Apr 30 13

Is college the cure for Facebook safety concerns?

by Neal O'Farrell

“All that is necessary for evil to triumph is for good men to do nothing.” Wise words that have served over the centuries and could still be invoked today in our attempts to figure out why so many parents still seem to be so apathetic when it comes to the safety of their own kids.

One question that I’ve probably been asked over the years by worried parents more than any other, is “How do I protect my kids on (or from) Facebook?” And top of the list of my recommendations to these parents has always been that they should start by creating their own Facebook page.

It’s simple advice and an easy fix. By going through the process of creating their own Facebook page, parents will get a much better understanding of how Facebook works, how their kids can be exposed, and how to use Facebook’s own security and safety options to limit the risks to their kids. And if they persuade, or force, their kids to be their friend, even better. At the very least it should help dilute some of the guilt parents feel when they allow their kids to roam Facebook world un-chaperoned.

So how many of these parents over the years have taken to heart at least that one piece of advice? As far as I’m aware, none. Case in point – I recently spoke to one friend I had given this advice to more than four years ago. She has a son and a daughter – the son had just created his own Facebook page and her daughter, although just twelve at the time, was pestering Mom to be allowed “to Facebook.”

When I asked her recently if she ever got around to creating her own Facebook page, she said she hadn’t. She was just too busy. And besides, her son was off to college now, was much more mature, and so the danger had passed. And he said he didn’t use Facebook much anymore because most of his friends were too busy to check in. If his friends were no longer on Facebook, there was no need for him to be there.

I guess that’s one way to deal with danger. Stand your ground, even plant your head firmly in it, cross your fingers, and hope the danger will pass you without noticing you. Like the Wildebeest in the center of the herd.

It reminded me of a similar experience more than a decade ago, when I led an innovative program called Think Security First, a unique experiment by an entire city to make cybersecurity awareness a top priority for the city for an entire year.

Identity theft, online predators, and child safety were major media headlines at the time, so we organized a town-hall meeting at a local school to introduce parents to a team of experts we had assembled to help teach parents and kids about these risks.

The event was heavily promoted and backed by the city council, Chamber of Commerce, school district and many others. It was promoted to dozens of local schools that in turn invited more than 10,000 parents. We picked a location, date, and time that local school principals advised us would make it easiest for the most parents to attend.

We also picked a school that was central to everyone, had plenty of free parking, and had a fantastic auditorium that could seat 400. We hoped that four hundred seats would be enough, especially because the FBI had sent one of their top experts from the Innocent Images task force who had some startling and eye-opening research to share with parents.

We also had the support of the Mayor and the Police Chief, who were there to remind parents just how seriously the city viewed the issue of child safety, and how it was up to all of us to work together to protect each other.

In total, about twenty people showed up. Out of nearly 10,000 invited. And at least half of those were our own volunteers and supporters.

It’s just a reminder that the biggest ally for cybercriminals is the apathy and indifference of their targets, and that cybercrime and identity theft continue to surge because so many consumers won’t get involved in their own protection. Even if it’s very simple and uncomplicated. And it’s also a reminder that things will probably never change – they certainly haven’t in the last ten years.

Or maybe parents were right and experts like me were over-thinking the dangers. After so many years on Facebook, many kids just outgrew it. There’s growing evidence that kids are abandoning Facebook in their millions so at the very least that reduces the number of potential victims, right? And maybe the best way to dodge the dangers is to simply hide in the middle of the herd and hope that by blending in, you won’t be singled out.

Maybe after thirty years in security I should think about changing my focus. Instead of researching the cure for insecurity, I should pursue the cure for apathy. Even if I know there probably isn’t one. The triumph of evil quote was originally pinned on Plato, more than 2,000 years ago. So I guess human nature is constant enough to be its own worst enemy.

Apr 18 13

Hackers continue their assault on America’s small businesses

by Neal O'Farrell

The recently published 2012 Internet Security Threat Report from Symantec offers a deep and sometimes chilling insight into the world of cybercrime, the crooks, and the victims.

