There have been two recent attacks: one that compromised Yahoo Mail users and another that targeted Target credit and debit card information. We will begin by looking at the Yahoo attack and provide some password recommendations.
Yahoo Hack
On Jan 30th Yahoo, the second largest email provider with 273 million accounts, confirmed an attack and announced that malicious computer software was able to access a list of Yahoo Mail accounts’ usernames and passwords. Although details were not provided, Yahoo pointed to a compromise of a third-party database. The statement was made:
This type of cyber crime has become considerably more prominent in recent years. Identity theft can put your finances at risk should an intruder gain access to your accounts. Attackers focus on stealing passwords because people frequently use the same password for multiple accounts, so a single stolen credential may provide access to one’s finances.
Recommendation:
You need good passwords and effective management of passwords. Some tips we have provided here are as follows:
- Create a password that is both easy to remember and that is difficult to guess. There are many tricks to this including memory hooks (using the first letters of a popular saying or rhyme), number substitutions (using “1” for the letter “l” or “!” for “I”), and personal formulas (including a birthday with a phrase for example)[2].
- Use different passwords. Although it can be difficult to recall numerous passwords you do not want to use the same password for your banking as you do to log into Facebook. If a single password is compromised it could lead to loss of finances. When creating passwords you can use memory hooks associated with the site or service. For example, for a banking password you could use a combination of initials and letters that are meaningful and still difficult to guess or to hack. If your name was Jane Smith you could have: “tlpwttb@nkJ5” using the memory hook of “this little pig went to the bank” and J5 for the initials.
- Create passwords that use a combination of letters and numbers and that are long enough – at least 8 characters. Ideally you should have 12-character passwords… but of course, you still have to rely on memory.
- Change your password when you feel it has been compromised. Be careful not to share your passwords or have them written down somewhere. If you must keep them in a Word file or spreadsheet, name the file something that does not have the word “password” in it.
- Keep your password private! Do we need to spell it out? Don’t share it or print it out and leave it next to the computer. Let’s look at an example. Marko uses the password: “w3Lc0m3!HERE”. This is a good password: it has a memory hook (“welcome here”), it uses numbers and symbols, and it is 12 characters long. However, since it was broadcast on national television during the pre-game show of Super Bowl 48, you can bet it was compromised and needed to be reset[3].
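The checks behind the tips above (minimum and ideal length, a mix of character classes, no reuse across sites, and never keeping a password that has already been exposed) can be written down as code. The example below is added here and is not from the original article; the memory-hook helper reproduces the first-letters trick from the tips, and the list of compromised passwords is a constructed stand-in for a real leaked-credentials list (it includes the article’s broadcast password).

```python
"""Password checks matching the article's tips. Added example; not from the
original article. The COMPROMISED set is constructed for illustration."""
import string

# Constructed stand-in for a leaked-credentials list. "w3Lc0m3!HERE" is the
# password the article says was broadcast on television; the rest are
# placeholders for the kind of entries such a list contains.
COMPROMISED = {"w3Lc0m3!HERE", "password", "123456", "letmein"}

MIN_LENGTH = 8      # the article's floor
IDEAL_LENGTH = 12   # the article's recommended length


def first_letters(phrase: str) -> str:
    """Memory hook: first letter of each word.
    'this little pig went to the bank' -> 'tlpwttb'"""
    return "".join(word[0] for word in phrase.split() if word)


def assess_password(password: str) -> dict:
    """Report which of the article's criteria a password meets."""
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    classes = sum([has_lower, has_upper, has_digit, has_symbol])
    report = {
        "length": len(password),
        "meets_minimum_length": len(password) >= MIN_LENGTH,
        "meets_ideal_length": len(password) >= IDEAL_LENGTH,
        "character_classes": classes,
        "mixed_classes": classes >= 3,
        "known_compromised": password in COMPROMISED,
    }
    # Acceptable only if long enough, mixed, and not already exposed.
    report["acceptable"] = (
        report["meets_minimum_length"]
        and report["mixed_classes"]
        and not report["known_compromised"]
    )
    return report


def find_reuse(site_passwords: dict) -> dict:
    """Map each password used on more than one site to the sites sharing it,
    so that one compromised login cannot quietly open the others."""
    by_password = {}
    for site, password in site_passwords.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print(first_letters("this little pig went to the bank"))
    for candidate in ["tlpwttb@nkJ5", "w3Lc0m3!HERE", "janesmith"]:
        print(candidate, assess_password(candidate))
    # Constructed sample: the same password on the bank and on Facebook.
    print(find_reuse({"bank": "tlpwttb@nkJ5", "facebook": "tlpwttb@nkJ5", "mail": "w3Lc0m3!HERE"}))
```

The article’s own example “tlpwttb@nkJ5” passes every check; “w3Lc0m3!HERE” is well formed but is rejected because it is on the compromised list, which is the point the tip about changing exposed passwords makes.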
One final point… many people feel that they are safe because they have an anti-virus application running on their system. A false sense of security can come from feeling completely protected by an anti-virus tool. It would be a bit like having a very secure PC complete with firewall and anti-virus protection and then emailing your credit card details to someone. Also, keep in mind that your information can be exposed by someone else’s breach, as in the hacks described in this article.
Target Hack
If you feel safe with the security measures you have set up – and granted, you are less of a target for attackers – consider how much time and money large corporations put into their protection systems. Yet, we continue to hear of online violations. Wouldn’t you think that those that have been the victims of an attack would have greater immunity?
In 2005, Target was among a list of retailers that suffered an attack that resulted in the theft of millions of credit card numbers. In that attack, Target was reported to get off easy as only a limited number of credit cards were stolen. On Jan 30th of this year, another Target cyber attack was made known to the public.
What Was Stolen: The heist began on November 27th. Over two weeks, 40 million customer credit and debit cards were stolen from the company’s point of sale system. This data was unencrypted and it took until December 15th before the intruder’s presence was detected. There were also 70 million customers who had personal data stolen, including names, addresses, phone numbers, and email addresses. Some of these were the same victims of the credit and debit card theft. In all, 11 gigabytes of data was sent to a system in Russia.
Who Is At Fault? One question comes to the forefront – who is to blame? Surely these established retailers have secure systems in place and what about the standards that they need to adhere to?
If proven to have not properly secured its network, Target will have to pay out millions in fines to card companies.
Authentication: Have you ever wondered what happens when you hand over your credit or debit card to purchase some groceries? For a small business, the transaction goes to a third-party processor, which determines whether to send it on for authorization. Larger organizations typically use their own processor: the information from these transactions travels from the store to a specific destination on the corporation’s network and, once processed, goes off to the proper destination for authorization. The Payment Card Industry (PCI) standard does not require the company to encrypt this data when transmitting it over its own private network – only when it has to travel via the public internet. The focal point for companies like Target is to secure the passing of information on their private network.
Target was likely using such a secure channel within its network to transmit unencrypted card data. But that wasn’t good enough. The attackers simply adapted by employing a RAM scraper to grab the data in the point-of-sale device’s memory, where it was not secured[5].
PCI DSS: There is a Payment Card Industry standard in place known as PCI DSS created specifically for organizations that handle cardholder information for major debit, credit, ATM, POS, and other credit and financial transaction cards. This standard stipulates explicit requirements that companies dealing with payment card transactions adhere to proper firewall, anti-virus, and most importantly, data encryption when storing or transferring financial data via a public network.
Despite this being in place, the Target hack occurred. Post-breach investigations show that hacked companies are frequently not in compliance. And, what about the blame game – remember Yahoo blaming a third-party database? With the standards in place, companies are required to obtain regular security audits from third-party businesses. Even if a company manages to gain a level of compliance, it could be that these third-party audits are riddled with inaccuracies and system vulnerabilities remain exposed to hackers.
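One practical way to check whether cardholder data is crossing internal systems in the clear, which both the Target breach and the PCI DSS storage rule above turn on, is to scan logs, files or captured traffic for primary account numbers and to mask any that are found. The example below is added here and is not from the article or from PCI; the sample log lines are constructed, and the card numbers in them are well-known public test numbers, not real accounts. Detection uses the Luhn check digit so that ordinary 16-digit order numbers are not flagged, and masking keeps only the first six and last four digits, the truncation that PCI DSS permits in place of the full number.

```python
"""Find and mask cleartext card numbers (PANs) in text. Added example; the
LOGS below are constructed and use public test card numbers."""
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed point-of-sale log lines. Line 3 carries an order number that
# happens to be 16 digits but fails the Luhn check, so it must not be flagged.
LOGS = [
    "2013-11-27 09:14:02 POS-1042 auth card=4111111111111111 amt=42.19",
    "2013-11-27 09:14:05 POS-1042 track=5555555555554444 exp=1604",
    "2013-11-27 09:15:10 POS-1042 order=1234567890123456 amt=9.99",
    "2013-11-27 09:16:00 POS-1042 heartbeat ok",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the truncation PCI DSS allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in the line with its masked form."""
    def _sub(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(_sub, line)


def scan_logs(lines) -> list:
    """1-based numbers of the lines that contain cleartext card numbers."""
    return [i for i, line in enumerate(lines, start=1) if find_pans(line)]


if __name__ == "__main__":
    print("lines with cleartext PANs:", scan_logs(LOGS))
    for line in LOGS:
        print(redact_line(line))
```

Run against the constructed log, lines 1 and 2 are reported and their card numbers are masked, while the order number on line 3 is left untouched. The same functions can be pointed at exported transaction files or at text extracted from a packet capture to confirm that nothing on the private network carries full card numbers in the clear.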
The challenge with implementation of security standards is that these measures are costly for organizations to implement and can potentially result in a longer transaction time which would adversely affect sales and frustrate customers. So what solutions are being offered to you so that you can better prepare yourself?
New Advances
There are new counter-measures and novel technologies hitting the market to address these issues and, rest assured, you are going to be hearing more about them. We will introduce three of these and we will point out their shortcomings and make one recommendation – with the others we will simply say “watch and wait”.
Password Managers: A whole host of password managers are hitting the market to help you organize and remember your passwords. They work by encrypting your passwords and storing them on your system in a local database. Many have automatic form-filling capabilities to enter the username and password credentials for you. A good password manager is capable of detecting a fraudulent site that uses phishing techniques (designed to gain personal data or credentials) or another form of cyber attack.
Shortcomings: While these applications are convenient, users are at risk if their computer is left on or their device is stolen. Password managers typically use a master password, but again, this requires the user to come up with a good password that cannot be cracked or easily guessed, and in some cases these master passwords are not encrypted and are vulnerable to cyber attacks. In some cases, unencrypted passwords can be extracted when the manager’s memory is swapped out to the user’s hard drive. We recommend looking into all the functions and capabilities of a password manager before trying one.
Recommendation: At first we thought it would be a challenge for us to suggest a Password Manager application as there is a lot at stake. We soon found that one stands out: RoboForm (http://www.roboform.com/). This program includes support for all types of platform such as Windows, Mac, and mobile devices. It is not a free solution but it is under $20 and you get a single license that is good for all your computing needs including all your computers and mobile devices. While it does not have phishing capability – you will have to rely on the security provided by your browser for this – it does have automatic form filler and encryption technology.
Biometrics: This is also known as biometric authentication and it is likely something you have seen in several movies. It involves identification of human traits or characteristics such as fingerprint, iris recognition, face recognition, voice, and much more[6]. Ease of use is likely the greatest advantage to this form of authentication.
Shortcomings: While it may seem very sci-fi and high-tech, biometric devices can be compromised with what are known as replay attacks and forgeries. An example would be stealing electronic versions of your fingerprints. There are other concerns as well. It was reported that a Mercedes owner had a finger cut off to gain access to the vehicle[7]. Another drawback is the inability to change the biometric data in the case of compromise.
There is considerable potential to this system and we will see more of this form of security. Some predict that by 2016, 30% of companies will be using some form of biometric security. The bottom line is that it should be used with a Personal Identification Number (PIN) or password so as to have a two-part authentication.
New Smart Cards: The latest in smart card technology can be found with credit and debit cards that use the EMV standard; EMV stands for Europay, MasterCard, and Visa. These cards are also known as IC cards or integrated circuit cards. Companies such as Visa, MasterCard, American Express, J Smart, and Discover/Diners Club International are beginning to implement these. Early reports suggest a reduction in fraud and improved security. You do have to remember a PIN, and authentication is further enhanced with cryptographic algorithms. Transactions are reported to take less time than our existing credit card authentication.
Shortcomings: There are vulnerabilities in this EMV card technology, including harvesting PINs and cloning magnetic stripes. If you are interested, go to this Wikipedia page to find out more. EMV has been introduced into the US since June 2012, but it appears to be in its infancy, and there are those who remain skeptical about the ability of merchants to update their systems to support it so that consumers can use smart cards for their transactions.
Recommendation:
Some of these new technologies seem a bit daunting when you first encounter them. What we suggest is to simply be familiar with them and be aware as they are more adopted into our daily computing and banking practices. Once the dust settles with the emergence of any new technology we are more likely to safely venture forward where others have previously experienced pitfalls. One thing to take from this article is to get a handle on your passwords and keep your online banking as secure as you are able with proper password protection.
We hope this article and the information provided here have brought you up to speed on potential security risks and what is being made available to counter these cyber threats. We will continue to introduce new technologies in a manner that is not beyond the reach of average, everyday computer users.