Tag Archive for: Reputation & Trust

Is CHIP & PIN Credit Card Security Worth $100M? (Are You Serious?)

I’ve had dozens of media requests for interviews and countless more email inquiries from people concerned about the Target data breach.  At first, everyone just wanted to know details of how it happened, how big the breach was, and what they should do about it if their credit cards were at risk.  Now that the initial shock of it is over, we are on to a bigger question:

How do we keep breach from negatively affecting so many Americans? 

Breach will always happen. If it’s digital, it’s hackable. It’s coming to light that the Target breach may have been due to the computer access an HVAC WORKER (no, not an entire company, an individual WORKER) had to Target’s systems. While there is no guaranteed way of preventing fraud, there is a pretty reliable answer out there, and it’s been around for decades.  That answer is for the US to finally catch up to more than 80 countries around the world and start using chip and PIN enabled credit cards, also known as EMV, smart cards, or microchip cards.

By placing microchips in credit cards, it makes it much harder for criminals to clone the cards than the relatively easy-to-crack magnetic stripes.  Chip cards take the cardholder information and turn it into a unique code for each transaction. They also often require additional authentication, such a personal identification number, or PIN. So in the case of the Target breach, the stolen data couldn’t be used to easily create duplicate credit cards, drastically reducing the value of the stolen data. The possibility for online abuse of the numbers (known as Card Not Present transactions) would remain a threat from the breach, but it would be a fraction of the problem (and solvable in other ways).

France has been using this technology since 1982, the UK since 2001, and Canada since 2007. In the first five years after the UK started using chip & PIN, fraud went down 70%.  In that same time period, the cost for fraud in the US had DOUBLED. It’s not that the technology is perfect, it’s that the increased security convinces criminals to target those who don’t use the technology (which to this point has only been, well, the United States). 

If there is such a great guarantee on fraud reduction by switching to chip and PIN cards, why is the US resisting it?  The answer:  MONEY.  Banks, credit card companies, and retailers have been caught in a battle of wills for many years now, with retailers not wanting to spend money on installing new chip-friendly card readers unless banks are committed to spending money on issuing new cards.

The cost of implementing the card system can be staggering. Target is expected to spend around $100 million to install new chip card readers in an effort to protect against cyber theft.

So is it worth $100 million to implement chip and PIN technology?

Without question. And even Target thinks so, or at least it did ten years ago when it was at the forefront of implementing chip & PIN technology.  From 2001-2004 they spent $40 million to adopt chip-based credit-card technology and installed 37,000 new point-of-sale terminals to handle chip cards across its U.S. stores.

Ultimately they backed out because their marketing strategy at the time just didn’t catch on with consumers and because it was taking “A FEW SECONDS” longer per customer to get through the line.  I don’t know about you, but I’d wait an extra two seconds in order to know my data is secure.  And I bet Target victims would take back the time it is taking them to change their credit card information with every online site or monthly automatic payment company their now-compromised card was used for.

To put the cost in perspective, $100 million is about $1.00 per Target breach customer. I bet the average credit card holder would be willing to foot the $1 bill to dramatically reduce their risk (even if it’s not a perfect solution). In fact, the cost of fraud gets passed on to customers anyway (higher credit card rates, higher retail prices), so why not spend that same money (or far less, in fact) on securing the transactions in the first place? 

  • A survey of 936 credit unions indicates the Target breach has cost credit unions an average of about $5.10 per card affected by the security lapse.  The Credit Union National Association said these costs most likely do not include any fraud losses, which are likely to occur later.
  • In 2012, the Ponemon Institute’s annual study showed the average cost of a data breach in the US is $188 per person notified.
  • For credit issuers, the average cost per record breached is set at $280.
  • Aite Group reports that card fraud in the U.S. already costs the card payment industry (primarily issuers) $8.6 billion a year.

 You tell me if it’s worth it! (Seriously, I want your thoughts and comments below)

How do we get there?

It seems crystal clear to me that fraudsters have gotten so sophisticated that we either need to join together (retailers, banks, and credit card companies) or we will fail to stop this trend of Mega-Breaches.  Pardon the pun, but clearly we have put the “target” on our own backs; criminals have increasingly focused on the US because we are so far behind.

James Dimon, CEO of J.P. Morgan Chase sees this as an opportunity for real change.  He said,  “All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade.”

