Washington Times Dec 20 2013
By John McAfee
In recent days, Target customers were shocked to learn that since late November hackers have managed to steal the names, credit and debit card numbers, expiration dates and security codes of as many as forty million Target customers. Target customers should be very concerned, but they shouldn’t be shocked, because dozens of stores, companies and government agencies have been hacked in recent years, opening millions of Americans to identity theft, fraud and the possibility that sensitive personal information will be misused.
In just the last two years, hackers have gotten into the computers of J.C. Penney, 7-Eleven, Nasdaq OMX Group, JetBlue, Dow Jones and others and made off with similar information on 160 million of their customers. The hackers who successfully targeted Target could cost the US economy an estimated 4 billion dollars, and the potential total cost of all these security breaches could be many times that amount. It has been estimated, in fact, that the total cost of these thefts to the US economy could be the equivalent of 450,000 average wage earners working for a full year.
That is a lot of money down the drain in an economy still struggling to recover from recession, and the sad thing about it is that it wouldn’t have happened if security experts at these companies had thought well enough ahead to anticipate the nature of the attacks on their systems and put security measures into effect to thwart the hackers.
Many of the measures taken by companies and government security experts are designed either without anticipating the nature of the next assault on the system they are charged with protecting or without fully realizing that human beings are fallible and too often give hackers the very openings they are trying to eliminate. Preparing for the last attack, like military organizations that train for the last war, is of limited value, as is a strategy that ignores the human factor.
We have the technology today which can be utilized to at least keep institutions one or two steps ahead of the hackers if put in place and managed with an eye to what individual customers will and won’t do to assist in protecting their own and the institution’s data.
For example, in today’s world, cardholders can be easily empowered to control how, when and where their credit and debit cards can be used. Smartphones are ubiquitous, and apps can be developed for these phones that would allow individual customers tremendous flexibility by allowing them to disable their cards when they are not in use and enable them just prior to a purchase. The individual cardholder could be given the power to control his or her transaction limits, the types of purchases that can be made on the card, as well as where and when it can be used. With such a system in place, hackers couldn’t use whatever data they might get their hands on without hacking into the phones of individual cardholders, a daunting and virtually impossible task.
We know too that even those charged with protecting computer security within government security agencies often use dated technology or, like those in the private sector, develop systems that ignore the frailty of the human beings who use them. The idea that someone like Edward Snowden could waltz into the NSA, gain access to virtually every secret stored there and walk out with it shocked the nation and the world, but it happened. We learn almost monthly that state-sponsored hackers have broken into supposedly secure government databases, either because of a human breach or because the agency is several steps behind the hackers in employing technology to protect the nation’s secrets.
In a few cases the people charged with putting complex systems in place either disregard or don’t appreciate the importance of securing the data they will be protecting. This happens rarely, but those who built the government’s Obamacare online system did so without giving much thought at all to the fact that hackers might gain access to the system and thereby to sensitive information on tens or even hundreds of millions of Americans. The stories about successful hackers stealing data from Target or 7-Eleven will seem minor by comparison to those we could see next year as these same hackers go after the Obamacare system as the mother lode of data on individual Americans.
Within public and private sector institutions, the human element must be factored in from the beginning. Human beings with the best of intentions make mistakes that can compromise the privacy of others. Simple human curiosity is a trait often used by hackers. Hackers frequently use curiosity to gain access to an institution’s security system. For example, a major European corporation was hacked recently when a USB memory stick was placed on the ground next to the parked car of one of the corporation’s security employees, who found it and picked it up. It was labelled “weight loss” and the employee, who the hackers knew was struggling with weight issues, took it back to her office and inserted it into the USB slot in her computer to see if it might contain information she could use. The hacker’s program immediately took control of the company’s security system and millions of dollars’ worth of data was stolen.
Institutions must address the human element with the same thoroughness they put into the technological component of the security systems they devise to protect our privacy. Technological flaws, such as those that occurred with such glaring visibility in the Obamacare system’s design and deployment, are relatively rare, but human mistakes are common.
If we don’t learn from our mistakes, what occurred at Target will become a daily threat to the privacy and financial security of every American.