Bob Sullivan

We know that Americans are concerned about their cars being hacked.  We also know that some consumers believe criminals are “hacking” into their parked cars and committing “snatch and grab” crimes using devices that simulate newfangled keyless entry systems.

Now, we know the FBI is worried about car hacking, too. The agency, along with the National Highway Traffic Safety Administration, issued a bold warning to consumers and manufacturers last week.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the warning says. “While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.”

The FBI warning didn’t raise any new concerns; it mainly cites revelations of car hacking from 2015 as impetus for the warning. Still, the notice clearly demonstrates there is a level of activity around car hacking that should have everyone concerned. Drive down the highway sometime (as a passenger) and use your smartphone to see at all the cars sending out Bluetooth connections around you and you’ll get an idea about how connected our vehicles have become.

Meanwhile, consumers continue to report mysterious car break-ins around the country with no signs of forced entry, in situations when they swear their car doors were locked.  In Baltimore, a string of crimes following this pattern frustrated local residents earlier this year.

“What was strange to me was that, while I could tell it was broken into because my jacket was taken and they tossed through the stuff in the car, there were no signs of a breaking. No broken windows or anything,” said one driver. “I called and reported it mostly because I wanted to know how anyone could have gotten in if it was locked and no windows were broken. The officer said people have these things that basically interfere with newer cars electronic/fob locking systems and disable the alarms.”

The reports follow a persistent set of national stories around keyfob break-ins that began with a CNN report two years ago, and was followed by a New York Times story last year that casually suggested drivers store their car fobs in their freezers to keep them safe from hackers. (Notably, the story appeared in the Times’ Style section. The science was a little shallow).

There have also been vague warnings issued by some agencies around the world, like this notice from London Police, or this notice from the National Insurance Crime Bureau,

“The key-less entry feature on newer cars is a popular advancement that lets drivers unlock their cars with the simple click of a button on a key fob using radio frequency transmission. The technology also helps prevent drivers from locking their keys in the vehicle,” it says.  “Not surprisingly, thieves have found a way to partially outwit the new technology using electronic ‘scanner boxes.’ These small, handheld devices can pop some factory-made electronic locks in seconds, allowing thieves to get into the vehicle and steal personal items left inside.”

The existence of such a scanner box is very much in question, as are assertions that such a universal master key can be purchased for as little as $17; so is any notion that the crime is widespread. If any law enforcement agency has seized such a device, we are all waiting for it to be put on display.

How would such a magic device work?  By tricking your car into thinking your key fob is nearby and opening the door in response to a handle jiggle; or perhaps by amplifying the signal it sends out, or by intercepting that signal and copying it somehow. Or, hackers could “guess” the code for opening a car, if the code were poorly constructed. Here’s a great explanation of how it might work, and why it’s a major challenge unlikely to be used by street thugs.

*Could* such a hack exist? Well, of course, says embedded device security expert Philip Koopman, a professor at  Carnegie Mellon. Koopman actually worked on earlier generation designs for key fobs.

“I would not at all be surprised if the Bad Guys have figured out that some manufacturer has bad security and how to attack it,” he said. “There is nothing really new here, other than general lack of people to admit that if you cut corners on security you will get burned, and an insistence by manufacturers and suppliers that known bad practices are adequate.”

In a blog post six years ago, he warned about the cost sensitivity for auto manufacturors (“No way could we afford industrial strength crypto.”)

Back to today, he offered this speculation on keyless entry attacks.

“It is (possible) that the manufacturers used bad crypto that is easy to hack, possibly via just listening to transmissions and doing off-line analysis. And it is possible to attack by getting near someone when they aren’t near their car and extracting the secrets from their car keys when it is in their pocket, then using that info to build a fake key. The technology is very similar to the US Passport biometric chips, so all the attacks for those are plausible here as well.”

The FBI offers the following advice to consumers: Keep your car software up to date, as you do with your PC; don’t modify your car software; be careful when connecting your car to third parties; and “be aware of who has physical access to your vehicle.”

