Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Whats Worse: Credit Card Or Identity Theft?
Threaded  |  Newest First  |  Oldest First
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/9/2014 | 10:51:57 AM
Identify Theft
Personal Information loss can make someone's life miserable. The tasks that people must through to get credit files straightened out and the fraudulent accounts that have been charged up closed are daunting at the very least. Social media is one way the bad guys get some of the information they ues, we need to understand the hazards of telling too much about ourselves. Good article.
jmshipe
50%
50%
jmshipe,
User Rank: Apprentice
4/9/2014 | 11:34:58 AM
Re: Identify Theft
For the consumer, identity theft is far more devastating than credit card theft.  As for the company that lost it, I'd say the jury is still out.
NeiraJ312
50%
50%
NeiraJ312,
User Rank: Apprentice
4/9/2014 | 11:47:50 AM
Re: Identify Theft
Hi Kerstyn, excellent post, and yes the consumer is all too often forgotten and they may see the fall out of a breach affecting them month or years after the breach itself... I wrote on the subject myself a while back and would very much appreciate your view :)

YOUR PROVIDER IS HACKED, YOU'RE ASSURED OF NO FINANCIAL LOSS. BUT ARE YOU SAFE?...


Kind regards,

Neira
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/9/2014 | 12:35:01 PM
Re: Identify Theft - a new conversaton
Kerstyn. Let me throw your own question sback at you: Why has PII data security taken a back set to CC info? Where does the "new conversation" begin and with whom? 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/9/2014 | 3:37:10 PM
Re: Identify Theft - a new conversaton
To me CC data takes a back seat to PII because of the obvious, credit cards can be cancelled but sensitive data loss is a much greater difficulty. Thoughts?
Kerstyn Clover
100%
0%
Kerstyn Clover,
User Rank: Moderator
4/9/2014 | 3:44:46 PM
Re: Identify Theft - a new conversaton
Randy - That's the same way I tend to see it as well - I would much rather lose something that I can track (and freeze, report, cancel, whatever) at my own will than something that's nebulous and much harder to keep track of or identify.

 

Meredith - I can't speak for media as a whole, but I would wager that part of the reason CC data loss gets so much coverage is that it's a lot easier to sum up in sound bites and advice for consumers. I would much rather advise a client on how to handle their credit card being stolen than on trying to rein in their personal data, so if I'm a news organization trying to do a consumer alert story then that's the way to go. Not to mention, cardholder data is something we know is out there and there are still plenty of people who can't begin to fathom how much data is being collected about them. I'm not even sure I can.

 

I think the new conversation starts in a lot of places. Constantly pushing for security that's above and beyond requirements or regulations is a great place to start; we know there are controls for card numbers but it gets a lot greyer when you're deciding how you can and can't store or transfer, say, favorite colors.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/9/2014 | 4:28:06 PM
Re: Identify Theft - a new conversaton
Agreed, that is a much easier conversation to have than to "try" to explain how to straighten out their credit file, fraudulent charges,life, etc.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
4/9/2014 | 6:42:44 PM
Re: Identify Theft - a new conversaton
Credit card numbers should really be one-time use numbers.

I wonder if stiffer penalties for identity thieves -- like being forced to manually correct grammatical errors in spam messages -- would create more deterence.
Kerstyn Clover
50%
50%
Kerstyn Clover,
User Rank: Moderator
4/10/2014 | 9:01:37 AM
Re: Identify Theft
Neira,

 

I read over your blog and you touch on a lot of great points that I did not have the space for in my own. This in particular jumped out at me: "...education and awareness is still failing in most organisations as it seems to be merely driven by compliance and regulation..." and I think that almost anyone in the industry would agree.

A lot of security comes from being aware, trained, and practicing frequently. Unfortunately those are all things that can be very difficult to compel companies or people to work on because they tend to be intangible and require a lot of effort.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/10/2014 | 10:28:39 AM
Re: Identify Theft
@Kerstyn & Neira: Nothing like hitting the nail right on the head! I can't remember how many times I've made that statement about awareness training. Many times, C level executives simply do not see the ROI from awareness training. I attribute this to the failure of security personnel to effectively communicate the business need and impact of all IT security aspects to the organization. If C level executives see IT security in terms of compliance and current bottom line impact only, budget decisions become a matter of spending the least amount to gain an acceptable level of security comfort or compliance. The axiom that compliance equals security has been disproven many times, with the Target breach serving as a glaring example. Security expenditures must be viewed in terms of an investment in the organization's future. Yes, it is intangible, but so are many other investments ourside of security. As far as effectiveness of training, much can be gained by designing the material in such a way that users see a personal gain from it. The training material I prepare frames security practices that affect the organization, and also their personal lives. When seen from that perspective, users will adopt practices that improve the security posture of the organization as well as their own personal security. Not surprisingly, users have thanked me for the information, and told me how they have changed their personal behavior to improve their own personal security, and even disseminated the information in their personal circles. We are creatures of habit and we usually engage in similar practices at home or at work. When you think about it, those practices do not differ much from organizational and personal standpoints. Secure practices do not necessarily have to precipitate from the top down; they can be adopted in a widespread fashion to accelerate and elevate the security posture of any organization much more quickly.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/10/2014 | 11:36:40 AM
Re: Identify Theft -- Awareness Training
To your point about security awareness training. Did you read Tim's story today:

Majority Of Users Have Not Received Security Awareness Training, Study Says

The survey of 600 employees, conducted by EMA Research and sponsored by training firm Security Mentor, indicates that 56 percent of workers say they have not had security or policy awareness training from their organizations. The remainder of employees (44 percent) say they have received annual training.

Thoughts on how training can be more prevalent and/or effective? 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/10/2014 | 12:39:00 PM
Re: Identify Theft -- Awareness Training
I did read it, and unfortunately, I'm not surprised. In fact, I'm inclined to think that the survey results may have understated the number of users who were not trained. Additionally, it begs the question whether or not the training was actually effective. Unfortunately, the true measure of effectiveness would be the examination of a breach to see if it was a direct result of unsafe practices. Accidental exposure does occur, and it can be argued that accidents are a result of unsafe practices, but we are all human beings and we do have weaknesses. So on a more practical side, the measure of effectiveness cannot devolve to a simple Q&A test - it has to be a simulated real world test like an internal social engineering exercise. Automated auditing tool reports can also provide data regarding those practices; i.e. filters or applications that prevent storage of PII or PHI or CC data in insecure locations such as workstations, etc. An example of lack of awareness: a few years ago while we were undergoing an HR application implementation, I was contacted by the vendor's conversion specialist to ftp a file so they could import data into the application. The file name was empdata. Naturally, alarm bells rang in my head, and when I examined the contents of the file, I saw that it contained employee data including banking information for direct deposits, SSNs, dependent infotmation, etc. Normally, the ftp request would have gone through someone else in our organization, and not someone in IT, but for some reason, the request came to me. What shocked me was that I was informed that such a request was "routine" and other clients simply complied without question. When I told them that I refused to ftp the file due to security reasons, the conversion specialist asked me if I would email it to them instead of ftp. I almost lost it right then and there. Long story short, I caused the vendor to implement a more secure way of transfering the files, and they made it a standard procedure with all their clients. Imagine a client having to educate an HR software vendor on secure practices regarding sensitive employee information - what's wrong with that scenario? That incident shows the lack of awareness in too many organizations.
Cypherpunk
50%
50%
Cypherpunk,
User Rank: Apprentice
4/10/2014 | 2:48:26 PM
Re: Identify Theft
Identity theft and credit card data breaches by retail merchants are driving consumers to seriously look at bitcoin as an alternative payment network. Bitcoin transactions are peer-to-peer "push" operations so they do not require any third party intermediary, cannot reveal personally identifying information and are verfified by a worldwide network of computers so the payments are confirmed in minutes instead of hours or days. As an added bonus, transaction fees on the bitcoin network are miniscule compared with credit card fees (~$0.004 paid by the customer, as compared to 3%-5% of the purchase price paid by the merchant to the credit card processor).

The credit card system is entrenched 1950's era technology that hasn't had to evolve for decades; cryptocurrency is 21st century technology that is designed for today's mobile marketplace which places security as the first priority, not tacked on as a hastily-written emergency patch. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 2:54:28 PM
Re: Identify Theft & bitcoins
@CypherpunkI - In my state -- Massachusetts, they've installed bitcoin ATMS in South Station and a major subway hub. But the state consumer protection agency is advising consumers to be careful.  Personally, I'm still a little bit leery of them..

 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
4/9/2014 | 11:16:51 AM
ID Theft
ID theft gets my vote as being worse. If my CC number gets stolen and reused, it's relatively easy to get the charges removed. But if my ID gets stolen (Social, address, etc.), then trying to prove that I'm me and that other guy isn't me turns into a Kafka-esque, bueracratic existential nightmare.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/9/2014 | 7:54:41 PM
Data Masking and PII
I feel that as the years progress that the amount of data that is considered PII is increasing. I think one reason this situation is difficult is because you have to way data accessiblity versus security. How can you be secure but also be able to perform your tasks? I think one item that might help is data masking. Now understand like encryption methods, authentication, and other security safeguards, this is a measure that can still be exploited but I think that if multiple masking methods are leveraged for different data sets it makes the data that is being worked with much harder to access.

Also we need to realize its impossible to prevent 100% data leakage. We need to focus on the best ways to prevent as much as possible.

Any one else to posit solutions that may help protect against identity theft and data leakage?
gosmartyjones
100%
0%
gosmartyjones,
User Rank: Apprentice
4/10/2014 | 1:34:50 PM
Without Question, it's Identity Theft
Remember something very important about identity theft, and that's the notion of "one and done". You only have one birthdate, social security number, and other unique vitals. Once they are breached, they've been forever compromised and cannot be changed. As a PCI-QSA, breaches occur – and will continue to occur – but how lasting is the damage, really? You can replace your credit card number, but not your unique vitals and it's why I strongly favor compliance assessments that should be focusing on critical aspects of Personally Identifiable Information (PII). 

Only in very extreme circumstances can you get another social security number, but as for credit cards, just give your bank a call.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.