Nairobi Airport Security Officer’s Bribe

This photo is a crime! (yeah, right). Security checkpoint at Nairobi airport.

My sister had the most terrifying experience in Nairobi a few weeks ago.

“As you know,” she said to her jet-setting family members, “flying out of Nairobi there’s a security checkpoint where all passengers have to get out of the cars in the middle of a five-lane road and walk through a security inspection. Meanwhile, the drivers of the cars go through their own check. It’s a confusing mess and takes time to identify your car and driver after you have been cleared.”

That alone freaks me out. I usually refuse to be separated from my luggage, though sometimes during international travel there is simply no choice.

“After we passed through security and were waiting for our car, I started to video the chaos. I should have known better…

“With some difficulty, we finally identified our Uber and got in the car, relieved to be reunited with our stuff. Suddenly, a military police officer with some big-ass machine gun stopped the car and demanded to know why I was videoing the security checkpoint.

“I explained that I had never seen a process like this before and I found it interesting. He replied that it’s a crime to film there and that he is going to charge me with a crime and I will have to go to court on Monday!

“I apologized and said I would delete all photos. He said no—I committed a crime by using a camera at a security checkpoint. He said he is charging me with the crime and I will have to go to court and I will miss my flight.

A still from my sister’s illicit video at the Nairobi airport security checkpoint.

“In the meantime, our driver is whispering to Drew [our nephew] in the front seat that the officer wants 500 shillings ($5) but he was now demanding US $50 to me through the back window. At this point we’d have given him anything. We were even ready to give him our phone! We were also so worried we’d miss our 11 p.m. flight!

“We were literally shaking. I saw my future working in a labor camp in Kenya for the next 12 years!

“We continued to apologize, saying it was a mistake. The officer continued to insist that he had to charge me regardless; he would not let us delete any pictures and we would miss our flight and will have to go to court Monday.

“Of course it was all about the bribe, but when you’re in the moment, in the middle of the situation with a jerk, in a foreign country, you never know how far he’ll take it.

“I asked if I could pay the ‘fine’ now and skip the ‘court’ date so that I could make my plane. He made me delete the video then, and $60.00 later (I wasn’t about to ask him for change!) it was done. But at that moment, I would have paid much more!!!!

“The Uber driver then got out of the car and shook hands with the officer. I’m sure money was exchanged.

“The Nairobi airport security officer put his face in our window again, smiled, and told me to let my friends know what a wonderful time I had in Nairobi!

“And I still had the video, which would stay in my deleted file for a month!”

A wonderful time in Nairobi, duly and publicly reported here!

© Copyright 2008-present Bambi Vincent. All rights reserved.

Hotel Oddity #52 — Millennium Biltmore security lapse


I wrote about this ages ago, way back in Hotel Oddity #6, but back then the idiotic installation was in the Miami Radisson Mart Plaza Hotel. I thought it was a unique display of incompetence, a one-off, a singular example of the Peter Principle, combined with management negligence. And look! Here it is again!


This time at the historic Millennium Biltmore Los Angeles, the art deco beauty whose lobby is a show set and whose rooms are pretty ordinary. Our room wasn’t ordinary though. At least I hope not. Could all the rooms have “security” like this?

Need I point out the upside-down installation of the chain receptacle? It doesn’t matter if the door has other security measures, a deadbolt for example, because a guest may choose to use the chain and not the deadbolt, believing himself secure. (No comments on the insufficiency of that particular guest…)

The Millennium Biltmore security lapse does not take away from the beauty and drama of its downstairs lobby and rooms. It’s definitely worth a visit. But management? Would you please fix this?

Millennium Biltmore, Los Angeles


The Art of Invisibility, by Kevin Mitnick, reveals how data on us is gathered

The Art of Invisibility, by Kevin Mitnick

Our Data, Our Selves

They know who you are. They know what you buy, where you live, where you work, where you go in between. They know your most intimate secrets, not because you told anyone; they simply put the clues together and joined seemingly unrelated tidbits. Your shopping history, your online searches, words used in your email, the cell phone towers your phone used, even how fast or slowly you type. Combined, it all points to you. You leave data dribbles like greasy fingerprints to be dusted, collected, identified, and assembled.