That last bit of advice might work for people with long driveways, but the rest of us can’t do much about who might be able to walk by our cars on streets and in parking lots.

“While these tips may seem innocuous, they do show the limitations that law enforcement and consumers have in combating the car hacking threat,” said Tyler Cohen Wood, Cyber Security Advisor of Inspired eLearning.  “With the ever-increasing implementation of Internet of Things devices, including devices installed in newer cars, it’s a real challenge for law enforcement to identify different threat vectors associated with vehicle hacking.  There is no real standard for Internet of Things devices from a vehicle standpoint—each automobile manufacturer offers different types of devices as options in vehicles, from entertainment and navigation systems to remote ignition starting devices.  There is no industry standard for operating systems or security protocols on these devices, so it’s difficult for law enforcement to identify the specific threats that the devices pose to the public.”

So what else should you do?  Putting your car “keys” in the freezer is probably a bad idea; it will likely create more problems than it solves.  You might damage the very expensive key, for example, to mitigate a threat that is still perceived as low. But it wouldn’t hurt to take great care with where you leave the key. If you park directly in front of your front door, perhaps you shouldn’t leave the key right there.  Otherwise, read the local police blotter and talk to neighbors about street crime.

Most of all, make sure you really do lock your car doors.

Bob Sullivan

It’s natural to look for a scapegoat after something terrible happens, like this: If only we could read encrypted communications, perhaps the Paris terrorist attacks could have been stopped.  It’s natural, but it’s wrong.  Read every story you see about Paris carefully and look for evidence that encryption played a role.

There’s a reason The Patriot Act was passed only a few weeks after 9-11, and it wasn’t because Congress was finally able to act quickly and efficiently on something.  The speed came because many elements of the Patriot Act had already been written, and forces with an agenda were sitting in wait for a disaster so they could push that agenda.  That is wrong.

So here we are now, once again faced with political opportunism after an unthinkable human tragedy, and we must remain strong in the face of it.  There is no simple answer to terrorism, and we should all know this by now.  And so there must be no simple discussion about the use of encryption in the Western world.  The debate requires a bit of thoughtful analysis, and we owe it to everyone who ever died for a free society to have this debate thoughtfully.

The basics are this: Only recently, computing power has become inexpensive enough that ordinary citizens can scramble messages so effectively that even governments with near-infinite resources cannot crack them. Such secret-keeping powers scare government officials, and for good reason.  They can, theoretically, allow criminals and terrorists to communicate with a cloak of invisibility.  Not surprisingly, several government officials have called for a method that would allow law enforcement to crack these codes.  There are many schemes for this, but they all boil down to something akin to creating a master key that would be generated by encryption-making firms and given to government officials, who would use the key only after a judge granted permission.  This is sometimes referred to as creating “backdoors” for law enforcement.

Governments can already listen in on telephone conversations after obtaining the proper court order.  What’s the difference with a master encryption key?

Sadly, it’s not so simple.

For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law.  But products created outside the U.S.?  They’d create backdoors only if their governments required it.  You see where I’m going. There will be no global master key law that all corporations adhere to.  By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed.  Plenty of companies would create rogue encryption products, now that the market for them would explode.  And of course, terrorists are hard at work creating their own encryption schemes.

There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very,  very hard to undo a technological advance.

Meanwhile, creation of backdoors would make us all less safe.  Would you trust governments to store and protect such a master key?  Managing defense of such a universal secret-killer is the stuff of movie plots.  No, the master key would most likely get out, or the backdoor would be hacked.  That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind out backs.

In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.

Is there some creative technological solution that might help law enforcement find terrorists without destroying the entire concept of encryption? Perhaps, and I’d be all ears. I haven’t heard it yet.

Only a few weeks after 9-11, a software engineer who told me he was working for the FBI contacted me and told me he was helping create a piece of software called Magic Lantern.  It was a type of computer virus, a Trojan horse keylogger, that could be remotely installed on a target’s computer and steal passphrases used to open up encrypted documents.  The programmer was uncomfortable with the work and wanted to expose it. I wrote the story for msnbc.com, and after denying the existence of Magic Lantern for a while, the FBI ultimately conceded using this strategy.  While we could debate the merits of Magic Lantern, at least it constituted a targeted investigation — something far, far removed from rendering all encryption ineffective.

