As EFT processors and online transaction companies slowly recover from the blunt force trauma of the recent major retailer breaches, more unnerving facts about the current state of online data security are surfacing. Not only are the largest companies being targeted; a growing share of individual American consumers report stolen personal information and compromised accounts.
Findings from a January 2014 Pew Research Center survey of adult Internet users show that:
• 18% have had important personal information stolen, such as their Social Security number, credit card or bank account information. That is up from 11% in July 2013, a rise of seven percentage points in six months.
• 21% have had an email or social networking account compromised or taken over without their permission.
Hard on the heels of these numbers, a widely circulated analysis of leaked PIN data reports that roughly 27% of credit and debit cards use one of a handful of the most common PINs, chosen because cardholders cannot be bothered to pick something unique. The three most popular PINs are 1234, followed by 1111 and 0000. An attacker holding a stolen card does not need to crack anything; he tries those few guesses first, and because most ATMs and terminals lock a card after about three wrong attempts, those guesses are all he gets, which is exactly why the handful of most common PINs are the ones that matter. That is a pretty good batting average for almost no effort.
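The obvious countermeasure is to refuse the PINs attackers guess first. The following is an added example, not code from the original article or from Money Movers: a small PIN policy check whose common-PIN list holds only the three PINs named above (a real deployment would extend it from the top entries of leaked-PIN analyses). The additional heuristics it applies (identical digits, straight sequences, repeated pairs, birth-year lookalikes) and the year window it uses are assumptions of this example, not figures from the page.

```python
"""Reject the weak PINs the statistics above single out.

Added example, not code from the original article or from Money Movers.
COMMON_PINS holds only the three PINs the article names; extend it from the
top entries of leaked-PIN analyses in a real deployment. The other checks
and the birth-year window are heuristics assumed here, not taken from the page.
"""
from __future__ import annotations

COMMON_PINS = frozenset({"1234", "1111", "0000"})  # the three named in the article

# Assumed window for the "looks like a year" heuristic (birth years, anniversaries).
YEAR_MIN, YEAR_MAX = 1900, 2014


def pin_weaknesses(pin: str) -> list[str]:
    """Return every reason a four-digit PIN is considered weak (empty if none)."""
    if not (len(pin) == 4 and pin.isdigit()):
        return ["must be exactly four digits"]

    reasons: list[str] = []
    digits = [int(c) for c in pin]
    steps = [b - a for a, b in zip(digits, digits[1:])]  # differences between neighbours

    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if len(set(digits)) == 1:
        reasons.append("all digits identical")
    elif pin[:2] == pin[2:]:
        reasons.append("repeated pair")          # e.g. 1212, 4747
    if all(s == 1 for s in steps):
        reasons.append("ascending sequence")     # e.g. 1234, 6789
    if all(s == -1 for s in steps):
        reasons.append("descending sequence")    # e.g. 4321, 9876
    if YEAR_MIN <= int(pin) <= YEAR_MAX:
        reasons.append("looks like a year")      # e.g. 1985, 2014
    return reasons


def pin_is_acceptable(pin: str) -> bool:
    """True only when no weakness was found."""
    return not pin_weaknesses(pin)


if __name__ == "__main__":
    # Constructed candidates covering each rule plus one acceptable PIN.
    for candidate in ("1234", "1111", "0000", "1985", "1212", "4321", "7391"):
        print(candidate, pin_weaknesses(candidate) or "ok")
```

The check runs at PIN selection time, not at verification time; the lockout after a few wrong attempts still has to exist on the verification side, because this code only shrinks the set of PINs those few attempts are likely to hit.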
And to top it all off, we now know that the Heartbleed flaw (CVE-2014-0160) has been sitting quietly in OpenSSL for over two years. Heartbleed is not malware; it is a missing bounds check in the TLS heartbeat extension of OpenSSL, the open source library that most web servers use to implement SSL/TLS, the protocol intended to protect online transactions and accounts. The bug was introduced in OpenSSL 1.0.1 in March 2012 and disclosed in April 2014. A remote client can send a malformed heartbeat request to a vulnerable server and receive up to 64 KB of the server's memory in reply, which may contain private keys, session cookies and passwords, and nothing about the request appears in the server's logs. What the discovery means is that hundreds, if not thousands, of companies will have to generate new private keys, reissue the certificates that protect their accounts and transactions and revoke the old ones, and millions of users will have to change their passwords. The order matters: a site must patch first, then rekey, and only then ask users for new passwords, or the new secrets can leak the same way the old ones did. The often quoted figure that 66% of sites are affected is Netcraft's share of active sites served by Apache and nginx, the two web servers that commonly link against OpenSSL; it is an upper bound, not a count of confirmed vulnerable sites. Either way, the browser padlock that, heretofore, has been treated as an unassailable guarantee of a secure transaction only ever promised an encrypted channel to the site named in the certificate, and Heartbleed showed that even that promise depends on the code behind it.
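The first question an operator has to answer is whether a given build even belongs to an affected release. Below is an added example, not code from the article or from the OpenSSL project, that classifies the output of `openssl version` against the release ranges in the OpenSSL advisory of 7 April 2014. The sample strings in the block are constructed for illustration, and the function and type names are this example's own.

```python
"""Flag OpenSSL builds whose upstream release carries Heartbleed (CVE-2014-0160).

Added example, not code from the article or from the OpenSSL project. It parses
the output of `openssl version`; the release ranges come from the OpenSSL
advisory of 7 April 2014. Sample strings below are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# The heartbeat extension (and its missing bounds check) entered OpenSSL in 1.0.1.
# Affected upstream releases: 1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release.
# Fixed in 1.0.1g. The 0.9.8 and 1.0.0 branches never contained the code.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)


class Verdict(NamedTuple):
    release: str    # normalised upstream release, e.g. "1.0.1e"
    affected: bool  # True if that upstream release shipped the bug
    note: str


def classify_openssl(version_output: str) -> Verdict:
    """Classify one `openssl version` line; raises ValueError if it is not one."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError(f"not an `openssl version` string: {version_output!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    pre = (m.group(5) or "").lower()
    release = f"{major}.{minor}.{patch}{letter}" + (f"-{pre}" if pre else "")

    if (major, minor, patch) == (1, 0, 1):
        affected = letter <= "f"       # "" (plain 1.0.1) sorts before "a"; "g" and later are fixed
    elif (major, minor, patch) == (1, 0, 2):
        affected = pre == "beta1"      # beta2 and the final 1.0.2 carry the fix
    else:
        affected = False               # 0.9.8, 1.0.0 and later branches never had the code

    if affected:
        note = ("upstream release contains CVE-2014-0160; distributions often backport "
                "the fix without changing this string, so confirm against the vendor's "
                "security advisory and package changelog before trusting the build")
    else:
        note = "upstream release does not contain the vulnerable heartbeat code"
    return Verdict(release, affected, note)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        v = classify_openssl(sample)
        print(f"{v.release:12} affected={v.affected}  {v.note}")
```

A verdict of `affected` from this check is a reason to investigate, not proof: Debian, Ubuntu and Red Hat shipped patched packages that still reported a version letter inside the affected range, so the package changelog, not the version string, is the authority. A verdict of not affected is only as good as the assumption that the string really comes from the library the server loads at run time.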
So now what? EMV, the highly touted European chip-and-PIN system for protecting card data, is not scheduled for broad deployment in this country until the card brands' liability shift in October 2015. And even when it arrives, there is a huge, and often vitriolic, debate among industry insiders about just how secure chip and PIN really is. One point is not in dispute: EMV authenticates the physical card at the terminal and so defeats counterfeit cards, but it does nothing for card-not-present fraud, which is where online transactions live.
What about PCI compliance? Those in the know at the PCI Security Standards Council say that the PCI DSS standards, last revised as version 3.0 in November 2013, need no further updating because they are excellent standards. This flies in the face of complaints from many companies that despite the high cost of maintaining PCI compliance, measured in man-hours, downtime for audits, and systems slowed down by layers of security additions, there is still no guarantee that they will not suffer a breach. And PCI DSS requires cardholder data to be encrypted only when it crosses open, public networks; it does not address unencrypted data streams inside a private network, which is where the Target breach happened: card data was captured in the memory of point-of-sale terminals and moved across Target's internal network to a staging server before it was exfiltrated.
The Internet grew from research by the Defense Department in the late 1960s, but there has never been a master plan. One group built the Web browser, another developed search technology, another gave us payment networks, still others developed the encryption technology: in other words, it is a hodge-podge of independently written code, each piece with its own vulnerabilities. When you read the story about the five-year-old who bypassed the password check on his dad's Xbox and is now listed by Microsoft as a security researcher, do you get the sinking feeling that our so-called secure Internet is really like a B-52 bomber assembled from parts salvaged at an auto dismantler? It might look interesting, but will it fly safely? That is the bad news.
The good news is that many companies, especially the leading-edge electronic funds gateway processors, do not rely on stock OpenSSL alone; not totally trusting it, they layer their own encryption on top of the SSL/TLS channel. Treat that claim with care when you hear it: a home-grown or proprietary cipher is no substitute for a patched, standard TLS stack, and it has to be reviewed by someone other than its author. When you are signing up with a company to do your ACH processing, make sure you ask the right questions about security: whether their OpenSSL was patched and their certificates reissued after Heartbleed, whether data is encrypted on their internal network and not just on the public Internet, and what independent assessment their additional encryption layer has had.
*Data Breaches, Lax Security, Pervasive Malware – What’s Next? is copyrighted by Money Movers, Inc. This article may not be reproduced without direct permission of Patrick E. Craig and Money Movers, Inc.
Data Breaches, Lax Security, Pervasive Malware – What’s Next? – ©2014 Money Movers, Inc.