The report is pretty comprehensive but one of the first snippets to jump out at me was Symantec’s discovery that the largest growth area for targeted attacks in 2012 was the small business. Businesses with fewer than 250 employees accounted for nearly a third of all attacks detected by Symantec. And that was double the previous year.

Yet another clear sign that the small business is clearly a hot target for hackers. According to Symantec, “small businesses believe they are immune to attacks targeted at them. However, money stolen from a small business is as easy to spend as money stolen from a large business. And while small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property, and keep money in the bank.”

Small business owners have argued for years that they can simply hide in the crowd because there are simply so many of them (27 million in the U.S. alone), and hackers will never find them. They forget, though, that hackers are using sophisticated automated tools to prod and probe millions of small businesses, and jump on the many they find vulnerable.

Those vulnerabilities can lead to data and identity theft, the distribution of malware and ransomware, the launch of crippling Denial of Service attacks, and even the blacklisting of the business web site by search engines.

Symantec also made another argument that could point to the selfishness of some business owners when it comes to security. And that even if you won’t do it for yourself, do it for others. “The lack of adequate security practices by small businesses threatens all of us,” says Symantec. “Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small business that has a business relationship with the attacker’s ultimate target, using the smaller company to leap frog into the larger one.”

In the coming weeks I’ll be highlighting even more research that reveals the stunning number of small business web sites that are identified with major security vulnerabilities each month, and evidence that hackers are actively hijacking these sites.

Apr 3 13

Victimized for life by a Walgreens data breach

by Neal O'Farrell

Yesterday I received a call from a victim of identity theft who had been informed through one of those now-common data breach notification letters that thieves had obtained her personal information and she could be a victim of identity theft.

The letter came from a Southern California healthcare company called Crescent Healthcare, owned by pharmacy giant Walgreens. According to the letter, the stolen information could include her Social Security Number, along with her name and address, phone numbers, and her date of birth. And as if that wasn’t enough to worry about, the thieves may have also stolen her medical records and health insurance information.

Although she was now panicked at the thought of how much damage this information could do to her credit and her life, she got little comfort from the letter. No further information, no web site to answer questions, no hotline number for victims, and no offer of any identity protection or credit monitoring.

She was, however, given the phone number of one of the credit bureaus who would gladly freeze her credit for a fee of $10 – for each credit bureau. That’s hardly a robust response to a data breach, given that any consumer in the country can freeze their credit reports for a fee.

According to the victim, the credit bureau did offer to waive the fee if she could produce a police report to verify she was indeed a victim – again, a right every consumer has. The problem with that request is two-fold; as she doesn’t yet know if she’s a victim of identity theft and not just a data breach, her police department refuses to take a report. As far as they’re concerned, she has yet to be the victim of a crime.

Even if she could get a police report, it would probably take a couple of weeks. Then she’d have to mail the report, along with a bunch of other information, to each credit bureau to request the free freeze. By the time the freeze is in place, weeks or even months could have elapsed, giving thieves plenty of time to wreak havoc on her identity and her life.

I tried to learn more about the breach from Crescent, but not surprisingly, they were trying hard to pretend like it never happened. There was no mention of the breach anywhere on their web site, no information for victims, no-one to contact for more information.

When I checked the Walgreens site, I got the same result. Nothing. Complete radio silence. But I wasn’t surprised. There are plenty of CEOs out there who are completely, and probably genetically, unable to do the right thing. They hope that by shifting very quickly into denial mode and ducking behind their executive desks, they can escape the wrath of a data breach.

And they’re probably right. Victims can do little to hold these indifferent executives responsible. And with an average of one new reported data breach every single day in the U.S., there’s little the media can do to publicly shame these companies.

What these heartless executives don’t realize is the enormous long-term emotional impact that data breaches can have on victims, even if the carelessness of the breached business never actually leads to identity theft. Victims of identity theft liken it to severe stalking. You know that someone out there has enough information on you to make life very difficult, but you just don’t know when the manure is going to hit the air conditioning system.

At the end of our conversation the victim asked me directly “If they have all this information, including my Social Security Number, will I have to look over my shoulder for the rest of my life?” I had no good answer for her.