For a far more detailed examination of these issues, you should read Kim Zetter at Wired, as I always do. Then make up your own mind.

Don’t let a politician or a law enforcement official with an agenda make it for you. Most of all, don’t allow someone who capitalizes on tragedy a mere hours after the first blood is spilled — an act so crass it disqualifies any argument such a person makes — to influence your thinking.

Larry Ponemon

User growth has become a key indicator of a company’s financial growth and sustainability. Even a company’s revenues can take a back seat to its user base as a metric that predicts future success. While it may have taken the telephone 70 years to reach 50 million users, in today’s fast-paced world companies can reach that same number in a matter of months.

As the user-base becomes a new form of currency, driving valuations of companies around the world higher and faster than ever before, it is becoming increasingly important to protect the integrity of these users. Information about who users are, what they do and how they do it is incredibly valuable. If not adequately protected this information can be (and is being) exploited.

The purpose of this report is to understand the scope of registration fraud, and how this epidemic is impacting companies and their users. It offers a glimpse into how companies verify and protect their users, and the damage that can be done when fraudulent users and fake accounts are allowed to exist within a user base.

Thanks to a sponsorship from Telesign, We surveyed 584 U.S. and 414 UK individuals who are involved in the registration, use or management of user accounts and hold such positions as product manager, IT security practitioner and app developer. Eighty-nine percent of these respondents say their organization considers its user base a critical asset with an average value of $117 million.

However, account fraud is becoming more prevalent because most organizations have a difficult time ensuring bona fide users and not bad actors are authenticated during the registration process. Only 36 percent believe they are able to avoid fraudulent registrations. Moreover, once fake users are registered, they spam legitimate users and often create more fraudulent accounts. Fake users also steal confidential information as well as engage in phishing, social engineering and account takeover.

The findings reveal why companies are vulnerable to the threats of fake users:

• The authentication process is difficult to manage, according to 69 percent of respondents, allowing fake users to infiltrate the user base.

• Fifty-eight percent of respondents say user convenience is most important to their fraud prevention strategy and 42 percent of respondents say ease of use is critical. Only 21 percent say security is important.

• The majority of respondents (54 percent) say a phone number is enough to stop fraudulent registrations and protect account access.

• Companies seem to be unwilling to crack down on fraudulent registrations. Forty-three percent of respondents say their company doesn’t worry about the registration of fake accounts to avoid friction in the registration process. Most companies do not have a formal method for determining whether a potential user is real.

• Only 39 percent of respondents say their company is vigilant in determining that each user account belongs to a real person.

• Only 25 percent of respondents believe the traditional username and password(s) is a reasonably secure authentication method for their users. However, 94 percent of respondents say they use passwords or PINs and 79 percent use email addresses to create an account(s).

To read the rest of the report findings, please download the PDF from Telesign.com

Charlie Miller, who helped find the flaw, installing the patch. Click for Twitter feed.

Bob Sullivan

Consumers are becoming more and more aware that hacking isn’t just a gadget nuisance any more.  Computer security problems, like viruses, increasingly come with real-world consequences — like the potential to screw with an airplane’s flight system, or more recently, a car.  Wired’s Andy Greenberg last month revealed to the world the latest hacking horrible — security researchers were able to “kill” a Jeep while he was in it.

“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” Greenberg wrote. “Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.”

Later, the hackers demonstrated they could stop and steer the car remotely using a software vulnerability.  Yikes.

The digital carjacking incident incident was a huge embarrassment for Jeep maker Fiat Chrysler, which recalled 1.4 million cars to fix the software.

But pity poor Chrysler, which just happened to be the first car maker to end up with egg on its face.  Increasingly, cars are run by computers, and increasingly, that means hacks like this are inevitable.

