In recent days, Target customers were shocked to learn that since late November, hackers have managed to steal the names, credit and debit card numbers, expiration dates and security codes from as many as 40 million Target customers. Target customers should be very concerned, but they shouldn’t be shocked, because dozens of stores, companies and government agencies have been hacked in recent years, opening millions of Americans to identity theft, fraud and the possibility that sensitive personal information will be misused.
In just the past two years, hackers have gotten into the computers of J.C. Penney, 7-Eleven, Nasdaq OMX Group, JetBlue, Dow Jones and others, and made off with similar information on 160 million of their customers. The hackers who successfully targeted Target could cost the U.S. economy an estimated $4 billion, and the potential total cost of all these security breaches could be many times that amount. It has been estimated, in fact, that the total cost of these thefts to the U.S. economy could be the equivalent of 450,000 average wage earners working for a full year.
That is a lot of money down the drain in an economy still struggling to recover from recession, and the sad thing about it is that it wouldn’t have happened if security experts at these companies had thought well enough ahead to anticipate the nature of the attacks on their systems and put security measures into effect to thwart the hackers.
Many of the measures taken by companies and government security experts are either designed without anticipating the nature of the next assault on the system they are charged with protecting against or without fully realizing that human beings are fallible and too often give hackers the very openings they are trying to eliminate. Preparing for the last attack, like military organizations that train for the last war, is of limited value, as is a strategy that ignores the human factor.
We have the technology today that can be utilized to at least keep institutions one or two steps ahead of the hackers if put in place and managed with an eye to what individual customers will and won’t do to assist in protecting their own and the institution’s data.
For example, in today’s world, cardholders can easily be empowered to control how, when and where their credit and debit cards can be used. Smartphones are ubiquitous, and apps can be developed for these phones that would give individual customers tremendous flexibility by allowing them to disable their cards when they are not in use and enable them just prior to a purchase. The individual cardholder could be given the power to control his or her transaction limits and the types of purchases that can be made on the card, as well as where and when it can be used. With such a system in place, hackers couldn’t use whatever data they might get their hands on without hacking into the phones of individual cardholders, a daunting and virtually impossible task.
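The cardholder controls described above, sketched as an added example (not code from the column or from any card network): an authorization check that requires the holder to have enabled the card shortly before the purchase and to have allowed the amount, merchant category, country and hour. All names, fields and sample values are constructed for illustration.

```python
# Added illustration of holder-controlled card authorization; every field and value is constructed.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional, Set, Tuple

@dataclass
class CardControls:
    enabled: bool = False                 # card is "off" until the holder turns it on from the phone app
    enable_window_minutes: int = 10       # an enable only lasts this long
    enabled_at: Optional[datetime] = None
    max_amount: float = 0.0               # per-transaction limit chosen by the holder
    allowed_categories: Set[str] = field(default_factory=set)   # merchant categories the holder permits
    allowed_countries: Set[str] = field(default_factory=set)    # countries the holder permits
    allowed_hours: Tuple[int, int] = (0, 24)                    # local-time window [start, end)

def enable_card(c: CardControls, now: datetime) -> None:
    """The holder taps 'enable' just before paying; the card is live for a short window."""
    c.enabled, c.enabled_at = True, now

def authorize(c: CardControls, amount: float, category: str, country: str, now: datetime) -> Tuple[bool, str]:
    """Return (approved, reason). A stolen card number alone fails every check below."""
    if not c.enabled or c.enabled_at is None:
        return False, "card disabled by holder"
    if (now - c.enabled_at).total_seconds() > c.enable_window_minutes * 60:
        return False, "enable window expired"
    if amount > c.max_amount:
        return False, "exceeds holder limit"
    if category not in c.allowed_categories:
        return False, "category not allowed"
    if country not in c.allowed_countries:
        return False, "country not allowed"
    start, end = c.allowed_hours
    if not start <= now.hour < end:
        return False, "outside allowed hours"
    return True, "approved"

def t(hour: int, minute: int) -> datetime:
    """Constructed timestamp on a fixed sample day, for the scenario below."""
    return datetime(2013, 12, 18, hour, minute)

def demo():
    """Scripted scenario: one legitimate purchase and several attempts using only the card data."""
    c = CardControls(max_amount=200.0, allowed_categories={"grocery", "fuel"},
                     allowed_countries={"US"}, allowed_hours=(7, 22))
    results = [authorize(c, 50.0, "grocery", "US", t(9, 0))]   # before the holder enables the card
    enable_card(c, t(9, 0))
    results.append(authorize(c, 50.0, "grocery", "US", t(9, 2)))       # the holder's own purchase
    results.append(authorize(c, 50.0, "electronics", "US", t(9, 3)))   # category the holder never allowed
    results.append(authorize(c, 50.0, "grocery", "BR", t(9, 3)))       # country the holder never allowed
    results.append(authorize(c, 500.0, "grocery", "US", t(9, 4)))      # above the holder's limit
    results.append(authorize(c, 50.0, "grocery", "US", t(9, 15)))      # enable window has lapsed
    return results
```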
We know, too, that even those charged with protecting computer security within government security agencies often use dated technology or, like those in the private sector, develop systems that ignore the frailty of the human beings who use them. The idea that someone like Edward Snowden could waltz into the NSA, gain access to virtually every secret stored there and walk out with it shocked the nation and the world, but it happened. We learn almost monthly that state-sponsored hackers have broken into supposedly secure government databases, either because of a human breach or because the agency is several steps behind the hackers in employing technology to protect the nation’s secrets.
In a few cases, the people charged with putting complex systems in place either disregard or don’t appreciate the importance of protecting the data those systems will hold. This happens rarely, but those who built the government’s Obamacare online system did so without giving much thought at all to the fact that hackers might gain access to the system and thereby to sensitive information on tens or even hundreds of millions of Americans. The stories about successful hackers stealing data from Target or 7-Eleven will seem minor by comparison to those we could see next year as these same hackers go after the Obamacare system as the mother lode of data on individual Americans.
Within public- and private-sector institutions, the human element must be factored in from the beginning. Human beings with the best of intentions make mistakes that can compromise the privacy of others. Simple human curiosity is a trait hackers frequently exploit to gain access to an institution’s security system. For example, a major European corporation was hacked recently after attackers placed a USB memory stick on the ground next to the parked car of one of the corporation’s security employees, who found it and picked it up. It was labeled “weight loss,” and the employee, who the hackers knew was struggling with weight issues, took it back to her office and inserted it into the USB slot in her computer to see if it might contain information she could use. The hackers’ program immediately took control of the company’s security system, and millions of dollars’ worth of data was stolen.
Institutions must address the human element with the same thoroughness they put into the technological component of the security systems they devise to protect our privacy. Technological flaws, such as those that occurred with such glaring visibility in the Obamacare system’s design and deployment, are relatively rare, but human mistakes are common.
If we don’t learn from our mistakes, what occurred at Target will become a daily threat to the privacy and financial security of every American.
John McAfee is an information-security specialist. His website is whoismcafee.com.