Data breaches likely as hackers stay a step ahead
By Peter Hall, The Morning Call (Allentown, Pa.)
McClatchy-Tribune Information Services
The
"It was on a list that got distributed," she said. "They couldn't trace where the hacking took place."
Sigafoos also was caught up in the great
Even so, Sigafoos remains rattled.
"It made me think there is no security almost anywhere anymore," she said. "Even though there were no transactions that took my money away, it was so easy for someone to do."
With retailers, employers and financial institutions connected across a global network to streamline making and receiving payments, data breaches -- such as the
"This is something that we're going to live with from this point forward," said
Like a cat-and-mouse game, staying ahead of hackers takes vigilance, he noted.
"That's always been the case with security. One side makes an advance and the other catches up," Lopresti said.
Like
Last month,
The company later revealed the hackers also accessed the private information of tens of thousands of customers who visited the casino since 2009.
Also last month, the
The
Cybercriminals use the Internet to remain anonymous, assume new identities and use virtual currencies to move money without leaving records in the banking system, all of which makes them harder to apprehend. Nonetheless, the feds have been successful in putting hackers behind bars.
Last April, Russian
In January,
"The trouble with the Internet and the tremendous promise of the Internet is it spans the globe," Lopresti said. "You are exposed to attacks from lawless parts of the world."
High-risk cards
Driven by the ability to profit from reselling stolen bank card numbers and other information or simply by a desire to embarrass the target, online criminals use sophisticated software to identify and exploit weaknesses in computer network security.
With stolen data in hand, thieves try to make money with it.
"Just like a burglar uses a fence to monetize the items they steal from your home, hackers use online marketplaces," said
Single pieces of data such as
But the easier and more common crime is credit card fraud. Criminals can buy stolen credit card numbers and use them to make fraudulent online purchases or create counterfeit credit cards.
The numbers are sorted according to credit limit, with a platinum card number drawing a higher price than a low-limit card, Frymier said.
In some cases, banks have taken to the online marketplaces to buy up their stolen numbers after concluding that the cost is less than indemnifying cardholders for thousands in fraudulent purchases, Frymier said.
"We still have cards that in some cases have 1960s technology in a computerized world," Shearman said.
Stolen credit card numbers can be used to create counterfeit cards using relatively inexpensive equipment. And signatures are a poor way of verifying the cardholder's identity, Shearman said.
Chip-and-PIN cards, used widely in
Retailers spend hundreds of millions of dollars each year complying with security standards required by banks to protect data, but Shearman said the new technology would reduce the incentive for theft.
"The reason they're targeting the U.S. is we have these low-security, high-risk cards here," Shearman said.
In the
The group notes, however, that chip and PIN does little to prevent online credit card fraud, which increased by 30 percent during the same period.
Retailers and banks in
Visa, the largest payment card brand, wants to issue cards with chips that do not require PINs because that would be simpler and less expensive. Visa believes the chips alone will address the problem, according to
Retailers, on the other hand, are reluctant to spend the
When hackers find a way into a network, the causes range from the benign -- human error and password mistakes -- to the serious -- flaws in network design and companies' failing to upgrade technology.
Computer software, which contains some of the most complex engineering in human history, is created by humans and often contains errors that can leave systems vulnerable.
Last month,
Simple human errors, like sharing passwords or sending them to colleagues in emails that can be intercepted, contribute to the problem, Lopresti said.
The
The computers at Fazio Mechanical were protected by a free version of a virus-and-malware scanner -- like a home computer user might install -- that failed to detect the attack, according to the blog
Frymier said part of the problem is that the Internet was developed without security in mind. There were no hackers until there was a network to hack, he said.
As a result, many safeguards against malicious software are add-ons rather than integral parts of computer operating systems.
"We need to get to a world in which security is embedded into our software and not just a bolt-on," Frymier said.
Until then, companies need to design networks so that sensitive data cannot be accessed from parts of the network open to people who have no business looking at it, Frymier said.
He compared it to a hotel, where guests have access to their own rooms, the swimming pool and the restaurant, but not the rooms of other guests or the kitchen.
In 2011, for example, hackers used modified Sony PlayStations to break into the company's network used to provide games, music and other content to customers. The data they accessed, including names, addresses, passwords and credit card numbers, should have been stored on a separate network not connected to
Driving change
Whether companies are doing enough to protect their networks and other people's personal data varies from company to company.
"Businesses that sell to consumers are in a cutthroat competitive world where increasing their costs to provide better security may make them non-competitive versus a rival that isn't spending as much on security," Frymier said.
At the same time, experts say, businesses that experience data breaches suffer damage to their reputations.
Recognizing the threat of cyberattacks to the nation's financial, energy, health-care and other critical systems, President
"If you want to have access to individuals' personal information in order to do business, you have to prove that you comply with these insurance standards," he said.
Participation in the framework is voluntary, but eventually, he said, companies may have to prove they meet the standards in order to obtain insurance against cyberattacks.
Before that, Balchunas said, he expects to see class-action lawsuits on behalf of consumers against companies that fail to follow the best practices described in the framework.
"I look at it very pragmatically, and I strongly believe the changes are going to be driven by money," he said.
Balchunas and other experts say the government has limited authority to require companies to protect their customers' and employees' data.
Last month, U.S. Attorney General
Although recent data thefts have energized lawmakers, they may face opposition. Dozens of states, including
The
To date, the FTC has investigated more than 50 data-breach cases.
"Obviously there are a lot more breaches than that, but we're looking to see whether there is an unfair or deceptive practice," spokesman
In one of the first high-profile data breach cases,
The FTC found the company's failure to use reasonable security measures to protect customers' information was an unfair practice. In an agreement with the FTC, TJX had to take steps to fix its security systems and undergo audits every two years for 20 years.
The government also successfully prosecuted the so-called mastermind behind the thefts. In 2010,
In the meantime, there are steps consumers can take to protect themselves. For example, Sigafoos tries to make herself a hard target by checking her account activity every day.
Consumer advocates recommend regularly checking for unusual activity on credit reports, which are available for free from annualcreditreport.com. Security experts also advise consumers to use different passwords for bank and credit card accounts than for email or social networks and to make passwords difficult to guess with combinations of upper- and lower-case letters and numbers.
Those are good practices to minimize losses, but they can't keep thieves from stealing card numbers in the first place. That, Sigafoos noted, may be impossible to do.
"When you think about it," she said, "you're going out to shop and whoever you hand your card to, they've got your number, your code, your signature."
___
610-820-6581
___
Reporter
___
(c)2014 The Morning Call (Allentown, Pa.)
Visit The Morning Call (Allentown, Pa.) at www.mcall.com
Distributed by MCT Information Services
Wordcount: 2237