Shame on Walgreens for victimizing their customers, twice in a row. I hear there are rumblings of a class action lawsuit but I doubt this will be of much consolation to the victims, as these lawsuits rarely fix the long term fallout.

Apr 2 13

A Ghost of an Identity

by Neal O'Farrell

Ever wondered if you have a ghost identity? Not necessarily a doppelganger or a fetch (you’d have to be Irish to get that) but a real person living secretly and mysteriously under your identity? It’s more common than you might think, and it’s often because of something in your credit report called a sub-file.

Take the case of Marco (not his real name). He’s an artist, in his late sixties, living a very peaceful life in Northern Arizona. Peaceful, that is, until he gets yet another alert from his identity monitoring service that someone else is using his Social Security number.

Thinking immediately that he had become yet another victim of identity theft, he went straight to his credit reports to see how bad the damage was. But there was no damage. The problem for Marco is that there’s no sign of any fraud or identity theft in his credit report, no fraudulent accounts opened, no damage to his credit score, and no debt collectors looking for money from him.

Marco is the victim of a sub-file, an almost secretive additional credit file that the credit bureaus keep on millions of consumers. Credit bureaus are really like intelligence agencies, and some boast that they have more personal information gathered on U.S. citizens than all the U.S. national intelligence agencies combined.

The bureaus are hounds for information, and any time a Social Security number is used in the wild, it usually ends up in the files of the bureaus. Even if it’s the wrong name associated with the SSN, even if no credit is applied for, and even if no fraud has been committed.

That information can simply come from a mistake, an incorrect filing, a typo, or some other innocent event. But as soon as the bureaus come across the information, and can’t figure it out, it usually ends up in a consumer’s sub-file where it lives forever.

And that’s why Marco continues to get these alerts. Some other person or persons are associated with his Social Security number, which keeps triggering the alerts. The bureaus won’t do anything about it because they either don’t know or don’t care who the real owner of the Social Security number is.

As the bureaus are very quick to point out, they don’t grant credit and can’t be blamed for people who give credit to the wrong identity. Bureaus simply gather personal information, package it, and sell it. Even if there’s a ghost or two in the machine.

As a story on NBC reported, often the ghost identity is the result of identity theft. Illegal workers might purchase or even invent a Social Security Number in order to get a job, and if the new employer doesn’t verify the person’s identity, that new hybrid identity is now in the system. But it’s not in the credit report of the person that Social Security Number really belongs to, because his or her name doesn’t match.

And in the NBC story, that same SSN can then be shared among and between other illegal workers so that eventually dozens of people are all working under the victim’s Social Security number. Yet there is no trace of it in credit reports, Social Security earnings, or anywhere else. Except, that is, in a sub-file somewhere in the deep dark basement of a credit bureau.

Jul 18 12

Capital One faces massive fine for duping its customers into paying for worthless credit monitoring

by Neal O'Farrell

In another blow to the dishonest peddling of questionable credit monitoring and identity protection services, today the Consumer Financial Protection Bureau (CFPB) announced a massive fine of $210 million against Capital One, for allegedly tricking consumers into paying for things like credit monitoring services without their consent.

$150 million will go to reimburse an estimated 2 million consumers who were affected by this scam, with the remaining going into a Civil Penalty Fund to help future victims.

It looks like the CFPB is not done either, and may have many other financial services companies in its sights, companies that engaged in practices to trick customers into subscribing for worthless services.

In an interview with Reuters, Ed Mierzwinski, consumer program director of advocacy group U.S. PIRG, said “Consumers should know that credit protection and monitoring are the worst add-on products you can buy.” According to Reuters, Travis Plunkett, legislative director of the Consumer Federation of America, is no kinder, referring to these services as “junk products.”

Capital One seemed to be blaming its vendors and identity protection partners. According to an investigation by the Wall Street Journal, the settlement ordered that 500,000 customers who were signed up for identity protection through Affinion, makers of the PrivacyGuard monitoring service, and Intersections, makers of the IdentityGuard product, also be reimbursed.

It never ceases to amaze me that an industry that is supposed to be based on absolute trust – inviting consumers to trust their identities to these vendors – deliberately and without apology breaches that trust as part of its business model.