Consumers  seem to implicitly understand this.  Kelley Blue Book jumped at the news to churn out a survey of users showing that, yes, they all know about the Jeep incident, and yes, they all (Ok, 4 out of 5) think car hacking will be a problem within the next three years. Much to my surprise, many even said they’d pay for hacking protection services, with $8 a month being the preferred cost.  I smell a marketing opportunity for antivirus makers!  I also smell a rat — why should consumers have to pay extra to keep computer criminals out of their cars?  (And while I’m at it, could I make a final, fruitless plea to save at least some dashboard gauges and knobs?  I *hate* digital displays.)

On to the results:

• 72 percent said they are aware of the recent Jeep Cherokee hacking incident.
• 41 percent said they will consider this recent vehicle hacking incident when buying/leasing their next car.
• 78 percent said vehicle hacking will be a frequent problem in the next three years or less.
• 33 percent classified vehicle hacking as a “serious” problem; 35 percent classified it as a “moderate” problem.
• 58 percent do not think there will ever be a permanent solution to vehicle hacking.
• 41 percent think pranking is the most common reason for hacking a vehicle; 37 percent think theft is the most common reason for hacking a vehicle.
• 81 percent think the vehicle manufacturer is most responsible to secure a vehicle from hacking; only 11 percent consider themselves most responsible to secure a vehicle from hacking, and 5 percent see it as the responsibility of their wireless provider.
• 64 percent would prefer to go into a dealership to get a vehicle’s security patch installed; only 24 percent would prefer to do it wirelessly, and a mere 12 percent would prefer to have the software mailed so they could install it themselves.
• 47 percent said they would go to a dealership “immediately” if they knew they had to install a security patch to protect their vehicle from hacking; 31 percent said “within a week,” and 17 percent said “within a month.”
• 44 percent would prefer to be notified via mail, and 41 percent would prefer to be notified via e-mail, in the event their vehicle was recalled.  Only 11 percent preferred notification via a phone call, and 5 percent preferred text.
• 52 percent indicated they would be willing to pay for a monthly subscription to ensure that their vehicle would be completely protected from hacking, with $8 being the average respondents would be willing to pay each month.

“Technology offers a wide range of enhanced convenience for today’s new vehicle buyers, but it also offers the increasing potential for unauthorized access and control,” said Karl Brauer, senior analyst for Kelley Blue Book.  “Cyber-security is still a relatively new area of specialization for automakers, but it’s one they need to take seriously to ensure they are ahead of the curve.  If automotive engineers find themselves playing catch-up in this field, it could have disastrous results for both consumers and the industry.”

Ashley Madison website. Turns out “shhhh” isn’t effective security.

Bob Sullivan

Some secrets are more valuable than others. And some secrets are more valuable TO others.  In perhaps the most predictable extortion hack ever, cheating website Ashley Madison has confirmed to Brian Krebs that some of its data has been stolen.  It now appears that tens of millions of people are at risk of being exposed.  As you’ve already deduced, Ashley Madison users are not really all that worried about having the credit card numbers stolen and used for fraud.

According to Krebs, the hackers — who go by the name The Impact Team — say they will slowly dribble out data from the site until its owners take the cheating site, and companion site “Established Men,” offline.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” Krebs quotes the hackers from a post they left behind.

This is hacking 2.0.  It’s not about the data, it’s about the context.  Using stolen data, like credit cards, to get money is hard work.  Extorting someone who has more to lose than money is a lot more profitable.

When Sony was hit by a combination hack / extortion plot in December, I described this new era of hacking.  Sony corporate emails were stolen by hackers, who then embarrassed the heck out of the firm. Execs said inappropriate, even racist, things.  Actresses were insulted and underpaid.  It all reminded me of a smaller, but no less scary, incident several years ago involving a government contractor named HB Gary, which had Anonymous similarly terrorized.

Criminals don’t have to steal financial information to make money hacking. They just have to steal any data that’s valuable to anyone.

Making matters worse for corporate security teams is this reality: In recent years, they’ve all invested heavily in protecting financial data, spending money fortifying the most valuable data.  Credit cards, yes. Email servers, maybe not. Slowly, this will change.  But right now, every executive at every firm in the country should be hard at work doing an honest assessment about what their valuable data really is.   Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster of stolen in another.  Because every company will have to plan for ransom and extortion requests now.

