YOLO COUNTY NEWS

Joe Nocera: Unto the breach

From page A6 | January 21, 2014

By Joe Nocera

Last Wednesday, a letter landed in my email inbox from Gregg Steinhafel, the chief executive of Target. He wanted me to know that there was a decent likelihood that some of my personal information had been stolen by criminals who had “forced their way into our systems,” as Steinhafel put it, and pulled off one of the biggest data breaches in history.

I’m not a regular Target shopper, so I had to think about this for a minute. Then I remembered: In mid-December, while marooned in Houston after missing a connecting flight to Rio de Janeiro, I went to a Target store to buy some clean clothes. I paid with my debit card, which I swiped through the little “point of sale” machine, and then entered my passcode — something I probably do a dozen times a day. The very ordinariness of the transaction is partly why it hadn’t stood out in my memory.

Since receiving Steinhafel’s letter, however, I’ve been brushing up on data breaches, and I’m here to say it is going to be a while before I’m sanguine when I make that little swiping motion with my debit card. In the battle between hackers and retailers, it sure looks as though the hackers are winning.

If you have read anything about the Target data breach, you know that from Nov. 27 to mid-December, hackers siphoned off the credit card information of 40 million Target shoppers, including card numbers, passcodes and the three-digit security code on the back. They also took names and email addresses of tens of millions of other Target customers.

Target acknowledged the breach Dec. 19, but only after a reporter named Brian Krebs had broken the news on his authoritative blog, Krebs on Security.

When I talked to Krebs, he told me that while Target was “hardly a poster boy for how to secure data,” the company probably wasn’t all that much worse than most other retailers. Its digital system undoubtedly had all the current anti-virus software, none of which had detected the malicious software — “malware,” as it’s called — that had infected it. Krebs was pretty convinced that the hackers were Russians. It was obvious that they were extremely sophisticated in how they went about stealing credit card data.

After burrowing into a Target server, he explained on his blog, the malware would then grab data from Target’s point-of-sale terminals all across the country shortly after customers swiped their cards. At that moment, a moment of maximum vulnerability since all the data was unencrypted at that point, the magnetic stripe would yield all the information the hacker needed.

Another security expert, Gerhard Eschelbeck, the chief technology officer at Sophos, wrote in a recent report that “one trend that stands out is the growing ability of malware authors to camouflage their attacks.” Eschelbeck described modern hacks as “innovative and diverse.”

Virtually every security expert I spoke to said it is likely that a lot more retail companies have been breached than has been acknowledged. Indeed, earlier this month, Neiman Marcus admitted that its systems had been breached. And just the other day, the Department of Homeland Security sent a report to retailers and banks warning about point-of-sale malware, which it suspects has infected more systems than just Target’s.

So why don’t retailers do more to stop such attacks? Part of the reason is that nobody is forcing them to. It costs a lot of money to completely revamp their systems in ways that would make them harder to breach. However disruptive to customers, there really hadn’t been any business consequences, not until the Target breach, anyway. (Target saw its Christmas sales decline after the breach was announced.)

The simplest thing we could do to diminish data breaches would be to move away from magnetic stripes, which are relatively easy to copy, and go to a system in which credit and debit cards are embedded with chips. In widespread use in Europe and elsewhere, such cards are practically nonexistent in the United States (although a rollout is supposed to begin in the fall of 2015). In 2009, a payment company called Heartland suffered a breach that was even larger than Target’s. You would think that would have been a wake-up call, but apparently it wasn’t.

The most galling part of Steinhafel’s letter is its advice to consumers. “Never share information with anyone,” he writes. “Be wary of emails that ask for money.” None of this advice, of course, would have helped anyone who had the misfortune to shop at Target during the three weeks the malware was doing its devious work. The fault was not ours, Mr. Steinhafel; it was yours.

As for me, it turns out that the Russian hackers won’t be able to use my debit card information after all. I had to get a new card — after I was hacked in Brazil.

— New York Times News Service
