

    TOP STORY

    How businesses fail to protect customer info

    By Doug Spindler

    Most Internet users should know by now that personal digital security is in large part our own choice and responsibility. But in truth, our electronic security is also in the hands of the companies we do business with — and they’re not all taking that fact seriously.


    The full text of this column is posted at windowssecrets.com/top-story/how-businesses-fail-to-protect-customer-info (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1474022

      I appreciate the info in the current item about what businesses need to do to protect customer data. But it seems to me that you neglected to mention one company that seems to me particularly culpable. A year ago Adobe had some 40 million customers’ credit card and other account data stolen. One might imagine that Adobe, a major software company, could have a functioning staff of people protecting that information.

    • #1474039

      Thank you for the fine article, Mr. Spindler. There is one point you may not be aware of – while changing a password standard may be easily implemented with a minimum of worry as to the impact on other systems, other changes sometimes need to be vetted to a much greater degree. Many POS system upgrades and rollouts take years to build and test due to the massive complexity of these systems. Large retailers have to lab test and beta test system modifications quite thoroughly prior to rolling them out. Failure could cost the company millions of dollars very rapidly.

      This is not a defense of Home Depot’s delay(?) in upgrading their security as much as it is pointing out that since Target was hacked via a third party HVAC system access (SCADA systems have been long known to be very vulnerable), working with at least one other party, making sure the security in place works and doesn’t create havoc is a much more complex undertaking than a simple password configuration change for online accounts.

      I agree in today’s world, if I were CIO of a corporation, I would insist on pen testing of any vendor network that connected to my network in such a manner. I would also insist on pen testing of my own systems. I would also insist on maximizing security at every level, which Home Depot neglected to do, against the recommendations of multiple Security Consultants and vendors. While this is not a guarantee this would have stopped the attack, it could have raised the alarm more rapidly, if monitoring was being attended to.

      Unfortunately for them, Home Depot has had turnover in its I.T. Department and this creates a lot of problems. Many companies do not invest in their I.T. departments enough. I.T. in general and Security in particular is still seen as a black hole in which companies pour money, but it’s difficult to put a dollar value on how much a given implementation has saved a company. This creates enormous challenges when trying to convince a CFO of the value of a costly change. CFOs want to see Returns On Investment. How do you show a return on something NOT happening? Yes, now we can say, Target lost millions and their business hasn’t recovered and they must redouble marketing dollars to compensate, and continue to make examples from there. However, it’s still a difficult sell. Unfortunately.

      These are large, complex systems and making changes to them is typically akin to turning a large cruise ship, not a speed boat.

      • #1474051

        Mr Spindler: It’s good to see that some companies are receptive to input on how to make their passwords more secure. In Canada, two of the biggest internet providers in the country – Bell and Rogers – will not permit any special characters in their passwords. I’ve written on several occasions, but they clearly do not care about security.

        It’s ironic that companies in the internet provision business care so little about the security of their internet clients and their internet information. I suspect that these two “market leaders” will wait until one of them suffers a huge and expensive data breach, then they will both, like lemmings jumping off the cliff, wake up and fix things. Until then, their clients’ accounts are at risk.

        • #1474081

          “I told my colleague that his “unofficial” testing was probably illegal. While under contract, he had permission to connect to and analyze the hospital’s network. But once he’d submitted his report and the contract was complete, he had no right to perform the additional tests. I recommended that he stop his extra curricular activities and instead file a report on the U.S. Department of Health and Human Services (HHS) website.”

          That is all very well, but unless he did post-contract testing how would he know that they had not improved security? And is filing a report now effectively admitting to illegal activity? Is there such a thing as a “public interest” defence in the US (I am in the UK), and would it apply in these circumstances?

          Alternatively, to file a report with the HHS website at the same time as he filed his final report with the hospital, is probably unprofessional and would possibly lead to problems in getting his final bill paid!

          So should he include in his standard terms the right to perform post-contract tests? How many clients would agree to such terms?

    • #1474086

      This is a bit of a “sore point” for me given the extent to which so many companies still use “mother’s maiden name” as the first option for a password. I am a professional genealogist with a considerable volume of my work done for courts, either at the specific request of a court or for attorneys who will then present my work to a court, with one of the things I do as a result on an almost daily basis being establishing the maiden name of someone’s mother.

      As a result of the continuation of mother’s maiden name as part of the standard security protocol, restrictions have been placed on access to some of the means I use to get such information, but that does not stop me from doing my work; it only makes what I ultimately must bill for the same higher.

      Thus, I have always considered classification of “mother’s maiden name” as a JOKE, not just informing ANY business who suggests such the reason why it is a joke, but also that if, at a minimum, I am not provided with another option, I will take my business elsewhere.

      Not only am I a big proponent for using special characters, with them, I find it much easier not just to come up with passwords that make sense only to me, but are also easier to remember as the symbols tend to be “clues” if not to the specific password I have chosen, then the reason for my using the same.

      • #1474128

        My bank uses:
        Place of Birth (per FreeBMD.org)
        Date of Birth (per Birth Certificate)
        Mother’s Maiden Name (per FreeBMD)
        Plus a memorable place and a memorable date.
        Random selection of letters from a Password (all letters).

        I found that they require me to truthfully give my date and place of birth, but I can lie about the other “facts” – as long as I can remember that the response to “my memorable place” is (say) “Armistice Day” and to “my mother’s maiden name” is (say) “Park Lane Hotel”.

        The place and date of birth has to be “honest” to meet “money laundering regulations”! So they have mixed their transaction security systems and procedures with their account opening systems and procedures!

    • #1474107

      I have found that some employees of big box stores like Home Depot and Lowes ask for “the last four digits” on a credit card I give them and then just use the last four digits of the raised-character credit card number, not the security code (as in American Express, above the card number). So many of them do this I wonder how it might affect my security as a customer at those stores.

    • #1474116

      Securing credit card accounts is a fixable problem: (1) Use virtual, one-time only card numbers with time and dollar limits for on-line purchases (2) Use PIN priority EMV (chipped) cards for brick&mortar purchases. This likely won’t be done without government intervention. Consumers may not have to pay for fraud but they are largely left on their own to clean up the mess. Next October, the banks will shift as much fraud liability to merchants as they can. Merchants will attempt to shift that liability to consumers. We’ll see what happens.

    • #1474143

      I use KeePass to manage strong passwords. This really makes strong passwords usable: I don’t have to make them something I can memorize and more importantly I don’t have to type a large number of random characters.
      EXCEPT! Some companies (LPL,PayPal,…) have decided that somehow their edit controls provided for entering and/or confirming passwords should have the paste property disabled. I have written to LPL and complained to PayPal that this practice discourages strong passwords – no response!!
      I have tried to find some justification for this practice but so far it seems like an IT prank to annoy customers and weaken user security.
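The two complaints in this thread about password fields (providers that refuse special characters, and sites that disable paste so a manager-generated password cannot be entered) can be put in numbers. The following is an added example, not code from the thread or from any company named in it: a server-side policy check with an entropy estimate, comparing a constructed restrictive policy of the kind described with a permissive one. The policy limits, the character-class sizes and the sample password are assumptions made for the illustration.

```javascript
// Added example: password-policy comparison. Not code from the thread or
// from any provider named in it; the policies below are constructed.

// Character classes with the alphabet size each contributes.
const CHAR_CLASSES = [
  { name: "lowercase", pattern: /[a-z]/, size: 26 },
  { name: "uppercase", pattern: /[A-Z]/, size: 26 },
  { name: "digit", pattern: /[0-9]/, size: 10 },
  // 95 printable ASCII characters minus 62 alphanumerics
  { name: "special", pattern: /[^A-Za-z0-9]/, size: 33 },
];

// Constructed policies: RESTRICTIVE rejects special characters and caps the
// length; PERMISSIVE is the corrected setting that lets a manager-generated
// password through unchanged.
const RESTRICTIVE_POLICY = { minLength: 8, maxLength: 12, allowSpecial: false };
const PERMISSIVE_POLICY = { minLength: 12, maxLength: 128, allowSpecial: true };

// Sum of the alphabet sizes of the character classes a password actually uses.
function charsetSize(password) {
  return CHAR_CLASSES.filter((c) => c.pattern.test(password))
    .reduce((total, c) => total + c.size, 0);
}

// Entropy estimate in bits, treating each character as drawn uniformly from
// the union of the classes present. This is the right model for a
// generator's output and an over-estimate for a human-chosen password.
function entropyBits(password) {
  const size = charsetSize(password);
  return size === 0 ? 0 : password.length * Math.log2(size);
}

// Reasons a password fails the policy; an empty list means it is accepted.
function policyViolations(password, policy) {
  const reasons = [];
  if (password.length < policy.minLength) reasons.push(`shorter than ${policy.minLength} characters`);
  if (password.length > policy.maxLength) reasons.push(`longer than ${policy.maxLength} characters`);
  if (!policy.allowSpecial && /[^A-Za-z0-9]/.test(password)) reasons.push("special characters not allowed");
  return reasons;
}

// Ceiling on what any generator can reach under a policy: the longest
// allowed password over the largest allowed alphabet.
function maxAchievableBits(policy) {
  const alphabet = policy.allowSpecial ? 95 : 62;
  return policy.maxLength * Math.log2(alphabet);
}

// Side-by-side report for one candidate password under both policies.
function comparePolicies(password) {
  return {
    bits: Math.round(entropyBits(password)),
    restrictive: policyViolations(password, RESTRICTIVE_POLICY),
    permissive: policyViolations(password, PERMISSIVE_POLICY),
    restrictiveCeiling: Math.round(maxAchievableBits(RESTRICTIVE_POLICY)),
    permissiveCeiling: Math.round(maxAchievableBits(PERMISSIVE_POLICY)),
  };
}

// Constructed sample: a 20-character password as a manager would generate it.
const GENERATED = "q7#Lm!2vZp@9Rt$4Wx&8";
console.log(JSON.stringify(comparePolicies(GENERATED), null, 2));
```

Run as written, the report shows the generated password carries about 131 bits but is rejected twice by the restrictive policy (too long, contains symbols), whose best attainable password tops out near 71 bits; the permissive policy accepts it and its ceiling is far above anything a user would need. Blocking paste has the same effect in practice: whatever the stated policy, the password that ends up in the field is the one the user is willing to type by hand.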

    • #1474150

      My security practices!-
      1. I use free LastPass to store my passwords/CC#s, and free Zemana AntiLogger to encrypt keystrokes (foils keyloggers).
      2. When paying bills/purchases- I Never allow them to store my CC# (1 time purchase…).
      3. I Never copy/paste CC#s…, as that info is copied to your insecure Clipboard.

    • #1474184

      Some companies (LPL,PayPal,…) have decided that somehow their edit controls provided for entering and/or confirming passwords should have the paste property disabled.

      I too have encountered that problem, typing in a 25 character pw is annoying. I wrote Roboform as to whether their product could overcome that but never got a response. Does anyone know of a pw program that would work ?

      Yeah cutnpaste is maybe not as secure as a password program but I do password first then username.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.

    • #1474334

      Thanks for the article. One area not touched on is how many bank credit cards and other firms using credit cards include the full account/card number on their statements. This not only opens the way for someone rifling garbage, but also online where those statements are typically available.

      To jr093: Yes, IT turnover can be a problem, but major turnover is typically the result of employee demoralization at companies that don’t want to spend the money necessary to staff and run a top rate IT operation and website. Much of IT spending is still done begrudgingly, seen as accounting and other necessary overhead in the current marketplace. What’s not seen is how skimping creates a potential bomb that could seriously undermine major portions of the business. But that’s the venality of American capitalism.
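The point in the post above about statements that carry the full card number has a standard fix, PAN truncation: only the last four digits are rendered, and a Luhn check keeps the masking routine from treating a stray digit string as a card number. The following is an added example and not code from the thread or from any bank; the card numbers are well-known constructed test values, and the statement format and the text-scanning check are assumptions for the illustration.

```javascript
// Added example: statement-style masking of a card number. Not code from the
// thread or from any bank; sample numbers are constructed test values.

// Luhn checksum: the weighted digit sum must be divisible by 10.
// Rejects anything outside the 12..19 digit range a PAN can have.
function luhnValid(digits) {
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Strip the spaces and dashes people type, validate, and return the bare
// PAN or null if it is not a plausible card number.
function normalizePan(input) {
  const digits = input.replace(/[\s-]/g, "");
  return luhnValid(digits) ? digits : null;
}

// Replace everything but the last four digits, regrouped in fours so the
// customer can still match the line to a card.
function maskPan(input) {
  const pan = normalizePan(input);
  if (pan === null) throw new Error("not a valid card number");
  const masked = "*".repeat(pan.length - 4) + pan.slice(-4);
  return masked.replace(/(.{4})(?=.)/g, "$1 ");
}

// One statement line as it should reach the customer.
function statementLine(cardInput, merchant, amount) {
  return `${maskPan(cardInput)}  ${merchant}  ${amount.toFixed(2)}`;
}

// Detection side: scan free text (a rendered statement, an export, a log
// line) for digit runs that pass Luhn, i.e. PANs a masking step missed.
function findUnmaskedPans(text) {
  const candidates = text.match(/\b(?:\d[ -]?){12,19}\b/g) || [];
  return candidates.map(normalizePan).filter((p) => p !== null);
}

console.log(statementLine("4111 1111 1111 1111", "HARDWARE STORE", 42.5));
console.log(findUnmaskedPans("card 4111-1111-1111-1111 charged; ref 123456789012 ok"));
```

The scanner reports the constructed Visa-format number but not the twelve-digit reference, because the reference fails the Luhn check; that is the difference between a digit-run regex and a PAN finder, and it is why the same check belongs in whatever produces the statement in the first place.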

    • #1474356

      ” I have always considered classification of “mother’s maiden name” as a JOKE…”
      What I’ve done to ‘What is your mother’s maiden name?’ is: Her2468NameIs1357Nameless
      Let a hacker try to uncover that one. I do have to keep a list of these things somewhere.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

      • #1474481

        ” I have always considered classification of “mother’s maiden name” as a JOKE…”
        What I’ve done to ‘What is your mother’s maiden name?’ is: Her2468NameIs1357Nameless
        Let a hacker try to uncover that one. I do have to keep a list of these things somewhere.

        When I call financial/… CS, they often ask for my mother’s maiden name for acct. verification-
        If I was on the road with no access to a long-string name list, I’d be SOL!- I use only 1 complex Maiden name for All, that I can remember. Maybe not as secure?, but I’m not locked out!

        Much the same problem holds true with “Trying” to log onto my accts…, from another users computer without the aid of my LastPass PW manager (NOT, unless they also have LastPass installed for Login!?)- I Refuse to use the same PW twice as they may be hacked, and I don’t have an answer to this dilemma???

    • #1474547

      scottis, you’re correct, my solution, while it may work for me, probably is not good for you. I guess all we can each do is find out, tweak, and use whatever best balances security – functionality. I hope I made sense, it’s almost 6am here.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited
