Archive for the ‘Tips’ Category

Your cell phone can be taken over by hackers who will view through your camera and watch you enter your passwords and other information.  Here in Austin at the IEEE “Globecom” conference on global communication last December, I attended a presentation from Temple University researchers who compromised an Android cell phone. 

Doctoral candidate Longfei Wu and five colleagues from Temple University, the University of Massachusetts, and Beijing University exploited vulnerabilities in the Android cell phone to seize control of the camera.

Having done that – and having reduced their footprint to one pixel – they then watched finger touches to the keyboard in order to guess passwords.  Some sequences were more secure than others.  1459 and 1479 were easy to identify.  1359 and 1471 were harder to guess.  The fundamental fact remains: They took control of the camera without the cell phone owner being aware of it.

Moreover, the Android operating system does not provide you with a log file of usage.  There is no way for you to review what your phone has been doing. However, the researchers fixed that. 

“We make changes to the CheckPermission() function ofActicityManagerService, and write a lightweight defense app such that whenever the camera is being called by apps with CAMERA permission, the defense app will be informed along with the caller’s Application Package Name.

[…]

There are three parts of warnings in our defense scheme. First, an alert dialog including the name of the suspicious app is displayed. In case the warning message cannot be seen immediately by the user (e.g., the user is not using the phone), the defense app will also make sound and vibration to warn the user of spy camera attacks. Besides, the detailed activity pattern of suspected apps are logged so that the user can check back.” — from “Security Threats to Mobile Multimedia Applications: Camera-based Attacks on Mobile Phones”,IEEE Communications Magazine, March 2014.”

If you want to protect your phone, you have to figure out how for yourself.  Very few ready-made defense apps exist for Android, or iPhone.  You could join a local hacker club such as DefCon.  (For Ann Arbor, it is DefCon 734; for Minneapolis it is DC612.)  That brings up the problem of trust.  When I go to computer security conferences, I never take a computer; and I do not answer my phone.  I do trust the organizers of our local groups, LASCON, ISSA, OWASP,  and B-Sides; but I do not trust everyone who comes to every meeting.  If you want someone to “jailbreak” your phone, and program something on it for you, then you really need strong trust.  It is best to do it for yourself.

“Unfortunately, it’s not uploaded online. To support the defense scheme, I modified the Android system and generate new image files. This means if someone want to use the defense function, he/she must flash the phone. As a result, all the installed stuff may get lost. I think people wouldn’t like that to happen. Besides, the Android version I used for testing is 4.1-4.3, while the most recent release is 5.0.” – Longfei Wu, reply to email.

As “the Internet of Things” connects your washing machine and your car to your home thermostat and puts them all online along with your coffee-maker and alarm clock, all of them connected to the television box that never shuts off and always listens, you will be increasingly exposed to harm.

A friend of mine called me for help after she started getting pop-ups every time she opened her web browser. She asked me how her computer got into this mess. While I could not pinpoint an exact cause (no log files), I suspect she downloaded crapware with a software installation she trusted.

She also wanted to know why anyone would want to inflict this malware on her computer. The answer is simple: Money.

So what can you do to avoid this problem? The consensus advice is to only download programs from a trusted source. Ok! That’s great advice! But what is a “trusted source”?

HowToGeek.com explains in “Yes, Every Freeware Download Site Is Serving Crapware” that all the major free download sites–Tucows, CNET Downloads / Download.com, FileHippo, SnapFiles, MajorGeeks, and yes, even SourceForge–include adware and even malware with their installers. While some sites are better than others about telling you what they’re including and about allowing you to uncheck those additions, they all do it.

What to do instead? Go to the developer’s website and download from there. And support those software authors that do not include crapware by donating to support their development work.

Other steps to take:

  • Back up regularly (at least once a week or oftener), then disconnect the media. Test your backups by periodically restoring a file. I also recommend alternating backup media to offsite storage, such as a safe-deposit box. Backup media–just like any other technology–can break, become corrupted, get lost or stolen.
  • If you back up to a  cloud provider, your back ups can become unavailable if their storage media becomes unavailable for any reason, so use physical backup media as well.
  • On Windows systems, set System Restore Points.
  • Change your IMPORTANT passwords as soon as you can from a computer that is not infected. Use a unique, strong password for each site.
  • Can’t remember all those passwords? Use a password manager. Note: Do NOT lose this password! I use the Professional versions of KeePass and Portable KeePass, and KeePass2Android (available from Google Play), but cloud-based LastPass is also very popular. (LastPass is more convenient, but I am leery of cloud-based services for availability reasons.)

If you have recent back-ups and your files get locked by a version of CryptoLocker / CryptoWall, you may not have to pay to get your files back (depending on how recent your backups are).

For an interesting read, check out Kaspersky’s 2014 Trends in the Internet Security Industry.

The amount of information collected on each of us is growing astronomically every day. What can you do to help protect your—as well as your family’s—information?

Note: This information is meant to be a starting place.Technology is constantly changing, so you must consider whether the information provided is timely and applicable to your situation. In order to adequately protect yourself and your family, you also might need to consult with your attorney or accountant or obtain other professional advice.

What information do you want to protect? Here are some categories you might want to consider:

Ad/cookie tracking Identity information Reputation
Digital identity Intellectual property Social media
Electronic devices Location Trash
E-mail Mailbox Travel
Family Medical information Voting
Financial information Personal safety Work information

Where are the threats to your information? Here are some common threats:

Data loss or theft

  • Backup media
  • Mail/trash
  • Organization w/ your info goes bankrupt
  • Paper
  • Website
Types of Malware

  • DNS Changer
  • Drive-by downloads
  • Keyloggers
  • Phishing email
  • Rootkits
  • Search engine poisoning
  • Social media malware
  • Torrents
  • Spyware, Trojan horse, virus, worms
  • Zombies/botnets
  • Etc.
Device loss or theft

  • Computer
  • DVD/CD
  • Backup media
  • USB drives
  • Portable electronic devices
  • Laptop, iPad, smart phones, tablets
Natural or man-made disasters

  • Fires
  • Floods
  • Tornadoes
  • Earthquakes
Personal safety

  • Craig’s List
  • Data leakage
  • Identity theft
  • Social media
ID theft Social engineering / Pretexting

Who do you trust with your information? Here are some organizations that you probably trust:

Accountant, lawyer, other professionals Religious & charity organizations
Employers Schools & Libraries
Financial institutions—banks, credit unions, loans & credit cards, brokerages Retailers & e-commerce sites
Government agencies Social sites
Health care—doctor, dentist, hospital, labs Websites
Insurance companies And …?

Why do you trust people or organizations?

  • Do they have a legitimate need for your information?
  • Do they have policies and procedures to tell you what they do with your confidential information?

When do you trust people or organizations?

  • Do you give confidential information on the phone, in email, texting, or in person?
  • Did you initiate the information exchange?
  • If you don’t feel comfortable, don’t do it.

How do you give people or organizations your confidential information? Think about advantages and disadvantages to giving out your information in person, over the phone, in email or in text messages, on a secure website. If you’re uncomfortable giving out information in a particular situation: don’t do it! Find another way to give the information.

General Tips

  • Don’t leave your electronic devices—cell phones, laptops, tablets, iPads, etc.—unattended in public, including hotel rooms.
  • Don’t ask strangers to watch your things while you go to the restroom or load up on more coffee.
  • Don’t leave your purse or briefcase unattended in public: including shopping carts, restaurants, and coffee shops.
  • Don’t use easy-to-guess passwords: http://www.dailymail.co.uk/sciencetech/article-2063203/This-years-easiest-guess-passwords–discovered-hackers-worked-out.html
  • Don’t post private information on social websites. Remember you have no expectation of privacy on social websites.
  • Data leakage:
    • Be careful about the information you throw in your trash.
    • Collect your mail as soon as possible.
    • Use vacation holds or have a friend collect your mail if you will be gone for more than a couple of days.
    • Do not announce on Facebook or other social media that you are going on vacation. Wait until you get back to share those fabulous pictures!
    • Keep your electronic devices and other valuables out of sight in your vehicle.
    • Read software and services licenses.
    • Use a password or a pin to protect your smart phone.

Let’s look back at 2014 to review events that could impact our information privacy. Some substantial vulnerabilities occurred this year including the Heartbleed bug, Shellshock, and POODLE, along with the usual Microsoft, Java, browser, and Adobe Flash and Reader problems. There have been some notable payment system breeches: Sony, Kmart, Jimmy Johns, Home Depot, Apple, Dairy Queen, Community Health Systems to name a few … even some Goodwill payment systems got hacked.

What can you do to protect yourself? Here are a couple things to do:

  • Protect your information!

Don’t give it out unless it’s absolutely necessary. If your doctor—like mine did—asks you to sign a release so they can use your deidentified data in a study, ask them what information they are sending and who they are sending it to: Does it include your initials, your first name, your zip code, your street, your age and gender, your diagnosis, your treatment? If they frown at you and say it’s deidentified, ask them what that means to them.

According to HIPAA, there are 2 main methods to de-identify patient data, the “expert determination” method and the “safe harbor” method. The safe harbor method is usually safer because it removes 18 specific identifiers from the research data, such as name, age, dates must be year only, telephone numbers, address, full-face pictures, and account numbers. The expert method depends on an “expert” to determine what’s safe to disclose.

For instance, why do you care if someone shares your birth date? The birthday paradox is a probability theory that explains if you’re in a room with 23 other people, the chances that at least 2 people in the room will share a birthday is 50%, and in a group of 70 people, the probability that at least 2 of them will share a birthday reaches 99.9%. However, the probability that 2 people will share the same birth date is considerably smaller.

A recent article in American Medical News explained how Latanya Sweeney, PhD, a Harvard University researcher, was able to attach 241 identities to the deidentified medical information of a database of 1,130 research patients, using birth date, gender, and zip code combined with public records, such as US Census records or voter registration. That’s 22%! Yikes!

To see how identifiable you are by using those parameters, visit the Data Privacy Lab.

  • Make your important passwords unique for each account, change them often—every six months or sooner, especially if the web site is hacked—and implement two-factor authentication on sites that allow it, especially sites like email, banking, or e-commerce.

What is two-factor authentication? Two-factor authentication means that instead of using just a password to access your account, you add an additional method of verifying your identity.

Google Authenticator is a way to add a second factor; it’s easy to use and it sends a code via a text message to your device. You can set it up so that you only have to input a code if a new device tries to use the account or your password changes. In case you don’t have an Internet connection or cell phone service, you can download a set of 10 codes for backup authentication. Make sure you keep these codes safe! I store mine right in KeePass.

  • Back up your personal information on all your devices—documents, photos, music, videos.
  • Lock your devices: Use PINs, passwords, puzzles, or biometrics.
  • Install software like Find My Phone (Windows, Android, or iPhone) or Prey; if your device is lost or stolen, send it a lock and erase it. Be safe, call the police. Do not try to recover it yourself.
  • Don’t save password information in your browser! Here’s an article on how to disable saving passwords in IE, Safari, and Firefox browsers, and Chrome.

Can’t remember all those passwords? Neither can I! You can use a password-protected Excel 2007 or later spreadsheet (do not save in compatibility mode), download a password manager like KeePass, or use a cloud-based password manager like LastPass.

Do not lose the master password! If you might forget, put it someplace safe like your safe-deposit box.

I have used all three options, and I prefer KeePass, although Excel is in some ways more convenient because you can decide on the fields you use. The data is stored on your device (unless you load it in the cloud yourself). I use KeePass’s professional and portable versions, and KeePass2Android. Try to only update the KeePass database on one device and copy it to your other devices so you don’t get confused as to which device contains the most up-to-date copy of the database. I date the database when I add a new account or change a password (BlahXX-XX-XXXX), so I know to move it to my other devices.

It is very important to back up this database and store a copy that you update regularly —as well as a printed copy—in your safe-deposit box.

LastPass is convenient, but I don’t like the idea of not knowing where my data is stored. Also, if the service is down—as happened last August for over 12 hours—can you access your accounts? According to their documentation, you should be able to. However, it is always best to keep a non-cloud-based back up for cloud-based services.

  • Keep your operating system and applications up to date. When an operating system is no longer supported, it is time to either get the device off the Internet or—if the option is available—upgrade to a new operating system or download and install an open-source operating system. If none of those options work, wipe the device and recycle it here or at one of the Goodwill locations that partners with the Dell Reconnect program.

Spring clean your installed apps: if you don’t use it, uninstall it. Fewer apps will free up resources like memory and drive space, and your device might even run faster.

One application to consider installing on a Windows machine is Secunia’s Personal Software Inspector. It makes sure that all your updates and patches are current. I test a lot of software and some apps don’t always have automatic updates; this app is wonderful!

Everyone here at IntentionalPrivacy.com wishes you a prosperous, happy, healthy, and safe 2015! We’re happy you read us.

Trading convenience for security

Posted: December 22, 2014 by IntentionalPrivacy in Tips
Tags: , , , ,

These are some great tips from Gary Miliefsky at SnoopWall. You can either watch his video or read the interview. I just installed his SnoopWall Privacy app on my Android phone. I’ll let you know how it goes!

You might know and follow the general rules for creating a good password. Apparently, no one else does.

The “25 Worst Passwords” is an annual press release from SplashData, which sells password management tools. They also tap into the resources provided by similar security reporting firms. Those reports from recent news stories illustrate that most people seem to be really bad at inventing new passwords. Writing about the Adobe website breach of 2013 PC World revealed that ‘adobe123’ and ‘photoshop’ were very common choices. An article from the BBC cited security researcher Per Thorsheim. He pointed out that the color schemes of Twitter, Facebook, and Google, all lead people to include the word “blue” in their passwords.

As a result, more websites require you to use a Mix of Upper and Lower Case, and also to include $pecial C#aracters and Numb3rs. The password photoshop becames !Ph0t0$hop* and that should be more secure.

However, what really makes that more secure is not the mix of characters but the two additional symbols. The ! and * at the beginning and end turn a string of 9 characters into a string of 11. The basic arithmetic of computing says that the longer something is, the harder it is to guess. Your bank transfers money with cipher strings of 200 digits. We call them “computationally difficult” to crack.

“Black hat hackers” build special computers to attack passwords. One of those homebrew boxes broke every Windows-standard 8-character password in under 6 hours. A lesser machine revealed 90% of the passwords on LinkedIn. However, if you have an 11-character password those powerful crackers would need 515 years to work through all the possible combinations. And yet, long as they are “AmericanTheBeautiful” and “ToBeOrNotToBe” are known phrases.

Those networks of multiple game processors also grind through huge databases of words and proper names in English and their many variations. . Passages from the Bible, quotations from Shakespeare, and other cultural artifacts add to the databases.  Black hat hackers have mammoth dictionaries of known passwords. Those are compiled from the revelations of each successful attack.

Password Cracking Machine

Jeremi Gosney’s High Performance Computer. The rapidly-moving graphics of games are computationally intensive. So, the central processor and parallel processors of the Xbox, PlayStation, and others rely on co-processors designed for rapid arithmetic. That makes them perfect for running billions of guesses per second.

It is also true that some websites prevent you from using special characters. You might be instructed to keep your passwords to Upper and Lower Case Letters and the numerals 0 through 9. Restricted like that, all of the possible 11-character passwords can be broken in just 4 years. Turn the computer on; let it run day and night; it churns out passwords.

The reason why you sometimes are restricted from special characters is that the Dollar $ign and <Greater-than Less-than> and @some others# are common to programming systems and languages such as SQL (pronounced “sequel”) and Java. So, in place of the password, a hacker inserts a line of computer code to open up the website to their commands. Such SQL attacks are common.

BBC Cat 2

“If you have a cat, or any other type of pet, do not use its name as part of a password.” – BBC

That brings us to the corporations and organizations that allow your data to be stolen. SQL attacks are an old, known problem. But everyone is busy. And businesses cut costs by releasing employees. So, successful attacks are inevitable. The key to security is not just to put up barriers. Victims must act quickly, decisively, and effectively when those firewalls are breached. And they will be breached. It is not a matter of “if” but of “when.” For over 20 years, even the FBI has suffered periodic intrusions.   Rather than requiring you to have a ridiculously difficult password, the system administrators should just do their jobs.

But this is the Information Age. We all have computers, phones, pads, notebooks, and networks. That puts the burden back on you.

We give out our usernames and passwords all too easily. Spam Nation is new book by Brian Krebs. Formerly a technology writer for the Washington Post, Krebs more recently investigated two Russian “businessmen” who apparently controlled the world’s largest floods of spam email. They sold fake Viagra and fake vicodin, fake Gucci and fake Rolex. Millions of people bought them. From all indications, the crooks really did deliver the goods. In doing that, they acquired millions of usernames and passwords. And people are lazy.

If you have the same log-in credentials for illegal drugs that you do for your bank account, you have only yourself to blame when a drug dealer steals your money.

Brian Krebs writes a very readable blog.

Brian Krebs writes a very readable blog.

But the same breach could come through the garden club, the library charity, your school, or work. How many log-in accounts have you had since the Worldwide Web was launched in 1991? According to Brian Krebs, it is your responsibility to keep yourself safe by keeping your identities separate.

Even Wonder Woman, Superman, Batman, and Batgirl manage only two lives each, not twenty. You may need a password manager. PC Magazine, PC World, MacWorld, and InfoWorld all review and evaluate password managers. It is a start. Of course, if your home Wi-Fi network is open to the public, then you have a different problem, entirely.

RESOURCES

The methods of securing data are robust. Your financial transactions, health records and other sensitive information are safeguarded by strong mathematical processes. You can use these same tools yourself to keep your emails private. It is not much harder than learning a new phone and installing an app.

Usually, when your personal data is exposed by organized gangs of Russian “businessmen” or the Chinese People’s Liberation Army, it because of failures in computer security allowed by weaknesses in the programs. The cell phone companies deliver records to the NSA. The NSA does not break your ciphers. As far as we know, no one has ever cracked one of the public key methods developed since 1975. Some theoretical weaknesses have been suggested. Brute force attacks by the NSA have been hinted at, but never demonstrated. The mathematics is as immutable as the Law of Identity: A is A.  It is absolutely true that 1 + 1 = 2, always and forever.

A Crazy Idea

In the early to mid-1970s, independent researchers Whitfield Diffie and Martin Hellman at Stanford, Ralph Merkle at Berkeley, and Ronald Rivest at MIT, along with his doctoral candidates Adi Shamir and Lenard Adelman, all sought and found ways to encrypt information that were not based on any of the historically known methods. As a result, when Ralph Merkle submitted his papers to the Communications of the Association for Computing Machinery, they were rejected for denying the established wisdom of 2000 years. Working on his doctorate at Berkeley, he was told by his professors that he obviously did not know the basics of cryptography.

Codes and Ciphers

A code is a secret translation of one set of symbols for another. If we let
Handkerchief = Train
Scarf = Bus
Blouse = Plane
Red = 2:00PM
Blue = 3:00PM
Green = 3:45 PM
Then, “Thank you for the red scarf “ or “Thank you for the green blouse” could be sent via email or on a post card and the real meaning would be hidden. The weakness is in exchanging the key. Someone has to pass the translation table. However, given the security of the key table, the code is unbreakable.

A cipher is an orderly substitution. Taking the alphabet backwards, A=Z, B=Y, C=X,… turns BARACK OBAMA into YZIZCP LYZNZ. Another kind of cipher just takes the letters in turn say, every third in rotation so that HILLARY CLINTON becomes LRLTHLYIOIACNN.

Ciphers often can be broken with applied arithmetic. In English, e is the most common letter, followed by t a o i n s h r d l u… Among the complicated ciphers was the Vigenere in which a table of letter keys allowed shifting substitutions. During World War II, the Germans employed their “Engima” machine with its shifting and changeable wheels. It fell to the first of the computers, the “Bombe” of Bletchley Park and “Ultra” Project. In The Jefferson Key by Steve Berry (Ballantine Books, 2011), a supposedly unbreakable cipher finally falls to a modern-day sleuth. As constructed, it involved writing the letters vertically, then inserting random letters, then writing the letters horizontally. However, again, common arithmetic allows you to use the fact that any English word with a Q must have that letter followed by a U; and no English words have DK as a digraph. (Until DKNY, of course.) So, the cipher was broken.

Speaking to LASCON in Austin, October 23, 2014, Martin Hellman said that he and his co-workers were considered “insane” for suggesting that an encryption method could be devised in which the formulas were public. In fact, this idea had old roots.

The 19th century founder of mathematical economics, William Stanley Jevons, suggested that certain mathematical functions that were “asymmetric” could be the basis for a new kind of cryptography. Just because A=Z does not mean that Z=A. His idea did not bear fruit. However, Martin Hellman asked his colleagues in the mathematics department if they knew of any such asymmetric functions. Indeed, many exist.  They can be called “trapdoor functions” because they are easy to do in one direction, but computationally difficult in the other.  In other words, they are are unlike the four common arithmetic operations.

