Hey, did you hear about the Target breach?
As people tuned into the morning news, anchors around the country opened with a solemn look and the proclamation that they were about to reveal a story of significant national interest: the retailer Target experienced a data breach.
For morning news, this is a trifecta: connection to Black Friday and holiday shopping, "hacking," and a recognizable household name. This is the sort of thing that generates interest!
For most, this is a story to skip. Another day, another breach, another generic story about another complex, confusing attack, followed by the same generic and somewhat confusing guidance.
Like the stories and headlines themselves, the call to action rapidly fades into the background noise of life.
Don't believe me?
Walk around and ask a few people if they've heard the news about Target (don't mention the breach). Most likely, they have, and they'll recall a headline about the Target breach. Or that Target decided to boycott selling Beyonce's latest album.
Probe further, though, and the awareness doesn't reveal much in terms of specifics. After all, people are focused on winding down work and starting their vacations. They have shopping to finish, presents to wrap, houses to clean, parties to attend, and trips to take or guests to host.
This lack of understanding isn't, in itself, surprising or problematic. It's not an indictment of people. It's simply a useful exercise for reframing the challenge we need to overcome if we want to make a difference.
It raises the question: does the Target breach matter?
Target was breached. So what?
Here’s the reality: it’s another breach. People are essentially immune to breaches. They don’t care about the details.
In the security community, Brian Krebs broke the story yesterday [link]. Shortly after, the parade of security folks posting it up via Twitter and Facebook started.
Some even added comments along the lines of, "if you shopped at Target, check your accounts." I even read one person suggesting that people should *cancel* their credit cards. That's bad advice.
But the real challenge is that these brief attempts to inform people link to industry views and technical discussions that are unlikely to read well for people without our background, passion, and interest. Linking people to the sites we glean our information from does them no service.
To provide value, focus on the relationships. Offer a service to the people in our lives. That means we need to first consider the impact, and then offer specific, actionable advice that people can use.
Considering the impact of the Target breach
Anytime a breach rises to the level of national headlines, we have a few basic opportunities to provide value:
- analyze the situation, and in the case of the Target breach, assure people commerce is okay (I don’t think they need much assurance)
- provide appropriate context and guidance to help them better understand what happened with realistic potential impacts
- help them take actionable steps, if appropriate, to protect themselves from payment card fraud or, in some cases, identity theft
Sort out what we know
Based on reporting and the official statement issued about the Target breach [link], the initial assessment is 40 million affected accounts.
This passage is interesting:
"We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code)."
To get more insight into the significance of the Target breach and suggestions on how to handle it, I spoke with Branden Williams. Branden literally wrote the book on PCI [Link] and has been involved at the leading edge of these issues for nearly a decade. Currently the EVP of Strategy at Sysnet Global Solutions, he wrote an excellent commentary on the Target breach this morning [Link].
Williams noted the Target breach is reported as affecting the retail stores only, and does not currently appear to affect online transactions.
That likely means the data encoded on the magnetic stripe of the cards. What's interesting, then, is that the stripe does not carry the three-digit code printed on the back of the card (the CVV2) that the official statement mentions; the track data has its own, separate card verification value. Williams pointed out it's nothing to worry about, and it is likely an oversight and misuse of somewhat confusing terms as a result of the pressure and timing to issue a statement.
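To make "magnetic stripe data" concrete, here is a small Track 2 parser (ISO/IEC 7813 layout) as an added example; it is not code from the article or from Williams. The sample track is constructed from the well-known test PAN 4111 1111 1111 1111 with made-up expiry, service code and discretionary data, and the century prefix and the service-code table are assumptions for illustration. Note what is and is not present: the PAN, expiry and service code are there in the clear, and the issuer's discretionary field carries the track's own verification value, but the three-digit code printed on the card is nowhere on the stripe.

```python
"""Parse an ISO/IEC 7813 Track 2 magnetic stripe record.

Added example, not from the original article. The sample track below is
constructed with a well-known test PAN (4111 1111 1111 1111) and made-up
expiry, service code and discretionary values; it is not real card data.
"""
import re
from dataclasses import dataclass

# Track 2: ';' + PAN (up to 19 digits) + '=' + YYMM + 3-digit service code
#          + issuer discretionary data + '?' + optional single LRC character.
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?(.?)$")

# First digit of the service code: interchange rules (assumed table for illustration).
INTERCHANGE = {
    "1": "international interchange, magnetic stripe only",
    "2": "international interchange, chip (ICC) preferred",
    "5": "national interchange only, magnetic stripe only",
    "6": "national interchange only, chip (ICC) preferred",
    "7": "no interchange except bilateral agreement",
    "9": "test card",
}


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str           # YYMM exactly as encoded on the stripe
    service_code: str
    discretionary: str    # issuer data: PVKI/PVV and the track's own CVV live here


    @property
    def masked_pan(self) -> str:
        """Keep only BIN and last four; never log or store a full PAN."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields; reject malformed or bad-Luhn PANs."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, expiry, svc, disc, _lrc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return Track2(pan, expiry, svc, disc)


def describe(t: Track2) -> dict:
    """Human-readable summary; '20' century prefix is an assumption for this example."""
    return {
        "pan": t.masked_pan,
        "expires": f"20{t.expiry[:2]}-{t.expiry[2:]}",
        "interchange": INTERCHANGE.get(t.service_code[0], "reserved/unknown"),
        "chip_preferred": t.service_code[0] in ("2", "6"),
        "has_discretionary": bool(t.discretionary),
    }


SAMPLE_TRACK2 = ";4111111111111111=1512101123456789?"  # constructed; test PAN

if __name__ == "__main__":
    track = parse_track2(SAMPLE_TRACK2)
    for key, value in describe(track).items():
        print(f"{key:18} {value}")
```

Anyone holding a dump of these records can encode them onto a blank card and swipe it, which is exactly the duplication risk described later in this piece; the printed three-digit code only matters for card-not-present purchases, where the merchant asks for it.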
Assess what we don’t know, and avoid speculation
This is a fresh, fast-moving story. The challenge for security professionals is to avoid the temptation of speculation and wait for actual information.
"Be careful of what speculation you engage in or consume," cautioned Williams. "The people who are engaged and know what actually happened are unable to speak about it. And those folks take that responsibility seriously."
Preparing to provide value: timing is everything
As we race to the end of the year, people have less time and attention than normal. To make a difference means we need to spend a little extra time to think about how to explain this to parents, grandparents, siblings, and other family members.
The way to provide value is to translate the technical into understanding:
- Gather the known context and give people a general sense of what happened and if they should care
- Share relevant experiences and stories to help connect actions to impact. Pull back the curtain on what really happens, the potential impacts, and what people should specifically be concerned about
- Distill to three or fewer actionable steps; ideally, provide steps that people can incorporate into their normal routines (outlined below)
In the case of the Target breach, the fact that the attack appears to have been on magnetic stripe data itself is interesting.
According to Williams, this signals that the biggest risk is for thieves to duplicate the card using the captured magnetic stripe data and use it.
He pointed out that savvy criminals often sit on the information for up to a year to allow attention and vigilance to die down. This is similar to the concept outlined in the value of identity black market story [link].
Provide value: offer the minimum viable steps for the Target Breach and beyond
Because of the hype, it's a good time to think about it and the right time to talk about it. Because of the season, though, people have even less interest and a shorter attention span than usual.
These are the minimum steps I'll be advising my family on:
1. Check their accounts
The common advice is to encourage people to "check their accounts," and review statements. The reality is that with online banking, this takes roughly 1-2 minutes a day. Even better, some banks now offer automated alerts and daily emails with a record of spending.
This should be easy.
Yet I see few people who do this or sign up for these services. Perhaps it's because the advice never explains what to look for.
What people should look for:
Look for charges they didn't make, especially if they are small amounts ($10 or less), from vendors they don't know, and from locations they haven't recently traveled to.
Branden Williams offers additional advice for reviews in light of the Target breach. He suggests thinking about places where a thief could use a physical card where they are less likely to be challenged, asked for identification, or caught on camera.
Williams offers these common categories to scan for in your account history:
- Pre-paid calling cards or long-distance cards - from a telephone shop or carrier, sometimes overseas
- Gift cards - but especially the small amounts of $5, $10, $20; he notes that if they are successful, the thieves quickly escalate the purchases and max out the card
- Gas stations, usually $1-$2 transactions; this is used to test the card to see if it's active before they embark on their spending spree
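The review heuristics above translate directly into a statement scan, so here is one as an added example (not code from the article or from Williams). The transactions, merchant keywords, home state and dollar thresholds are all constructed for illustration; real statement exports differ by bank, and keyword matching on merchant descriptors is deliberately crude, so treat every hit as "look closer", not "fraud".

```python
"""Flag statement lines that match the review heuristics from the text.

Added example, not from the original article or Branden Williams. The
transactions, merchant keywords and thresholds are constructed for
illustration; real statement formats differ by bank.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Txn:
    date: str
    merchant: str
    amount: float
    city: str
    state: str


@dataclass
class Flagged:
    txn: Txn
    reasons: List[str] = field(default_factory=list)


# Merchant-descriptor keywords standing in for the categories in the text (assumed).
PREPAID_TELECOM = ("CALLING CARD", "PHONE CARD", "LONG DISTANCE", "TELECOM")
GIFT_CARD = ("GIFT CARD", "GIFTCARD", "EGIFT")
FUEL = ("GAS STATION", "FUEL", "PETRO")


def review(txns, home_state, known_merchants,
           small_max=10.00, card_test_max=2.00, gift_amounts=(5, 10, 20)):
    """Return the transactions worth a second look, each with its reasons."""
    flagged = []
    for t in txns:
        name = t.merchant.upper()
        reasons = []
        known = any(k.upper() in name for k in known_merchants)
        # Small charge from a vendor you don't recognise
        if not known and t.amount <= small_max:
            reasons.append("small charge from an unfamiliar merchant")
        # Merchant in a place you have not travelled to
        if t.state and t.state != home_state and not known:
            reasons.append(f"out-of-area merchant ({t.city}, {t.state})")
        # Pre-paid calling / long-distance cards
        if any(k in name for k in PREPAID_TELECOM):
            reasons.append("pre-paid calling/long-distance card")
        # Small gift cards ($5/$10/$20) that precede a spending spree
        if any(k in name for k in GIFT_CARD) and round(t.amount) in gift_amounts:
            reasons.append("small gift-card purchase (watch for escalation)")
        # $1-$2 fuel authorisations used to test whether the card is live
        if any(k in name for k in FUEL) and t.amount <= card_test_max:
            reasons.append("$1-$2 fuel authorization (card test)")
        if reasons:
            flagged.append(Flagged(t, reasons))
    return flagged


# Constructed statement lines for a cardholder who lives in Minnesota.
SAMPLE = [
    Txn("2013-12-14", "TARGET T-1234 MINNEAPOLIS", 86.42, "MINNEAPOLIS", "MN"),
    Txn("2013-12-15", "CUB FOODS #031", 54.10, "ST PAUL", "MN"),
    Txn("2013-12-18", "QUIKFILL GAS STATION", 1.00, "MIAMI", "FL"),
    Txn("2013-12-18", "WORLDTALK PHONE CARD", 20.00, "MIAMI", "FL"),
    Txn("2013-12-19", "EGIFT CARD ONLINE", 10.00, "", ""),
    Txn("2013-12-19", "AMAZON MKTPLACE", 23.99, "SEATTLE", "WA"),
]
KNOWN = ["TARGET", "CUB FOODS", "AMAZON"]  # merchants the cardholder actually uses


def run():
    return review(SAMPLE, home_state="MN", known_merchants=KNOWN)


if __name__ == "__main__":
    for f in run():
        print(f"{f.txn.date} {f.txn.merchant:28} {f.txn.amount:7.2f}  "
              + "; ".join(f.reasons))
```

On the constructed sample the two legitimate local purchases and the familiar online retailer pass, while the $1.00 out-of-state fuel authorization, the phone card and the $10 e-gift card are each flagged with the reason a reviewer would want to see.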
What to do when it doesn't make sense
If you see something that doesn't make sense, cut and paste the name of the merchant into a search engine, like Google, to see what comes up and where they might be located. Keep in mind that the business may be legitimate and is simply used by the thieves.
If it doesn't seem right, call your bank and ask them to help you figure it out. Often, it's because a company you made a purchase from bills under a different name. Sometimes, however, it's a probe to check whether your account is valid before a larger fraud. The bank is trained to help you here.
Here's the good news: bank anti-fraud systems keep improving, sometimes to the point of annoyance (they can be a bit too aggressive), which further reduces the risk to the consumer (and to the rest of us).
For the most part, the banks will detect and alert you to the fraud before you'll see it on your account.
2. Check on the liability for their credit and debit cards
Williams pointed out that it's important for consumers to understand the liability they carry on their credit and debit cards. Understanding the difference helps guide which cards to use for which transactions.
For the US consumer, federal law (the Fair Credit Billing Act) caps credit card liability for unauthorized charges at $50, and the major card networks' zero-liability policies typically take that to zero.
Debit cards are a bit different. Federal rules (Regulation E) tie your protection to how quickly you report: liability is limited to $50 if you report promptly, rises to as much as $500 if you wait more than two business days after learning a card is missing, and disappears entirely for charges on a statement you don't dispute within 60 days. Some banks honor zero liability regardless. But that limited liability doesn't necessarily mean they won't be inconvenienced.
If someone accesses and cleans out your debit/checking account, it can be quite a shock -- especially during a holiday weekend. Consumers tend to get their money back, but it often takes 24 hours or longer. A long 24 hours.
Sometimes breaches like this foster a call to cancel credit cards and return to cash. While that works for some, Williams explains, "If you get mugged and someone steals your cash, you don't get your cash back. Because of the reduced liability of payment cards, it's still the safest and easiest way to buy goods."
If concerned about the need to replace cards, work with the bank to determine if or when you need a new card issued. Sometimes, in place of issuing a new card, they may encourage you to visit a branch and reset your PIN.
3. If they don't already get their free credit reports, this is a good time to sign up.
They can go to AnnualCreditReport.com [link], the official site authorized by federal law for free reports.
Here's the added value: Point out that individuals are entitled to one free report PER agency PER year. There are three agencies, so request only ONE now, the second four months from now, and the third in eight months. Set reminders.
Similar to reviewing bank statements, the purpose of requesting credit reports is to scan the information for surprises. Look for unexpected accounts, incorrect information, and anything else that seems out of place. Credit bureaus have different requirements and ways of handling errors, and each can be consulted for further information.
The time to act is today
That's it. Three steps. Total initial investment is probably 15-20 minutes, but can easily be spread out over today, tomorrow, and the next day.
Ideally, this has the potential to cultivate new habits that take only minutes on a regular basis. In my house, we check banking statements as a matter of routine; more when I travel.
Right now, take a few minutes to prepare, and then properly advise people on how to proceed (or share this article with them - they can even send me questions and I'll help with answers).
Actively reach out to people if you believe they need to act; provide them a reason, and explain the three steps -- and why they matter.
Don't forget to include yourself in the process. Lead the change we need to see. It'll make handling the next breach just a bit easier.