It’s hard to understand why Ashley Madion’s owners didn’t see this coming…particularly when AdultFriendFinder.com was hacked two months ago.  But that is how these things go.

The next question in this incident is: How will Avid Life Media get out of this mess?  One possibility is paying a ransom.  A few months ago, I started researching ransom and what I’ll call “data kidnapping” after I’d gotten a whiff this was going on.  The raging success of malware called cryptolocker, which forced victims to pay a few hundred dollars’ ransom to unscramble their data, certainly proved extortion demands can work.  Cryptolocker made $27 million just in its first two months, from both home users and small organizations. 

When I talked to Lisa Sotto, a cyberlaw expert at Hunton & Williams,  about this recently, she said she believed things were only going to get worse.

“That’s exactly how I see it going. Companies and individuals paying, because they potentially have no choice,” Sotto said to me. In fact, ransoms are already common, she said. “I do not believe there is a heck of a lot of negotiation involved…They are not asking for exorbitant amounts, so for the most part, what I hear is people are paying.”

In February, a blog post by Christopher Arehart made me even more convinced that ransom and extortion are hacking 2.0. Arehard is is the global product manager for crime, kidnap/ransom and extortion, and workplace violence expense insurance for the Chubb Group of Insurance Companies.  In his post, he warned companies that cyber-insurance policies often don’t cover extortion situations.

“Cyber liability insurance policies may  help companies deal with first-party cleanup costs, the cost of privacy notifications and lawsuit expenses, but these policies may only provide limited assistance with extortion threats. Extortion threats should be investigated and handled by professionals and small businesses need to know where to turn for assistance,” he wrote.

He then wrote that many businesses should consider adding the same kind of insurance that multinational companies purchase when they must send employees into dangerous parts of the world.

“A kidnap and ransom policy — technically a kidnap, ransom and extortion (KRE) policy — responds when an extortion threat has been made against a company, before there has been any data breach,” he wrote.

I tried to ask Arehart and Chubb about incidents involving extortion or “data kidnapping,” but the firm just pointed me back to his blog.

“Although some criminals eventually back down and do not follow through with their extortion threats, some threats do get carried out and these incidents can often be expensive. The tools available to criminals are vast and they have the power of the Internet behind them. Businesses, especially small businesses, need access to security consultants to help them manage these threats. A KRE policy would provide small businesses with access to those professionals.”

In other words, kidnapping and ransom policies aren’t just for dealing with employees who might run into the Mexican drug cartel any more.

They are for anyone who has data that might be valuable to someone, in some future context.  Secrets are almost always valuable to someone.

Larry Ponemon

Security risks are pervasive and becoming more difficult to prevent or minimize. Without the support of senior management, much needed investments in people, processes and technologies are not made. The findings of the research reveal the difficulty IT security practitioners face in achieving a stronger security posture because of inadequate budgets and the lack of C-level and boards of directors’ involvement in decisions related to IT security investments. This suggests the importance of IT security practitioners becoming more integral to their companies’ IT spending and investment process.

Ponemon Institute is pleased to present the 2015 Global Study on IT Security Spending & Investments. The purpose of this study is to understand how companies are investing in technologies, qualified personnel and governance practices to strengthen their security posture within the limitations of their budget.

We surveyed 1,825 IT management and IT security practitioners in the following global regions: North America, Europe, Middle East, Africa (EMEA), Asia, Pacific, Japan (APJ) and Latin America (LATAM) in a total of 42 countries. All respondents are involved to some degree in securing or overseeing the security of their organizations’ information systems or IT infrastructure.

They are also familiar with their organization’s budget process and/or spending on IT security activities. According to participants in this research, boards of directors and C-level executives are not often briefed and often not given necessary information to help them make informed budgeting decisions. As shown in Figure 1, 51 percent of respondents do not agree (34 percent) or are unsure (17 percent) that C-level executives are briefed on security priorities and what investments in technology and personnel need to be made.

