The rash of security breaches continues unabated, especially in the retail sector. It’s getting to the point where I feel like just pulling my money out of the bank and putting it under my mattress. I had slowly transitioned to using my ATM for all my daily purchases and now I’m back to carrying more cash.
To highlight just a few recent events:
Kmart has a blue light special on malware
Why the Home Depot breach is worse than you think
Chase warns customers about massive data breach
Staples is investigating a possible data breach
If you go back even a year, the list is waaaay too long. ATM hacks abound (did you know most of them still run Windows 95?!), and gas pump card readers have been compromised for years.
I used to worry more about using a credit card at a small retailer because of the potential for employees to steal your data and use/share/sell it. Now with big software hacks in play, little guys aren’t profitable targets. Why compromise a store with hundreds of customers when you can nail a chain with millions?
In all this paranoia, what can you really do about it? I’ve put together a short list of actionable things anyone can do. In a follow-up article shortly I’ll talk more about what the industry can and should be doing.
For consumers the list includes many things that don’t have anything to do with your computers.
- Use more cash. The software being used in these breaches is just too cheap, readily available, and easy to use. Expect to continue hearing about major breaches, and eventually more minor ones as well. Trickle-down hacking.
- Don’t pay at the pump. I know, this is a pain, but seriously this is the one I hear about the most from real people I actually know who have been affected. It was the card reader at the pump. So pay inside, and don’t forget, most stations are part of large organizations, making them tempting targets for the same POS attacks we keep hearing about. Use cash for gas. Or drive an electric, like I do.
- Don’t pay at suspicious places. Well, I guess I don’t mean dine-and-dash, but don’t pay with credit cards at places you’re unsure of. Look around and ask yourself if you’d leave your wallet or phone on the table unattended while using the restroom. If not, pay in cash.
- Big retailers are at least as unsafe as small ones. Hacks are happening just as often at big reputable places because it’s simply more profitable. More customers = more cards. It’s simple economics. So pay cash when you can, and keep track of announcements from retailers you use, including silly looking envelopes in the mail that look like junk mail. They could be security alerts.
- Don’t click links in unsolicited email. This is a corollary to the above – be extremely careful clicking on email alerts about password updates, account info, etc. Phishing is too easy and too common. When in doubt, either type the URL in by hand (always a good idea) or get on the old-fashioned phone and actually call and ask: “Did you guys just email a security alert?” The time you spend on hold (you know you will) is better than getting hacked.
- Use good passwords. I’ll be writing more about this at some point, but for now remember that longer is better. I’m shocked that some organizations still don’t allow really good passwords. When it comes to complexity, length often matters more for security than the old adage of numbers, letters, and special characters. But the bigger the better. If your password is 8 characters, even with all of the above, it’s hackable, nearly instantly. Just remember that.
- Change passwords when a hack occurs. Even if you don’t get a notice from the company, just change it. If for example you heard about Staples today and are sitting around waiting for an email or letter, remember that the hackers aren’t waiting, in fact they may have had your data for weeks or even months. Just change your password now. This is a great case of better safe than sorry.
- Use a password manager. You need something to manage all your passwords and other important secure data, otherwise you’ll never do the previous two steps (good passwords, changed after every breach) as you should. There are quite a few good ones out there. Just make sure it’s got good encryption, comes from a reputable company, and supports ALL of the platforms you need so that you’ll use it. A few off the top of my head are Lastpass, 1Password, and Msecure. Some of them even support a USB dongle to make sure that your password manager data is secure.
- Use two-step authentication. This is a configuration option you can get from Microsoft, Apple, Google, etc. where they send a text message to your phone when you try to log in. Sometimes they also have an authenticator app instead of the text message, which is nice because you don’t need a data connection like you would with a text message. Google announced security key support today, which is a USB device you put on your keychain instead of a text to your phone.
- Keep software up-to-date. This is especially important for both your operating system and your browsers. Major PC OS vendors like Microsoft and Apple issue regular security updates once a week or month. Phone vendors like Google do likewise, although updates depend greatly on both your phone manufacturer and your service provider. I know, it’s crazy, but it’s true. Android phones are frequently out of date and cannot be updated for no good reason. This is one advantage of an Apple or Nexus device – frequent OS updates. Watch Adobe too – that Flash engine is a common attack surface.
- Get rid of old hardware that can’t be updated. Old phones, old computers running insecure operating systems, etc. It’s all more dangerous than it’s worth. How old? Simple: if it isn’t supported with regular security updates, it’s time to junk it. I know you think you’re saving money, but the cost of a hack is bigger, not to mention the time you spend keeping old hardware running. And yes, there are all kinds of tech geeks that can keep stuff running forever. That’s fine as long as they’ve made sure it’s secure. When in doubt, throw it out. (Like in politics.)
- Avoid websites that don’t support secure connections. This means look for “https” instead of just “http” in the URL. Plus depending on your browser you should see some kind of lock that indicates a secure connection. Facebook had this problem for way too long, and what it means is that although you need a password to login, your password is sent over the internet unencrypted, just waiting for that pimply kid across the table at Starbucks to steal it. For a list of sites that you’d think are secure but aren’t, check the HTTP Shaming blog.
- Use a prepaid credit card for internet purchases. Come to think of it, that’s not a bad idea for gas pumps and restaurants either. You can get a “credit card” that you can reload at any grocery or convenience store. T-mobile has one that is particularly nice because it has no reload or monthly fees. The prepaid card severely limits your exposure in a breach, and it’s easy for you to walk away from by just getting a new one. They can’t take more out of it than you have sitting on it.
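To put numbers behind the “longer beats complicated” advice in the password tip above, here is a small added calculation (my own example, not code from the original post). It computes the entropy of a uniformly random password for several alphabet sizes and lengths, and how long exhausting that keyspace would take at an assumed offline guess rate; the 10 billion guesses per second figure is a constructed illustration, not a measurement of any real cracking rig.

```python
import math

# Alphabet sizes for the character classes the tip talks about.
LOWER = 26                 # lowercase letters only
LOWER_UPPER_DIGITS = 62    # letters of both cases plus digits
ALL_PRINTABLE = 95         # printable ASCII: "numbers, letters, and special characters"
DICEWARE_WORDS = 7776      # size of a common passphrase word list (6**5)

# Assumed offline guess rate against a leaked fast hash. Constructed for
# illustration only; real rates depend on the hash and the hardware.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a string of `length` symbols chosen uniformly at
    random from an alphabet of `alphabet_size` symbols.

    This is an upper bound: human-chosen passwords (dictionary words with a
    '1!' tacked on) have far less entropy than their length suggests."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every candidate in a keyspace of 2**bits."""
    return (2 ** bits) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare_policies() -> dict:
    """Entropy (bits) of several password shapes: short-but-complex versus
    longer-but-simple, plus a random multi-word passphrase."""
    policies = {
        "8 chars, all printable": (ALL_PRINTABLE, 8),
        "12 chars, letters+digits": (LOWER_UPPER_DIGITS, 12),
        "16 chars, lowercase only": (LOWER, 16),
        "5-word diceware passphrase": (DICEWARE_WORDS, 5),
    }
    return {name: entropy_bits(size, length) for name, (size, length) in policies.items()}


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:28s} {bits:5.1f} bits  exhaust in {human_time(seconds_to_exhaust(bits))}")
```

The point the table makes: 8 characters drawn from every key on the keyboard give about 52 bits, while 16 lowercase letters give about 75 bits, roughly 8 million times more work for an attacker. The caveat is that these figures assume the password is truly random, which is exactly why the password-manager tip matters: a generated password gets the full entropy, a memorable one does not.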
If you’ve got more tips, let me know and I’ll add them to the list. In the meantime, keep safe.