a law enforcement agency’s database.
  • Law enforcement agencies should not share license plate reader data with third parties that do not follow proper retention and access principles. They should also be transparent regarding with whom they share license plate reader data.
  • Any entity that uses license plate readers should be required to report its usage publicly on at least an annual basis.

History shows us that the mass collection of detailed citizen information (even if the purpose isn’t known at the time of the collection) generally ends up being used unethically by those in power. I was reminded of that recently when I visited the Dachau Concentration Camp. Those in power at the time surveillance begins aren’t necessarily those who will abuse it in the future. Consider yourself, as a voter, forewarned and forearmed. I’d let your Congressperson know your thoughts.

John Sileo is a keynote speaker and CEO of The Sileo Group, a privacy think tank that trains organizations to harness the power of their digital footprint. Sileo’s clients include the Pentagon, Visa, Homeland Security and businesses looking to protect the information that makes them profitable.