Apple, Breaches, Pumpkin PII


Who’s not secure? … Holler “I”!
Well, it seems lots of organizations have spent the year playing hide-and-seek with the computer hacker and many are still struggling with finding an effective strategy for data security and personal privacy.

As we settle into October, and names more befitting of a Halloween horror movie like Rescator, HeartBleed, and ShellShock make the rounds in the media, computer hackers have harvested a cornucopia of passwords, bushels of personal information, and a bumper crop of credit card data. While the big news centers around Home Depot, Target, iCloud, Community Health Systems, and JP Morgan and their record amounts and high profile data compromises, there have also been breaches the last couple of months at SuperValu, Shepler’s, Beef O’ Brady’s, Goodwill Industries, and Dairy Queen. The academic community is not immune to these tricksters as we began the year with large data compromises at The University of Maryland, the North Dakota University System, and more recently reports from St. Francis College and George Mason, Temple, California State, Duke, and Louisiana State Universities.
So what can you do to prevent your information from falling into the hands of the ghoul and goblin geeks seeking to sell your personal data candy for a quick buck? Well, much like sending the kids out to trick-or-treat we’ll give you some quick advice.

Wear Bright Colors AND Carry a Flashlight!
We send out the kids wearing bright colors AND carrying a flashlight, and in just that way, you can protect your information with two-factor authentication. If you use a service that offers it -- USE IT! The Apple iCloud hack of celebrity photos came down to a flaw in the Find My iPhone app that allowed simple password guessing. Many a tricky hacker dumps usernames and passwords from hacked sites onto the Internet, and with two-factor authentication, even if you fall for the disguise of phishing, your username and password alone cannot give an attacker access. Apple iCloud two-factor authentication is called Two-step Authentication (security semantics at work here), and Apple offers it, as do Gmail and other services. The iCloud service configuration steps can be found through this FAQ link, http://support.apple.com/kb/ht5570, and on the Apple and iCloud websites as well. What any two-factor authentication does is use something YOU HAVE and the hacker doesn’t … your smartphone or other device, to either “click” an acceptance or enter a unique value to get you access. It can also provide an early warning if someone is knocking on your username and password door.

Know Any Good Card Tricks?
So if all of these hackers haunting retail establishments have got you spooked, just know there are some safety steps you can take with your credit and debit cards. It is especially disturbing that in the case of the Home Depot breach there were reports that IT professionals within the company were recommending that friends use cash for all Home Depot purchases, but that shouldn’t scare you as the consumer and send you screaming to a cash machine. Just as there are some simple Do’s and Don’ts to Halloween fun, there are some things to know about your cards, and it’s as simple as counting 1, 2, 3, 4!

One … Don’t just “pick a card, any card”. If you use credit cards regularly and have multiple cards, being strict about use of a particular card per merchant can limit your exposure as well as ease the impact on you should that retailer experience a breach. It also makes it easier to spot fraud on statements.

Two … Check those statements! If a breach occurred and it just nicked the end of your billing period, catching the one transaction that alerts you can save tons of hassle later!

Three … Not all cards are equal! While there is federal law that protects credit card users with a liability limit, the same cannot be said of debit cards. While debit cards may require the additional PIN to work, banks are not equally obligated to reimburse the consumer for losses, and when they do, those limits are often much higher. Use credit cards for all online, vacation, and large purchases, as you don’t want that debit card PIN captured!

And Four … Be wary of your surroundings. The Payment Card Industry Security Standards Council still warns of rogue “skimmers” at many small merchants such as gas stations, parking garages, and other “out-of-check” type places that capture card data. If your server at a restaurant is leaving your table with your credit or debit card, you may want to consider using cash at that establishment, as many others have changed their practices to bring the transactions “to the table” or customer for better security.

If Offered Should I Take The Candy???
So you’ve done everything to protect your personal data but you’ve been notified or suspect your information has been compromised. What should you do?
Well, it’s fairly simple. If offered, take the monitoring! If you are the victim of a corporate data breach you should be contacted by the business or an agent on their behalf. All states have laws in place where specific data requires notification but the limits of accounts compromised may vary. In the case of some of these high profile breaches the consumer data has been posted broadly and sold on the hacker black markets so consider the possibility of fraudulent activity as “HIGH”. If you suspect you’ve been a victim of an individual or smaller breach, know that you can contact one of the three credit bureaus and issue a fraud alert on your credit report. Resources for cybercrime breaches as well as other great tips can be found at www.staysafeonline.org and in particular the document in this link: http://www.staysafeonline.org/stay-safe-online/protect-your-personal-inf.... There has even been chatter out there about offering consumer protection-type monitoring as part of some employee benefit programs! So if offered the benefit goodie bag? Grab it!

Fall Into Some Good Habits
October marks National Cyber Security Awareness Month, and in addition to the particular document above at StaySafeOnline, there are many other great resources as well! Lehigh University and LTS have again this year registered as Champions in promoting security awareness, and we are doing a number of outreach programs. Also know that Information Security welcomes any questions or concerns about data security issues, either with Lehigh data or personal information. They can be contacted at Security@Lehigh.edu or by calling 610-758-3994.
