It's beginning to look a lot like . . . cyber hack season!!!
To the list of Christmas villains (think the Grinch, Scrooge, King Herod, Scut Farkus, Professor Hinkle), let's add the opportunistic, mean-spirited cybercriminals who steal the identities of others. (We'll just put third-party aggregators/resellers of individual marketing information on Santa's "Naughty" list for now.) The season is kicking off impressively with the theft of names, birthdays, addresses, passwords, secret questions, photos, and chat logs of customers and their children from VTech, maker of baby monitors and educational toys.[i] That's a learning moment!
Initially reported as affecting almost 5 million adults, further investigation suggests that the data of 6.4 million children was exposed.[ii] Granted, these young tykes do not have credit cards that can be abused or resold on the dark web. Rather, their personally identifiable information (PII) is a hacker's gift that just keeps giving: from a name, address (especially hometown or birthplace), date of birth, and gender, identities can be researched and crafted for use in tricking credit card companies, government benefit agencies, and so on. Generally speaking, a child's credit history is much cleaner than an adult's, thus convincingly more creditworthy. It can be years before a child learns about credit cards or loans floating under his or her name.[iii]
Why was VTech even gathering this information? Photos? Chat logs? On kids? Remember what happened to Disney? How does this help shape safe internet habits for all those little Ashleys and Madisons and Jacobs?
Of course, there is money in identity information, whether gathered by apps and vendors you choose or by unauthorized harvesters. The going rate for consumer information varies, from a low of about $0.05 per address change record from the USPS to data brokers[iv] to a high of $300 for online payment service login credentials (for account balances of $8,000). Bank login credentials marketed on the Dark Web, where online video streaming service "discounts" are also available, can go for more.[v]
Key Countermeasure to Information Shoplifting:
Share Less Personal Information
Birthdays. I must confess: I'm not above a little online fibbing. When a web application insists on a birth date I willingly comply. There are so many birth dates to choose from! And it is always a pleasant surprise to receive a special birthday greeting or coupon offer months away from any likelihood of someone actually treating me to a dinner or free gift.
Online Credit Card Storage. When a vendor insists on recording credit card information "just in case," I sign up exuberantly for a for-fee service (perhaps a special class at an already pricey gym). I just provide a valid card number for an account I've closed (the numbers follow the right pattern, after all), adjust the expiration date, and ta-da! Everyone is happy. (Really, if the back-end system is that unsophisticated and trusting, why would one ever store payment card information there?) And I never, ever, record credit card information in a web app to make checking out easier the next time. That convenience carries too heavy a risk.
User Name. Here's your chance to be creative. Pick a favorite literary character, gemstone, or mythical figure. No harm, no foul.
Harden Your Communications Channels
Bluetooth. Turn it off when you are not specifically using it (e.g., for hands-free driving).
Text/Voice Calls. Credit card scammers are exercising their robo-dialing rights (or wrongs). I use the free service at www.411.com to look up unknown numbers. Report any repeated, annoying calls to the Do Not Call Registry. Validate email messages before opening them. Check out the Federal Trade Commission (FTC) for other signs of fraud.
Wireless Networks. Change default settings (name, password) on your wireless router at home. Do not ever make purchases over a public WiFi network, even one that is "password protected."
Desktops/Laptops/Tablets. Clear cookies and search history from devices used for financial transactions. Your bank might ask you to re-authenticate "out-of-band" (e.g., send a one-time use access code to your phone or email), but seconds spent in verification purchase peace of mind.
The bottom line is to be aware, especially during a season when distractions prevail. Challenge requests for personal information that is not legally required to complete a transaction. Retail stores do not need your ZIP code to validate your credit card, for example, although the information is useful for their marketing. Asking for that information is, in fact, illegal in some states (e.g., Massachusetts and California).[vi]
If you accept that attempts will be made to capture personal information you do not wish shared, and accept that some attempts could be successful, the reasonable next step is to be conscientious about checking your credit card and bank account activities. Make sure that you recognize transactions made. Report suspect activities or requests to the FBI's Internet Crime Complaint Center. Happy Cyber-Safe Shopping!
i Aaron Smith (30 November 2015), "Kids' info is exposed in toymaker hack," CNN. Retrieved from http://money.cnn.com/2015/11/30/technology/vtech-hack-kids/
ii Jim Finkle (1 December 2015), "Toymaker VTech hit by largest-ever hack targeting kids," Reuters. Retrieved from http://www.reuters.com/article/2015/12/01/us-vtech-cyberattack-idUSKBN0TK5ML20151201#VuiUF8txpRKlW2lu.97
iii Equifax. "Why is identity theft protection important?" Retrieved from http://www.equifax.com/credit-education/identity-theft/
iv The USPS realizes about $8 million per year from licensing access to its database of 160 million or so address change records within the most recent four-year period. Adam Tanner (8 July 2013), "How The Post Office Sells Your Address Update To Anyone Who Pays (And The Little-Known Loophole To Opt Out)," Forbes. Retrieved from http://www.forbes.com/sites/adamtanner/2013/07/08/how-the-post-office-sells-your-new-address-with-anyone-who-pays-and-the-little-known-loophole-to-opt-out/
v Yoni Heisler (1 December 2015), "Here's how much your stolen data is worth on the Dark Web," FoxNews. Retrieved from http://www.foxnews.com/tech/2015/12/01/heres-how-much-your-stolen-data-is-worth-on-dark-web.html?intcmp=hplnws
vi Aditi Mukherji (4 April 2013), "Is it legal to ask for customer ZIP codes?" FindLaw. Retrieved from http://blogs.findlaw.com/free_enterprise/2013/04/is-it-legal-to-ask-for-customer-zip-codes.html. The Privacy Rights Clearinghouse (www.privacyrights.org) is a rich source of information and tips for individuals and organizations.