Is Home Depot Data Breach an Example of the “New Normal”?

Home Depot Data Breach Exposes Our Growing Complacency

When Target suffered a data breach back in December of 2013, you couldn’t look at a news source without seeing a new story about it.  Yet when the Home Depot data breach was revealed recently, it received almost a ho-hum reception in the news.  This, even though it was the biggest data breach in retailing history and has compromised 56 million of its customers’ credit cards!  It seems we have come to expect these data breaches to the point where we have become almost complacent.

Consumers, like the companies that breach our data, have become apocalyptic zombies, staring unquestioningly forward as we are attacked from all sides.

Even scarier is that it appears the retailer itself had become complacent. Former members of Home Depot’s cyber security team said the company was slow to respond to early threats and only belatedly took action.  It used outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers. These are security oversights that most companies eliminated 5 years ago!

Another issue is that Home Depot performed vulnerability scans irregularly and often scanned only a small number of stores.  The former employees say that more than a dozen systems handling customer information were not assessed.  Home Depot has defended its actions saying that they have complied with industry standards since 2009 and those standards included an exception from scanning store systems that are separated from larger corporate networks.

This brings up a great point: Compliance with laws doesn’t equate to security for customers. And customers leave because of a security breach – they couldn’t care less about compliance mumbo jumbo.

Yet another smudge on their record is they hired a security engineer, Ricky Joe Mitchell, who had been fired from his previous job.  In April, he was sentenced to four months in prison for disabling the computers for a month at that former employer.

After the Target breach, Home Depot brought experts in from Voltage Security, a data security company that introduced enhanced encryption that scrambled payment information the moment a card was swiped in some of its stores.  However, by that time it was too late; hackers had been stealing millions of customers’ card information and had gone unnoticed for months. The rollout of the company’s new encryption was not completed until last week.

Home Depot has just become a perfect case study of all of the ways that a corporation can fail to protect itself from breach. They make Target look like rocket scientists. In the meantime, those of us who are customers continue to pay the price for their ignorance and inability to take responsibility for their data.

John Sileo is an award-winning author and keynote speaker on cyber security and data breach. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Anti-SPAM Software

I mentioned anti-SPAM software on a 9News piece regarding email scams and ways to avoid them. The anti-SPAM software that I use (and get paid nothing to mention) is called SpamSieve for Apple devices. In the future, I will review anti-SPAM software more comprehensively.

Target Data Breach Touches 40 Million In-Store Shoppers

If you are one of the 40 million customers who have used a credit or debit card at Target stores in the United States between November 27 and December 15, you’d better start checking your accounts for fraudulent activity.  Target confirmed that the data stored on the magnetic strip of cards (customer names, debit or credit card numbers, and card expiration dates) were taken, along with the three-digit security codes  (CVVs) often imprinted on the backs of cards.

The type of data stolen would allow thieves to create counterfeit credit cards and, if PIN numbers were intercepted, would also allow thieves to withdraw cash from ATM machines.  Only in-store purchases are at risk, so online shoppers need not worry.

Target spokeswoman Molly Snyder would not comment on how customers’ data were stored or encrypted prior to the attack, saying that would be part of the ongoing investigation.  Target immediately notified law enforcement authorities and financial institutions, and the issue is being investigated by the Secret Service and a third-party forensics firm.

This breach is one of the largest ever of American consumer data, nearly matching that of TJX (TJ Maxx and Marshalls stores), which experienced a data breach in 2007 that affected more than 45 million customers.  2013 has been a particularly bad year for breaches overall.  One in four Americans has been told that some personally identifiable information has been lost or compromised because of data breaches, according to a recent report from Experian, and the pace of attacks is expected to continue rising through 2014.

In a letter sent to Target customers, Target officials say those who have noticed irregular activity on their accounts should call the firm at 866-852-8680.  In addition, all Target shoppers should:

  1. Review your credit card activity online on a daily basis to monitor for suspicious activity.
  2. Set up automatic account alerts with your credit card provider to quickly detect any misuse of cards.
  3. Visit AnnualCreditReport.com to see if there are any newly established, fraudulent accounts set up.
  4. Cancel your credit card if you notice any suspicious behavior. If it’s a debit card, I would cancel it no matter what given that it connects directly to your bank account. Make sure to transfer balances, miles and to switch any auto-pay accounts to the new card.
  5. Freeze your credit with the 3 credit scoring bureaus.
  6. Consider ID Theft monitoring services to help you keep track of abusive behavior of your information online.


