Don’t Take My Credit Card, Please

Chained up credit card

Given the high number of data breaches in which a merchant loses voluminous quantities of customers’ credit card numbers, what should you do?

  • Don’t buy anything?
  • Worry all the time?
  • Get help from technology?

Virtual credit card numbers are available from Citi and Bank of America.  They are:

  1. Tied to your normal credit card account, but using a different number.
  2. Usable only by the first merchant that charges to it.
  3. Good only for a period of time that you choose.
  4. Good only for an amount of money that you choose.

This capability is tremendously useful for shopping on the Internet.  If virtual credit card numbers are sitting in a database and get stolen–I don’t care.  If I sign up for a short-term service and forget to cancel–the card automatically expires.  If I have to give a credit card which “will not be charged to”–I can limit it to $1.  If I’m only “pretty sure” of an Internet store–my real credit card number is not at risk.

The case against virtual credit card numbers is amazingly whiny and off base:

  1. Verifying transactions is such a bother:  How, exactly, would anything be different from your normal verification of monthly charges?
  2. Returns are so, like, hard:  Uh, no, you just return them normally.
  3. Charges can go through after the number expires:  The one surprising kernel of useful information is that an unscrupulous merchant could still charge the number.  When you catch it on your statement you immediately win the dispute–no charge.
  4. Only work online:  So, it “only” protects me when my information is most vulnerable?
  5. No additional liability:  Huh?  Why would I need more than the $50 liability if I don’t report the card stolen and $0 if I do report it stolen before it’s used?
  6. Not always convenient:  Neither is my car–get rid of it.  Neither is my bike–get rid of it.  Neither is unlocking my front door–get rid of it.
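The four properties above (tied to a parent account, locked to the first merchant, time-limited, amount-limited) compose into a small authorization check.  The model below is an added illustration, not code from the banks named above or from this post; the card number, account name, merchants and dates are constructed sample values, and the rule that a charge after expiry is declined is an assumption of the model (the post notes that in practice a merchant may still push one through, which you then dispute).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass
class VirtualCard:
    """Assumed model of a virtual card number: one parent account, a spending
    cap, an expiry date, and a lock to the first merchant that charges it."""
    number: str                      # constructed sample value, not a real card
    parent_account: str              # the real account the charges settle to
    limit: Decimal                   # total amount the number may ever be charged
    expires: date                    # last day on which a charge is accepted
    locked_merchant: Optional[str] = None
    spent: Decimal = Decimal("0")
    history: List[Tuple[date, str, Decimal, str]] = field(default_factory=list)

    def authorize(self, merchant: str, amount: Decimal, on: date) -> Tuple[bool, str]:
        """Apply the four rules in order and record the outcome."""
        if on > self.expires:
            verdict = (False, "expired")
        elif self.locked_merchant not in (None, merchant):
            verdict = (False, "locked to another merchant")
        elif self.spent + amount > self.limit:
            verdict = (False, "over limit")
        else:
            if self.locked_merchant is None:
                self.locked_merchant = merchant   # first charge locks the number
            self.spent += amount
            verdict = (True, "approved")
        self.history.append((on, merchant, amount, verdict[1]))
        return verdict


def demo() -> List[str]:
    """Walk a constructed $50, 30-day number through typical events and
    return the verdict reasons in order."""
    issued = date(2016, 3, 1)
    card = VirtualCard("4111-VIRTUAL-0001", "acct-main",
                       Decimal("50.00"), issued + timedelta(days=30))
    events = [
        (issued, "store-a", Decimal("40.00")),                     # first charge, locks to store-a
        (issued, "store-b", Decimal("5.00")),                      # stolen number reused elsewhere
        (issued + timedelta(days=3), "store-a", Decimal("15.00")), # exceeds the remaining $10
        (issued + timedelta(days=3), "store-a", Decimal("5.00")),  # within the cap
        (issued + timedelta(days=45), "store-a", Decimal("1.00")), # forgotten subscription
    ]
    return [card.authorize(m, amt, when)[1] for when, m, amt in events]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The order of the checks matters: expiry and the merchant lock are evaluated before the amount, so a leaked number is useless to a second merchant regardless of how small the charge is.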

Who’s Got the Password?

Bad password on a little yellow sticky

What password guidelines are you given?

  1. 87 characters long
  2. No words, only gobbledygook
  3. Upper & lower case, numbers, symbols
  4. Change it every 27 minutes
  5. Don’t use symbols
  6. Use a different password everywhere
  7. Don’t write it down
  8. and…Make it easy to remember!

Let’s look at each of these recommendations:

  1. Length:  Longer is better, if you can remember it.  Passwords of 12 or more characters make it harder to pre-crack your password.
  2. Dictionary Words:  To remember your password you’ll either have to use dictionary words (more than one so it’s not trivially easy to break), a personal algorithm (easy to remember but hard to guess), or a password manager (you can have hideously complex passwords, but not need to remember them).
  3. Upper/Lower/Numbers/Symbols:  Many sites will force you to use 3 or more categories so that you can’t be easily defeated by brute-force guessing.
  4. Changing it:  This is a huge pain, but not much gain.  Frequent changes probably tempt you into using little yellow stickies.
  5. Don’t Use Symbols:  Strange as it sounds, some financial institutions limit good passwords, often so that you can use a phone keypad to enter your password.
  6. Use a different one everywhere:  Horrifying as this sounds, there are good reasons to have different passwords.  Many websites store your passwords unencrypted, and if they get hacked, you don’t want your one password to become public.  A personal algorithm (see above) allows you to have different passwords AND remember them.
  7. Don’t Write it Down:  What if you have 200 passwords?  If you feel you must write them down, use password reminders, not the actual password.  A password manager is a way to have your cake and eat it too.
  8. Make it easy to remember:  This sounds cruel after all the other requirements thrown at you.  Once again, pass phrases and personal algorithms help a lot, and password managers mean you don’t have to remember all of them.

Common Sense Tips:

  • Never use cutesy passwords such as “password”, “123456”, “letmein”, a birthday, or “porsche”.  Those are in the most common 500 passwords and are trivial to break.
  • Put a password on your laptop.  If it gets stolen you don’t want the thief to own your information.  Admittedly, a tech savvy thief could steal some information anyway, but defending against 95% of thieves is still not bad.
  • Have your screen saver lock automatically so the password does you some good.
  • There is no perfect defense, but a little bit of work makes you much safer.
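The guidelines above reduce to a few mechanical checks, and the “personal algorithm” idea can be made concrete as a keyed derivation.  The code below is an added example, not part of the post: the checker applies the length, category and common-password rules discussed above (the blocklist is a constructed excerpt, not the real top-500 list), and `derive_site_password` is one assumed way to turn a single memorable passphrase into a different password per site, using an HMAC so that a leaked site password does not reveal the passphrase.

```python
import base64
import hashlib
import hmac
from typing import List

# Constructed excerpt standing in for the common-password list; a real
# deployment would load the full list.
COMMON_PASSWORDS = {"password", "123456", "letmein", "porsche", "qwerty"}


def password_problems(pw: str, min_len: int = 12, min_categories: int = 3) -> List[str]:
    """Return every guideline the candidate password fails (empty list = passes)."""
    problems: List[str] = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    categories = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # anything else counts as a symbol
    ])
    if categories < min_categories:
        problems.append(f"uses {categories} character categories, need {min_categories}")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if pw.isdigit():
        problems.append("all digits (looks like a date or PIN)")
    return problems


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Assumed 'personal algorithm': HMAC-SHA256 of the site name keyed by the
    master passphrase, base64url-encoded and truncated.  Same inputs always
    give the same output; different sites give unrelated outputs."""
    digest = hmac.new(master.encode("utf-8"),
                      site.strip().lower().encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    for candidate in ["password", "12061975", "Tr0ub4dor&3-Correct"]:
        print(candidate, "->", password_problems(candidate) or "ok")
    master = "correct horse battery staple"      # constructed passphrase
    for site in ["bank.example", "shop.example"]:
        print(site, derive_site_password(master, site))
```

The derivation only helps as long as the master passphrase stays secret and passes the checker itself; a password manager gives the same per-site independence without the user having to run any algorithm.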

Candidates and Computer Security

Padlocked CD

So, what do the leading presidential candidates have to offer?  How do they balance individual freedom and national security?  Do they grasp the technological concepts?  What is their reasoning process?

All good questions, but you may not like the answers.

  • Donald Trump – Mr. Trump argues that we have fallen down on the job with computer security.  That appears to be true, particularly for Trump Hotels.
  • Hillary Clinton – Mrs. Clinton speaks reasonably on the topic, but fails spectacularly in practice, despite having experienced problems with email security and records requirements in the Clinton White House.  The defense offered is that it was stupid but legal, and that the problem emails weren’t marked as classified.  (What a novel approach–the violation is the defense!)
  • Bernie Sanders – Like every candidate he wants to find “a balance”.  Without an explanation of what he’s balancing, and how he would seek balance, who knows?
  • Ted Cruz – Emphasizes national security but seems a bit confused on the technology.
  • Marco Rubio – Emphasizes national security & seems to understand the technology.

Technology can’t stop gullibility

Lock and chains

The good news is that we have good tools to protect our data.  The bad news?  That’s not our biggest problem.

Although many large corporations and the government inexplicably fail to spend a few hundred thousand to prevent losing millions in sales/fraud/bad publicity, the biggest hole in our defenses is very strange:  we freely give access to the bad guys.

We very readily give access to the wrong people if they ask nicely or cleverly.  So much of our culture depends on trust, but we have to be smart, too:

All the security in the world won’t help if you unlock the door for the burglar when he asks.

The Internet of Things:  Will it Kill Us?

Train engine smashed through building

New tech is great, but sometimes it doesn’t get pointed in the right direction.  What about the Internet of Things?  Is this an exciting advance, a dangerous pit, or the same old stuff repackaged?

The creativity unleashed by the ability to network devices never before networked is exhilarating.  Should we do this?  Yes!  Unfortunately, the current state of security for these devices tends to be poor.

The point is not that we should run for cover, switching back to mimeographs, Franklin stoves, buggies, and home smelting.  Given that smart cars, smart roads, and smart medical devices could save lives, we need to move forward.  We do need legislators to set basic requirements for security and updates.  Right now, it’s mostly funny stories, but we’re going to have to start caring soon.  In about 5 years we’ll have gone from today’s 2% of Internet-enabled devices to 75 billion connected devices.

Scratch Off the Lottery

While gambling is a poor deal (see Powerball:  Threat or Menace?), what if the lottery is somehow even worse than even the millions-to-one odds that are advertised?

  • In 2003 a geological statistician cracked a lottery ticket code and reported that to the lottery, but then kept finding new ways to break other lottery games.  It appears organized crime skims off winning tickets for profit and money laundering, leaving mostly the loser tickets and small winners for the public.  Anomalies in prize redemption make this seem likely.
  • There is always the direct approach–hacking the lottery computers, though fortunately the perpetrator was caught.  The insider threat is hard to stop.
  • All-in-all, there is a long history of hacked games of chance, and given the rewards available, it seems extremely unlikely that the hacking will stop.
