Brick-And-Mortar Shops: Safer Than Online Stores?
MICHELE NORRIS, Host:
Sony is not the only major company to have faced a massive data breach recently. Just three weeks ago, a marketing service was hacked. Dozens of well-known retailers and banks were affected, including Citibank and Target, and that means millions of people were potentially affected. In fact, it seems as though just about everyone has received that letter or email with a daunting warning that your personal information may be in some criminal's hands.
For more on why this keeps happening and what it tells us about the digital age we're living in, we're joined by Kevin Poulsen. He's a senior editor at Wired.com.
Kevin, welcome to the program.
KEVIN POULSEN: Thanks for having me.
NORRIS: So is it time to abandon online commerce altogether and just stick to retailers who are a part of those brick-and-mortar operations?
(SOUNDBITE OF LAUGHTER)
POULSEN: You know, you might think so, but actually, it turns out a lot of the largest breaches have been - have targeted brick-and-mortar operations. Credit card numbers in particular have been stolen by the hundreds of millions from major retailers and online processors that deal with point-of-sale terminals. So the point-of-sale terminals that you encounter at a store or restaurant when you swipe your credit card to pay the bill, that's when the hackers will get your data.
NORRIS: Now, at this point, it feels like this is happening all the time, but in fact, how often do these types of massive data breaches take place?
POULSEN: They're coming up pretty frequently. And the reason is there's a thriving computer underground that buys and sells stolen information left and right. So credit card numbers in particular go for a lot of money but then so does information about consumers, like names and dates of birth, email addresses, Social Security numbers.
NORRIS: Is this kind of thing just inevitable, and are they one step ahead of the law?
POULSEN: You know, it's kind of a cliche to say this, but the companies have to get security right every time, and the hackers only have to succeed once. So the government has had some success finding and prosecuting people for breaches and, in particular, for making use of this kind of information.
But a lot of this activity is international. I mean, it's a vast network that reaches into every country, and it's particularly centered in Eastern Europe where the laws are not where they are in the West.
NORRIS: So is it inevitable, the kind of thing that you know it's going to happen, so what you do is just to try to shut down those cards quickly and get the information out there to the consumers who might be affected?
POULSEN: Well, the good news for consumers is, at least in the U.S., they're not actually liable for fraudulent charges on their cards. So what's more troubling in breaches like the Sony breach is you have to worry about identity theft or if your password was stolen, as apparently they all were, and you use that password anywhere else, then you're at risk of intruders capitalizing on that.
So they have your email address. They have your password. They'll just try it everywhere and see if they can expand their access, and they can do it in a semi-automated way.
NORRIS: The intruders are working full time at this, and every time you log on some place, you're being asked for more and more personal information when you try to interact online with a business or with almost anyone. Is this just the cost of doing business, the opportunity cost of doing business?
POULSEN: You could seek out alternatives. You could let privacy be a differentiator in how you decide what website or what service to go with. Most people don't care that much, the truth is, and we're kind of trained by social networking sites like Facebook to want to share our information. So I think that's a factor.
The National Security Agency recently put out guidelines that suggest that you lie in the secret questions that you use when you set up an account somewhere. You know, they'll ask you to put your pet's name in as an alternative to a password. The NSA suggests that you lie about that information because it can be discovered by intruders and then used as an alternative to cracking your password.
NORRIS: Oh. I see. Spell Fido F-I-D-E-A-U-X or something like that.
POULSEN: Right. But even then, I mean, we've seen that that's one of the ways the hackers are getting at.
NORRIS: Kevin Poulsen, good to talk to you. Thank you very much.
POULSEN: Thanks for having me.
NORRIS: Kevin Poulsen is a senior editor at Wired.com. He's also the author of "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground."
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR’s programming is the audio.