
12 Days to a Safe Christmas: Day 5 – Don’t Tell Facebook You Won’t Be Home for the Holidays

Holiday Security Tips: On the fifth day of Christmas, the experts gave to me, 5 Facebook fixes

In general, we share too much information on social media sites. During the holidays, we are positively intoxicated with the giving spirit! Without thinking, we share our holiday travel plans, click on seemingly charitable links or post pictures of a fun night out. And when you share with friends on Facebook, you are sharing with their friends and ultimately, most of the literate world. The problem is, some of those people aren’t really friends and only want to separate you from your holiday dollars.

Solution: Apply these five fixes to ALL of your social sharing (not just Facebook)

  1. Customize your privacy settings. Sixty percent of social network users are unaware that their default privacy settings let others into most of their personal information. Facebook does a decent job of explaining how to lock your privacy down (https://www.facebook.com/help/privacy), but you must spend at least 90 minutes going over the settings to properly protect yourself.
  2. Protect your passwords. Don’t let the bad guys take over your account and contact your friends as if they were you. Create a unique, strong, alpha-numeric-symbol password without using a dictionary word, birthdate, pet’s name or other personal identifier. Use this password only for a single site and don’t share it with anyone. Be careful of using your Facebook login for other sites, as those sites gain access to your private information.
  3. Log into Facebook only ONCE each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type www.facebook.com into your browser address bar. Phishing emails and social media posts will often send you to sites that look like Facebook but act like a data criminal. When in doubt, log out.
  4. Beware of free offers, big discounts and requests for charity (even if they come from your friends). If the offer in the post is too enticing, too good to be true or too bad to be real, don’t click. Chances are pretty good that your friend’s account has been hijacked and the hacker is serving you a warm dish of malware. If the post is out of character for that friend, email them and ask if it’s real.
  5. Don’t check in when you aren’t home and don’t post your travel plans. Based on social media feeds and locational check-in services alone (Foursquare), it is simple to map your whereabouts and signal thieves when you aren’t home. If you have to let friends know where you are during the holidays, send a group text or email.

No matter if you’re headin’ home for the holidays or off to Whoville, remember to post your pictures and tell those tales AFTER you’re safely home. On the sixth day of Christmas…

To review our tips from previous days, click here.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on technology, cybersecurity, and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab, and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

12 Days to a Safe Christmas: Day 4 – Holiday Shopping Quiz – Is Credit or Debit Smarter?

Holiday Security Tips: On the fourth day of Christmas, the experts gave to me, 4 pay solutions!

True or False?

When you use a debit card, funds are more secure because they are drawn directly from your bank.

False. While it’s true that funds are drawn directly from your bank, it actually makes it harder to get the money reimbursed while the issue is being resolved if fraud does occur.

You can receive a reimbursement for debit card fraud up to a year later.

False. Debit cards generally only reimburse fraudulent purchases if you catch them within 60 days.

It is safer to use a credit card than a debit card.

True. When you use a credit card, nothing is withdrawn from your bank account immediately. Pending transactions can take several days to clear. In addition, credit cards uniformly give you more protection than debit cards and your maximum liability is capped at $50.

All checks are created equal.

False. If you have to pay by check, make sure you use high security checks. Security checks should include visible fibers, true watermarking, full-feature hologram (like on credit cards) and protection against multiple chemical alteration agents (not just fingernail polish remover). This makes it much harder for identity thieves to “wash” your checks with acetone and put their own names in the “pay to” field. Also, sign your checks with a gel-based pen that cannot be easily dissolved.

If you failed this quiz, don’t worry, as long as you remember the answers when you’re shopping! Wishing you straight A’s this holiday season! On the fifth day of Christmas…

To review our tips from previous days, click here.


12 Days to a Safe Christmas: Day 3 – Stopping Hackers When You’re Shopping on Wi-Fi

Holiday Security Tips: On the third day of Christmas, the experts gave to me, 3 stymied hackers!

Although you may trust the baristas at your local coffee shop to make that perfect Gingerbread Latte, you can’t always trust the person sitting next to you. Hackers can easily tap into Wi-Fi connections at public hot spots to steal your identity information, including credit card and bank account numbers. This can be especially dangerous during the holiday season when “hotspot sniffers” come out of the woodwork using free monitoring apps like Firesheep.

Solution: Stop shopping online using free Wi-Fi hotspots.

If you must shop online while out in public, take the following precautions:

  • Enable tethering on your smart phone. Tethering connects your computer to the Internet using a Smartphone (or Internet-enabled cell phone). It increases security because the mobile transmission between your cell phone and the cell tower is encrypted (scrambled) and hard to intercept. Therefore, when you use your Smartphone to surf the web, you are accessing a protected connection that probably can’t be sniffed. The connection might be slightly slower than a traditional Wi-Fi hotspot, but it is also much safer. Simply call your wireless provider and ask them if your Smartphone has tethering capabilities. You shouldn’t have to pay more than about $15 per month to put this solution into effect.
  • Make sure that you shop on reputable websites, not just those with the cheapest prices. Your only risk isn’t your internet connection, but the number of scamming sites that pop up during the holidays.
  • Before you hit the Buy button, make sure you’re using a secured site. Look for “https” (not just “http”) in the URL address bar. Some browsers and websites also change the color of the URL bar (e.g., to green) and add a padlock symbol to indicate tighter security.

So take a break from the craziness to enjoy that java, but watch the Wi-Fi and spend securely! On the fourth day of Christmas…

To review our tips from previous days, click here.



12 Days to a Safe Christmas: Day 2 – It’s Beginning to Look a Lot Like Christmas- at the Mall!

Black Friday and Cyber Monday will be here before you can say “Man, I ate a lot of turkey!” Malls, stores, restaurants and cafés are exceptionally busy places during the holidays. This breeds a perfect environment for data thieves to make off with your identity goodies while you shop, dine or relax. It only takes a second to steal a purse from a shopping cart, a briefcase from your car or a smartphone, iPad or laptop from an unattended café table.

Solution: Lighten your load and leave excess identity at home. 

  • Consider taking only your mobile phone, driver’s license and one or two credit cards with you shopping to minimize the number of identity storage devices you might misplace. If you can fit the items in your pockets, your security increases. If you must have a purse, use one that zips and hangs in front of you, or consider using a backpack that stays on you at all times.
  • As a last resort, hide your wallet, purse and digital devices in the trunk before you park at the mall, as thieves looking for valuables commonly monitor parking lots for potential victims placing valuables in their trunk.
  • Since you are still likely to take your technology with you (don’t worry, so do I), keep it in a pocket or secured bag at all times. In addition, log out of your online accounts when you are not actively shopping, and password-protect your smartphone, iPad and laptop in case they do go missing.
  • Finally, when shopping, be careful about giving out any personal information when it can be overheard, and cover the PIN pad when entering your number at checkout stands and ATMs.

Taking these two shopping tips (okay, you knew I couldn’t stop at two, so there are actually four), will save you a lot of holiday headaches and let you truly sing that carol within your heart! On the third day of Christmas…

To review our tips from Day 1, click here.


12 Days to a Safe Christmas: Day 1 – Prevent Holiday Identity Theft

Holiday Security Tips: On the first day of Christmas, my expert gave to me, the keys to secure my privacy.  

If I could give the world a gift this holiday season, it would be to make the world a safer place to trust. You deserve to know whether or not you can trust the politicians you elect, the advice you receive from your doctor and whether or not you can entrust your privacy to the websites and businesses you use every day.

Identity theft, cyber stalking, and “big data” surveillance—these byproducts of the information economy make it hard to rest easy. Every day in the news we hear about another scam, another breach of corporate data that victimizes more than 11 million Americans a year. But you don’t have to be a statistic!

Solution: Give yourself a gift by paying attention to prevention.

Let me be totally clear: you do not need to fear information over-exposure if you protect yourself before you get hit. Here is the secret to making peace with the privacy of your sensitive information:

  • Adopt a preventative mindset and exercise before the information heart attack.
  • Re-accumulate privacy over time, changing habits one step at a time to regain what you’ve given away.
  • Make data privacy an attitude rather than a one-time checklist. Share with care, and only when totally necessary.

Over the next several weeks, Sileo.com will share 11 more tips on protecting your identity, your privacy and your hard-earned money during the holiday season. The 12 Days of Christmas will help you re-accumulate your privacy in time to be safe for whichever holiday you celebrate. Check back every few days for the next tip, or subscribe to the Sileo.com RSS feed.

In the meantime, happy shopping… and don’t stand under any pear trees (you can never trust those partridges)! On the second day of Christmas…



Delete Your Facebook After Cambridge Analytica?

I’ve written A LOT about Facebook in the past.

  • What not to post
  • What not to like
  • What not to click on
  • How to keep your kids safe
  • How to keep your data protected
  • How to delete your account

ETC! Search specific topics here.

And personally, I’m ashamed of myself for knowing exactly how social networks like Facebook take advantage of users and our data, and yet still having a Facebook profile. I’m not just sharing my information; Facebook is also sharing every one of my “friends’” information through me. I’m currently thinking that the only way to protest this gross misuse of data is to delete my profile (which still won’t purge my historical data, but will stop future leakage).

And yes, I’ve written several times about how Facebook is allowed to sell your privacy. Now, it turns out the practices I have warned about for years are taking over our headlines with a “little” news bit about how Cambridge Analytica has used data obtained from Facebook to affect the 2016 U.S. Presidential election.

Here’s a brief timeline:

  • In 2014, a Soviet-born researcher and professor, Aleksandr Kogan, developed a “personality quiz” for Facebook.
  • When a user took the quiz, it also granted the app access to scrape his or her profile AND the profiles of any Facebook friends. (Incidentally I was writing about why you shouldn’t take those quizzes right about the time all of this data was being gathered!  And, it was totally legal at that time!)
  • About 270,000 people took the quiz. Between these users and all of their friend connections, the app harvested the data of about 50 million people.
  • This data was then used by Cambridge Analytica to help them target key demographics while working with the Trump campaign during the 2016 presidential election.
  • Facebook learned of this in late 2015 and asked everyone in possession of the data to destroy it. (They did not, however, tell those affected that their data had been harvested.)
  • The company said it did, and Facebook apparently left it at that.

That takes us up to recent days, when The Guardian and The New York Times wrote articles claiming that the firm still has copies of the data and used it to influence the election.

What’s happening now?

  • Facebook has suspended Cambridge Analytica from its platform, banning the company from buying ads or running its Facebook pages.
  • The Justice Department’s special counsel, Robert S. Mueller III, has demanded the emails of Cambridge Analytica employees who worked for the Trump team as part of his investigation into Russian interference in the election.
  • The European Union wants data protection authorities to investigate both Facebook and Cambridge Analytica. The UK’s information commissioner is seeking a warrant to access Cambridge Analytica’s servers.

And what should you be doing?

Consider deleting your profile. I am. I’ve written about how to do that before and how to weigh deactivating your account versus deleting it. Consider carefully before making that choice.

Remember that the real illusion about Facebook is that there is anything significant we can actually do to protect our privacy. Facebook provides an effective privacy checkup tool, but it does nothing to limit the data that Facebook sees, or that Facebook decides to share with organizations willing to buy it, or even that hackers decide to target.

The data you’ve already shared on Facebook, from your profile to your posts and pictures is already lost. There is nothing you can do to protect it now. The only data you can protect is your future data that you choose to not share on Facebook.  Here are my suggestions for a few pro-active steps you can take right now:

  • Delete or deactivate your Facebook profile
  • Reread my post about Facebook Privacy from 2013—unfortunately, all of it still applies today!
  • Memorize this phrase: “Anything I put on Facebook is public, permanent and exploitable.”
  • Tell some little white lies on your profile.
  • And stop taking those quizzes!

John Sileo is an award-winning author and keynote speaker on cybersecurity, identity theft and online privacy. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

How to Stop Wi-Fi Hotspot Hackers

We’ve all been there before: killing time at the airport, meeting up with a colleague at a local coffee shop, staying at a hotel, and we want to connect to the Internet. Nearly everyone offers free Wi-Fi these days, including lots of cyber criminals. They’ve become so good at mimicking legitimate hotspots that you’d better know what you’re looking for before you connect! Here are our top six tips to stop those Wi-Fi Hotspot Hackers.

Don’t connect to an Evil Twin.

An Evil Twin is a rogue wireless access point that masquerades as a legitimate Wi-Fi access point.  It’s relatively easy for hackers to set these up and gather personal or corporate information without the end-user’s knowledge. It will most likely have a name similar to the real hotspot. To prevent this from happening:

  • Make sure you’re connecting to a legitimate public Wi-Fi network by asking the café, airport, hotel, library, etc. for the correct hotspot name.
  • If the Wi-Fi hotspot forces you to enter a user name and password, it is considerably safer than those that require no password.
  • When you are finished using a hotspot, log off the Wi-Fi connection and forget the network. Failing to do so allows mobile devices to re-connect to that network when you simply walk by that location.

Tether your laptop or tablet to your phone.

Also known as a personal Wi-Fi hotspot, tethering is the act of using your smartphone’s encrypted cellular connection to the Internet to surf securely from your laptop or tablet.

  • To tether your computing device to your smartphone, simply contact your mobile provider (Verizon, AT&T, Sprint, T-Mobile, etc.) and let them know that you want to be able to connect your computing device to your smartphone.
  • It costs about $15 per month, well worth the protection. Your provider will turn it on and will walk you through setting up both your smartphone and device so that they communicate with the Internet in a well-protected manner.
  • Many tablets, like the iPad, now come with cellular data access built into the device so you never even have to utilize free Wi-Fi (though it’s still safe to use the secure Wi-Fi in your home and office).
  • Or, just use your smartphone!

Make sure you’re surfing with HTTPS.

In your browser’s URL bar, make sure that the address starts with https://. The “S” stands for secure: the connection between your browser and that website is encrypted, so your traffic can’t be easily “sniffed” by hackers sharing the hotspot.

  • HTTPS connections should show a lock symbol in the URL bar (and sometimes the bar itself turns green when you are on a secure connection).
  • If you don’t have HTTPS access, use your cellular connection to surf.
  • At a minimum, avoid all banking, credit card, email and financial transactions or anything that requires you to give out your personal information.

Patch your software.

  • Keep your browser and operating system up-to-date with security patches, but don’t do it on Wi-Fi; update when you have a secure connection at home or at work.
  • Having the latest software limits the “hacker back doors” that allow criminals into your system.

Turn off file sharing.

  • Both Macs and PCs have file sharing capabilities that when turned on, expose your files to others on your network (including strangers on a free Wi-Fi hotspot).
  • In your system settings, uncheck the box that allows file and printer sharing through your computer.

Turn on your VPN.

  • A Virtual Private Network encrypts (scrambles so that it can’t be read without the key) the traffic between your device and the VPN server. This effectively takes the man-in-the-middle (a Wi-Fi sniffer) out of your communication to the Internet.
  • VPNs can either be personal (e.g., SecurityKISS) or set up by your company’s IT department.

While all of these tips are valuable tools to keep your data secure, if you are the type of person who rarely even utilizes the Internet away from home, you may not want to take the time to do all of them.  At the very minimum, before you ever enter any information online (financial, passwords, personal information), INVESTIGATE how you’re connected, THINK about who has access to your data and consider whether it can wait until you KNOW you’re on a secure connection.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

John Sileo Receives CPAE Hall of Fame Award

DENVER, /PRNewswire/ — Just a decade before stepping on stage to receive the speaking industry’s most prestigious award, John Sileo thought he might be going to jail for crimes committed in his name by another person.

“An agent from the DA’s office showed up on my doorstep to tell me I was being investigated for the electronic theft of $300,000,” says Sileo, a cybersecurity keynote speaker and president of The Sileo Group, a cybersecurity think tank born from his experiences with the crime. “We lost nearly everything – my family’s 40-year-old business, our investments, my career and a whole lot of time and money.”

Sileo was an early victim of cybercrime, but in his case the theft was instigated by an insider who made illegal electronic bank transfers using Sileo’s identity. “Businesses that don’t pay attention eventually pay the price,” says Sileo from a keynote speech he delivered recently to the banking industry.

As the recent hacking of the DNC and the New York Times shows, cybersecurity is top of mind for every business in America. How they choose to respond directly affects their bottom line.

Spurred by the massive uptick in cybercrime, Sileo wrote his first of several books on the topic in 2005 and by 2006 was being asked to speak around the world on cybersecurity, data privacy and identity theft. Since then, Sileo has spoken at the Pentagon, on 60 Minutes, in USA Today and for satisfied clients ranging from Charles Schwab to Visa, Pfizer to Homeland Security. His latest book, Privacy Means Profit (John Wiley & Sons), explores the educational links between personal protection and securing data in the workplace. Sileo also hosts Sileo On Security (SOS), a series of video tips used for corporate training.

This summer, Sileo was asked to deliver a rare acceptance speech (see video) as he joined the ranks of former U.S. President Ronald Reagan and General Colin L. Powell in the CPAE Speaker Hall of Fame®.  This award honors professional speakers who have reached the top echelon of platform excellence. Joining John on stage were fellow inductees David Glickman, Jason Hewlett, Jane Jenkins Herlong and Linda Larsen.

“I’m so grateful for everyone who believed in me, who encouraged me to turn my hard-earned innocence into lemonade. I couldn’t have done it without the National Speakers Association, without my close friends and especially without my family behind me,” says Sileo, visibly holding back his emotions. “I’m the luckiest guy on earth.”

It’s that kind of positivity in the face of defeat that landed Sileo in the company of fewer than 300 speakers worldwide who have been inducted into the CPAE Speaker Hall of Fame®. Now that’s some pretty rewarding lemonade.

Don’t Get Hooked With Phishing Scams

Common Phishing Scenarios:

“Your account has been suspended” or “We suspect fraudulent activity on your account” or “You’ve won a contest” or “We owe you a refund”

If you’ve ever received an email, voicemail or text with a message like one of the above, you know how visceral your reaction can be. And chances are very high that the message is a fake.

Just as fishing is one of the oldest occupations around, phishing is one of the oldest scams around. Ever since email was invented, thieves have been phishing to get your information by cleverly impersonating a business or an acquaintance. They hope to trick you into giving out your personal information or opening a link or an attachment that downloads malware onto your computer so that they can gain access to all of your data.

Even though it’s been around for a while, it still works with alarming regularity. Almost 90% of all corporate data breaches are the result of a phishing attack. The ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month. It’s always good to have a refresher on how to avoid getting hooked!

What to look for:

  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may be mismatched (a spelling variation like Annazon.com) or use a misleading domain name (.com vs. .net). Use the hover technique (hover over the link to see the real address before clicking) to verify legitimacy.
  • Beware if you receive unsolicited (or out of character) phone calls, visits, or email messages often with an urgent request or threatening punitive action if you don’t respond.
  • Think twice if a company that seems legitimate asks you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Remember: legitimate companies don’t ask you to send sensitive information through insecure channels.
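As an added example (not part of the original post), here is a small Python check in the spirit of the “look carefully at the web address” advice: it folds common character swaps such as the nn-for-m in Annazon.com, flags a brand name under the wrong top-level domain or buried in a subdomain, and notes plain http on an otherwise trusted site. The allow-list and the confusables table are constructed for illustration, and treating the last two labels as the registrable domain is a simplifying assumption (no public-suffix list).

```python
"""Lookalike-domain check for links in suspicious mail (added example)."""
from urllib.parse import urlparse

# Constructed allow-list: the brands the reader really does business with.
TRUSTED = {"amazon.com", "paypal.com", "chase.com"}

# Character swaps phishers use to imitate a brand name. Assumption: a small
# hand-picked table, not a full Unicode confusables list.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _fold(label: str) -> str:
    """Undo the swaps above so 'annazon' and 'paypa1' compare as the brand."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: registrable domain = last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, trusted=TRUSTED):
    """Return (verdict, reason) where verdict is ok | warn | unknown | reject."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host or "." not in host:
        return ("reject", "empty or single-label hostname")
    reg = registrable(host)
    if reg in trusted:
        if parsed.scheme != "https":
            return ("warn", f"{reg} is trusted but the link is not https")
        return ("ok", reg)
    brands = {t.split(".")[0]: t for t in trusted}      # 'amazon' -> 'amazon.com'
    sld = reg.split(".")[0]
    # Brand name used as a subdomain of an unrelated domain: amazon.com.evil.example
    for b in brands:
        if b in host.split(".")[:-2]:
            return ("reject", f"brand '{b}' is a subdomain of {reg}")
    # Right brand, wrong top-level domain: amazon.net
    if sld in brands:
        return ("reject", f"TLD mismatch: {reg} vs {brands[sld]}")
    # Character swaps or a one-letter typo of the brand: annazon.com, amazom.com
    for b in brands:
        if _fold(sld) == b or _edit_distance(sld, b) <= 1:
            return ("reject", f"lookalike of {brands[b]}")
    return ("unknown", reg)
```

Short brand names raise the false-positive rate of the one-letter rule, so treat a reject as “do not click, type the address yourself” rather than as proof of fraud.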

How to prevent/avoid phishing (It’s a lot, but every single tip matters!)

  • Never open email from an untrusted source and don’t open unexpected email attachments or instant message download links.
  • Don’t trust links in an email. Right click on the link to make sure it’s valid. Better yet, type in the real website address into a web browser.
  • Never give out personal or financial information upon email request.
  • Look carefully at the web address.
  • Be suspicious of unsolicited phone calls, visits, or email messages.
  • Don’t call company phone numbers in emails or instant messages. Check a reliable source such as a phone book or credit card statement.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Only provide personal or financial information through an organization’s website if you typed in the web address yourself and you see signals that the site is secure, like a URL that begins https (the “s” stands for secure). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Report phishing email to reportphishing@antiphishing.org

There is also SMiShing (fraud through SMS on your phone), Vishing (fraudulent voice calls) and Spear Phishing (customized email that appears to be from an individual or business that you know). As soon as a new method of communication is invented, I guarantee the fraudsters will be using it, so there will be a new term for that, too!

One of the most profitable steps you can take inside of your organization is training your people to detect phishing scams. They are a hacker’s first and favorite tool to separate you and your data.


Is CHIP & PIN Credit Card Security Worth $100M? (Are You Serious?)

I’ve had dozens of media requests for interviews and countless more email inquiries from people concerned about the Target data breach. At first, everyone just wanted to know details of how it happened, how big the breach was, and what they should do about it if their credit cards were at risk. Now that the initial shock of it is over, we are on to a bigger question:

How do we keep breaches from negatively affecting so many Americans?

Breach will always happen. If it’s digital, it’s hackable. It’s coming to light that the Target breach may have been due to the computer access an HVAC WORKER (no, not an entire company, an individual WORKER) had to Target’s systems. While there is no guaranteed way of preventing fraud, there is a pretty reliable answer out there, and it’s been around for decades. That answer is for the US to finally catch up to more than 80 countries around the world and start using chip and PIN enabled credit cards, also known as EMV, smart cards, or microchip cards.

Placing a microchip in a credit card makes it much harder for criminals to clone the card than the relatively easy-to-copy magnetic stripe. The chip holds a secret key that never leaves the card and uses it to produce a unique cryptogram for each transaction, computed over that transaction’s amount and a counter, so a captured transaction record cannot be replayed or reused to forge another one. Chip cards also often require additional authentication, such as a personal identification number, or PIN. So in the case of the Target breach, the stolen data couldn’t be used to easily create duplicate credit cards, drastically reducing the value of the stolen data. The possibility for online abuse of the numbers (known as Card Not Present transactions) would remain a threat from the breach, but it would be a fraction of the problem (and solvable in other ways).
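As an added illustration (not code from the original post), here is a simplified model of the per-transaction cryptogram described above, with a magnetic-stripe check beside it for contrast. It assumes HMAC-SHA256 in place of EMV’s DES/AES-based key derivation and MAC, and the issuer key, test PAN and transactions are constructed for the example. It walks through a genuine purchase, an attacker replaying the authorization message scraped from the register, the same attacker trying to forge a new purchase from that data, and a copied magnetic stripe.

```python
import hmac
import hashlib
import os

# Constructed for this example; a real issuer master key lives in an HSM.
ISSUER_MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key the issuer personalises into the chip.

    Real EMV derives a 3DES/AES key from the master key, PAN and PAN sequence
    number; HMAC-SHA256 stands in for that so the example runs on stdlib alone.
    """
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, pan: str, amount_cents: int, atc: int, un: bytes) -> bytes:
    """The per-transaction code (ARQC in EMV terms): a MAC over the transaction.

    It covers the amount, the card's application transaction counter (ATC) and
    a nonce chosen by the terminal (the "unpredictable number"), so it is
    unique to this one purchase and useless for any other.
    """
    data = b"|".join([pan.encode(), str(amount_cents).encode(), str(atc).encode(), un])
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """What the chip holds: the PAN, a counter, and a key that never leaves it."""

    def __init__(self, pan: str, card_key: bytes) -> None:
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def build_auth_request(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1
        return {
            "pan": self.pan,
            "amount_cents": amount_cents,
            "atc": self.atc,
            "un": un,
            "arqc": cryptogram(self._key, self.pan, amount_cents, self.atc, un),
        }


class Issuer:
    """Issuer host: recomputes the cryptogram and refuses reused counters."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        self._highest_atc = {}  # PAN -> highest ATC accepted so far

    def authorize(self, req: dict) -> str:
        key = derive_card_key(self._master_key, req["pan"])
        expected = cryptogram(key, req["pan"], req["amount_cents"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINED: cryptogram does not verify"
        if req["atc"] <= self._highest_atc.get(req["pan"], 0):
            return "DECLINED: transaction counter already used (replay)"
        self._highest_atc[req["pan"]] = req["atc"]
        return "APPROVED"


def magstripe_authorize(on_file: dict, track_data: dict) -> str:
    """Magnetic stripe: the same static data every swipe, so a copy is as good as the card."""
    return "APPROVED" if track_data == on_file else "DECLINED"


def run_scenario() -> dict:
    issuer = Issuer(ISSUER_MASTER_KEY)
    pan = "4111111111111111"  # constructed test PAN
    card = ChipCard(pan, derive_card_key(ISSUER_MASTER_KEY, pan))

    # 1. Genuine purchase at the register; the terminal supplies the nonce.
    genuine = card.build_auth_request(4999, os.urandom(4))
    r_genuine = issuer.authorize(genuine)

    # 2. Attacker scraped that authorization message from the POS's memory.
    stolen = dict(genuine)
    r_replay = issuer.authorize(stolen)  # verbatim replay: counter already used

    # 3. Forge a new purchase from the stolen data: without the card key the
    #    cryptogram cannot be regenerated for a new amount, counter and nonce.
    forged = dict(stolen, amount_cents=25000, atc=stolen["atc"] + 1, un=os.urandom(4))
    r_forged = issuer.authorize(forged)

    # 4. The cardholder's next genuine purchase still goes through.
    r_next = issuer.authorize(card.build_auth_request(1250, os.urandom(4)))

    # 5. Contrast: stripe data copied from the same register replays cleanly.
    track2 = {"pan": pan, "expiry": "2512", "cvv1": "123"}  # constructed
    r_stripe = magstripe_authorize(track2, dict(track2))

    return {"genuine": r_genuine, "replay": r_replay, "forged": r_forged,
            "next": r_next, "magstripe_clone": r_stripe}


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:16s} {result}")
```

The issuer-side counter check is what turns a scraped record into dead data: even a perfect copy of a valid message is refused once, and only once, it has been spent. Note what the model does not protect: the PAN itself is still in the message, which is why card-not-present fraud remains after a chip rollout.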

France has been using this technology since 1982, the UK since 2001, and Canada since 2007. In the first five years after the UK started using chip & PIN, fraud went down 70%.  In that same time period, the cost for fraud in the US had DOUBLED. It’s not that the technology is perfect, it’s that the increased security convinces criminals to target those who don’t use the technology (which to this point has only been, well, the United States). 

If chip and PIN has such a strong track record of reducing fraud, why is the US resisting it? The answer: MONEY. Banks, credit card companies, and retailers have been caught in a battle of wills for many years now, with retailers not wanting to spend money on installing new chip-friendly card readers unless banks are committed to spending money on issuing new cards.

The cost of implementing the card system can be staggering. Target is expected to spend around $100 million to install new chip card readers in an effort to protect against cyber theft.

So is it worth $100 million to implement chip and PIN technology?

Without question. And even Target thinks so, or at least it did ten years ago when it was at the forefront of implementing chip & PIN technology.  From 2001-2004 they spent $40 million to adopt chip-based credit-card technology and installed 37,000 new point-of-sale terminals to handle chip cards across its U.S. stores.

Ultimately they backed out because their marketing strategy at the time just didn’t catch on with consumers and because it was taking “A FEW SECONDS” longer per customer to get through the line.  I don’t know about you, but I’d wait an extra two seconds in order to know my data is secure.  And I bet Target victims would take back the time it is taking them to change their credit card information with every online site or monthly automatic payment company their now-compromised card was used for.

To put the cost in perspective, $100 million is about $1.00 per Target breach customer. I bet the average credit card holder would be willing to foot the $1 bill to dramatically reduce their risk (even if it’s not a perfect solution). In fact, the cost of fraud gets passed on to customers anyway (higher credit card rates, higher retail prices), so why not spend that same money (or far less, in fact) on securing the transactions in the first place? 

  • A survey of 936 credit unions indicates the Target breach has cost credit unions an average of about $5.10 per card affected by the security lapse.  The Credit Union National Association said these costs most likely do not include any fraud losses, which are likely to occur later.
  • In 2012, the Ponemon Institute’s annual study showed the average cost of a data breach in the US is $188 per person notified.
  • For credit issuers, the average cost per record breached is estimated at $280.
  • Aite Group reports that card fraud in the U.S. already costs the card payment industry (primarily issuers) $8.6 billion a year.

 You tell me if it’s worth it! (Seriously, I want your thoughts and comments below)

How do we get there?

It seems crystal clear to me that fraudsters have gotten so sophisticated that we either need to join together (retailers, banks, and credit card companies) or we will fail to stop this trend of Mega-Breaches.  Pardon the pun, but clearly we have put the “target” on our own backs; criminals have increasingly focused on the US because we are so far behind.

James Dimon, CEO of J.P. Morgan Chase sees this as an opportunity for real change.  He said,  “All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade.”

I see 4 overarching steps that need to be taken:

  1. Retailers, credit card processors, banks, VISA, MasterCard and American Express need to stop focusing on their own self-interest (profit) and start to work together for the common good. Of course, they won’t do this without incentive, so…
  2. Congress should create a U.S. equivalent of the U.K. Card Association that sets policy and has the authority to fine those stakeholders who fail to act.
  3. We will need legislation to ensure that the “liability shift” dates projected for 2015 are met. Under a liability shift, the party that has not upgraded eats the fraud loss: if the card issuer has issued a chip and PIN card but the retailer has not installed a reader for it, the merchant is held accountable for any losses due to fraud on that card (and an issuer that has not issued chip cards bears the loss at a chip-capable merchant).
  4. Everyone needs to understand that there will be costs associated with the change, just like there are costs when you install a security system, a lock on a door or a vault in a bank.

Will chip and PIN cost retailers? Yes. Will chip and PIN cost banks? Yes. Will it cost consumers? Yes. Will it cost (in total) as much as the fraud resulting from even a single major breach like Target? NO. It’s time to start thinking about security from a long-term perspective, and long-term profitability will follow.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.