We’re having an identity crisis. What will it take for companies to take this as seriously as they should?
Officials have found small devices in European point of sale card swipe machines that send selected transaction information to Pakistan. These are the card machines you use at the grocery store — totally plain vanilla. The devices appear to be untraceable and are inserted in some made-in-China MasterCard boxes. The best way to find out if a store has been infected is to literally weigh their card swipe machines. Bad machines weigh four ounces more than good ones.
This is affecting large chain stores, including a British unit of Wal-Mart and Tesco. It is not isolated or off the beaten path — and it really is diabolical. The machines can be set, evidently, to just send a few transactions, say every tenth Visa Platinum transaction, once a day. They can also get new instructions when they send their take — so their work is quite hidden. Add that up over time.
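The detection method the post describes (weigh the terminal, compare against a known-good unit) is easy to turn into a routine inventory check. The following is an added illustration, not code from the original post or from any of the companies named; the model names, reference weights, serial numbers, inventory lines and the one-ounce tolerance are all constructed assumptions for this example. The four-ounce figure comes from the post.

```python
"""Flag point-of-sale terminals whose measured weight deviates from the
reference weight for their model.

Added example, not part of the original post. Model names, reference
weights, serials and the tolerance below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Known-good weight per terminal model, in ounces (constructed values;
# in practice these come from a sealed reference unit of each model).
REFERENCE_OZ = {"MODEL-A": 24.0, "MODEL-B": 19.5}

# The post reports tampered units weighing four ounces more than clean ones.
# A tolerance well below that catches them while allowing for scale noise.
# The value is an assumption for this example.
TOLERANCE_OZ = 1.0


@dataclass
class Finding:
    serial: str
    model: str
    measured_oz: float
    delta_oz: Optional[float]  # None when the model has no reference weight
    status: str                # "ok", "suspect" or "unknown-model"


def check_terminal(serial: str, model: str, measured_oz: float) -> Finding:
    """Compare one terminal against its model's reference weight."""
    ref = REFERENCE_OZ.get(model)
    if ref is None:
        # No baseline means we cannot vouch for the device; surface it
        # rather than silently passing it.
        return Finding(serial, model, measured_oz, None, "unknown-model")
    delta = measured_oz - ref
    # Flag deviation in either direction: extra weight matches the post's
    # description, but a lighter unit (missing or swapped parts) is also
    # worth a physical inspection.
    status = "suspect" if abs(delta) > TOLERANCE_OZ else "ok"
    return Finding(serial, model, measured_oz, round(delta, 2), status)


def audit(inventory_csv: str) -> List[Finding]:
    """Run check_terminal over a simple 'serial,model,measured_oz' listing."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        serial, model, weight = (field.strip() for field in line.split(","))
        findings.append(check_terminal(serial, model, float(weight)))
    return findings


def suspects(findings: List[Finding]) -> List[str]:
    """Serials that need a hands-on look: over tolerance or no baseline."""
    return [f.serial for f in findings if f.status != "ok"]


# Constructed sample inventory: serial, model, measured weight in ounces.
SAMPLE_INVENTORY = """
# serial,model,measured_oz
T-1001,MODEL-A,24.1
T-1002,MODEL-A,28.0
T-1003,MODEL-B,19.4
T-1004,MODEL-C,22.0
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.serial} {f.model} {f.measured_oz:.1f} oz -> {f.status}")
    print("needs inspection:", suspects(audit(SAMPLE_INVENTORY)))
```

Two design points: a model with no recorded baseline is reported rather than skipped, because a terminal nobody can vouch for is exactly the kind of device that slips through, and the check is deliberately a screening step that hands suspect serials to a physical inspection rather than a verdict on its own.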
What happens to the information once it goes to Pakistan? It gets used, of course. Bank withdrawals are made, plane tickets and other merchandise get purchased. So far, the estimates are between $50 and $100 million. The motivation appears not to be espionage, but plain old theft. Authorities are watching, though, in case there is a terrorism link, the destination being in Pakistan and all.
Meanwhile, just to ratchet up the Tom Clancy: The Chinese version of Skype evidently spies on users. This was discovered by a University of Toronto researcher in relatively simple fashion — by checking out what happened when he used the f-word in a message. (To be clear, this is a joint venture between Chinese phone provider TOM and Skype, it is not Skype itself.)
It turns out that not only are messages being filtered, and not only are they being logged, but they were being kept on a totally insecure server that was easily accessed through the cyber version of guessing that I keep my house key in the flowerpot.
Skype says they are very concerned about the fact that these messages were insecurely stored — which is sort of like an adulterer saying he’s sorry he got caught. As for the whole message-interception thing, they say that’s just the requirement of the Chinese government and they don’t have any say. And their past public statements about the issue have been contradictory.
This is not at all the first time there have been well-founded worries about what happens when U.S. companies bump up against China. Google has had to promise they won’t house personal info on Chinese soil. Yahoo’s CEO had to publicly apologize to the family of someone who was jailed as a result of their disclosures to the government.
The untold story of the last couple of years has been the rise in inadvertent data breaches. Many millions of records have been divulged, and it’s not just because government workers accidentally take home laptops: according to the Privacy Rights Clearinghouse, since January 2005 there have been more than 245,000,000 individual records divulged accidentally or as a result of malicious hacking.
Yes, 245 million.
All of this — the grocery pipeline to Pakistan, the Chinese eavesdropping — brings up the issue of what large (and trusted) organizations do about their partners.
I am not saying there ought to be a law — but I am saying that large companies need to get ahead of this issue. Yes, it will cost money. It is money well spent.
What can companies do? That’s a tough question and it may be one of those things where the bad guys are always one step ahead of the good guys. But the good guys can get a little more serious about this. Yes, they will say they have security experts and yes, they will say that such piracy hurts them as much as it hurts, say, Joe The Plumber. “Security is our top priority,” they’ll tell you. But do you believe it?
Nevada has instituted new rules that companies must encrypt the information they keep. But this may not be enough. The whole data chain needs to be protected, just like the food chain.
Makes you want to go off the grid.