The Diffie-Hellman system employs modulo arithmetic.  RSA (Rivest-Shamir-Adleman) uses the totient function discovered by Leonhard Euler in 1763. In 1974, Ralph Merkle, then at Berkeley, thought of using a set of puzzles, where each one is moderately hard, but the full set of 15 becomes computationally difficult. Working together, Merkel and Hellman created a “knapsack” function in which the challenge is to put the “most important objects” (numbers) with the smallest weights (numbers) into a bag (solution set).

You can get the papers online. If you loved high school algebra, and get a kick out of crossword puzzles (especially acrostics) this will be fun. If not, just accept the fact that they work.

The salient facts remain: the cipher system is clearly described, yet stands cryptographically secure.   That is a mandate called “Kerckhoffs Law” named for Auguste Kerckhoffs, a 19th century Dutch linguist. A cryptographic system should remain secure, even if everything about it is known, except the key. Thus, in our time, you can find the mathematical theorems and computer code for public key systems. You can download almost instantly clickable applications to secure your email.

Pretty Good Privacy
A hundred years ago, codes and ciphers and the study of cryptography all were controlled by the secret services of governments. In our time, academic theoreticians publish papers. To be patented, a device must be published. And so, Phil Zimmermann took the mathematical theorems and processes of the RSA encryption algorithm and recoded them from scratch to create a new system, just as powerful, but available to anyone without need for a license. Zimmermann was threatened with lawsuits and such, but he prevailed. Today, PGP is a free product offered by software sales giant Symantec on their website here. It is something a “loss leader” for Symantec. You can get PGP from other places as well, see here.

With it, you can encrypt your emails. Know, however, that (1) you would need to be “approved” by another PGP user (easy enough) and that (2) anyone you send emails to with this also needs it to read your emails to them. Be that as it may, it is no harder than setting up a really cool Facebook page, just a bit of work and some close focus.

Information Leakage …

Posted: September 29, 2014 by IntentionalPrivacy in Identity theft, Tips, Vulnerabilities
Tags: , ,

Information leakage: what is it? It’s the unauthorized flow of information from a source to a recipient. Although unauthorized, it is not necessarily malicious, but it can still be detrimental.

Let me give you a couple of examples.

Our credit union is, in most cases, very accommodating. However, when it comes to paying bills online either through Bill Pay or the creditor’s site, I argued with them about printing my social security number on my account statement when I paid my Sally Mae loan.When I paid my credit card online, they printed my entire credit card number on my account statement. I called and talked to a  credit union customer service rep and could not convince her how bad using these numbers was. I wrote a letter to the credit union, the credit card company, and Sallie Mae, and Sallie Mae changed my account number (which they should have done in the first place). However, I could not convince the credit union to only print the last four digits of the card number.

Think about how many people could possibly see those numbers: database analysts, print and fold operators, customer service reps, postal clerks if the envelope rips … and if the credit union gets hacked, well, who knows?

I finally wrote letters to each member of the credit union board of directors, and voilà! The number displayed on my account statement is now only the last four digits.

Be persistent when this type of thing happens! It’s your information, and nobody else will care as much as you when your identity gets stolen. And other people’s information will be safer also.

Next up: our insurance company, who thinks it’s safe to use my social security number as our account number, as long as they add a three-digit number to it. Now my number is available to doctors, nurses, receptionists, technicians, customer service reps … the list goes on and on. Nobody will guess. Yup. The thinly-disguised-number-is-secure trick.

I shop at Target about once a week. Last Saturday, I was dismayed to discover that an estimated 40 million debit and credit cards used at Target had been stolen. This isn’t the first time my card number has been stolen, and it probably won’t be the last, unfortunately.

Many of those cards will be duplicate numbers, so the total number of cards stolen will probably be fewer than 40 million. Still, it is a very large breach, the second largest to date. The biggest breach—90 million credit/debit account numbers!—in the US occurred at TJX over a period of 18 months and was discovered on December 18, 2006 (TJX data theft).