By now we’re all used to being tracked and spied upon. We pretty much accept it, most of us. We know our web-browsers act as spies and report our every move. Our credit cards and loyalty cards provide a treasure trove to someone (but who?), and our cell phones even more. We’re spied upon even with the cameras and microphones built into our own computers and cell phones. What can we do but shrug our shoulders and give up?

We’re vigilant about not clicking on spammers’ links, we’ve learned to look for “https” URLs when we make online payments, even to recognize spoof emails. But enough is enough, right? We have to live life! Today’s technology is as vital as food and water and we have to use it. Who can spend time worrying about all this info-gathering, especially since it’s invisible and does not present an inconvenience? Forget it. That’s life. Move on…

Or…?

Trade-offs

We constantly and willingly give up our data for something in return. And it seems like a fair exchange: handing over data is painless; the benefit is all ours! We get free stuff, convenience, points, discounts, rewards, elite status, the privilege of using a “free” app… [Warning: rant coming…

WhatsApp is my pet peeve. Many, many of my friends and colleagues, even those in the security business, use it. And what’s the first thing the app does after you download it? “WhatsApp would like to access your contacts.” “OK,” you say and—whoops!—there they go, all your contacts, including my info if I’m in your address book (and I’m not even a user!), against my will, handed over so WhatsApp and Facebook can “share information with third-party providers,” in other words, so they can sell my personal info. Thanks, friends. Yet, prominently, ironically, WhatsApp proclaims on its site “Privacy and Security is in our DNA.” Okay, its messages are encrypted, but what’s private or secure (or honest) about sucking up all the contacts of a naive user? True, WhatsApp is not the only app that commits this surreptitious theft of information. Uber is another. But, I digress. …Whew. Okay, end of tirade.]

Where was I? Trade-offs. Security is a trade-off which costs us in convenience, simplicity, expense, dignity, time, and much more. Wouldn’t it be swell if we didn’t need passwords, locks, or TSA? But we do need these, obviously. Luckily, the average person can deal with the minimum required amount of security.

Privacy is another matter though. We can shut our curtains but… do you have tape over your webcam? Put your birthday on Facebook? Unknowingly hand over all your contacts’ info to WhatsApp or some other software company? Use a credit card, loyalty card, agree to “our terms and conditions”? Yeah, privacy is pretty hopeless nowadays. If you browse the internet or use a cell phone, you’re being tracked. Not only tracked, but micro-tracked. Data about you is collected at every turn, codified, traded, bought, sold, and used to build a scarily detailed dossier—which is also bought and sold. It’s your data shadow; it sticks to you and grows as the minutes pass, like the setting sun’s lengthening silhouette attached to your feet.

In fact, data you enter on some web forms, for example Quicken Loans’ Mortgage Calculator, is sucked up even before you give it permission by clicking “submit.”

The Art of Invisibility, by Kevin Mitnick

To avoid being tracked, to stay under the radar and off the grid, to be invisible, is a huge trade-off. A Sisyphean task. Kevin Mitnick lays it out in his book, The Art of Invisibility, step by step. And he should know, having evaded the FBI for two and a half years before he was arrested and imprisoned for five years. Remember “Free Kevin”? I highly recommend Kevin’s entertaining, page-turning previous book, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.

Entertaining, The Art of Invisibility is not. Page-turner…uh-uh. But it is fascinating, and after a good primer on the basics, goes into technical detail that might be more interesting than useful for many of us ordinary people. For every scary spy technique revealed, Mitnick tells us how to avoid that particular trap. They’re not easy to thwart—short of living in a cave secluded and self-sufficient, it’s a lot of work. As in, huge trade-off. And Mitnick tells us repeatedly: we will make a mistake. We will trip ourselves up. That’s how hackers and leakers are discovered. They make some tiny mistake that allows them to be traced and their identities revealed. But most of us don’t really want or need invisibility. We just want to avoid the obvious pitfalls and take, at least, the easy precautions.

Mitnick tells us there’s much we can do easily, and tests we can run to see just how vulnerable we are online. We should do as much as our tolerance allows, up to our own personal trade-off limit. You lock your car, right? Do you use a LoJack? You lock your home. Do you have a security system? Do you use it? Do you have iron bars on your windows? We’ll each go to a certain level, then hit our quitting point.

Simple, important steps include turning off location-sharing, blocking pop-up windows, deleting cookies, killing super-cookies, using end-to-end encrypted messaging, and many, many more.

