Brian Krebs, journalist and author of Spam Nation, had an interesting Christmas Eve. First, he realized that his PayPal account had been hacked. Because of that, he had to make multiple calls to their customer support line. At some point in between, he realized the hacker was trying to send money to ISIS. Up to you to decide which of those three is worst.
You might be wondering how the hacker got into Krebs’ PayPal account. Did they crack his password? Did they get into his email account and reset his password that way? Nope – they just called the same customer support line that Krebs eventually called. The PayPal representative reset Krebs’ password when the hacker supplied just two pieces of information: the last four digits of Krebs’ Social Security number and the last four digits of an old credit card. Neither of those is a secret in any meaningful sense; both are static values that never change and that sit in countless databases.
Krebs was most likely targeted because he writes about information security and cybercrime (this isn’t the first time criminals have gone after him), but these kinds of attacks can (and do) happen to anyone. They don’t even take a lot of effort. Would-be hackers can buy big batches of static identifiers – information like your name, address, Social Security number, credit card number, phone number – on underground marketplaces. From there, all they have to do is call up a company like PayPal that relies on that same static information to authenticate your identity. The data was never designed to be a password, yet it is being used as one.
The security issues here stem from two sources: data breaches and slack authentication practices. The former is a really big problem, to put it lightly. In 2015, there were 781 data breaches in the United States alone. In total, over 169 million records containing static information were exposed to thieves. Considering the U.S. population is only about 320 million (and even allowing that one person can turn up in several breaches), that number is staggering.
Now, imagine you’re one of the many companies – PayPal, sure, but also most utility companies and banks – that use static information, delivered over the phone, to authenticate a user’s identity. Could you seriously and in good conscience look at the statistic above and then tell me that your security practices are actually secure?
Probably not, right? And yet many companies, banking and financial companies especially, pretend as though their security practices are totally fine. Even tech startups, which you might assume take cybercrime more seriously than stodgy old banks, struggle with security. Take Venmo, for example. They’ve been criticized since 2011 for their lax security practices. It wasn’t until a Slate article last year that they patched "basic security holes that you could drive a truck through." To this day, they still don’t have a dedicated customer support phone line. (By the way, Venmo was purchased by Braintree in 2012. In 2013, Braintree was purchased by PayPal.)
Consumers are mostly apathetic to data breaches – over 60% don’t do anything when they find out their information has been leaked, and over 50% use the same password for every single website they visit. But while it’s easy to pass the buck to consumers – "When will they learn?" – that ignores the fact that a weak authentication process hurts users no matter how careful they are with their own security habits. Take Brian Krebs – he’s literally an expert on information security and he still got hacked, not because of anything he did, but because PayPal trusted some random bozo on the phone!
And while I’ve focused on financial companies like Paypal and Venmo in this article, every company or organization that holds personal information is at risk of a data breach. Harvard University was hacked last July, as was the Army National Guard. My own data was stolen in the T-Mobile / Experian breach in October. Every company has a duty to protect personal data, and while I don’t expect breaches to stop entirely, we can’t act as though data breaches are normal or "business as usual."
In addition, all companies need to stop accepting easily breached static information over the phone to authenticate users. While two-factor authentication can seem complex, it’s a necessary step that should be mandatory for all user log-ins and for any phone call that changes account settings or moves money. 90% of Americans owned a cell phone as of last January – there’s no reason that most companies and organizations can’t mandate two-factor authentication via a text message for crucial account interactions. One caveat worth stating plainly: a text message is a big improvement over "last four of your SSN," but it is still tied to a phone number that a carrier can reassign after the same kind of convincing phone call, so codes generated by an authenticator app or a hardware token are the stronger choice where a company can offer them.
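To make the contrast concrete, here is an added example (my own illustration, not code from the original post or from any of the companies named in it) that puts the two authentication patterns side by side: a knowledge-based check on static identifiers, which anyone holding a breached record passes forever, and one-time codes generated from a per-user secret (HOTP/TOTP as specified in RFC 4226 and RFC 6238), plus a short-lived, single-use code for a phone-support flow. The account record, user name and time values are constructed for the example; the in-memory dictionaries stand in for whatever store a real deployment would use.

```python
import hashlib
import hmac
import secrets
import struct
import time

# ---- Weak pattern: knowledge-based authentication on static identifiers ----
# Constructed sample record. These "secrets" are exactly what leaks in breaches.
ACCOUNTS = {
    "alice": {"ssn_last4": "1234", "card_last4": "5678"},
}


def kba_verify(user, ssn_last4, card_last4):
    """Return True if the caller knows two static identifiers.
    Nothing here ever changes, so one breached record = permanent access."""
    rec = ACCOUNTS.get(user)
    if rec is None:
        return False
    return rec["ssn_last4"] == ssn_last4 and rec["card_last4"] == card_last4


# ---- Stronger pattern: one-time codes from a per-user secret (RFC 4226 / 6238) ----
def hotp(secret, counter, digits=6):
    """HMAC-SHA1 based one-time code for a given counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """Time-based variant: the counter is the number of 30-second steps since epoch."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now, step=30, window=1):
    """Accept the current code plus +/- `window` steps of clock skew.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


# ---- Phone-support flow: a texted code that is short-lived and single-use ----
_pending = {}  # user -> (code, expiry); in-memory stand-in for a real store


def issue_support_code(user, now, ttl=300):
    """Generate a random 6-digit code valid for `ttl` seconds.
    In practice it is sent to the enrolled phone, never read back to the caller."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[user] = (code, now + ttl)
    return code


def redeem_support_code(user, code, now):
    """One attempt per issued code: the entry is removed whether or not it matches,
    so guessing costs the attacker a fresh SMS to the real owner each time."""
    entry = _pending.pop(user, None)
    if entry is None:
        return False
    expected, expiry = entry
    if now > expiry:
        return False
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Static data leaked in a breach passes KBA forever; a TOTP code is useless in 90 s.
    print("KBA with breached data:", kba_verify("alice", "1234", "5678"))
    user_secret = secrets.token_bytes(20)  # enrolled once, stored server-side
    now = time.time()
    code = totp(user_secret, now)
    print("TOTP now:", verify_totp(user_secret, code, now))
    print("same code 90 s later:", verify_totp(user_secret, code, now + 90))
```

The RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives code 287082 at six digits) are a convenient way to check that the HOTP/TOTP functions are correct before relying on them; the support-code functions are the piece a call centre would actually need, since the representative only ever sees a yes/no from `redeem_support_code` and never the static identifiers the caller might have bought.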
What can the average consumer do in the meantime? Vote with your dollar. Stop using companies that experience data breaches. Complain on Twitter. Complain through official support channels. Don’t shut up until they do more than issue a paltry apology.
Oh, and make sure you stop using the same password for every site.