10 Times NOT To Use Your Debit Cards this Holiday Season!

As you head into the holiday season, one of the best steps you can take to protect your bank account is to eliminate the use of your debit card. While delivering a keynote speech in Washington DC last week, someone asked me if I could name ten times when you should NOT use a debit card.  I replied, “It’s a trick question because the answer is NEVER!” I seriously do feel that way, but I know there are people who either need to or prefer to use a debit card rather than a credit card or cash, so I want you to be informed about how to use it wisely.

First, make sure you understand the difference between a credit and debit card.  While they appear identical and can often be used interchangeably, remember that a debit card is a direct line to your bank account.  If a thief gets ahold of your debit card information, they essentially have access to your account.  One of the biggest differences comes to light when fraud occurs.  Credit card users can simply decline the charges and not pay the bill.  Debit card fraud comes straight out of your bank account, and it is much harder to fight the charges or reclaim the money that has been debited. In the meantime, while you prove it was fraud, you’re out the cash.

Here is a Top Ten List of times to choose credit over debit.

10. Booking future travel

If you book your travel with a debit card, they debit your account immediately. So if you’re buying travel or making a reservation that you won’t use for several months, you’ll be out the money immediately.  Also consider that many large hotels have suffered data breaches.

9. Hotels

Many hotels follow the practice of using your debit card to place a hold on your money (sometimes hundreds of dollars) to make sure you don’t run up a long distance bill, empty the mini bar or trash the room. The practice is almost unnoticeable if you’re using credit, but can be problematic if you’re using a debit card and have just enough in the account to cover what you need.  Be sure to ask about their “holding” policy if you are using a debit card.

8. Expensive purchases

This one is simple.  If something goes wrong with the merchandise or the purchase, a credit card lets you dispute and stop payments much more easily than a debit card. With a debit card, you have a much shorter window for reporting and resolving an issue and may even be responsible for all charges if you wait too long.

7. Rental or security deposits

Say you want to rent a car or borrow a Bobcat from your local home improvement store.  Remember that when you use a debit card to put down a deposit, that money is temporarily unavailable to you.  Of course, you’ll get the money back when you return the car or equipment, so this is no big deal if you have the money to spare until that time. But with a credit card, the money is just “frozen” and not actually charged so you won’t ever notice it’s gone.

6. Regular/recurring payments

You’ve heard about someone who quit a gym or discontinued a magazine subscription only to find that they kept getting billed. If you used a debit card for those payments, they’ll just keep coming right out of your bank account.  (Using a credit card is also a good way to ensure you don’t forget to make that monthly debit in your check register!)

5. Wi-Fi hot spots

Never use your debit card for an online purchase while at a coffee shop or other business that offers free wi-fi access.  Many of those businesses have unsecured wireless connections, so it’s much easier for hackers and scammers to log on and steal your data.

4. Restaurants

Anytime the card leaves your sight, you should NOT use your debit card. The waiter coming to your table has alone time with your card, giving them the opportunity to copy your card information.

This also applies to ordering food for delivery.  Restaurants that deliver tend to keep customer payment information on file in order to make future orders more convenient.

Another problem with using a debit card at restaurants is that some establishments will approve the card for more than your purchase amount because, presumably, you intend to leave a tip. So the amount of money frozen for the transaction could be quite a bit more than the amount of your tab. And it could be a few days before you get the cash back in your account.

3. Outdoor ATMs

Outdoor ATM machines provide the perfect opportunity for thieves to skim users’ debit cards.  Skimming is the practice of capturing a bank customer’s card information by running it through a machine that reads the card’s magnetic strip. Criminals place these machines over the real card slots at ATMs and other card terminals.  If the public has access to it, so do data criminals.  Use the ATM just inside the bank where it is under constant surveillance. And no matter what, look for devices or cameras on the ATM machine that aren’t normally there.