Fully 64 percent of respondents do not agree (41 percent) or are unsure (23 percent) their boards of directors are made fully aware of security priorities and required investments. The study reveals the following problems with today’s approach to security spending and investments:

• The CEO and boards of directors are rarely believed to be most responsible for ensuring IT security objectives are achieved. Very few participants say their CEO or boards of directors are held most responsible for ensuring IT security objectives are met (6 percent and 3 percent of respondents, respectively). As a consequence of this lack of accountability, only 24 percent of respondents strongly agree that their organization sees security as one of the top two strategic priorities across the enterprise.

• Who owns the IT security budget? It is not the CISO. Only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget. This suggests the importance of security leaders learning how to influence these individuals if they are going to change how budgets are allocated.

• Security spending is not on the board’s agenda. Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support. Without support from C-level executives and boards it is understandable that 50 percent of respondents say budgets will be flat or decreasing in the next two years.

• The budgeting process is too complex. The majority of respondents say the annual budget process is too complex (53 percent of respondents). This might lead to poor investment decisions such as purchasing technologies that do not lead to a stronger security posture or delayed investment in much needed resources.
• Many organizations are stuck in a middle stage of maturity. Necessary funding and proper planning are critical to move to a more mature security posture. Only 43 percent of respondents say their organizations’ IT security budgets are adequate and most security programs are only partially deployed.

• Companies are disappointed in technology purchases. According to the research, a lack of qualified personnel is undermining the effectiveness of technology solutions and the overall security posture of organizations. This is mainly because they don’t have the necessary in-house expertise and vendor support. Such buyer’s remorse may discourage companies from considering state-of-the art technologies.

• Compliance with regulations is difficult without adequate resources. The majority of respondents (58 percent of respondents) do not have sufficient resources to achieve compliance with security standards and laws. Non-compliance puts organizations at risk for legal action and fines.

Want to read the rest of this report?  Download it from Dell here. 

I discuss the alleged Cardinals hack with NBC’s Kevin Tibbles. Click to watch.

First of all, if you haven’t read it, you must: The FBI is investigating baseball’s St. Louis Cardinals for hacking the Houston Astros, according to the New York Times. Someone from the Cardinals allegedly stole data offering insight into the Astros player evaluation files, details on possible trades, and so on.  This kind of corporate espionage goes on all the the time, and if you didn’t believe that, well, there you are.

Here’s what’s interesting for you.  The story-in-the-story here is that the Astros hired a hot-shot Cardinals employee named Jeff Luhnow and made him general manager. He took some Cardinals employees with him.  That created bad blood. Apparently, it also created a beachhead for the hacker. The Times reported today that someone from the Cardinals used old passwords from those former employees when breaking into the Astros’ computers.

“Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said,” the Times says.

In other words, Cardinals employees re-used passwords they had used when they worked for the Astros.  Let that be a lesson to you: When you switch jobs, switch whatever password creation trick you have been using.

Still, the situation is a bit unusual.  Computer networks are designed so such passwords cannot be retrieved, even by system administrators.  They’re encrypted. Even firms that store previous passwords to prevent re-use scramble them so they can’t be accessed, according to security expert Harri Hursti. At least, that’s “best practice.”

On the other hand, “there are a lot of crazy organizations out there that store passwords in clear text,” Hursti said.

There are other possibilities, of course.  That details in the New York Times story could be wrong.  A former Cardinals employee could have shared his or her password with others in the team’s front office — that’s not unusual. Maybe a post-it note was left behind on a computer monitor.  Maybe the password was “password.”

But here’s your nearly daily reminder that you might be hacked, and the hacker might be a surprise — it might be a former friend or colleague.  So be vigilant about your passwords.  And when you change companies, change your password habits.

Bob Sullivan

The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder.  New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.

The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa.  In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards – requiring that PIN codes be entered each time a card is used. The change adds two important levels of security, or two-factor security.  To complete a transaction, buyers need to have in their hands a chip card, which is incredibly challenging to counterfeit. And they must know something — a PIN — that’s not on the card.

