
A lesson from that Cardinals-Astros hack: Don’t use old passwords at your new company

I discuss the alleged Cardinals hack with NBC's Kevin Tibbles. Click to watch.

First of all, if you haven’t read it, you must: The FBI is investigating baseball’s St. Louis Cardinals for hacking the Houston Astros, according to the New York Times. Someone from the Cardinals allegedly stole data offering insight into the Astros’ player evaluation files, details on possible trades, and so on. This kind of corporate espionage goes on all the time, and if you didn’t believe that, well, there you are.

Here’s what’s interesting for you.  The story-in-the-story here is that the Astros hired a hot-shot Cardinals employee named Jeff Luhnow and made him general manager. He took some Cardinals employees with him.  That created bad blood. Apparently, it also created a beachhead for the hacker. The Times reported today that someone from the Cardinals used old passwords from those former employees when breaking into the Astros’ computers.

“Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said,” the Times says.

In other words, the former Cardinals employees who moved to the Astros re-used passwords they had used when they worked for the Cardinals. Let that be a lesson to you: When you switch jobs, switch whatever password creation trick you have been using.

Still, the situation is a bit unusual.  Computer networks are designed so such passwords cannot be retrieved, even by system administrators.  They’re encrypted. Even firms that store previous passwords to prevent re-use scramble them so they can’t be accessed, according to security expert Harri Hursti. At least, that’s “best practice.”

On the other hand, “there are a lot of crazy organizations out there that store passwords in clear text,” Hursti said.
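Hursti’s distinction between “best practice” and clear-text storage, as an added example that is not from the article or from any system it describes: a small Python credential store that keeps the current password and a short history as salted PBKDF2 hashes, so a leaked “master list” of records yields nothing that can be typed at a login prompt, while re-use of a remembered password can still be rejected. The iteration count, history depth and function names are my choices, not anything the article specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Tuning values chosen for this example; production deployments should follow
# current password-storage guidance and preferably a dedicated library.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
HISTORY_DEPTH = 5  # how many previous passwords are remembered for the re-use check


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: one-way, so the record reveals no plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes

    def matches(self, candidate: str) -> bool:
        # Constant-time comparison of the recomputed digest against the stored one.
        return hmac.compare_digest(self.digest, _hash_password(candidate, self.salt))


@dataclass
class UserCredentials:
    current: PasswordRecord
    history: list[PasswordRecord] = field(default_factory=list)


def create_user(password: str) -> UserCredentials:
    salt = os.urandom(SALT_BYTES)
    return UserCredentials(PasswordRecord(salt, _hash_password(password, salt)))


def verify_login(user: UserCredentials, password: str) -> bool:
    return user.current.matches(password)


def change_password(user: UserCredentials, new_password: str) -> bool:
    """Reject the current password and any remembered previous one; store only hashes."""
    if user.current.matches(new_password) or any(r.matches(new_password) for r in user.history):
        return False
    user.history.insert(0, user.current)
    del user.history[HISTORY_DEPTH:]  # forget the oldest entries beyond the history depth
    salt = os.urandom(SALT_BYTES)
    user.current = PasswordRecord(salt, _hash_password(new_password, salt))
    return True


def stored_plaintext_anywhere(user: UserCredentials, password: str) -> bool:
    """Sanity check an auditor might run: the stored bytes must not contain the password."""
    blob = b"".join(r.salt + r.digest for r in [user.current, *user.history])
    return password.encode("utf-8") in blob
```

The history check is what lets a firm enforce “no re-use” without keeping anything an intruder could replay: each remembered entry is a fresh salt plus a slow hash, so checking a candidate means recomputing the hash, never reading a password back out.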

There are other possibilities, of course. The details in the New York Times story could be wrong. A former Cardinals employee could have shared his or her password with others in the team’s front office — that’s not unusual. Maybe a post-it note was left behind on a computer monitor. Maybe the password was “password.”

But here’s your nearly daily reminder that you might be hacked, and the hacker might be a surprise — it might be a former friend or colleague.  So be vigilant about your passwords.  And when you change companies, change your password habits.

Starbucks: Blaming passwords, victims is bad security practice

Bob Sullivan

Since I broke news of the Starbucks mobile pay / gift card / credit card attack, there has been some confusion about what the real risk is, who is to blame, and how to fix the problem. This is not unusual when a security issue arises with a large company that’s not offering a lot of detail about what’s going on. I’ve been talking to victims of the Starbucks fraud all week, and I’ll have a lot more detail on what’s really happening soon, but for now, I want to clarify a few important issues that keep cropping up: bad passwords, what “hacked” means, what mobile has to do with it, and why victims are “sharing” accounts with criminals.

Starbucks told media outlets around the world all last week that it hadn’t been hacked and blamed the situation on consumers with bad passwords. The firm also repeated many times that the attack has nothing to do with its mobile app. In its first response to my initial inquiries, Starbucks told me the attack is “not connected to mobile payment.” Later, when the firm issued a statement, the first paragraph of that statement read, “News reports that the Starbucks mobile app has been hacked are false.” (Note, I never wrote that the Starbucks mobile app had been hacked, though as you’ll see in a moment, I’m not a fan of the semantics being deployed here.)

Taken collectively, these positions are meant to create the impression that there’s nothing wrong with the way Starbucks is processing payments, and in fact, some journalists declared that to be the case. Fortune magazine wrote “Starbucks says its popular mobile app has not been hacked, contradicting multiple media reports that intruders have hijacked the accounts of hundreds of the coffee chain’s customers…” Starbucks actually never denied that intruders had hijacked consumers’ accounts, and anyone can find victims complaining about just that with a few moments’ work, but some journalists seemed eager to clear Starbucks of any culpability in the issue. That’s unfortunate, because my email this week makes it clear that plenty of Starbucks customers are pretty angry at the way this issue has been handled, and many of them don’t appreciate being blamed for having their money stolen after they placed their trust in Starbucks.

So let me try to clarify a few of these issues.

Blaming the victim (passwords)

It’s true that the attack begins with criminals managing to hijack consumers’ Starbucks accounts by somehow obtaining their username/password combination.  As every firm that uses this most rudimentary authentication tool knows, a large percentage of those accounts will always be pretty hackable.  People re-use passwords and they use common passwords.  They even respond to phishing attacks and divulge their login information.   But many years ago, financial institutions stopped blaming customers for this, since that doesn’t solve the problem.  

Also, federal law prevents it. The Federal Reserve has ruled that even if customers give a hacker their online banking passwords, financial institutions can’t hold them liable. Here’s the relevant opinion: “Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E,” a decade-old Fed opinion concludes. “Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.”

Blaming the victim is bad form, anyway.

What do banks do instead of blame the victim? They take matters out of consumers’ hands and use back-end software to spot fraudulent transactions and stop them.  That’s why, even if you are tricked by a hacker into coughing up your Big Giant Bank login credentials, it’s unlikely that a $2,000 wire transfer to Romania will be approved.

Certainly, Starbucks has some back-end tools in place — I don’t know, because the firm isn’t answering questions about its security. But so many victims have come forward to show me repeated debits with obvious criminal patterns — changed login information followed by rapid-fire withdrawals — it’s obvious Starbucks isn’t doing a great job of spotting suspicious transactions and stopping them in progress.  Why would that be?  One obvious guess: Dialing up the fraud-spotting software would also lead to false positives, which would inconvenience some consumers as they tried to add value to their Starbucks cards. It’s a tough balancing act, but consumers who see their credit or debit cards hacked via their Starbucks account don’t want to hear about balancing acts.
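The back-end pattern described above, changed login information followed by rapid-fire debits, as an added detection example that is not Starbucks’ code or anything the article shows: it runs one simple rule over constructed sample events (the CSV-style line format, account ids, event names and thresholds are all my assumptions) and returns the accounts a fraud system would put on hold pending a step-up check, without flagging an account whose credential change is not followed by a burst.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real customer data) in an assumed
# "timestamp,account,event,amount" format. acct-1001 shows the takeover pattern;
# acct-2002 changed its e-mail but reloaded a week later; acct-3003 never changed credentials.
SAMPLE_LOG = """\
2015-05-11T09:02:11,acct-1001,login_ok,0
2015-05-11T09:03:40,acct-1001,email_changed,0
2015-05-11T09:04:02,acct-1001,auto_reload,50.00
2015-05-11T09:05:15,acct-1001,transfer_out,50.00
2015-05-11T09:06:01,acct-1001,auto_reload,50.00
2015-05-11T09:06:44,acct-1001,transfer_out,50.00
2015-05-11T09:07:30,acct-1001,auto_reload,50.00
2015-05-11T09:08:12,acct-1001,transfer_out,50.00
2015-05-11T08:15:00,acct-2002,login_ok,0
2015-05-11T08:16:10,acct-2002,email_changed,0
2015-05-18T08:30:00,acct-2002,auto_reload,25.00
2015-05-11T12:00:00,acct-3003,auto_reload,25.00
2015-05-11T12:01:00,acct-3003,auto_reload,25.00
2015-05-11T12:02:00,acct-3003,transfer_out,25.00
"""

CREDENTIAL_CHANGE_EVENTS = {"email_changed", "password_changed"}
VALUE_MOVING_EVENTS = {"auto_reload", "transfer_out"}
WINDOW = timedelta(minutes=30)  # how long after a credential change we watch for a burst
MIN_EVENTS = 3                  # "rapid-fire": this many value-moving events in the window
MIN_AMOUNT = 100.00             # or this much cumulative value, whichever trips first


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    amount: float


@dataclass
class Alert:
    account: str
    changed_at: datetime
    event_count: int
    total_amount: float


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, amount = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), account, kind, float(amount)))
    return events


def detect_takeover_pattern(text: str) -> list[Alert]:
    """Flag accounts where a credential change is followed, within WINDOW, by a burst
    of value-moving events. Events are grouped per account and sorted by time, so the
    order of lines in the log does not matter."""
    by_account: dict[str, list[Event]] = {}
    for ev in parse_log(text):
        by_account.setdefault(ev.account, []).append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if ev.kind not in CREDENTIAL_CHANGE_EVENTS:
                continue
            burst = [e for e in evs[i + 1:]
                     if e.kind in VALUE_MOVING_EVENTS and e.ts - ev.ts <= WINDOW]
            total = sum(e.amount for e in burst)
            if len(burst) >= MIN_EVENTS or total >= MIN_AMOUNT:
                alerts.append(Alert(account, ev.ts, len(burst), total))
                break  # one alert per account is enough to place a hold
    return alerts
```

The rule deliberately keys on the precursor (a credential change) rather than on velocity alone, which is what keeps the false-positive cost the article mentions low: a customer who reloads twice in a row is not touched unless their login details were just changed.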

There’s also this troubling element: I’ve spoken to consumers who swear they didn’t reuse their Starbucks login information, and that their Starbucks passwords were complex, and they’ve been hacked, too. Of course, consumers often “misremember” such things, and are notoriously unreliable when making claims about their security choices. But then, so are corporations under scrutiny.

Maria Nistri and several other consumers I’ve spoken with haven’t been happy that A) Starbucks hasn’t been able to stop fraudulent transactions even when they are reported within a few minutes and B) Starbucks’ toll-free fraud hotline doesn’t open for business until 8 a.m. east coast time. It seems unfair to blame consumers for bad passwords and then not answer the phone when they call to report fraud.

Has Starbucks been hacked? Wrong question

The word “hack” is always problematic in any news report involving a computer crime.  Security folks hate its use, because to them, hacking merely means tinkering. Using a computer as an aid when stealing money is another thing entirely. Unfortunately, hacking is a really convenient shorthand term that readers have come to understand, and it’s fallen into common use.

So we arrive at the confusion over Starbucks’ statement that its mobile app has not been hacked, which is not inaccurate. To be precise: As far as I know, the crime I have described here doesn’t involve a criminal using some kind of advanced technique to intercept data from the Starbucks mobile app, or any similar hacking technique that compromises the integrity of the Starbucks app itself (other researchers have discovered flaws in the app, but this is not that). Instead, criminals have figured out a rather old-fashioned way to drain value off of Starbucks gift cards — loaded onto the Starbucks app or not — and onto cards they control. This gives them the ability to steal from consumers’ debit and credit cards using a Starbucks account as a relay of sorts. Consumers are very likely to experience this as their Starbucks app being “hacked.” I used the word “attack” instead. But really, does it matter? Starbucks consumers are being hacked, after all, and that’s what matters.

Mobile pay vs. gift card

Starbucks’ rather ingenious and simple app is really just an electronic representation of its gift cards, and this simplicity is part of the reason the coffee giant now operates the most popular mobile wallet payment system in the U.S., dwarfing Apple Pay. That makes Starbucks mobile pay incredibly important to the firm. Perhaps that’s why the main point Starbucks made to me in its initial statement was “what you’re describing is not connected to mobile payment – linking the two is inaccurate.” You could argue that this attack really targets Starbucks gift cards and not the app, but I disagree. The line between the Starbucks app and Starbucks gift cards is entirely blurry; they are basically one and the same.

Starbucks gift cards, and in particular the auto-reload function that is the source of some of this trouble, are so popular because the app is so popular. It’s also important to note that Starbucks has gone to immense trouble to push gift card users onto the mobile app, offering all manner of loyalty incentives and so on. I would argue that “de-linking” the two for the purposes of describing this attack would be inaccurate.

Hackers and consumers “sharing” accounts

Finally, one element of this story has confused me since I first spoke to Maria Nistri, and it’s been confirmed by many victims I’ve spoken to. Even after a criminal hijacked her Starbucks.com account, Nistri was able to log in to her account on her smartphone. That means Starbucks is permitting simultaneous logins for the same account using different credentials.  The criminal is logged in using their new email address, while the victim is logged in with the old credentials — presumably because their mobile device never logs off. This turns out to be a good thing in some cases, because it has allowed many victims to hurriedly de-link their credit cards from the app in the middle of a fraud. But it’s also atypical security behavior. Why would old credentials ever allow someone to log in to an account? Clearly because the app isn’t verifying that it has up-to-date credentials very frequently. More than one consumer has rightly asked me: Once their account is restored,  can the criminal still log in?  Here’s what one consumer told me a Starbucks representative told her:

“I mentioned that when the hacker changed the login info, I was still logged in from my phone – so couldn’t the thief still have access to the account, too? The CSR said it should kick them off eventually because their login credentials will not be able to refresh. I asked for a specific timeframe and he had no idea. He said it should be a few hours…probably.”
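The session behaviour described in this section, an old login that keeps working after someone else changes the account’s credentials, as an added example that is not Starbucks’ code and is not based on any knowledge of their system: a toy Python auth service in which every session records the credential version it was issued under, so any e-mail or password change (or a support-desk reset) immediately stops every other session from validating. The `bind_sessions` switch reproduces the weak behaviour the article describes for comparison; account data, names and the scenario are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    password: str            # stand-in for a salted slow hash (constructed example)
    credential_version: int = 0


@dataclass
class Session:
    account_id: str
    credential_version: int  # credentials in force when this session was issued


class AuthService:
    """With bind_sessions=True a session validates only while the account's
    credential_version still equals the one it was issued under; with
    bind_sessions=False a session is never re-checked (the article's behaviour)."""

    def __init__(self, accounts: dict[str, Account], bind_sessions: bool = True):
        self.accounts = accounts
        self.bind_sessions = bind_sessions
        self.sessions: dict[str, Session] = {}

    def login(self, email: str, password: str):
        for account_id, acct in self.accounts.items():
            if acct.email == email and acct.password == password:
                return self._issue(account_id)
        return None

    def _issue(self, account_id: str) -> str:
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(account_id, self.accounts[account_id].credential_version)
        return token

    def session_is_valid(self, token: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if not self.bind_sessions:
            return True  # weak design: the token outlives any credential change
        return sess.credential_version == self.accounts[sess.account_id].credential_version

    def change_credentials(self, token: str, new_email=None, new_password=None):
        """Requires a valid session; the caller gets a fresh token and, when sessions
        are bound, every other session on the account stops validating."""
        if not self.session_is_valid(token):
            return None
        sess = self.sessions.pop(token)
        acct = self.accounts[sess.account_id]
        if new_email is not None:
            acct.email = new_email
        if new_password is not None:
            acct.password = new_password
        acct.credential_version += 1
        return self._issue(sess.account_id)

    def support_reset(self, account_id: str, email: str, password: str) -> None:
        """Out-of-band recovery (a fraud hotline, say): new credentials plus a version
        bump, which revokes every outstanding session including an intruder's."""
        acct = self.accounts[account_id]
        acct.email, acct.password = email, password
        acct.credential_version += 1


def takeover_scenario(bind_sessions: bool) -> dict[str, bool]:
    """Constructed scenario: the account holder is logged in on a phone; a second
    party who knows the password logs in on the web and changes the e-mail address;
    later, support restores the account. Returns which sessions still validate."""
    svc = AuthService({"u1": Account("holder@example.com", "hunter2")}, bind_sessions)
    phone = svc.login("holder@example.com", "hunter2")
    web = svc.login("holder@example.com", "hunter2")       # same password, another device
    web = svc.change_credentials(web, new_email="other@example.com")
    result = {
        "holder_phone_valid_after_change": svc.session_is_valid(phone),
        "intruder_valid_after_change": svc.session_is_valid(web),
    }
    svc.support_reset("u1", "holder@example.com", "new-password")
    result["intruder_valid_after_reset"] = svc.session_is_valid(web)
    return result
```

Binding sessions to a credential version answers the consumer’s question directly: once support restores the account, the intruder’s session is dead on the next request rather than “a few hours…probably.” The side benefit the article notes, victims using a lingering phone session to de-link their cards, is normally preserved a different way, by notifying the previous e-mail address of any change, not by leaving stale sessions alive.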

Data Security in the Evolving Payments Ecosystem

Larry Ponemon

Highly publicized payment card breaches affected millions of consumers in 2014. In the wake of these breaches, retailers, financial institutions, payment processors and credit card brands responsible for delivering these systems in the United States are facing more scrutiny than ever before and are meeting at a crossroads in the security conversation.

The discussion will only get more intense with continued innovation in the field. The payments industry is undergoing a revolution led by emerging technologies including mobile payments and wallet technologies, virtual currencies and the deployment of chip and PIN technology. The potential benefit of these new technologies is significant, but it remains to be seen if security risks will prove to be a major barrier to adoption.

Ponemon Institute and Experian® Data Breach Resolution are pleased to present the findings of Data Security in the Evolving Payments Ecosystem. The study explores the impact of mega payments breaches on security and response, as well as the current levels of confidence in the security of emerging payments technologies. Organizations in this study had an average of three data breaches in the past 24 months involving an average of 8,000 customer records.

You can access the entire study on Experian’s website.

As Figure 1 shows, 68 percent of survey respondents say pressure to migrate to new payment systems puts customer data at risk. Respondents are most positive about EMV chip and PIN cards. Fifty-nine percent of respondents cite it as an important part of their organization’s payment strategy and 53 percent of respondents believe chip and PIN cards will decrease or significantly decrease the risk of a data breach.

While some respondents doubt the ability of “chip and PIN” to address the current security issues with card payments, they also believe their companies face new threats posed by continued innovation in payment technologies. In fact, 59 percent of respondents expect data breach risk to increase through the use of mobile payments at point of sale in stores, and 54 percent believe near field communications technology will increase the risk of suffering a breach.

While risk and security concerns loom large, new technologies are being deployed because they offer vastly improved customer convenience. Throughout our study, we found that a large percentage of companies are likely to keep moving forward with deployment of new technologies despite concerns about security. More than half of respondents say customer convenience is a higher priority to their organization than security.

In addition to concerns over the ability to secure the next generation of payments technologies, there is also uncertainty about the ability of breached companies to properly manage a security response.

Throughout the industry, organizations continue to be deficient in governance and security practices that could strengthen their data breach preparedness. Only 16 percent of respondents feel companies are very effective in breach response, which suggests much room for improvement in responding to the aftermath of a major incident. Left facing all these questions and the uncertainty of new technologies, the industry can agree on one thing: the need for action.

While unprecedented threats and new security challenges may seem daunting, the payments industry is taking steps to respond and focus more on security. Companies are prioritizing customer needs in their security planning and investing time and resources in improving security.

Sixty-nine percent of companies say media coverage of breaches, including those in the payments industry, over the past year caused their organizations to re-evaluate and prioritize security.

Security is receiving much more attention at the highest levels of organizations, with 67 percent of respondents noting their C-level executives are more supportive of enhanced security measures to protect payments information. Forty-five percent of respondents said they were increasing their budget and 54 percent are investing in new technologies.

Along with improving security, companies also recognize their responsibility and the importance of protecting their customers after an incident occurs and improving incident response planning. A majority of companies (61 percent) provide identity theft protection and fraud resolution services as a best practice, while 56 percent are re-evaluating and improving incident response planning for a breach, leading to greater communication and guidance to affected customers.

Methodology

The study surveyed 748 US-based individuals in IT and IT security, risk management, product development and others involved in the payments systems within their organizations. For purposes of this research, payments ecosystem refers to the collection of retailers, financial institutions, payment processors, credit card brands, regulators, consumers and other stakeholders who ensure the smooth flow of payments and other transactional information.

Read the rest of the study on Experian’s website.

New chip credit cards called 'a joke' — lessons from Europe offer the punchline

Bob Sullivan

The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder.  New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.

The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa.  In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards – requiring that PIN codes be entered each time a card is used. The change adds two important levels of security, or two-factor security.  To complete a transaction, buyers need to have in their hands a chip card, which is incredibly challenging to counterfeit. And they must know something — a PIN — that’s not on the card.

The U.S. is poised to implement only half this system. Chip cards must be accepted by merchants by the fall deadline, but not PINs. The so-called “chip & signature” system is a half-measure, according to Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.

“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.

For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumer’s signature.

Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.

“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.

Why? So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according to Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.

For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006.  While counterfeit card fraud has shrunk — from 27 percent of all fraud in 2003 to 13 percent in 2013 — other kinds of fraud have soared.  Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013.  Chip cards have no impact on online or telephone sale fraud because the chips cannot be used for authentication.

So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.

New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.

“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.

The trickiest part of the migration is that the U.S. is so far behind – at least a decade behind the U.K., for example – that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete. To some observers that lessens the urgency of the changeover.

But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.

“If the U.S. decided to skip EMV….it would be more of a target than it is today,” he said. “There is still value in migrating….it’s going to take a lot longer than people expect for mobile payments to really become commonplace.”

Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, where banks enjoyed at least a few years of reduced fraud before criminals caught up. Here in the U.S., criminals already have quite a head start on their EMV workarounds.

That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.

The Cyber Security Leap: From Laggard to Leader

Larry Ponemon

If your company is like most, security has risen to the top of the agenda amongst C-suite executives and boards of directors. Rapidly evolving security threats pose an ongoing, central challenge, as companies and governments face an increasingly sophisticated threat environment. Large global organizations with industry presence and value may be of special interest for adversaries, whether they be individuals, organized crime or nation states. Forrester predicts that at least 60 percent of enterprises will discover a breach in 2015, but says the actual number of breached entities will be much higher: 80 percent or more.

Accenture, in collaboration with the Ponemon Institute LLC, conducted a study to identify the success factors of companies that demonstrated a dramatic increase in security conditions during the past two years — the “leapfrogs” — to see what helped them move from laggard to leader.  The study unearthed six trends:

1. Security innovation is valued

Leapfrog companies have made significant increases to their level of security innovation, seeking out new approaches to emerging problems. Leapfrog companies are more likely to have an officially sanctioned security strategy, and this strategy is more likely to be the main driver of their organization’s security program.

2. Leapfrog organizations are proactive in addressing major changes to the threat landscape

They recognize that persistent attacks should change the company’s approach to IT security and adapt their security posture in response to threats. Different security threats continue to emerge; the research evaluated the level of impact those threats had on the organizations’ security ecosystem and how the organizations responded.

3. The CISO is important and influential

Both Leapfrog and Static organizations have a CISO; the important differences lie in how that role is viewed and executed. Across all organizations studied, the CISO has hiring/firing authority, holds responsibility for enforcing security policies and has authority over budget and investment decisions. Within Leapfrog organizations, the CISO is more likely to directly report to a senior executive, set the security mission by defining strategy and initiatives, and have a direct channel to the CEO in the event of a serious security incident.

4. Leapfrog companies excel in governance

Both groups of companies identified the importance of appointing a CISO for the organization, recruiting expert IT security personnel and background checks for all privileged users as critical to achieving a strong security posture. However, the Leapfrog companies believe disaster recovery and business continuity management practices are important. Static companies, on the other hand, are more likely to cite clearly defined IT security policies and standard operating procedures (SOP) than Leapfrog companies.

5. Certain technologies separate the two groups

Leapfrog companies exceed Static companies in viewing the following features of security technologies as very important: pinpointing anomalies in network traffic; prioritizing threats, vulnerabilities and attacks; curtailing unauthorized sharing of sensitive or confidential data; and enabling adaptive perimeter controls. In contrast, Static companies exceed Leapfrog companies in believing the following are more important features of security technologies: controlling insecure mobile devices including BYOD, limiting access for insecure devices and enabling efficient backup functionality.

6. Security budgets in Leapfrog companies include funding for innovations in information technologies

Leapfrog companies are more likely to have a dedicated budget for their security programs and have allocated more money toward security over the past few years (Figure 8). They also have a fund dedicated to innovations in information technologies. These companies are more positive about having enough funding to meet their mission and objectives.

Methodology

To estimate the security posture of organizations, we used the Security Effectiveness Score (SES) as part of the survey process. The SES was developed by The Ponemon Institute in its annual encryption trends survey to define the security effectiveness of responding organizations. We define an organization’s security effectiveness as being able to achieve the right balance between efficiency and effectiveness across a wide variety of security issues and technologies. The SES is derived from the rating of 48 security features or practices. This method has been validated by more than 60 independent studies conducted since June 2005. The SES provides a range of +2 (most favorable) to -2 (least favorable). A result for a given organization greater than zero is viewed as net favorable, which means the organization’s investment in people and technology is both effective in achieving its security mission and efficient. Hence, they are not squandering resources and are still being effective in achieving their security goals. A negative SES has the opposite meaning.

For this research, we evaluated hundreds of companies that were previously benchmarked so that changes in the organizations’ SES scores could be measured and evaluated. Based on that analysis, we divided the sample into the following groups:

Leapfrog sample: 110 companies that experienced a 25 percent or greater increase in their SES over a two-year period. The average increase in SES for these companies was 53 percent.

Static sample: 137 companies that experienced no more than a 5 percent net change in their SES over a two-year period, with an average change of 2 percent. This sample was matched to the Leapfrog sample based on industry, size and global footprint.

To read the full report, click here.

Curt Schilling pushes Twitter to turning point

Bob Sullivan

I spent a year studying English Common law in college, and here’s the only thing I really remember: Law exists to prevent mob rule. It only survives when it’s considered effective by the masses. If it’s not, people start taking the law into their own hands.  This is the precipice on which Twitter dangles right now.

You probably heard about former major league baseball player Curt Schilling going all Wild West on jerks who harassed his daughter on Twitter.  I’m fine with what he did; in fact, I think it’s great.  It’s time people realized there are consequences for the stupid, vile things they say online.  It’s high time — past time — we cleaned up the neighborhood. I believe in free speech as much as the next Internet geek, but it’s also time the Internet grew up.  Folks like those who said God-awful things to Schilling’s daughter need to be kicked out of the bar, pronto, and forced to live with the consequences of what they’ve done.

Now, you can all expect a bunch of other folks to follow suit, with varying results, of course.  Curt Schilling can get justice — not to mention, protection from any potential response — because he’s famous.  You probably can’t.

That’s why this is Twitter’s problem.  After all, it’s their bar.  As a refresher course in free speech law, the government can’t make a law preventing you from saying things in public. A company sure as heck can do that with its private property.  You have no Founding Fathers-given right to be vile on Twitter.

I do appreciate the lovely parlor banter about chilling discussion and people’s rights to be assh**s, but save that for college, please. If you are an adult, you owe it to yourself to read the kinds of Tweets directed at people like Anita Sarkeesian, who campaigns against violence in video games. I won’t display them here — but however vile you imagine they are, triple that. Click that link to see a Mother Jones story which describes 157 “hate Tweets” she received in a single week. They are enough to snap anyone out of a philosophy-induced haze about free speech and social media.

So I was delighted recently when a leaked memo seemed to suggest that Twitter management was starting to get it.

“We suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years. It’s no secret and the rest of the world talks about it every day. We lose core user after core user by not addressing simple trolling issues that they face every day,” CEO Dick Costolo wrote in an internal memo that was published on The Verge last month. “I’m frankly ashamed of how poorly we’ve dealt with this issue during my tenure as CEO. It’s absurd. There’s no excuse for it.”

He then promised to start kicking users off Twitter “right and left” for misbehaving. The Electronic Frontier Foundation, which also cheered the general message, paused on that last part, calling it a “dangerous sentiment.” I know, that’s what the EFF has to say, and I’m glad they are saying it. But enough is enough.

Creeps are running circles around decent people while we continue the collegiate debate here. I’m ready to give Twitter the right to kick people off the service right and left, with a very big IF.  IF it doesn’t try to do this on the cheap, and IF it’s very transparent.

The real problem here is money, as it always is.  Here’s a brief history lesson. Back when eBay was just about the only profitable firm on the Internet, it had a massive problem that threatened its very survival.  Fraud was rampant. In some categories, such as expensive electronics, roughly half of all listings were fraudulent. After repeating the usual Internet BS about community policing (which is really discount policing), eBay finally got serious and hired a huge team of fraud fighters — human beings — who put in the heavy lifting of reviewing listings by hand and cleaning up their neighborhood.

Twitter has to do this. It’s not only the right thing to do, it’s absolutely critical for its survival. In fact, it’s critical for the entire spirit of social media and perhaps the Internet itself. Twitter needs to grow up, grow a pair, and start investing in decency. What’s that you say, it’s not “scalable?” Well, then just turn off the lights. It’s your bar. It’s your job to keep it safe. What we don’t want is a world of random justice doled out by Curt Schilling.

Why? Because Twitter can do this in a transparent, reasonable way.  We all know some of these things will be tough calls.  What is trolling and what is hate speech?  Trolls say crap just to start angry discussions. People who fall for their tactics kind of get what they deserve.  Hate speech is threatening.  Yes, there are gray lines. A computer will never do a good job of figuring that out.  But let’s get real — there is no confusion about the kinds of Tweets Sarkeesian often gets. Twitter did recently release improved tools for reporting problems, but we’ll see if there are improvements to response time. It shouldn’t take longer than a few minutes to get them removed. When there is a “false positive,” as there will be, Twitter should have a very prompt process for appeal.  Right now, complaints often go to black holes, and the creeps know this, and take advantage of it.  That’s the real problem, Twitter.

Your move. A million Curt Schillings are watching.

Sign up for Bob Sullivan’s free email newsletter.

Seven megatrends that will impact cybersecurity

Larry Ponemon

We are pleased to present the findings of the 2015 Global Megatrends in Cybersecurity, sponsored by Raytheon. The purpose of this research is to understand the big trends or changes that will impact the security posture of organizations in both the public and private sector in the next three years. Moreover, the study looks at the next generation of protocols and practices as the cybersecurity field evolves and matures.

We surveyed 1,006 senior-level information technology and information technology security leaders (hereafter referred to as respondent) in the US, UK/Europe and Middle East/North Africa (MENA) who are familiar with their organizations’ cybersecurity strategies.

The research covered a range of trends related to an organization’s ability to protect itself from cyber threats and attacks. Some of the areas addressed in this report are: the critical disconnect between CISOs and senior leadership, insider negligence, the Internet of Things, adoption of new technologies such as big data analytics, predictions of increases in nation state attacks and advanced persistent threats and the dearth of cyber talent.

Based on the findings of the research, there are seven mega trends that will significantly impact the cybersecurity posture of organizations in the following areas: disruptive technologies, cyber crime, cost of compliance, the human factor, organizational and governance factors and enabling security technologies. Following is a summary of these seven mega trends and implications for companies.

1. Cybersecurity will become a competitive advantage and a C-level priority. As part of this study, we asked a panel of cybersecurity experts to predict changes to several normatively important characteristics concerning the role, mission and strategy of security. A total of 110 individuals with bona fide credentials in information security provided their three-year predictions. Only 25 percent of respondents believe their organization’s C-level views security as a competitive advantage. However, 59 percent of respondents in the expert panel say C-level executives will view security as a competitive advantage three years from now.

2. Insider negligence risks are decreasing. Due to investments in technologies, organizations will gain better control over employees’ insecure devices and apps. Training programs will increase awareness of cybersecurity practices. A lack of visibility into what employees are doing in the workplace will become less of a problem in the next three years.

3. Cyber crime will keep information security leaders up at night. There will be significant increases in the risk of nation state attackers and advanced persistent threats, cyber warfare or terrorism, data breaches involving high-value information and the stealth and sophistication of cyber attackers. In contrast, there are expected to be slight improvements in mitigating the risk of hacktivism and malicious or criminal insiders.

4. The Internet of Things is here but organizations are slow to address its security risks. The Internet of Things is the expanding network of billions of connected devices that are permeating our daily lives—from the computers inside our cars to our WiFi enabled appliances, from wireless medical devices to wearable devices. Because consumers are embracing more connected devices, information security leaders predict that the Internet of Things will be one of the most significant disruptive technologies in the near future.

5. The cyber talent gap will persist. Respondents in three regional samples hold a consistent belief that their organizations need more knowledgeable and experienced cybersecurity practitioners (i.e., the cyber talent gap).

6. Big shifts in new technologies towards big data analytics, forensics and intelligence-based cyber solutions. The following technologies will gain the most in importance over the next 3 years: encryption for data at rest, big data analytics, SIEM and cybersecurity intelligence, automated forensics tools, encryption for data in motion, next generation firewalls, web application firewalls, threat intelligence feeds and sandboxing or isolation tools.

7. Despite alarming media headlines, cybersecurity postures are expected to improve. The majority of respondents say their cybersecurity postures will improve for the following reasons: cyber intelligence will become more timely and actionable, more funding will be made available to invest in people and technologies, technologies will become more effective in detecting and responding to cyber threats, more staffing will be available to deal with the increasing frequency of attacks and employee-related risks will decline.

To read the full Raytheon report, click here. 

After a year of leaks, money pours into security. But…

Larry Ponemon

The year 2014 will long be remembered for a series of mega security breaches and attacks starting with the Target breach in late 2013 and ending with Sony Pictures Entertainment. In the case of the Target breach, 40 million credit and debit cards were stolen and 70 million records were stolen that included the name, address, email address and phone number of Target shoppers. Sony suffered a major online attack that resulted in employees’ personal data and corporate correspondence being leaked. The financial consequences and reputation damage of both breaches have been widely reported. Other well-publicized mega breaches in 2014, in order of magnitude, were:

  • eBay (145 million people affected)
  • JPMorgan Chase & Co. (76 million households and 7 million small businesses affected)
  • Home Depot (56 million unique payment cards)
  • Community Health Systems (CHS) (4.5 million people affected)
  • Michaels Stores (2.6 million people affected)
  • Neiman Marcus (1.1 million people affected)
  • Staples (point-of-sale systems at 115 of its more than 1,400 retail stores)

This year is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack. Will companies be prepared to deal with cyber threats? Are they taking steps to strengthen their cyber security posture? Ponemon Institute, with sponsorship from Identity Finder, conducted 2014: A Year of Mega Breaches to understand if and how organizations have changed their data protection practices as a result of these breaches.

Respondents believe security incidents such as the Target and other mega breaches raised senior management’s level of concern about how cyber crimes might impact their organizations. We surveyed 735 IT and IT security practitioners about the impact of the Target and other mega breaches on their IT budgets and compliance practices as well as data breaches their companies experienced. The participants in this study are knowledgeable about data or security breach incidents experienced by their companies. They are also very informed about the facts surrounding the Target and other mega breaches. Following are key steps companies have taken because of mega breaches:

More resources are allocated to preventing, detecting and resolving data breaches.

According to respondents, the Target breach did have a significant impact on their organizations’ cyber defense. Sixty-one percent of respondents say the budget for security increased by an average of 34 percent. Most was used for SIEM, endpoint security and intrusion detection and prevention.

Senior management gets a wake-up call and realizes the need for a stronger cyber defense posture.

More companies have the tools and personnel to do the following: prevent the breach (65 percent of respondents), detect the breach (69 percent of respondents), contain and minimize the breach (72 percent of respondents) and determine the root cause of the breach (55 percent of respondents). Sixty-seven percent of respondents say their organization made sure the IT function had the budget necessary to defend it from data breaches.

Operations and compliance processes are changing to prevent and detect breaches.

Sixty percent of respondents say they made changes to operations and compliance processes to establish incident response teams, conduct training and awareness programs and use data security effectiveness measures.

Many companies fail to prevent the breach with the technology they currently have.

With new investments, companies will hopefully prevent more data breaches. However, 65 percent of respondents say the attack evaded existing preventive security controls. Forty-six percent say the breach was discovered by accident.

Companies confident of understanding the root cause of the breach had incident response teams in place.

They also had the right security management tools and the expertise of a security consultant to help determine the root cause. After knowing the root cause, these companies stepped up their security training and enhanced their security monitoring practices.

Lessons from Anthem hack: Welcome to the post-Sony world; it’s going to get ugly

Bob Sullivan

Another day, another massive computer hack that sets millions of people in a tizzy about something they can’t control.  The Anthem health data leak isn’t the Big One — that’s still coming, believe me — but it’s pretty big.  Perhaps 80 million people now have to worry that a criminal gang has their name, birthday, email, Social Security number, and perhaps even their employment history and salary.

It’s easy to imagine all the bad things that can happen to you if that data gets in the hands of a professional criminal. Sure, consumers will get *another* offer of free credit monitoring — handy, because the Target free monitoring just expired. But really, that’s a bit like telling a man to boil water when a pregnant woman’s water breaks. Busy work.

What’s broken here is the system.  What’s missing here is bold action.  While Washington D.C. bickers over a new privacy law that enacts technological-era change at a glacial pace, hackers are running circles around our nation’s companies. Nobody I know who works in cybersecurity thinks things are going to get better.  Last year’s Sony hack set the stage for this, and other stories you see this year. Computer criminals are about to abandon credit card database hacks. With the move to chip-enabled credit cards, stolen account numbers will soon have less value.  So that migration has already begun. As I often say, fraud is like a water balloon. Squeeze one end, and the other end just gets bigger.

But there’s more going on here than chip card change.  Sony taught hackers a valuable lesson: even data that might not seem valuable can be priceless if leveraged in the right way. The old thinking: Who cares about stealing a million emails? Most of them are boring drek. Get the payment card data.  The new thinking: Grab everything, and we’ll figure out how to monetize it later.  It only takes a few embarrassing emails to convince a CEO to stop a product launch, or cough up a few million dollars. Turning millions of credit card numbers into cash is hard work, involving an army of mules and real-world risk.  Turning private data into an extortion payout is much easier.

So we see with the Anthem hack that, according to the company, criminals didn’t even seem interested in the payment card data. They wanted everything else. And now, like a hunter who uses every part of a dead prey, they will pick over the data and try to monetize it in dozens of ways. New account fraud. Phishing. Extorting consumers. Perhaps they’ve already tried to extort the company. Since victims do not have the option of canceling their birthdays or employment background, they will have to worry about this for a very long time.

Why? Anthem was warned. The FBI issued a warning last year that health care firms use archaic systems which are easy hacker targets.  Why would Anthem leave such data in an unencrypted state, lying around for the taking?  More important, why would Anthem have data on potentially millions of former customers, also sitting there for the taking?

The reason: Anthem didn’t see value in the data the way consumers do, and the way the hackers do. Notice that no medical information was stolen. That’s because it’s part of Anthem’s core business. Consumer information is not.  Maintaining that is merely a cost. You see this pattern again and again. Why was Target’s credit card database stolen? Because Target isn’t a bank, it’s a department store.  Why was Sony’s email stolen? Because it wasn’t a movie in production, it was just email.

Change must come. Data is everyone’s core business now. Firms need to actually take the protection of our data seriously, not merely say they do in letters revealing they’ve been hacked. Meanwhile, it’s time to work with the reality that millions of Americans have now permanently been exposed to identity theft through the heist of their Social Security numbers. The right way to deal with that is simple: We need to devalue the stolen information. One modest proposal you will hear is to simply make all Social Security numbers public, thereby ending once and for all their use as a unique and “secret” identifier.

That kind of fresh thinking is the only way through this problem. And that kind of bold step could only be taken with leadership from the federal government. We’re still waiting.

See you in another week or two when the next big hack hits.
