Why hackers love the holiday season [Q&A]
Recent high profile security breaches involving retailers like Target and Neiman Marcus mean that people are increasingly aware they may be vulnerable when shopping online. Yet many don't fully understand the landscape that lies behind hacking and why it’s such a lucrative business.
With Christmas and its associated e-commerce peak fast approaching we spoke to Kelly Yee, Vice President of secure email provider Penango who has a wealth of security systems experience in both the public and private sectors. Here are her views on how hackers work and how we can guard against becoming victims over the holiday season.
BN: Most people realize that today’s hackers are motivated by financial gain, but how do they turn stolen data into money?
KY: In the case of stolen identities, an attacker may sell a bulk package of stolen identities to the highest bidder who will pay what they think the information is worth. Selling large amounts of data in the black market is a sophisticated enterprise and has become the new "it" product to sell on the black market.
BN: Hacking seems to be changing from a solitary activity into a serious business. Is there such a thing as a 'typical hacker' and if so what is he or she like?
KY: Today one rarely sees a waitress stealing someone's credit card information and going to Bloomingdale's to buy new clothes anymore. Instead what is more likely to happen is an attack involving tens of thousands of consumers' credit card information from a business being stolen and then sold to the highest bidder on the black market. There is rarely a typical attacker and that is why it is so hard to place a face to them or stereotype them.
BN: Are some companies less vulnerable to attack than others?
KY: Unfortunately, no. As consumers, we do not know what kind of internal security measures a company has and it's unlikely that a company would be willing to share this, as attackers would love to get their hands on this kind of information. For businesses keen to beef up their security, they should investigate what their potential partners are doing to secure their data. For instance, if a company is choosing an online portal to process orders that company should definitely inquire about the security measures that portal has in place for data at rest and in transit.
BN: Is there any way for consumers to know that a particular site is visible to attack?
KY: There are small precautions users can take to help reduce the use of sites that are prone to attacks. For example, consumers should utilize sites that have "https:" as they add a protocol encryption layer (TLS/SSL) for http:.
However, even a trusted website can be attacked. Take the Heartbleed bug infiltration of TLS/ SSL. What's more, the way companies store their customers' data is what is really prone to attack. This storage system, has nothing to do with a company's website.
The bottom line is, it is very hard to know which particular website, let alone which company's security and data retention measures are prone to attack.
BN: How can individuals and companies protect themselves?
KY: As a consumer, first check your credit card statements at least once a month. This only takes a few minutes and users can generally recognize a transaction that is not familiar. Also credit card companies are fairly easy to work with if there is any suspicious activity, and they remove the charge quickly.
Second credit card companies are federally required to have policies in place to help their users when an attack happens. For this reason, consumers should opt to use their credit card over their debit card where they can.
Third, some people prefer to use cash to protect themselves from attackers altogether. However, doing this may affect individuals in other ways: one can easily lose money and returns may be harder without a card receipt. Also some credit card companies have extended warranties or return policies, so consumers should take advantage of those benefits.
Companies should ensure their data is protected at rest and in transit. Using a secure gateway for data is the first step, but what about the data at rest or stored in the company's database? Penango offers a solution to this by providing true end-to-end (at rest and in transit) authenticated and encrypted email. Even if an email is compromised, Penango can prevent an attacker from reading your messages. This is just a first step, so companies should also make sure that the have a security policy from everything to credit card information down to daily emails.