First, let’s look at what happened:

  • On December 15, 2013, malware was discovered on Target’s point-of-sale systems at US stores. Target eliminated the malware, and notified card processors and payment card networks.
  • According to some sources (a Reuters story posted on Yahoo!), Target did not find the breach; it was discovered by a security researcher. That is worrisome.
  • According to Target, the issue only affected US stores; purchases made online at Target.com or in Canada were not part of the breach.
  • In their statement, Target explains the breach occurred between 11/27/2013 and 12/15/2013.
  • PIN data was stolen (Reuters – Target says PINs stolen, but confident data secure), but not the key, which according to Target’s statement, resides at the external card processing center. They are not giving out the name of their processing center. The PIN data is encrypted with Triple DES encryption.  To decrypt the PIN data, the thieves need the key.
  • There are 2 types of security codes used with credit/debit cards. Each card issuer calls the security codes by different names.
    • The first code is embedded in the magnetic stripe of the card and is used when you present the card to a merchant; it’s often called the CVV code. This one was included in the stolen data.
    • The second number, often called the CVV2 code, is not included in the magnetic stripe data and therefore was not stolen. This is the number used when you make card-not-present transactions, such as online or over the phone. American Express prints the four-digit number they use on the front side of the card, while most other issuers use a three-digit code printed on the back of the card next to the signature area.
  • The US Secret Service is investigating, as well as an unnamed outside investigator.
  • Stay tuned for more details. I don’t think investigators have a good handle on this theft yet, so the details are likely to change.

Note: PINs are not the safest way to protect your financial information; there are only 10,000 combinations (0000 to 9999). Europe uses electronic chips in their cards; another method is a dynamic pin generated through a text message or some other media, such as an RSA token. The problem with dynamic pins is that they’re slow and expensive.

According to Krebs on Security, stolen Target credit/debit card numbers are already being sold in underground black markets in batches of one million cards.

What to do?

  1. Monitor any account(s) used at Target at least daily for evidence of tampering.
  2. Check out the Target breach details.
  3. Get a copy of your credit report. You get 1 free credit report from each credit agency per year. https://www.annualcreditreport.com/index.action
  4. Target says they will pay for credit reporting; they will have more details later.
  5. Replace your card:
    • If you use a Target REDcard, contact Target for a replacement card.
    • Ask your bank or credit union to replace each card used at Target during the dates the breach occurred.
  6. If you choose not to replace your card, at least change your PIN number.
  7. When you choose a PIN, do not use your birth date or consecutive digits, such as “1234.”
  8. Some cards allow you to add an alert when it’s used; check with your card issuer to find out if they have this feature. The Target REDcard does give you this ability.
  9. Do not respond to any scam emails, texts, or phone calls asking for your PIN or your social security number or your credit card number.
  10. Some people suggest buying a prepaid credit card or using cash instead of using credit/debit cards. I’ve never used one, so I don’t know anything about costs, but I’m going to look into it.

If you notice fraudulent activity in your account:

  1. Notify your card issuer immediately at the number on the back of your card and cancel your card. This greatly limits the payment portion of fraud you’re responsible for.
  2. Put a block on your credit report at one of the three credit reporting agencies:
  3. Read the FTC’s tips for “Lost or Stolen Credit, ATM, and Debit Cards.”

Who pays the costs?

While it’s true that the banks and the merchant eat the losses initially; ultimately, we all pay the price of such theft through higher costs.

Do you check your child’s credit reports?

It’s really important that you check your child’s credit report while he or she is a child because a child whose identity is stolen can have problems finding a job, getting credit, or renting a place to live after they become an adult. The older the records, the more difficult they are to clean up. How can someone get credit in the name of a juvenile? Credit reporting agencies do not have a foolproof way to check age when financial information is posted, so it is difficult for them to know that the victim is a child.

And what if your school has a data breach? Yes, that happens. You can check different types of breaches that have been made public at http://www.privacyrights.org/data-breach

Also think about what information you allow to be public about your children … on Facebook, at schools or school events, through Twitter.

For more information about protecting your child’s identity, consult the Identity Theft Resource Center article on “Identity Theft and Children.” http://www.idtheftcenter.org/artman2/publish/v_fact_sheets/Fact_Sheet_120.shtml The FTC also has a very good article on child identity theft at http://www.consumer.ftc.gov/articles/0040-child-identity-theft