But to truly reach online invisibility, Mitnick addresses three large categories: hide your real IP address; shield your hardware and software; and defend your anonymity. The hoops one must clamber through for each of these are many and challenging.

You can hide but you’ll still be seen

Offline is another matter. How many times per day is your photo captured by surveillance video or someone’s ordinary camera? What might they do with it? Are people flying drones over your house? Retailers can now capture the identity of your cell phone when you enter their store, and look up all kinds of details about you. So can law enforcement, in large crowds of protestors, for example.

Facial recognition software is in use in some places, namely churches, to log your attendance, and not necessarily with your knowledge or permission. (Fix: wearing special, light-emitting glasses.)

You’re tracked in multiple ways and recognized using almost every form of transportation (bus, train, subway, taxi, your own car). Uber maintains your ride history; and that’s nothing compared to what Tesla knows about its car owners. And get this: if you take a subway train, the accelerometer log on your own cell phone can be matched to the subway line you took and exactly where you boarded and debarked. Is that creepy, or what? (Fix: drop out of life entirely?)

Have a voice activated TV? It’s listening for your command; what else does it hear, and where does the speech it records go for recognition? Use Siri, Alexa, Google Assistant, or one of those voice-recognizing gizmos? They’re always on and listening; how secure are they, and who’s eavesdropping? Where does the recording go for artificial intelligence interpretation and how long is it stored?

What do you have connected to your home network? Lighting, doorbell, thermostat, baby monitor, pool control, security system, door lock, webcam, refrigerator? The Internet-of-Things (IoT) is most troublesome, because most of these peripherals you control with your phone or tablet are not built for security and are not patched or updated. A hacker can use these convenient connected systems to gain access to your entire home network. (Fix: live in a cave?)

“To master the art of invisibility, you have to prevent yourself from doing private things in public.”

Need to conduct personal business while at work? If you want it to be private, don’t use company computers, printers, or company issued cell phones. Use your own, personal device, and use your own personal cellular data network, not the company wifi. Actually, don’t use any other wifi, devices, or printers, including the library’s or the copy shop’s. They all save logs and PDFs of documents you print that you can’t delete. Your data crumbs are dribbled everywhere by default; actively preventing the leakage is not easy.

(A top secret foreign military unit recently hired Bob and me for training. But because of the insecurity of communications, and because Bob and I, mere civilians, did not have access to a “cone of silence,” the group flew us overseas without even telling us about our assignment. That’s military-grade security.)

I got a special kick out of the beginning of Chapter Fourteen. Mitnick describes a harrowing incident in which he was detained for hours by customs agents upon flying into Atlanta from Bogotá. Bob and I had also flown into Atlanta at the same time, and were to speak at the same security conference, the American Society for Industrial Security (ASIS). We were waiting for Mitnick at the airport… and waiting, and waiting. We finally left without him, and learned late that night what had happened to him, which you’ll have to read the book to find out. He was cool but shaken, if one can be both of those at once, and angry because he was unable to prepare properly for the panel he’d be moderating in the morning.

Mitnick lays out the pitfalls and tricks of returning to the U.S. from abroad, and how to keep your data out of the hands of curious Customs and Immigration officials. He explains in great detail how to use a Tor browser, a VPN, and Bitcoin to set up anonymous browsing; oh, and first turn off your home network, use a separate computer (which you purchased anonymously with cash), change your MAC address, use a personal hotspot on a burner phone (purchased anonymously), stay on the move, and remember not to check Facebook or your personal email. I skipped some steps, but you get the idea.

Know the difference between the Surface Web, the Deep Web, and the Dark Web? Mitnick explains all that, and why a law-abiding citizen might have a legitimate need to browse anonymously. If you really want to do it, all the steps are detailed. It’s a lot of work. And, as Mitnick emphasizes, a nanosecond of lapse will blow it all completely.

One thing Mitnick does not address in The Art of Invisibility is healthcare. I wonder how he would get medical treatment if he were trying for invisibility today? How did he do it when he was on the lam in the 90s (though things were much different way back then)?

I have to ask him that. If I can find him…

© Copyright Bambi Vincent 2007-present. All rights reserved.

Hotel security: room door left open by housekeeping

Hotel room door: Mercure hotel room door left unlocked all day by housekeeping.

Hotel room door: security thwarted by maid leaving door open.