The U.S. is poised to implement only half this system.  Chip cards must be accepted by merchants by the fall deadline, but not PINs.  The so-called “chip & signature” system is a half-measure, according to  Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.

“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.

For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumers’ signature.

Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.

“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.

Why?  So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.

For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006.  While counterfeit card fraud has shrunk — from 27 percent of all fraud in 2003 to 13 percent in 2013 — other kinds of fraud have soared.  Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013.  Chip cards have no impact on online or telephone sale fraud because the chips cannot be used for authentication.

So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.

New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.

“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.

The trickiest part of the migration is that the U.S. is so far behind – at least a decade behind the U.K, for example – that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete.  To some observers that lessons the urgency of the changeover.

But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.

“If the U.S. decided to skip EMV….it would be more of a target than it is today,” he said.  “There is still value in migrating….it’s going to take a lot longer than people expect for mobile payments to really become commonplace. ”

Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, however, where banks enjoyed at least a few years of reduced fraud before criminals caught up.   Here in the U.S., criminals already have quite a head start on their EMV workarounds.

That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.

Sign up for Bob Sullivan’s free email newsletter. 

Another day, another massive computer hack that sets millions of people in a tizzy about something they can’t control.  The Anthem health data leak isn’t the Big One — that’s still coming, believe me — but it’s pretty big.  Perhaps 80 million people now have to worry that a criminal gang has their name, birthday, email, Social Security number, and perhaps even their employment history and salary.

It’s easy to imagine all the bad things that can happen to you if that data gets in the hands of a professional criminal. Sure, consumers will get *another* offer of free credit monitoring — handy, because the Target free monitoring just expired. But really, that’s a bit like telling a man to boil water when a pregnant woman’s water breaks. Busy work.

What’s broken here is the system.  What’s missing here is bold action.  While Washington D.C. bickers over a new privacy law that enacts technological-era change at a glacial pace, hackers are running circles around our nation’s companies. Nobody I know who works in cybersecurity thinks things are going to get better.  Last year’s Sony hack set the stage for this, and other stories you see this year. Computer criminals are about to abandon credit card database hacks. With the move to chip-enabled credit cards, stolen account numbers will soon have less value.  So that migration has already begun. As I often say, fraud is like a water balloon. Squeeze one end, and the other end just gets bigger.

But there’s more going on here than chip card change.  Sony taught hackers a valuable lesson: even data that might not seem valuable can be priceless if leveraged in the right way. The old thinking: Who cares about stealing a million emails? Most of them are boring drek. Get the payment card data.  The new thinking: Grab everything, and we’ll figure out how to monetize it later.  It only takes a few embarrassing emails to convince a CEO to stop a product launch, or cough up a few million dollars. Turning millions of credit card numbers into cash is hard work, involving an army of mules and real-world risk.  Turning private data into an extortion payout is much easier.

So we see with the Anthem hack that, according to the company, criminals didn’t even seem interested in the payment card data.  They wanted everything else. And now, like a hunter who uses every part of a dead pray, they will pick over the data and try monetize it in dozens of ways.  New account fraud. Phishing. Extorting consumers.  Perhaps, they’ve already tried to extort the company. Since victims do not have the option of canceling their birthdays or employment background, they will have to worry about this for a very long time.

Why? Anthem was warned. The FBI issued a warning last year that health care firms use archaic systems which are easy hacker targets.  Why would Anthem leave such data in an unencrypted state, lying around for the taking?  More important, why would Anthem have data on potentially millions of former customers, also sitting there for the taking?

The reason: Anthem didn’t see value in the data the way consumers do, and the way the hackers do. Notice that no medical information was stolen. That’s because it’s part of Anthem’s core business. Consumer information is not.  Maintaining that is merely a cost. You see this pattern again and again. Why was Target’s credit card database stolen? Because Target isn’t a bank, it’s a department store.  Why was Sony’s email stolen? Because it wasn’t a movie in production, it was just email.