I see 4 overarching steps that need to be taken:

  1. Retailers, credit card processors, banks, VISA, MasterCard and American Express need to stop focusing on their own self-interest (profit) and start to work together for the common good. Of course, they won’t do this without incentive, so…
  2. Congress should create  a U.S. equivalent of the U.K. Card Association that sets policy and has the authority to fine those stakeholders who fail to act.
  3. In other words, we will need legislation to ensure that the “liability shift” dates projected for 2015 are met.  This means that if credit card companies have issued chip and PIN cards, but retailers have not installed machines to read them, the merchants would be held accountable for any losses due to fraud.
  4. Everyone needs to understand that there will be costs associated with the change, just like there are costs when you install a security system, a lock on a door or a vault in a bank.

Will chip and PIN cost retailers? Yes. Will chip and PIN cost banks? Yes. Will it cost consumers? Yes. Will it cost (in total) as much as the fraud resulting from even a single major breach like Target. NO. It’s time to start thinking about security from a long-term perspective, and long-term profitability will follow.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

10 Times NOT To Use Your Debit Cards this Holiday Season!

As you head into the holiday season, one of the best steps you can take to protect your bank account is to eliminate the use of your debit card. While delivering a keynote speech in Washington DC last week, someone asked me if I could name ten times when you should NOT use a debit card.  I replied, “It’s a trick question because the answer is NEVER!” I seriously do feel that way, but I know there are people who either need to or prefer to use a debit card rather than a credit card or cash, so I want you to be informed about how to use it wisely.

First, make sure you understand the difference between a credit and debit card.  While they appear identical and can often be used interchangeably, remember that a debit card is a direct line to your bank account.  If a thief gets ahold of your debit card information, they essentially have access to your account.  One of the biggest differences comes to light when fraud occurs.  Credit card users can simply decline the charges and not pay the bill.  Debit card fraud comes straight out of your bank account and is much harder to fight or reclaim the money that as been debited. In the meantime, while you prove it was fraud, you’re out the cash.

Here is a Top Ten List of times to choose credit over debit.

10. Booking future travel

If you book your travel with a debit card, they debit your account immediately,. So if you’re buying travel or making a reservation that you won’t use for several months, you’ll be out the money immediately.  Also consider that many large hotels have suffered data breaches.

9. Hotels

Many hotels follow the practice of using your debit card to place a hold on your money (sometimes hundreds of dollars) to make sure you don’t run up a long distance bill, empty the mini bar or trash the room. The practice is almost unnoticeable if you’re using credit, but can be problematic if you’re using a debit card and have just enough in the account to cover what you need.  Be sure to ask about their “holding” policy if you are using a debit card.

8. Expensive purchases

This one is simple.  If something goes wrong with the merchandise or the purchase, a credit card offers rights to dispute and stop payments much easier than a debit card. You have a much shorter window for reporting and resolving an issue and may even be responsible for all charges if you wait too long.

7. Rental or security deposits.

Say you want to rent a car or borrow a Bobcat from your local home improvement store.  Remember that when you use a debit card to put down a deposit, that money is temporarily unavailable to you.  Of course, you’ll get the money back when you return the car or equipment, so this is no big deal if you have the money to spare until that time. But with a credit card, the money is just “frozen” and not actually charged so you won’t ever notice it’s gone.

6. Regular/recurring payments

You’ve heard about someone who quit a gym or discontinued a magazine subscription only to find that they kept getting billed. If you used a debit card for those payments, they’ll just keep coming right out of your bank account.  (Using a credit card is also a good way to ensure you don’t forget to make that monthly debit in your check register!)

5. Wi-Fi hot spots

Never use your debit card for an online purchase while at a coffee shop or other business that offers free wi-fi access.  Many of those businesses have unsecured wireless connections, so it’s much easier for hackers and scammers to log on and steal your data.

4. Restaurants

Anytime the card leaves your sight, you should NOT use your debit card. The waiter coming to your table has alone time with your card, giving them the opportunity to copy your card information.

This also applies to ordering food for delivery.  Restaurants that deliver tend to keep customer payment information on file in order to make future orders more convenient.

Another problem with using a debit card at restaurants is that some establishments will approve the card for more than your purchase amount because, presumably, you intend to leave a tip. So the amount of money frozen for the transaction could be quite a bit more than the amount of your tab. And it could be a few days before you get the cash back in your account.

3. Outdoor ATMs

Outdoor ATM machines provide the perfect opportunity for thieves to skim users’ debit cards.  Skimming is the practice of capturing a bank customer’s card information by running it through a machine that reads the card’s magnetic strip. Criminals place these machines over the real card slots at ATMs and other card terminals.  If the public has access to it, so do data criminals.  Use the ATM just inside the bank where it is under constant surveillance. And no matter what, look for devices or cameras on the ATM machine that aren’t normally there.