A lightning bolt of fear shoots down your spine when, returning late to your hotel room, you see the door is not fully closed. You know you closed it—and checked it.

Pushing the door a little you see that, not only is the door open a crack, but its bolt is thrown so that it can’t close.

This is what happened to my sisters at the Hotel Mercure in a Stockholm suburb. Luckily, it wasn’t the same day that they accidentally left their smartphone on the bed. (The phone was still there when they returned late that day.)

After the physical attributes of a hotel room, housekeeping holds our security in its hands. We can perform our hotel room security check and follow good security practices, but the maids can make our efforts moot.

A traditional hotel security threat has come from social-engineering burglars who enter rooms while maids are cleaning them and pretend to be the room’s occupant. To behave appropriately in these confrontations, hotel housekeeping staff must rely on their training, perhaps balanced by their own judgment and discretion. And anyway, rules are one thing; compliance is another.

Human error is a separate factor. How many times has that housekeeper finished a room, unbolted the door, closed up, and ticked it off her clipboard? Or, oops! Out of shampoo—she’ll just fetch it in a moment…

Mercure hotel management did not seem overly concerned by the security lapse. In compensation, my sisters were offered “a small dessert” at the lobby restaurant. The attitude, apparently, was that if they weren’t claiming a loss of property, well, no harm done!

I usually forsake maid service, leaving the “do not disturb” sign on the door. If you like your room tidied up (and even if you don’t), this is yet another argument for locking up your valuables, either in the safe or in your largest luggage.

From the inside, you can see the bolt was thrown.


Hotel room theft

It happens. For the most part, it’s rare. At the risk of tempting fate, I’ll admit that we’ve never been victims of hotel theft, though we practically live in hotels (200-250 nights per year for the past 20 years).

Of course we take some precautions and listen to our own advice, particularly based on our version of the hotel room security check. But travel makes us weary and sometimes we become lax. Laziness is part of reality.

Though I believe in locking valuables into the room safe or alternatively, into my largest hard-sided suitcase, there’s always the security-versus-convenience trade-off to be considered, not to mention the gut-instinct and informed-decision. In other words, a lot of variables. I might start out vigilant, then slack off. In my book, I said:

Electronic access points on the underside of a keycard lock.

I also consider the relaxation factor. If you stay in a hotel for several days, a week, perhaps more, you get comfortable. Maybe you get to know the staff. Maybe you let down your guard. If I were a hotel employee bent on stealing from a guest, I’d wait until the guest’s last day in hopes she might not miss the item. Then she’d leave. Are thieves that analytical? I don’t know. But I like to make a policy and stick with it.

Logical, but idealistic. I can’t say that I always follow my own rules. I get complacent. I get tired of the drill. Constant travel is draining.

Anyway, hotel employees are not the only potential room thieves. There are the door pushers and the loot-‘n-scooters who social-engineer their ways past housekeeping—both outsiders.

Electronic keycard lock on a hotel room door.

A looming threat is door-hacking. For a few bucks, anyone can build a small electronic gizmo that will open keycard locks made by Onity, which are currently installed on millions of hotel room doors around the world. The electronic lock-pick, revealed in July 2012 by hacker Matthew Jakubowski, opens our belongings to yet another potential risk. Perhaps our safety, too.

Fixing or replacing door lock hardware will be expensive, so some hotels have resorted to simply plugging the tiny access port—with a removable plug. Hotel security chiefs tell me that most hotels will do nothing until they get a rash of theft reports. Now, the thefts have begun.

Have I changed my hotel room behavior? Nope.

© Copyright 2008-2013 Bambi Vincent. All rights reserved.

Hotel guests: read all about ’em

Hotel registry on display

So much personal information on display at quaint, old-fashioned hotels like the one we recently stayed at in Bali. Which rooms are occupied? What are the names of the guests in each room? When did they arrive? When will they check out? Who are they traveling with? Have they paid yet?

A modern hotel wouldn’t give out any of this information. A modern hotel won’t even speak your room number out loud. A modern hotel won’t give a caller a guest’s room number. A modern hotel certainly wouldn’t advertise which rooms are occupied by single women! (Rooms 69, 72, 74, 209, 217 for starters.)

Hotel key inventory

You’re only given one key per room at this hotel, and the key is on a wooden fob the size of a doorknob, meant to inspire you to leave the key at the front desk when you go out. Not wishing to advertise our comings and goings, I detach the key, leave the wooden chunk in the room, put the Do Not Disturb sign on the door, and keep the key with me.

