Can You Really Protect Your Online Data?
In Tuesday evening’s Democratic Primary Debate, the candidates were asked about the biggest threat facing America today.
Naturally, Middle East volatility and the rise of ISIS were cited, in addition to nuclear weapons falling into the wrong hands.
But it was somewhat surprising that only one candidate – former Virginia Senator Jim Webb – mentioned cyber crime.
Cyber crime continues to be a constant menace to businesses and consumers alike – and it’s far easier to perpetrate than making physical war or acquiring nuclear weapons.
We’ve covered this topic many times.
In August, for example, I covered the particularly embarrassing hack of internet “dating” site Ashley Madison, which exposed the details of millions of cheaters, as well as how Fitbit put details of some users’ sex lives on the internet.
As quickly as we put new safeguards in place, unscrupulous hackers find a way to break through. So how safe is your digital data?
Samsung and Google Suffer the Wrath of Hackers
We’ve recently seen two other serious data breaches.
The first instance involves Samsung Electronics Ltd. (SSNLF), which revealed that hackers had infiltrated LoopPay, the backbone of the Samsung Pay mobile payment system.
Samsung was quick to claim that specific customer data had not been stolen. But that wasn’t really the point. If hackers can learn enough to identify vulnerabilities, they can get customers’ data at the point of sale or some other way, instead of taking it directly from the network.
More shocking was the fact that it took Samsung five months to even discover that its system had been invaded. So it’s premature for the company to be so confident about what was and wasn’t stolen.
The second case involves Google Inc.’s (GOOGL) Android operating system. Earlier this year, the company created a patch to fix a software bug called Stagefright. The company thought that had solved the problem… but the issue recently resurfaced and is now spreading though music and video files rather than text messages.
In addition, a new vulnerability has millions of Android users in Asia and Europe seeing tons more ads and even seeing hackers take over their entire phones. Android’s problem is compounded by the fact that its fixes are slow to trickle out to users.
So with all these breaches, how can you keep your online data safe?
We’re Screwed, Right?
I’m sorry to be the bearer of bad news, but the simple answer is that there’s no failsafe way to keep your data from falling into the wrong hands (unless you go completely “off the grid,” of course).
Heck, even the National Security Agency, one of the most secretive and security-conscious organizations on Earth and undoubtedly the world’s leading encryption authority, can’t keep its data safe. So what chance do the rest of us have?
The only assurance is that the companies that hold our personal data spend billions of dollars per year to secure it – as they should. But the truth is, once your personal information is out there, it becomes vulnerable.
Take the data breach at Target Corp. (TGT) in late 2014…
A Sneak Attack Through the Air Conditioning System
Hackers basically sent an email “phishing” scam to Target’s air conditioning supplier.
Now, corporate firewalls and anti-virus programs block most phishing attacks, while most other attacks are ignored or deleted by recipients. But someone occasionally falls for the spoof. That’s what happened here.
The phishing message was designed to look legitimate, which gave the thieves enough information to log onto that company’s network. As Target’s air conditioning supplier, it had legitimate access to Target’s network, in order to remotely manage the temperature at stores around the country, so the thieves were able to access Target’s network.
By itself, this didn’t give them access to customers’ banking information. They then had to figure out where to look for that data and exploit existing software weaknesses to get it.
So they created a new user account with administrative privileges. Target had actually done a good job of encrypting customers’ credit card details, but the thieves wrote software that collected it on the stores’ terminals instead.
There’s no doubt that pulling off a heist like this requires intelligence and a lot of work. But it might shock you to learn that all the tools needed to accomplish it are actually freely available on the internet.
It was worth the work, too. While nobody has revealed exactly how much money the hackers made, Target agreed to pay $67 million to Visa Inc. (V) and its affiliated banks to cover the damages.
So that’s the bad news. No matter what companies do, how much they spend, and what they promise, no data is 100% safe because so much information whizzes across the internet and so many companies are interconnected.
What’s the good news?
Assessing the Real Value of Information
The bottom line is that having your information online depends on what you’re doing and what you get in return.
In short, it’s often worth the risk.
Case in point: Of the 40 million credit cards that hackers stole from Target, no customers actually lost any money. Yes, some were inconvenienced, but Target, the credit card companies, and banks ate the financial losses.
Ultimately, companies have much more to gain from credit cards and online transactions than to allow consumers to become fearful of using them.
In other areas, too, information leaks aren’t terribly damaging.
Take health records, for example. Most people consider this information highly personal, but would it really be monumental if some of it got compromised? It’s not like thieves are broadcasting the information to employers or family members. They’re using it to gain access to drugs and scam insurers.
Although the value of health information to thieves can be even higher than credit card numbers, the risk to consumers is small. And having your health information widely available to doctors and pharmacists can help you get higher-quality healthcare.
If you do have something that would be embarrassing if someone found out – such as having an affair or admitting that you’re a New York Jets fan – you might want to be careful with what you share online.
And whenever a company asks you for information, always ask what you get in return. If it’s just going to send you an auto-generated birthday email, forget it. But if it’s going to send a coupon or special offer, it might be worth the risk.
Ultimately, just know that once you put information on the internet, or share it with people who’ll store it digitally, it’s vulnerable. It’s surprising how many people forget this.
To living and investing in the future,