2. Gas stations

Every gas pump asks, “Credit or Debit?” these days.  Don’t choose the debit option!  Go inside and pay cash if you choose not to use your credit card!  There are three reasons.  One, it’s fairly easy for a thief to insert a skimmer and then sit nearby with a laptop accessing your information.  Even if the thief doesn’t manage to get your debit card personal identification number, or PIN, from such a device, he still may be able to duplicate the card’s magnetic strip and use it for “sign and swipe” Visa or MasterCard transactions.

Thieves can also sit nearby using small cameras to capture footage of debit card users entering their PINs. Finally, similar to the hotel example above, your debit card may be used to place a hold for an amount larger than your actual purchase.   So, even though you only bought $10 in gas, you could have a temporary bank hold for $50 to $100, says Susan Tiffany, director of consumer periodicals for the Credit Union National Association.

1. Online

Using you debit card online is like asking for your bank account to be emptied. There is just way too much potential for hacking at many different points in a transaction.  It could occur due to malware on the computer, someone could be “eavesdropping” via a wireless network, or it could happen once in the hands of the merchant due to a data breach.  If you have a problem with the purchase or your debit card number is stolen, it’s a huge hassle to get the money restored to your account and make your card number safe and secure again.

Keep it simple and just always use a credit card. I realize that it is easier to spend more money when it’s not coming directly out of your account, but it’s better to resist the temptation to spend for the added security provided. 

John Sileo is an author and highly engaging keynote speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

3 Exposure Lessons Learned Via Anthony Weiner

Just for a minute, put yourself in the shoes of Anthony Weiner. You’ve done something exceptionally stupid, whether it’s sending sexually explicit photos of yourself to strangers you don’t even know, or another unrelated mistake. To compound the stupidity, you involve social networking – you Facebook or tweet or YouTube the act – or even simply email details of what you’ve done.

Everyone of us makes impulsively bad decisions (probably not as bad as Weiner, but bad nonetheless). Prior to the internet, you at least had a chance to recover from your past transgressions, as there wasn’t a readily accessible public record of the act unless you happened to be caught on tape (think Nixon, Rodney King, etc.). But now that pretty much every human carries either a camera or video recorder with them at all times (mobile phones), can communicate instantly with a massive audience (Facebook, Twitter, SMS, blogs), and have access to more information than exists in the Library of Congress just by pulling up Google, the equation of how you control sensitive information about yourself has changed radically. Every stranger (and even friend) is like a full service news station with video, distribution and commentary, just waiting to report on your missteps.

Here are three lessons the rest of us can take from the Anthony Weiner affair:

  1. Fame raises the bar. Celebrity, for all of it’s glory, puts a spotlight on your conduct. When you get paid for attracting attention, you are bound to attract unwanted attention. Unless your brand consciously involves a rebel persona (Paris Hilton, Lindsey Lohan, Dennis Rodman – in other words, the more trouble you get in, the more money you make), you will be held to a higher standard than those of us who fly under the radar. Fame has its faults. Remember when Gary Hart challenged the press to prove he wasn’t a standup guy? Now everyone who has even the most basic tech tools is an instant paparazzi.
  2. Mind the 3 Laws of Posting Online. When you post anything online, what you have published is most often immediately public, permanent and exploitable. You may think that you have a claim to privacy online, but you are deluding yourself. What you upload is only as private as the company or individual housing the data. Once you post, there is no “taking it back”. Weiner removed his tweets quickly, but posts, pictures and videos are backed up, re-tweeted, liked, screen captured and otherwise saved long before you can put a stop to it. Finally, as this case reinforces, what you post online can and will be used against you if it falls into the wrong hands. In Weiner’s case, the wrong hands were those of a political enemy, conservative blogger Andrew Breitbart. Because Weiner chose to make the posts public (even accidentally), Breitbart has a free pass to commit perfectly legal extortion. Before it is all over, the Democratic party will lose one of it’s brightest stars. That is probably a just result, but there is still a question about the forceful nature of the means involved.
  3. Admitting fault early and often. If you’ve done something wrong and it is recorded online, “hang a lantern on it” as quickly as possible. This is a phrase that Chris Matthews used in his book on political survival, Hardball. To summarize Matthews position, if you make a mistake and it goes public, admit to it as quickly as possible, take ownership of the wrongdoing and don’t lapse into the web of lies brought on by panic. Hang a lantern on it – expose it to the light, take your lumps and move on. In the end, what will bring Weiner down will likely not be his obscene tweets or explicit photos. Rather, it will be the fact that he blatantly lied about his posts. Had he come clean immediately, he would be judged as a person who made some mistakes just like the rest of us, not as a Congressman who deliberately mislead his constituents.

