With holiday shopping upon us, the most frequent question I'm asked is, "Is it safe to shop online?" The answer is, of course, "that depends." Not all online--or even brick-and-mortar--stores engage in safe security practices. And even those that do may have third-party partners--for processing orders or credit cards--that are not secure. We see the numbers--47 million customers of TJX had their credit card data stolen--but as I found out when talking with Dan Geer, CTO of Verdasys, a data loss prevention company, the overall numbers may not be as bad as they look. Why? Because some people have had their personal data stolen many times. It could be that they were unlucky in choosing with whom they did business. But the problem might not be with the primary retailer; the issue might actually be with someone that retailer does business with down the line.
More data breaches, but fewer affected
I asked Geer about the headlines we've seen in 2007 associated with data loss. "At this point," he said, "250 million Americans had their data stolen. Well, it's not actually quite correct. Speaking now as a statistician, what you have here is sampling with replacement. One person can have their data stolen several times. So it isn't 250 million individuals who had their data stolen out of the 300-plus million people in the U.S. It's 250 million pieces of information related to a person."
My guess would be that people who have lost personal data have likely had it happen more than once. When we see all these counts of how much personal data has been lost, some people are double, triple, and quadruple counted, and so forth."
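Geer's "sampling with replacement" point can be checked with a few lines of arithmetic and a small simulation. The following is an added example, not code from the article or from Verdasys: it uses the article's rough figures (300 million people, 250 million breached records) for the analytic estimate, and a constructed, scaled-down set of breach sizes for the simulation so it runs in about a second. The assumption that any person is equally likely to appear in any breach is the example's own simplification; real victimisation is clustered, which pushes the distinct-victim count lower still.

```python
"""Sampling with replacement: why 250 million breached records is not
250 million breached people.  Added example; not from the article."""
import random
from collections import Counter

# Figures quoted in the article: roughly 300 million U.S. residents and
# roughly 250 million breached records in 2007.
POPULATION = 300_000_000
BREACHED_RECORDS = 250_000_000


def expected_unique_victims(population, records):
    """Expected number of distinct people hit when `records` records are
    drawn uniformly with replacement from `population` people.

    A given person escapes one draw with probability 1 - 1/population and
    therefore escapes every draw with probability (1 - 1/population)**records.
    """
    return population * (1.0 - (1.0 - 1.0 / population) ** records)


def simulate_breaches(population, breach_sizes, seed=0):
    """Simulate independent breaches, each exposing breach_sizes[i] records
    drawn with replacement from the population, and report how many distinct
    people were hit and how often.  Uniform victim selection is an assumption
    of this example, not a claim of the article.
    """
    rng = random.Random(seed)
    hits = Counter()  # person id -> number of breached records about them
    for size in breach_sizes:
        for _ in range(size):
            hits[rng.randrange(population)] += 1
    per_person = Counter(hits.values())  # k -> number of people hit exactly k times
    return {
        "records": sum(breach_sizes),
        "unique_victims": len(hits),
        "hit_once": per_person[1],
        "hit_more_than_once": sum(n for k, n in per_person.items() if k > 1),
        "max_hits_on_one_person": max(hits.values()) if hits else 0,
    }


if __name__ == "__main__":
    # Analytic figure at the article's scale.
    est = expected_unique_victims(POPULATION, BREACHED_RECORDS)
    print(f"{BREACHED_RECORDS:,} records over {POPULATION:,} people: "
          f"expect about {est:,.0f} distinct victims")
    # Constructed breach sizes with the same records/population ratio (8,333
    # records over 10,000 people) so the double and triple counting is visible.
    result = simulate_breaches(10_000, [3_000, 3_000, 2_333], seed=1)
    for key, value in result.items():
        print(f"{key}: {value}")
```

At the article's ratio of records to people, the analytic estimate comes out near 170 million distinct victims rather than 250 million, and roughly a fifth of the population shows up in more than one breach, which is the double, triple, and quadruple counting Geer describes.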
Often it's not the company, but their partners
In the case of TJX, it came down to criminal hackers listening in on a wireless connection. This is a flaw that Neil Krazwetz identified many years ago, but few in the credit-card-processing industry wanted to acknowledge. Krazwetz recently went public with the details of the flaw he first observed in 1992, a flaw that Verifone and other companies still haven't addressed.

One bright spot has been the new merchant security standards implemented by Visa and MasterCard. As of June 2006, retailers and others face new requirements under the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately, as of today, only 40 percent of Level 1 merchants--those processing 6 million transactions or more annually--are fully compliant. The PCI DSS has 12 requirements that, for some reason, large retail stores just can't seem to implement. You can learn more about the specific requirements from the PCI Security Standards Council itself.
Even with these standards, how would a company even know that a particular customer data file was breached? "One thing to remember," Geer said, "is that if you are, as a company, doing a good job of data protection--if you, for whatever reason and by whatever mechanism, have come to the point where you're doing a good job--then the question is 'Well, what risk do I have left?'" His answer is what is called, at least in the banking world, a "counter-party risk."
The "counter-party" threat
As Geer explains it, a counter-party risk arises in a relationship--a buyer-seller agreement--where you have to exchange information with someone else who is outside your perimeter. The risk is that the other party will let you down. "If they don't protect (your) data, it is nevertheless still a data loss in the ordinary sense. Indeed, all of the stuff that Visa and MasterCard are trying to do with their PCI standards is like that."
"A lot of the credit card losses--and I'll skip TJX--have been not so much the merchant or the card association itself, but some third-party processor in between. It's the counter party to the transaction that you don't see."
Third-party threats elsewhere
"These days, you go to a doctor; the doctor and your insurance company communicate with each other. You get referred to a specialist that's a different corporate identity and probably a different location. If you live in New England, it's quite possible it's in a different state. You get the idea. Pretty soon, there's information quite naturally being shared across many legal boundaries. Yet from your point of view, you don't, as an individual, care how it's lost. You just care that (your personal data) was lost."
"I think that's true across the board. Nobody is really going to care how you lost it. All well and good to talk about…but generally speaking, the public doesn't care, and to that extent, the number of ways you can lose things is large and likely to get larger, to be honest, because we connect more things together." It's the connections, the outsourcing of individual parts of a data transaction, that are the weak link. "I can show--in numbers--that the spread between the skill of those firms that are doing the best and those that are doing the worst (security) is broadening. That said, if you are on the (secure) side, who you share your data with and whether you enforce controls on them at their location now becomes a critical question."
Everyone does it
Geer said companies aren't alone. Home computers, especially those used for social networks or even e-mail, can also be the source of data leaks. "As an example, if you look at the average home computer that has a piece of malware on it. The odds are, by the way, greater than 50 percent that the average home computer has at least one piece of malware."
"If you limit yourself to them talking about the ones that have at least one…odds are they've done it more than once. So like if you've got one tropical disease, maybe you have several. The same thing, I think, is true in terms of data loss."
Do you bank online; do you shop online? TalkBack to me.