Over 80 lawsuits have been filed as a result of a data breach that exposed 100 million records containing personal information about Target customers.
Target says that it plans to dispute any claims from payment card networks that the company wasn’t in compliance with security industry standards.
If Target really was in compliance with current industry security standards, then clearly those standards aren’t good enough.
Protecting data isn’t just a good business practice – it’s a survival strategy.
Target’s fourth-quarter profit for 2013 fell 46% after it disclosed its data breach on December 19.
Although many companies now carry dedicated cyber-attack insurance coverage, those policies don’t cover the loss of trust (and customers and sales) that comes with losing customer data.
And companies also need to be much more concerned about losing their own proprietary data.
Corporate espionage has been called “the greatest transfer of wealth in history” by General Keith Alexander, director of the National Security Agency.
In November of 2013, 14 US intelligence agencies released a report describing an industrial espionage campaign by Chinese spy agencies.
Among many other losses, a single metallurgical company lost technology that had cost it $1 billion and 20 years to develop. Another company lost its biggest customer, accounting for more than two-thirds of its $315 million in revenue – along with 84% of its stock value – after its source code was stolen.
Losing the Battle
Current security protocols are simply ineffective.
Any eight-character password can be cracked in six hours or less, provided it is stored with a fast, unsalted hash such as NTLM or plain SHA-1: a 25-GPU cluster demonstrated in 2012 tried roughly 350 billion NTLM guesses per second, enough to exhaust every eight-character password in under six hours. Slow, salted password hashes (bcrypt, scrypt, or PBKDF2 with a high work factor) push that figure out to years, so how a password is stored matters as much as how it is chosen.
The prevalence of BYOD (bring your own device) in work environments is an IT nightmare.
And human behavior is the weakest link.
Most people pick passwords that are easy to remember – and thus easy to crack. A study of the 10,000 most common passwords revealed that the number-one choice was “password.” The second most popular was “123456.” Many people also use the same usernames and passwords for multiple accounts; once those are cracked, data thieves have “the keys to the kingdom.”
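The following is an added example, not code from the article or from PACid, showing the two points above in working form: a dictionary attack with the best-known entries of a common-password list, and why the same attack that finishes instantly against an unsalted fast hash becomes expensive against a salted slow hash. The “breach dump” and the candidate list are constructed here; the 350-billion-guesses-per-second rate used for the keyspace estimate is the 2012 GPU-cluster figure cited above, and the PBKDF2 iteration count is an assumed work factor.

```python
"""Dictionary attack against leaked password hashes: fast hash vs. slow KDF.

Added example for this article (not PACid code). The 'leaked' hash tables and
the candidate list are constructed here; the 10,000-entry list the article
cites is represented by a few of its best-known entries.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a common-password list, ordered by popularity.
COMMON_PASSWORDS = ["password", "123456", "12345678", "qwerty", "letmein",
                    "abc123", "monkey", "dragon", "111111", "baseball"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow-hash variant


def fast_hash(password: str) -> str:
    """Unsalted SHA-1: the kind of storage a GPU rig attacks at billions of guesses/s."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256: every guess costs PBKDF2_ITERATIONS hash calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS).hex()


def crack_fast(leaked: dict[str, str], candidates: list[str]) -> dict[str, str]:
    """Hash each candidate once, then look up every leaked hash in that table.

    With no salt, one hash computation serves every account in the dump.
    Returns {username: recovered_password}.
    """
    table = {fast_hash(p): p for p in candidates}
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_slow(leaked: dict[str, tuple[bytes, str]],
               candidates: list[str]) -> dict[str, str]:
    """Per-user salts prevent shared work: each (user, candidate) pair is re-derived."""
    found = {}
    for user, (salt, digest) in leaked.items():
        for p in candidates:
            if hmac.compare_digest(slow_hash(p, salt), digest):
                found[user] = p
                break
    return found


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of `length` symbols from an alphabet."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed breach dump: three users, two of them using top-10 passwords.
    plaintexts = [("alice", "password"), ("bob", "123456"),
                  ("carol", "correct horse battery staple")]

    leaked_fast = {user: fast_hash(pw) for user, pw in plaintexts}
    t0 = time.perf_counter()
    print("fast hash:", crack_fast(leaked_fast, COMMON_PASSWORDS),
          f"in {time.perf_counter() - t0:.4f}s")

    leaked_slow = {}
    for user, pw in plaintexts:
        salt = os.urandom(16)
        leaked_slow[user] = (salt, slow_hash(pw, salt))
    t0 = time.perf_counter()
    print("slow hash:", crack_slow(leaked_slow, COMMON_PASSWORDS),
          f"in {time.perf_counter() - t0:.2f}s")

    # 95 printable ASCII symbols, 8 characters, 350e9 NTLM guesses/s (2012 cluster figure).
    hours = seconds_to_exhaust(8, 95, 350e9) / 3600
    print(f"full 8-character keyspace at 350e9 guesses/s: {hours:.1f} hours")
```

Both attacks recover “password” and “123456” and neither recovers the long passphrase, but the slow variant spends hundreds of milliseconds per user on ten candidates, where the fast one spends microseconds; scaled to the full 10,000-entry list and a real dump, that difference is what turns hours into years.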
What Doesn’t Work
Getting people to change their behavior is hard. People are lazy. People have bad memories. People don’t think they’re at risk. Even in the wake of well-publicized data thefts, most people still use weak passwords and rarely (if ever) change them.
Password managers that keep the credential vault in the cloud are only as secure as the service holding the vault and the master password protecting it. To date, only a handful of data breaches affecting such services have been reported, but that may change as data thieves become more sophisticated, and as more users move their sensitive data to the cloud.
RSA SecurID tokens are widely used, especially in large organizations, but their one-time-password technology remains vulnerable to man-in-the-middle and man-in-the-browser attacks: the code is still a secret the user types in, so anyone who can capture it and forward it within its validity window can log in as the user.
In a man-in-the-middle attack the attacker sits between the user and the destination server during the initial verification handshake, posing as the trusted server to the user and as the user to the server, so the supposedly encrypted connection terminates at the attacker rather than at the real endpoint. A man-in-the-browser attack achieves the same position with malware inside the user’s browser, which can read and alter traffic after the user has authenticated.
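The relay described above, as an added example that is not code from the article, PACid or RSA: a simplified time-based OTP (HMAC over a 30-second counter, in the style of RFC 6238), a server that accepts each code once, and a proxy that impersonates the server to the victim and forwards the fresh code to the real server. Nothing in it breaks the OTP; the proxy simply uses the code inside its window. The origin-bound variant at the end is an added contrast showing the property a relay-resistant login needs (a proof tied to the host the client actually connected to); it is not a description of BoSS. The secret, user, hostnames and nonce are constructed.

```python
"""Why a one-time password does not stop a man-in-the-middle (or -browser) attack.

Added example for this article, not PACid or RSA code. The 'network' is three
Python objects; the token secret, user, hostnames and nonce are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
SECRET = b"constructed-token-seed"        # shared token secret (constructed)
USERS = {"alice": ("hunter2", SECRET)}    # user -> (static password, token secret)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """Time-based OTP: HMAC-SHA1 over the current 30-second step, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP_SECONDS), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpServer:
    """Password + OTP login. Each OTP value is accepted once per user (no replay)."""
    def __init__(self, users):
        self.users, self.used, self.sessions = users, set(), {}

    def login(self, user, password, otp, now):
        pw, secret = self.users[user]
        if (password == pw and hmac.compare_digest(otp, totp(secret, now))
                and (user, otp) not in self.used):
            self.used.add((user, otp))
            token = hashlib.sha256(f"{user}:{otp}:{now}".encode()).hexdigest()[:16]
            self.sessions[token] = user
            return token
        return None


class RelayProxy:
    """Phishing site or browser malware sitting between the victim and the real server."""
    def __init__(self, real):
        self.real, self.stolen = real, None

    def login(self, user, password, otp, now):
        # Forward at once: the code is still inside the same 30-second step.
        self.stolen = self.real.login(user, password, otp, now)
        return "decoy-session"  # the victim sees a normal-looking success page


def demo_otp_relay(now: int = 1_700_000_000):
    """Returns (victim_saw_success, attacker_holds_valid_session)."""
    bank = OtpServer(USERS)
    proxy = RelayProxy(bank)
    code = totp(SECRET, now)                      # read off the victim's token
    victim_result = proxy.login("alice", "hunter2", code, now)
    return victim_result is not None, proxy.stolen in bank.sessions


# ---- contrast: bind the proof to the origin the client actually connected to ----

def origin_bound_proof(key: bytes, nonce: bytes, origin_seen: str) -> bytes:
    """Client signs the server's nonce together with the hostname it is talking to."""
    return hmac.new(key, nonce + origin_seen.encode(), hashlib.sha256).digest()


class OriginBoundServer:
    """Verifies the proof against its *own* name, so a proof made for a look-alike host fails."""
    def __init__(self, name, keys):
        self.name, self.keys, self.spent = name, keys, set()

    def login(self, user, nonce, proof):
        expected = origin_bound_proof(self.keys[user], nonce, self.name)
        if nonce not in self.spent and hmac.compare_digest(proof, expected):
            self.spent.add(nonce)   # one proof per nonce: no replay either
            return "session-" + hashlib.sha256(proof).hexdigest()[:8]
        return None


def demo_origin_bound_relay():
    """Relay the same way; returns the attacker's result (None means the relay failed)."""
    bank = OriginBoundServer("bank.example", {"alice": SECRET})
    nonce = b"\x00\x00\x00\x2a"                   # issued by the bank, forwarded by the proxy
    # The victim is on the look-alike host, so that is the origin she signs over.
    proof = origin_bound_proof(SECRET, nonce, "bank-login.example")
    return bank.login("alice", nonce, proof)


if __name__ == "__main__":
    print("OTP relay (victim saw success, attacker logged in):", demo_otp_relay())
    print("origin-bound relay result:", demo_origin_bound_relay())
```

The one-time property and the replay check on the server do not help, because the attacker’s forwarded login is the only real login that ever happens; what defeats the relay in the second half is that the proof is computed over the hostname the client actually spoke to, which the proxy cannot change without invalidating it.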
A flaw of exactly this kind in the SSL/TLS code of Apple’s iOS and OS X (the “goto fail” bug, a duplicated line that skipped verification of the server’s signature in the key exchange, so an attacker in the middle could pose as any server) led to Apple’s security update in February 2014 – fixing a problem that had been present since 2012. One commentator suggested that “Apple’s security protocol breach is nearly as bad as handing your credit card straight to a hacker rather than making them steal the information through the magnetic stripe readers.”
PACid’s Bolt-on Strong Security (BoSS) addresses both the technical and human-factor weaknesses in current security measures.
BoSS generates long (256-bit) user IDs and passwords (Personal Authentication Credentials), which are used only once. In addition, the connection is encrypted, and that encryption changes every few seconds. Guessing a random 256-bit value by brute force is computationally infeasible, provided the implementation and the randomness behind it are sound.
BoSS is also immune to man-in-the-middle and man-in-the-browser attacks.
BoSS lets people be people. Users only have to remember one ID and one password. Biometric access control – such as the fingerprint control available on newer iPhones – can provide a further level of protection.
The New Industry Standard
It’s clear that the old industry security standards aren’t working. Data theft is a huge and growing problem that’s already costing billions and killing companies.
PACid’s vision is a world where BoSS has become the new industry standard – a world where identity fraud and data theft are things of the past.