Everyone is aware of the epidemic of hackings of major companies, such as Target, P.F. Chang’s, Neiman Marcus, Michaels, Sally’s Beauty Supply and Goodwill Industries and, as I have repeatedly warned you, these hackings will only increase in frequency in the upcoming months. Yesterday, the Department of Homeland Security issued a report that details how these hackings occurred and what needs to be done to reduce them. A major part of the problem is that more and more companies permit both their employees and third-party contractors to access the company’s computers over the Internet. There are many legitimate reasons for doing this, but it tremendously increases the chances of major data breaches: employees and third-party contractors who may not be following proper security practices are being hacked and, in essence, providing identity thieves and hackers with access to the computers of the targeted companies. In addition, there are some inherent security flaws in the Microsoft and Apple software used by these employees and third-party contractors. Thus the hackers exploit the weakest links, which they are doing quite effectively.
The Department of Homeland Security identified malicious software, which it has called “Backoff,” that, when it makes its way onto point-of-sale credit and debit card processors, is able to steal credit and debit card information, account numbers, expiration dates of credit and debit cards, and PINs. Backoff is a very evolved type of malware that, to date, has avoided detection by the anti-malware and anti-virus software used by companies today to protect their computers from data breaches and hackings.
Corporate America has a lot of things it should be doing, but it is unlikely that these steps will be taken in a sufficiently timely manner to stop data breaches in the upcoming months. A switch to smartcard technology with computer chips in the credit card would render this type of credit card data unusable to identity thieves, but retailers have been extremely slow to adopt this technology. Requiring employees and third-party vendors to use stronger passwords and to change those passwords regularly would help, as would requiring two-step verification rather than relying on passwords alone to provide access. Another important step for companies to take is to limit access to the credit and debit card processing systems by people who have access to other computer systems within the company. Credit and debit card processing systems should be isolated.
But what can we do?
The most important thing to do is to recognize that data breaches will be occurring. Everyone should regularly and carefully monitor their credit card usage in order to recognize security breaches as soon as possible and then report the breach to their credit card company. In addition, limit your use of your debit card to use as an ATM card. Do not use it for retail purchases. The consumer protection laws available to you if your debit card is hacked are not as strong as the laws that protect you against fraudulent use of your credit card. In addition, even if you do become aware of and report a breach of your debit card security right away, your access to your account will be delayed while your bank investigates the matter.