Hotel lobby safes

I’m not sure if the safety deposit box numbers correspond to the room numbers, but I think they do. If so, it’s easy to see who hasn’t bothered to use one.

The hotel is charming, despite and partly because of its old-fashionedness, and despite being called Swastika. (I refuse to allow the Nazis to own this ancient Sanskrit word for the symbol of well-being.)


Framed and accused of theft

In what could be called a social experiment, it is proven that a man in a police-like uniform has great power and ordinary citizens are easily bamboozled into idiotic obedience. When the intent is robbery, pseudo-cops usually rely on flashing a fake badge; compliant victims then hand over their wallets.

In the following cases, “pseudo-cops” detain and accuse innocent passersby of theft. Watch the accused squirm under interrogation and threats; remarkably, they never question the legitimacy of the uniformed authority.

Bob Arno, preeminent pickpocket, was asked to help make a commercial for Toshiba and Intel. The idea was to slip the company’s new laptop into the bags of unsuspecting people as they strolled through Culver City, California. The laptop, called “UltraBook,” is so thin and light, the company believed that no one would even notice.

Preposterous! It turned out to be a challenging assignment.

Ben Seidman and Bob Arno

Bob roped in the talented and adorable magician Ben Seidman and together, the two deceivers rehearsed the teamwork and choreography necessary to “put-pocket” the computer.

Now, a computer, no matter how light, is a noticeable weight factor when added to a tote someone is carrying. And it is of a size that is difficult to slip in, between straps, handles, zippers, and buckles. It took some doing to distract the victim and mask the PLUNK! of the extra weight dropping in.

In practice, the two sneaks were more than successful. After brief, seemingly innocent encounters, more than a dozen unsuspecting victims wandered the streets unknowingly toting a Toshiba UltraBook.

Our security guard accuses a victim. The cleaning cart holds a mobile hidden camera, one of many on the set.

Each victim was then questioned by a “security guard” about a laptop which had supposedly been reported stolen. After a polite request to search the victim’s bag, the shocking discovery of the “stolen” laptop, and the victim’s protestations of innocence, the pseudo-cop became rude, belligerent, and provocative.

“For a criminal, you’ve got excellent taste,” the security guard said while admiring the laptop.

“You’re going to jail, missy!” the bad cop threatened one poor victim.

“Your fingerprints are all over it,” the guard told another victim after making him feel the weight of the laptop.

“But you told me to hold it!” the vic protested.

“We have no record of that,” the guard said.

To victim Claudia the guard says “You have great taste in stealing products.”

“Thank you,” Claudia replies, stunned almost speechless.

“What else do you have that’s stolen?” the guard demands.

Ryan denies the theft of a Toshiba Ultrabook

One victim broke down and cried. Another ran away. One accused the guard of racial profiling. But most stood in compliant disbelief.

The video series is a fantastic study of human behavior. It’s amazing to see how obedient people are when ordered around by an actor in a bad uniform. They’re blinded by authority. Most victims obeyed even his most ridiculous commands.

Watch Claudia’s frightened confusion:

Check out Ryan’s reaction:
http://www.youtube.com/watch?v=2l5-ul-Z0kA

See Tiffany’s disbelief:
http://www.youtube.com/watch?v=EV_nCLykZ_w

Here’s a montage of many victims:
http://www.youtube.com/watch?v=yoGYjtCo350

And meet the pickpockets who did the job:
http://www.youtube.com/watch?v=D49VH2Fav_4

The video ads were directed by Michael Addis and Jamie Kennedy. Though the experience was briefly brutal and sometimes frightening to the victims, comic relief was brought into each scene at the last minute, and some of the victims were rewarded with the gift of a laptop.

In the real world, thieves take advantage of our engrained respect for authority when they play pseudo-cop. With nothing more than a fake badge and a flimsy story, they make demands similar to our actor’s: open your bag, let me look inside, give me your wallet, give me your money… etc. We tend not to question them; we are obedient. And only later do we realize our gullibility. The thieves exploit our respect for authority and take advantage of our trust—that’s the CONfidence-building that gives the con artist his title.

© Copyright 2008-2012 Bambi Vincent. All rights reserved.

Travel. Glamorous?

