Company data breaches are nothing to brush off, but many people seem to do just that until their data is part of the scandal. While data hacking might seem like old news, its danger is still real. Indeed, the more often you hear about breaches, the more you should be aware of the truth about how they work, how you can protect yourself, and how safe the victim company is.
The 2014 Home Depot data breach was met with indifference by many consumers who saw it as just another incident at yet another retailer, says Avner Levin, Ryerson University associate professor and director of Ryerson’s Privacy & Cyber Crime Institute. Levin attributes this complacency in part to consumer fatigue with media buzz surrounding data breaches since 2013’s Target hack.
But just because such fraud may turn into common background noise behind “bigger” news doesn’t mean you should lower your guard, waiting until you become a victim before you learn the facts about these hacks.
Data breach misconceptions
1: MYTH: A retailer is safer following a breach
You may have heard that a company is actually safer after a security breach than it was before. And that may be true — but it’ll take time to get there, and the added safety might only last so long. After that, the company is probably going to be about as safe as it was before the hack.
Christine Duhaime, a financial crime and anti-money laundering expert in Toronto at Duhaime Law and MNP LLP, says it’s not safe to re-engage with a retailer immediately after a security breach because the company is preoccupied with its own internal systems issues. Instead, wait for the business to implement proper security measures against further hacks.
“That does not happen overnight and, in some cases, may take several months,” adds Duhaime.
Even then, Carlisle Adams, a University of Ottawa engineering professor and computer security expert, is skeptical about any security measures that companies introduce upon breach discovery.
He says that, too often, public relations priorities drive the extra resources and processes, which retailers put in place only as long as necessary to win back nervous customers. Security protections then dwindle away as other pressing business needs arise.
And while the specific vulnerability that allowed the breach may get fixed, many other holes remain since there is never only a single bug in a large complex system.
“If ‘safe’ means that the bugs haven’t been discovered or exploited yet, then that’s a risky proposition to put your faith in,” says Adams.
2: MYTH: You can make yourself breach-proof
Most security analysts agree smart-chip cards and strong passwords help protect consumers. However, those measures are not bulletproof.
Smart-chip cards are not the final answer to data breach security. American security expert Scott Schober says that while microprocessor chip cards are safer than magnetic stripe versions, Canadians should be aware that if the three- or four-digit card verification value (CVV) code found on the back of a card is compromised in a breach, smart-chip cardholders are at great risk from fraudulent online purchases that depend on the CVV code.
And your smart chip won’t help if you swipe your card at a less-than-safe point-of-sale terminal.
“If you have point-of-sale terminals and self-checkout stands that are not secure, even if the cardholder protects themselves six ways from Sunday, they are still not secure because the retailer’s system is vulnerable,” Levin says.
According to Verizon’s 2014 Data Breach Investigations Report, 31 per cent of retail industry breaches result from point-of-sale intrusions. Hackers use malware to infiltrate the payment processing system, then extract credit card information swiped at the time of purchase, explains Juan Andres Guerrero-Saade, a senior researcher at security software company Kaspersky Lab.
Even if you don’t see any suspicious activity on your card, your information may still be compromised. The hackers may simply not have used your card number yet.
3: MYTH: You should watch out for big-dollar frauds only
Cardholders who scrutinize their accounts for large rogue transactions may miss tiny test amounts that fraudsters put through using stolen card data. Terry Cutler, Certified Ethical Hacker and founder of IT security firm Digital Locksmiths Inc., says you should pay close attention to suspicious transactions as low as one dollar, which can signal that your card was sold to criminals on the black market.
The underground value of stolen credit card information diminishes over time; the more time that passes, the more likely a bank will flag compromised cards. As a result, criminals buy fraudulent cards from the same city or province where victims are located and often visit grocery stores and gas stations to test a card’s value, or make modest charitable donations online, hoping their small purchases won’t trigger any flags.
Guerrero-Saade recommends making an effort to recall where you used your card and to match each transaction, no matter how small, against your account activity — preferably every few days.
4: MYTH: Store credit-monitoring offers are a viable solution
Home Depot offered 12 months of free identity protection services to customers who paid by card at one of its stores during the data breach period, similar to the one-year credit-monitoring offer that Target extended to its Canadian guests after its data breach.
However, Duhaime says consumers find the coverage limited and tend to resent having to pay for credit monitoring services after the initial free period expires.
Also, people may not trust a service recommended by a breached business that couldn’t even adequately address its own security issues, Duhaime says.
However, you can ask TransUnion or Equifax to add a fraud alert to your credit file.
5: MYTH: Zero liability is the ultimate safety net
Visa, MasterCard and American Express protect breach victims with zero liability, so long as customers report unauthorized charges in a timely manner.
However, in the case of the Home Depot breach, both debit and credit cards were compromised — and debit cards are not protected by zero liability.
Even credit card owners could conceivably fall prey to creative identity thieves who use stolen cards for crimes that fall outside the scope of zero liability policies. For instance, credit cards are accepted to confirm ID for a wide range of purposes, from opening a bank account to cashing stolen government cheques.
In Levin’s opinion, credit card zero liability policies are a leading factor driving consumers’ perceptions that data breach fraud is largely a victimless crime in which financial institutions cover all losses and tell us not to worry.
By Daniel Workman
I’m a government-cleared cybersecurity expert (a Certified Ethical Hacker), and the Vice-President of Cyber at SIRCO, an investigations and protections firm in Montréal, Canada.
I’m also a frequent contributor to National & Global media reportage about cyber-crime, spying, security failures, internet scams, and the real social network dangers that families and individuals face every day.