‘Tis the season to be breached
As we roll into another holiday season just having passed through Black Friday, it’s wise to understand how to best protect yourself from these accidental data breaches at retailers (see: Bebe’s Data Breach). Let’s explore.
What is a data breach anyway?
A lot of people shop with credit cards without first understanding what they are or how they really work. By this statement I mean, I think people understand that the purchase extends credit for the items in advance and that they then pay the actual bill later to the credit card company. But, that’s not what I’m talking about. I’m talking about what happens when you swipe your card at a terminal. Let’s understand payment processing.
When you enter a store and swipe your card, information is exchanged between the terminal and the cash register. That information is whatever is on the back of the card (the card number, expiration, name, etc). All of that information is now accessible by the register (and cashier). Additionally, stores have networks that connect all of their registers (a type of computer system) to a central controller and ultimately to a company wide network. The company wide network may be connected to the Internet, but may only have direct connections to payment authorization providers.
When you swipe your card and that information is exchanged by the register, a program takes your card info along with the payment amount and securely asks a remote payment authorization service whether the card has sufficient funds to support the transaction (at least this part is secure). If your bank says yes, the transaction is approved and given a transaction number. This is a payment authorization and it instructs your bank to hold this dollar amount aside until the closing paperwork arrives (around 24 hours). If the paperwork never arrives, the authorization falls away and the money being held is released back into your account.
Now, if you don’t have enough funds (or for other reasons), the payment service receives a decline from your bank. The retailer and payment authorization service never know the reason for the decline, only that the transaction was declined. You will need to contact your bank to find out the reason for the decline. Declines can range from not enough funds to bad expiration dates on cards to reissued cards to fraud detection holds. Again, you will need to contact your bank to determine the reason and then rectify it. Note that if you are significantly over your limit and your card hasn’t seen a payment for several cycles, the screen may request the cashier call into a number. The person on the other end might request the card be taken and cut up. This typically means the account has been closed by the card issuer and you are no longer authorized to use the card. It is always wise to pay your bills if you value using that card.
Card Info Data Transit
The problem with data transit on a network is that, depending on the network and who built it, it could be designed to transmit your data as encrypted or in clear text. Let’s understand the difference. Encrypted data means that a key is needed to unlock the data to view it. This means that only devices that have the proper key can view and use the data. However, many network operators don’t use this type of security. A lot of people who build internal networks for corporations feel they are inherently ‘safe’ and choose to use clear text transit. What is clear text? Clear text is just like this blog article. It’s humanly readable without any extra work. Thus, many companies fail to adequately protect data transit between internal network devices under the assumption that no one should have internal access except authorized internal devices. In other words, because of the external border protections such as firewalls that prevent unauthorized inbound traffic, internal networks should be a ‘safe place’, thus adding extra safeguards only serves to slow down processing and, if you happen to be a retailer, could make the customers wait at the register longer.
Internal networks designed with limited or no encryption are a hacker’s paradise. If they happen to get into a network like this, everything is easy to read, easy to find and easy to download. It’s basically a dream come true for the malicious hacker. With little to no constraints on viewing data, it’s a kid in a candy store and that’s exactly how and why data breaches begin.
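The clear text problem described above can be checked from the defender’s side. The following is an added example, not code from this article’s author: a short Python script a retailer’s network or security team could run over captured samples of its own register traffic to confirm that no card numbers are readable in transit. The sample messages, field names and register labels are constructed for illustration, and the card numbers in them are widely published test numbers, not real accounts.

```python
import re

# 13 to 19 digits, optionally split by single spaces or dashes, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits so the report holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_cards(payload: bytes) -> list[str]:
    """Return masked card numbers that are readable in the payload as-is."""
    hits = []
    for match in CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", match.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample messages (assumed field names and register labels).
# The order number is 16 digits long but fails the Luhn check.
# The third body is a constructed stand-in for an encrypted field.
SAMPLES = {
    "register-07 clear text": b"card=4111111111111111&exp=1225&amount=59.99",
    "register-08 clear text": b"card=5555 5555 5555 4444;order=1234567890123456",
    "register-09 encrypted": b"ciphertext=Qm9ndXMtY29uc3RydWN0ZWQtYmxvYg==",
}


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each captured message to the masked card numbers found in it."""
    return {name: find_cleartext_cards(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {hits if hits else 'no readable card numbers'}")
```

Any hit from a scan like this means card data is crossing that part of the network in a form anyone with access can read, which is the condition this section warns about.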
How do hackers get into a network then?
Because most companies today require their computers to have internet access, especially retailers who need access to payment authorization services, bugs in network and computer devices are impossible to squash. Internally, companies typically hire IT and operations teams to manage their network systems. They also typically hire security teams to help protect their networks. The security teams do their best to mitigate attacks and watch for data breaches, but it is the operations and network teams that manage the network gear and keep them updated. Because the security team and operations and network teams are separate sets of people, getting equipment updated with the latest-greatest version isn’t always expedient. This means that companies could be running one, two or five versions behind the latest version.
It happens for a lot of reasons. It could be old equipment that simply won’t support the latest update. It could be that there are thousands of servers that could be impacted by a single update. It could be that that single update might break custom software written by the company. There are a lot of internal factors as to why any piece of equipment is not on the latest version. Yes, sometimes it’s even a matter of complacence.
How do you protect yourself?
Before strolling into your latest big box retailer, you should arm yourself with knowledge. Knowledge like the above to better understand how your data gets moved around in company networks. Then, you can better understand when to take the risk to use your card and when to use another form of payment.
Use Store Cards
First and foremost, the safest card to use at a retailer is a store card without a Visa/Mastercard logo. These cards can only be used at the retailer where they were issued. They cannot generally be used anywhere else (unless the company owns several retail shops and shares the card among them). So, if you purchase at Target or Macy’s or Sears with a local store card, if there is a data breach, your ‘store card’ card number is no longer the lowest hanging fruit. The lowest hanging fruit are the Visa, Mastercard and Amex branded cards. With store cards, it will take time for a hacker to understand what that card is and how to use it. Also, once they realize that it only works at that single retailer or at that retailer’s web site, it’s much less appealing. Especially considering that many hackers today don’t live in the US. They might be living in China or Korea or Russia where that store may not exist and where they may not ship abroad.
So, sticking with store issued cards is really your safest bet when shopping at big box chains. Using a Visa or Mastercard or Amex branded card, if stolen, can be used anywhere around the globe (unless you call your bank and explicitly ask to prevent its use outside of your country). Note, not all banks can stop international transactions on branded credit cards, but most can. Call your issuing bank and ask.
Of course, should you plan to travel abroad, you will need to make sure your bank authorizes international use before you leave. If you forget to call from home before you reach your destination, you could have problems.
Limit transaction amounts
You can also limit your per day transaction amount to a much smaller amount. This can make it difficult if you want to buy a big ticket item with your card, so you’ll need to weigh just how often you make large purchases (and how big they are). However, lowering your per day transaction amount to $500 or less limits how much a hacker could put on the card per day. Again, your card would then no longer be low hanging fruit. Hackers want cards with high dollar amount transaction limits so they can spend a lot of money per day quickly and get away with it. As soon as a hacker tries to buy something expensive and they get a decline, that card is marked as not usable and they move onto trying another card.
Use gift cards
Because there are now Visa and Mastercard branded gift cards, you can put a dollar amount on the card that you wish to use while shopping. If this card number is lost to a hacker, it has limited liability (because of the logo) and it limits how much damage they can do to you financially. Also, because it’s a gift card, there’s limited personal information they could obtain about you in relation to this card. So, identity theft is much reduced by using gift cards. You should read the terms of Visa, Mastercard and Amex branded logo gift cards carefully. Some require fees after 1 year. So, you will need to use up the balance on the card within 1 year or you could start losing your balance to the monthly fees.
There are also store branded gift cards without any logos such as iTunes, Sears, Amazon, etc. These gift cards can only be used at their respective issuers. Again, these cards offer limited liabilities if stolen.
Though, if a gift card number is stolen, you will also want to read the terms and conditions with the card issuer. Not all of them assume replacement liability. So, if your gift card is stolen, you may be out whatever money was on them. So, you should always read gift card terms and conditions carefully.
Use good ‘ole cash instead
While cash does have its uses, I don’t believe holiday shopping is really one of those times. Because you’re typically buying large ticket items for holiday gift-giving, carrying a wad of crisp $100 bills around to pay for them can be downright dangerous. During the holiday season, you may be trading your financial safety for personal risk. For example, the first store you visit could lead to someone seeing your cash, stalking you and taking your money and gifts from you by mugging…especially if you just happened to walk out of an Apple store. Depending on the city where you live, it’s sometimes not worth trading the potential safety of your financial security by putting your personal safety at risk. If you are mugged, they’ll likely steal your cards too, which also leaves your financial safety at risk.
And, if muggers rip off your cash, there is no replacement at all. It’s gone. Credit cards, especially Visa, MC and Amex branded cards, offer limited loss liability. So, if someone steals your card number and begins using it, your total loss is quite limited. The bank will pick up the tab on your behalf and then chase down the perpetrators for their involvement attempting to get the money or merchandise back.
Basically, cash is unsafe and insecure if carried in large amounts. Whipping out your wallet and flashing that set of crisp $100s once is all it takes during a busy shopping season to get you mugged.
Use a debit card
Last, but not least, use a debit card. Though, while liability on your debit card might be higher (check your debit card terms), you have a known pin code that is required to buy anything. A pin code is a lot stronger of a protection than a signature on a credit card. Basically, stores are not required to collect signatures from purchases. They can simply state ‘signature on file’ when that may not be true. This is how you can buy with a credit card from Amazon or Newegg without ever having to sign for your purchase. Even some retailers today are not asking for signatures on cards if the transaction amount is under $50.
Debit cards always require a pin for the transaction. With web site access today, pin codes are also relatively easily changed. You can also usually get the pin code changed long before the hackers are dipping into these cards to make purchases. Again, hackers prefer low hanging fruit. This means that most hackers would opt to use Visa, MC or Amex branded cards rather than trying to use someone’s personal debit card.
Though, keep in mind most debit cards issued by banks today contain a Visa or Mastercard logo. So, that means the card can be used like a credit card with a signature alone. Instead, you should ask your bank to send you a debit card without the logo. This card can only be used where debit cards are accepted or at ATM machines. It cannot be used to buy at places that don’t accept debit cards. Again, this keeps your card from becoming the lowest hanging fruit.
Limit your shopping days
When you do shop, keep your receipts so you know the date and time that you shopped and where. Keeping receipts is always smart if you need to return something, but it’s even smarter when there’s a data breach so you know if you may have been affected.
Also, limit your shopping to a limited number of places and keep record of when and where (use receipts or write it down). Four months after the holiday shopping season when a breach is announced, you might not remember that you shopped at that random store that lost data which then subsequently led to some random hacker racking up a large bill on your Visa card. In fact, you might only discover the breach yourself after you notice the large bill on your card.
If you limit the number of times you shop and use cards as suggested above, you can help eliminate your cards as being the easiest to rob.
Shop where breaches have previously occurred
This may seem counter to safe practices, but companies that have endured breaches are less likely to be breached again. This is especially true of big box retailers such as Target, Walmart and the like. These retailers have a whole lot to lose if they are breached a second time. It’s very likely that these companies’ networks are a whole lot more secure after the breach than before it.
Shopping at companies who have not yet had a breach doesn’t mean that their networks are insecure any more than they are secured. Yes, it could mean that. But, it could also mean that these not-yet-breached companies are lucky not to have been targeted. If hackers focus their sights on a victim, they will chip away at the security until they find a way in. They also have plenty of time to do it. Let’s also note that the way into a network may not be through the front door. The hackers could get in just as easily through an executive’s lost or stolen cellphone or notebook or a third party vendor (like HVAC, plumbing or other contractor whose network might be less secure). Note that hackers may also work on several company networks at the same time until they find one to breach.
What about Sony?
Sony is a bit of an unusual case. Instead of strengthening their network security across the board, it seems their management team may have decided to only tighten security on the division that was compromised. Sony is a very large corporation containing many different entities all over the world. SCEA (the games division) was where the last breach occurred prior to this latest breach on the Motion Picture Group. So, anyone who has read through the MPG spreadsheet of salaries knows that there are at least 6 people in the US alone that are taking home well more than $1 million a year in salary. You would think that these highly paid staff would understand the risks of computer networks and make it their top priority to secure their personnel and other records through best security practices. Nope. For example, an easy best practice is to use a password to open a spreadsheet. Sure, these can be easy to crack, but that’s extra effort required on the part of the hacker.
Unfortunately, these people are not doing their jobs. Some could argue, it isn’t their job. Their job is to be Senior or Executive VP of blah. Part of being a Vice President is to make sure your company is secure. If you can’t ensure that your division is secure, then you shouldn’t be taking home a million dollars in salary. It’s quite simple. These people are way overpaid for the job they perform for Sony. I digress.
Sony is clearly a situation where the left hand doesn’t know what the right hand is doing, and frankly they don’t care as long as they walk away with their pay. So, what about Sony? Here’s the takeaway.
For any company that has been double or triple breached (like Sony), you should stay as far away from that company (like Sony) as you possibly can. Sure, you can buy Sony products at a retailer because the retailer is responsible for the transaction. But, you should not use Sony products that require storage of credit cards for payment. You should also not purchase software from any site that Sony owns. It’s crystal clear, Sony cannot be trusted and they seriously don’t care about data security. If you must purchase something from Sony, use a Sony branded gift card, Paypal, Google or Amazon checkout. These payment systems are not owned or operated by Sony, but can send payment to Sony for whatever it is you need to buy. But, don’t buy directly from Sony (or any other company) that has repeatedly been breached.
Best Practices for Personal Finances
While these are but a few best practices to protect your home finances, there are plenty more common sense approaches to keeping your finances secure. Here are a few top examples of how to secure your own finances:
- Keep your credit cards in a safe place.
- Regularly check your bank statements for unauthorized transactions. Some banks now offer email notification of suspicious activity, use it.
- During the holiday season, make sure you know what stores you shopped by keeping receipts in a handy place.
- Open a second bank account to move small amounts of money in when you need to purchase items online or in stores. Secure your primary account using limited access to services like debit cards, ACH and other third party access. Use the second, much smaller account for these services. It’s easy to move money between accounts in the same bank using your phone app or on the web, so take advantage of this extra security.
- Call the bank immediately if your card has been lost or stolen. You should write down the number on the back of the cards into your smart phone so you have it in case the card is stolen or lost. Don’t write the account numbers down next to the phone number.
- Make use of the free credit report you can get once a year and check your credit every year.
- Don’t purchase from any retailer where they are not following proper credit card practices. For example, they should not have to double swipe your card, write the numbers down or ask for any further information aside from looking at the back of the card.
- Don’t allow any retail cashier to walk away with your card. They should only need to hold the card long enough to look at it or swipe it once at the register.
- While it is a regular practice for waitstaff to walk away with cards and bring them back to the table as a convenience, you should be wary of this practice. In fact, it might be best to take the check to the cashier at the place where they ring up your meal and watch them ring up your bill. Allowing waitstaff to walk away with your card out of sight means it could be duplicated, swiped through a cell phone or written down.
- Throughout the holidays, you should search through a major news site for data breaches at least once a week. As soon as you hear of any store that has been breached where you may have shopped, you should ask for a replacement card if logo branded or change your pin immediately if debit. For Visa, Mastercard or Amex logo branded gift cards that may have been used at that retailer, you should call the number on the back to have a replacement sent immediately. Unused gift cards are not a problem.
- Request your bank place a fraud watch on your account if you suspect anything amiss with your cards. You should also request a replacement card if you have any reason to believe your card number has been lost. Yes, I know that can be a hassle during the holiday season while you wait for a new card, but it can potentially save you thousands of dollars lost to a hacker.
It is up to you to secure your own home finances. Using the above best practices should help aid you in achieving that goal. But, you should immediately become suspicious of anyone who attempts to do anything out of the ordinary with your card. If a cashier asks to do something with your card that doesn’t make sense, you should immediately ask for the card back and call over the store manager to clarify what’s going on. If they are the only person in the store, you should leave without making the purchase, step out of the store and immediately call your bank and put a fraud watch on your card.
As the Holiday shopping season gets fully underway, you need to be ever vigilant over your finances because the stores won’t do this for you. Worse, because there are many people who need money to meet their own bills and cover holiday shopping expenses, fraud and theft can be anywhere from anyone. That’s not to say that most people working at retail establishments aren’t screened and trustworthy, but for some people, the temptation of all of that money gets the better of them and they resort to taking other people’s money. By far and away, though, data breaches are the biggest problems of all because you don’t know who or where the attacker is. So, this is where you need to watch your finances closely and use your card in very limited amounts over the holidays. Use cash where you can, but don’t jeopardize your personal safety by carrying too much cash.
Wishing a Happy and safe holiday season to everyone from Randosity!