In the past few months, consumers have been deluged with one reason after another to fear technology and transactions. Target. Neiman Marcus. Michaels. Millions of stolen credit cards. Millions of passwords leaked and lost by Adobe, and a little less recently, Yahoo. Net users are used to, and perhaps growing numb to, the constant bad news.
Then came Heartbleed. The most recent scary Internet disaster is much worse than a compromised bank account. Heartbleed turns the very thing that was supposed to keep us safe into our worst technology nightmare. It’s a little like learning that every cop in your city is really working for the mob. Perhaps better said, it’s like learning that every store you give your credit card to is really a hacker out to steal it.
What are we supposed to do now? And I don’t mean reset your password, which is a lovely thing to do, but it may help and it may hurt you in this situation, and it doesn’t actually help with the real problem: Trust. If consumers finally lose trust in our transaction systems, everybody loses. Even the hackers.
“This is the last thing consumers need in the wake of the Target breach and all the other security breaches we have been hearing about,” said Avivah Litan, the security analyst at Gartner Group who is the loudest voice you’ll hear when there is a big data leak.
To review, Heartbleed is a flaw in the encryption technology used to keep data safely scrambled while it flies around the Internet. You know of it mostly because of those little locks that appear next to web addresses in your browser. A technology that is designed to keep encrypted connections open over time — by sending a regular “heartbeat” message that lets one computer tell another “I’m still here” — was instead a hacker’s best friend. Researchers figured out they could craft a heartbeat message that tricked a server into sending back every kind of data it stored. The heartbeat could be made to bleed data. That includes credit cards and passwords, but even worse, it even includes encryption keys. A bit like the ominous hacker movie Sneakers, the Heartbleed bug truly meant an end to secrets online.
The Heartbleed code is now fixed, and companies are racing to install the fix, and consumers are stumbling through changing passwords and doing the usual “have I been robbed?” inventory on their bank accounts. Crisis averted. This time. (Aside: If you have already changed your passwords, you should really change them again in about a month, because there’s no way to know if you updated your security while a hacker still controlled the website you logged into. )
The question has to be asked: How many times can we warn consumers to check their bank account statements carefully? Hanging over the Heartbleed incident, and Target before it, and Yahoo before that, is a dark feeling that the whole thing might not be safe. Consumers always react to large credit card hacks by saying they will now buy with cash. Most of the time, data shows, they don’t mean it. But Target had to admit last quarter that its revenue was materially impacted by the credit card incident. This is getting serious.
In the credit card world, the response to Target was straightforward. Journalists discovered that U.S. credit cards were a decade behind the times, and folks started pushing to add computer chips to our old-fashioned plastic, using a technology known as EMV. Of course, if EMV were so great, U.S. card issuers would have installed the chips 10 or even 15 years ago. Folks who know credit card security will admit privately that moving to EMV isn’t really much of a solution — fraudsters can just move to other kinds of credit card fraud the chips can’t stop. But there is still a very good reason to add the chips.
EMV will make shoppers feel better. That’s not a placebo. Trust is a very real thing. In fact, it’s the only thing.
If — when? — consumers finally get fed up by all the bad news, and a real trust gap arises, lots of people are going to lose lots of money. When a consumer pays for something with a $20 bill instead of swiping a card, at least 4 different entities miss out on getting a cut of that transaction. Trust means you don’t think, you just pull out your plastic. A trust gap means, perhaps, you don’t bother logging into that website and changing your password, you simply go somewhere else.
In other words, trust is basically the currency of our time. A tipping point on trust would create the equivalent of a run on a bank during a currency crisis. Lack of trust can snowball. With each “withdrawal,” the trust gap only grows.
In the credit card world, only comprehensive changes to the entire, end-to-end system of payments will really take a bite out of crime. I recently spoke to Visa’s Chief Risk Officer, Ellen Richey, who told me that a move to chip cards should be accompanied by new technology that makes online credit card fraud more difficult.
We don’t need to plug a hole in the dam with our thumb, we need a new dam.
This same thinking needs to govern online transactions, and privacy in general. It’s terrible that folks around the world are being told, in rather panicked tones, “CHANGE ALL YOUR PASSWORDS!” But it’s even more terrible that most of our digital and financial lives are guarded only by 50-year-old technology involving 8 upper or lower case letters and maybe a number or two. Two years ago, after a series of high-profile password list leaks from sites like LinkedIn, experts proclaimed the password dead. Heartbleed proves it’s more like a vampire that seems to live forever and come out to threaten us once in a while.
Litan, the Gartner analyst, has some good news about Heartbleed. Remember, this is a flaw discovered by good guys, not an active crime (like Target). That means the damage can be contained, and she thinks it will be. This time.
“I don’t think this is an uncontrollable disaster,” she said. “It’s manageable and as long as the companies who use this version of Open SSL act responsibly – i.e. patch and secure their systems and ask users to change passwords – we are OK. There is no evidence that the criminals have used this attack vector yet. And if these security steps are taken and upgrades are made – they won’t be able to.”
So, there’s no run on the trust bank this time. But I guarantee that consumer patience is not infinite. We can only come up with so many variations of our pets’ names. Tokens? Fingerprints? Disposable passcodes? Something needs to change before we ask users to invent new passwords one time too many, and the trust gap swallows up the whole thing.