2. Gas stations

Every gas pump asks, “Credit or Debit?” these days.  Don’t choose the debit option!  Go inside and pay cash if you choose not to use your credit card!  There are three reasons.  One, it’s fairly easy for a thief to insert a skimmer and then sit nearby with a laptop accessing your information.  Even if the thief doesn’t manage to get your debit card personal identification number, or PIN, from such a device, he still may be able to duplicate the card’s magnetic strip and use it for “sign and swipe” Visa or MasterCard transactions.

Thieves can also sit nearby using small cameras to capture footage of debit card users entering their PINs. Finally, similar to the hotel example above, your debit card may be used to place a hold for an amount larger than your actual purchase.   So, even though you only bought $10 in gas, you could have a temporary bank hold for $50 to $100, says Susan Tiffany, director of consumer periodicals for the Credit Union National Association.

1. Online

Using your debit card online is like asking for your bank account to be emptied. There is just way too much potential for hacking at many different points in a transaction.  It could occur due to malware on the computer, someone could be “eavesdropping” via a wireless network, or it could happen once in the hands of the merchant due to a data breach.  If you have a problem with the purchase or your debit card number is stolen, it’s a huge hassle to get the money restored to your account and make your card number safe and secure again.

Keep it simple and just always use a credit card. I realize that it is easier to spend more money when it’s not coming directly out of your account, but the added security is worth resisting the temptation to spend.


Elder Fraud Expert Answers: How do I prevent & resolve it?

The past two blogs have outlined why seniors are targeted, what signs to watch for, and some common schemes.  Now for the truly important info: How to prevent elder fraud from happening and what to do if it does happen!

  • Report actual or attempted elder fraud (or any type of fraud) via Fraud.org’s Online Complaint Form.
  • Change the phone number if a senior is receiving excessive sales calls.
  • Change the bank account or credit card numbers if they have fallen into the hands of thieves.
  • Avoid getting on sucker lists. Don’t fill out contest entry forms at fairs or malls—they are a common source of “leads” for con artists. Ask companies you do business with not to share your personal information with other marketers.
  • Know your “Do-Not-Call” rights. Under federal law, you can tell a telemarketer not to call you again and you can file a complaint on the Do Not Call website.
  • Make sure you know the company you are dealing with. If it’s an unfamiliar company or charity, check it out with your state or local consumer protection agency and the Better Business Bureau.
  • Screen your calls. Use an answering machine, Caller ID, or other services that may be available from your phone company to help you determine who you want to talk to and who you want to avoid.
  • Never sign blank insurance claim forms.
  • Never give blanket authorization to a medical provider to bill for services rendered.
  • Ask your medical providers what they will charge and what you will be expected to pay out-of-pocket.  Get it in writing.
  • Carefully review your insurer’s explanation of the benefits statement. Get an annual “Benefits Request Checkup” from your insurance provider to see a list of all benefits and services paid in your name.  Call your insurer and provider if you have questions.
  • Do not do business with door-to-door or telephone salespeople who tell you that services or medical equipment are free.
  • Give your insurance/Medicare identification only to those who have provided you with medical services.
  • Keep accurate records of all health care appointments.
  • Use caution when purchasing drugs on the Internet. Do not purchase medications from unlicensed online distributors or those who sell medications without a prescription. Reputable online pharmacies will have a seal of approval called the Verified Internet Pharmacy Practice Site (VIPPS), provided by the Association of Boards of Pharmacy in the United States.
  • Always ask for and wait until you receive written material about any offer or charity. If you get brochures about costly investments, ask someone whose financial advice you trust to review them.  Remember, even a classy brochure can be a hoax!
  • Always take your time making a decision. Legitimate companies won’t pressure you to make a snap decision.
  • Don’t pay for a “free prize.” If a caller tells you the payment is for taxes or shipping fees, he or she is violating federal law.
  • Never send money or give out personal information such as credit card numbers and expiration dates, bank account numbers, dates of birth, or social security numbers to unfamiliar companies or unknown persons.
  • Get a second opinion!  When filling out important forms or making a big financial decision, ask someone you trust to look it over and talk it over before giving away any personal information.
  • Get help when using the internet, especially concerning financial transactions.  NEVER give out personal information such as SS numbers or credit card information. Remember that older grandkids make great resources when it comes to using the Internet because they are true digital natives.

Remember, you’ve worked hard to reach a point where you can enjoy your golden years.  Don’t let someone else enjoy the fruits of your labor.  Be vigilant and be protected!