Change must come.  Data is everyone’s core business now.  Firms need to actually take the protection of our data seriously, not merely say they do in letters revealing they’ve been hacked.  Meanwhile, it’s time to work with the reality that millions of Americans have now permanently been exposed to identity theft through heist of their Social Security numbers. The right way to deal with that is simple: We need to devalue the stolen information. One modest proposal you will hear is to simply make all Social Security numbers public, thereby ending once and for all their use as a unique and “secret” identifier.

That kind of fresh thinking is the only way through this problem. And that kind of bold step could only be taken with leadership from the federal government. We’re still waiting.

See you in another week or two when the next big hack hits.

Sign up for Bob Sullivan’s free email newsletter.

You couldn’t get nine out of 10 Americans to agree that the sky is blue.  So it’s remarkable that nine out of 10 say they have lost control over how their personal information is collected and used by corporations, a new survey released Wednesday by the Pew Research Center has found. Virtually the same number feel like it would be “very difficult” to remove inaccurate information about them online. And roughly two-thirds believe the government should do more to regulate advertisers and how they use personal information.

On the other hand, more than half said they were willing to share “some information” about themselves in order to use online services for free, and about one-third say that surveillance can be beneficial for society.

The results show Americans’ feelings about privacy are varied and subtle, said Lee Rainie, director of the Internet Project and a co-author of the study.

“Far from being apathetic about their privacy, most Americans say they want to do more to protect it,” Rainie said. “It’s also clear that different types of information elicit different levels of sensitivity among Americans.”

The slew of data breaches at major retailers over the past year have put privacy concerns front and center in Americans’ minds. Credit monitoring, transaction alerts and general vigilance of where you share your data and who you share it with are all part of keeping your data footprint limited. It won’t necessarily prevent identity theft or fraud(two consequences of sharing your personal information broadly), but it can make dealing with it easier. Any large, unexpected changes in your credit score could be signs of new-account fraud. (You can use free online tools – including those at Credit.com – to monitor your scores for any changes in your credit scores. You can also get free credit reports once a year at AnnualCreditReport.com.)

Other findings in the poll, which questioned a representative cross section of Americans:

When they want to have anonymity online, few feel that is easy to achieve. Just 24% of adults “agree” or “strongly agree” with the statement: “It is easy for me to be anonymous when I am online.”

• 61% of adults “disagree” or “strongly disagree” with the statement: “I appreciate that online services are more efficient because of the increased access they have to my personal data.”
• 80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
• 70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites
• Generally, people trust old technology more than new for privacy. People trust old-fashioned telephones more than social media or text messages, for example. They even trust landline phones more than cellphones.
• 36% “agree” or “strongly agree” with the statement: “It is a good thing for society if people believe that someone is keeping an eye on the things that they do online.”

Privacy law expert Chris Hoofnagle, a teacher at Berkeley Law school was reviewed the study, noted that attitudes about surveillance were linked to citizens’ education levels.

“A sizable minority agrees with the idea that surveillance is beneficial for society. This group was characterized as younger and less well educated, with each step in more education resulting in less agreement of its beneficence,” he said. “I think there are very interesting class dynamics in privacy privacy and it is something that the Digital Trust Foundation is going to start funding research around this question in 2015. A question to ask here is why does this group find beneficence in surveillance? Could it be because they are heavily surveilled and simply do not have a choice over the matter?”

Here’s a few more of Hoofnagle’s observations.

“Trust in communications channels is based both on the age of technology and legal protections. The oldest and most legally protected technology (ECPA warrant standard) is the landline phone, followed by wireless phones. Email and text go over the wire in plain text, making them technologically inferior, and they are less protected as they fall under the SCA. Chat is the strange one—it is a newer technology, and so perhaps less trusted for that reason. But some chat is very strongly protected (iMessage).  And of course, no one should feel secure on social media sites because Facebook is crawling with investigators and Facebook itself is a privacy threat.

“Finally…many others have found that Americans are skeptical of both private-sector and government collection of information. (These) results are consistent with surveys going back to the 1980s that finds distrust of both government and commercial data practices.”