Didgeridoo player in Sydney

Contrast Mamak with our New Year’s day dinner at Appetito, also in Sydney. Recommended by two people, nearby—and most important: open—it seemed a reasonable choice, if not exciting.

The sourpuss staff seated us promptly, took our drink orders, and quickly brought our glasses of wine. From there on it was all downhill. Granted, we were tired, having slept only after the people in the room next to ours checked out—or were arrested—sometime after daylight broke.

Noisy parties might be expected on New Year’s eve, even in an airport hotel. But that’s not what went on at the Sydney Ibis. Its paper walls projected every groan, cry, and vulgarity uttered by our neighbors, and of course their fighting, shouting, wall-punching, and door-slamming. All night.

SLAM! “Get your ass back here, you fucking junkie!” Sob. Whack. SLAM!

The couple moved to the parking lot outside our windows, where they joined others for rollicking beer festivities laced with anger. We later learned the others were traveling companions staying in rooms on other floors.

There were sirens. Police. Ambulance. The woman “was hurting herself.”

Here’s the problem. The Sydney Ibis Airport hotel has no onsite security. It contracts with an outside company, but pays for each “house call.” The hotel’s night manager, who received nighttime complaints from many others in addition to us, was loath to spring for an officer call and confronted the rowdy couple directly, and only much later called police.

So we may have been a bit cranky as we waited 40 minutes for our New Year’s day dinner. It was an appetizer of seafood frito misto and two pizzas—all quick items to prepare. They weren’t bad. Nothing special, either. Certainly not worth the $102 bill. The place left a bad aftertaste. There must have been many, many better choices.

Research is vital. So is a decent night’s sleep.

Travel: not always what it’s cracked up to be.


Airport security belt steals

Airport security conveyor, Arlanda airport, Stockholm

There goes our iPad. Swallowed by the security conveyor belt, immediately under the prominent sign that says “The tray stays until it is emptied.” After many uses, I came to trust that sign.

I didn’t at first. I’d grab and hold the tray before it got to the dangerous end-of-the-line, and fight the force of its mechanized trajectory. Because I knew: at the end of the belt, the tray drops swiftly to a lower level and is carried back to the security officers and then on to the line’s starting point, where passengers take an empty tray.

At some point I noticed all the stuff mounted above the end of the conveyor belt. There’s a video camera, a mirror, and some sort of sensors. I tested the tray-trap—warily, I left a jacket inside. The tray waited at the end of the line until I removed the jacket. Huh.

Airport security contraption

I became complacent. Next time, I didn’t pick up my jacket from the blue-bottomed tray until I had my computer re-stashed. I let my belt lie while I grabbed my mini-toothpaste.

And when Bob’s iPad sailed through with its light gray cover, I kept an eye on it but didn’t fetch it.

Bob takes a long time to get through security. He travels with his MacBook Pro, MacBook Air, iPad, video camera, and six or seven hard drives. (Gotta be productive on the road…) We have a strategy: I whiz through and pack up my stuff in 45 seconds or so, then keep an eye on his stuff while he’s spreading out equipment in multiple trays and taking off his belt.

Luckily, I saw the machinery swallow his iPad. If I hadn’t noticed, it could have been forgotten in the confusion (and rush).

“Stop, thief!” Or no. I said something else. “Our iPad’s been eaten!”

“Would have made a nice little present for the security officers,” Bob said.

We could easily have walked away from it. I wonder how many people do? This security check point is at Stockholm’s Arlanda Airport. London Heathrow has the same setup. I’ve seen it in other airports, too, but I can’t remember where. Copenhagen? Munich?

© Copyright 2008-2011 Bambi Vincent. All rights reserved.

Database data loss

Vault door; Database data loss

People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”

So let’s put these questions to rest. Then we can move on to the real risk.

First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.

No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.

Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.

The real risk of identity theft and credit card fraud

It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, credit unions we use, and even government organizations. All of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.


If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.

We used to be concerned that manila folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.

Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.

The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.

“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.

Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies. In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.

Read this for the state of cybersecurity:

A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …

InformationWeek (04/06/11)

To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.) and by industry sector (business, government, educational institution, etc.). You can see if the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:

    http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded

    http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning

    http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused

    http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers

And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?

Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.

More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.

I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:

1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.

2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.

© Copyright 2008-2013 Bambi Vincent. All rights reserved.