And there is a larger, more important lesson in all of this. In a world where your every action is subject to capture, publication and mass distribution, it’s far easier to be a moral, upstanding, well-adjusted individual than it is to attempt to hide a dysfunctional dark side. Ultimately, a bit of restraint, discretion and even therapy will be much cheaper than living a double life.

 

John Sileo speaks, writes and consults professionally on information leadership: managing the exposure of personal and corporate information. His clients include the Department of Defense, Pfizer, Homeland Security and Blue Cross. Learn more at www.ThinkLikeASpy.com or contact him directly on 1.800.258.8076. Expose yourself wisely.

Reputation Gets You What You Want

For six years I have done almost nothing professionally but study and speak on phenomenons that drive companies out of business or otherwise destroy their reputation. In the process, I have discovered what I consider to be an under-recognized and highly powerful maxim that remains relatively untapped both by people (especially leaders), and by businesses. We talk about it, but we rarely take an active role in improving it.

Reputation gets you what you want.

I know this because I have seen countless people’s reputation destroyed by identity theft (including mine when I was thought to be a criminal) and hundreds of businesses’ reputations wrecked because of data breach, social networking over-exposure or reputation hijacking. I know this because I’ve worked as a reputation management partner to companies that aggressively manage what the world thinks of them from an offensive perspective – they cultivate it long in advance of any attack.

Think of Apple – they have had a reputation of producing simple, functional, beautiful gadgets that WOW us. Now, even when they release the most modest of upgrades, we all jump to buy them because of Apple’s reputation. Apple works day and night to protect and project this reputation, but because of the nature of reputation (you can’t blow your own horn too loudly), it is a silent and subtle campaign that accumulates over time.

Reputation is everything. A strong reputation gives you job security even in a shaky economy. It can be your sales team’s best closing tool or worst enemy (imagine BP trying to close its next off-shore drilling deal). It’s a long term asset that is subject to short term manipulation. And in the age of social media and constant access to data, your reputation can be damaged in a minute.

Reputation has traditionally been a defensive art – we don’t think about it or act to improve it until we are attacked. We are reactive and take for granted something that not only defines who we are, but makes us our money. But acting after the attack is far more costly than building a solid reputation foundation that can withstand the occasional threat. Take Reputation Hijacking for example.

Reputation Hijacking

Steve Fezzik is widely recognized as one of the top sports gamblers in the business. He consistently beats the odds in Vegas, and has developed a highly profitable career based on his sterling reputation of winning when others can’t. And Steve Fezzik’s reputation is exactly why someone else purchased the URL of his name (www.SteveFezzik.com), put his picture and bio on the site, and proceeded to sell betting cards (odds on gambling opportunities) using his name and an anonymous PayPal account. Someone else is still cashing in on his reputation and trashing it as they go because they don’t have his skill set for picking winners. His story is sad and all too common. And he is essentially helpless to change the plot, as he would have had to play a bit of reputation offense to protect himself. In his case, the steps would have been rather straightforward:

  1. Trademark his name in relation to the gaming business so that he has a leg to stand on when someone else misuses his identity for financial gain.
  2. Purchase the most common URLs associated with his name and expertise early in the game, before others find a way to use them.
  3. Hire a pit bull of an intellectual property lawyer (in advance of needing them) to immediately and very publicly put a stop to reputation squatting using simple tools like Cease and Desist. I realize that most people don’t have to worry about this level of protection, but if your name is your business, or your brand is your reputation, your way of thinking in the Internet age will need to change.
  4. Offensively develop an online reputation stronghold that serves as a clearinghouse for your voice and reputation. We can learn a great deal from celebrities who develop a significant presence on Twitter, a Facebook Fan Page, a blog, a YouTube channel or another vehicle of digital reputation management to fill in the space where tabloids and Perez Hilton type chatter can easily fill in the void. Most celebrity press releases, for example, are now launched from Twitter, making any other source of breaking news a bit suspect.

In other words, in your absence, someone else will leverage your reputation, especially online, where it is an easy target. Your refusal to manage it in advance already makes your reputation worth less. Would Lady Gaga fail to insure her voice, own her URL namesake or trademark her marketing brilliance? But she’s a star, you say. In the world of social media, instant communication and lack of privacy, so are you. Just make sure you avoid the black hole of reputation inertia.

John Sileo’s keynote speeches train organizations to play aggressive information offense before the attack, including reputation hijacking, identity theft, data breach, cyber crime, social networking exposure and human fraud. Learn more about having a Reputation Management Partner at ThinkLikeASpy.com or call him directly on 800.258.8076.