Brick-And-Mortar Shops: Safer Than Online Stores?
MICHELE NORRIS, Host: Kevin, welcome to the program.
KEVIN POULSEN: Thanks for having me.
NORRIS: So is it time to abandon online commerce altogether and just stick to retailers who are a part of those brick-and-mortar operations?
(SOUNDBITE OF LAUGHTER)
POULSEN: You know, you might think so, but actually, it turns out a lot of the largest breaches have been - have targeted brick-and-mortar operations. Credit card numbers in particular have been stolen by the hundreds of millions from major retailers and online processors that deal with point-of-sale terminals. So the point-of-sale terminals that you encounter at a store or restaurant when you swipe your credit card to pay the bill, that's when the hackers will get your data.
NORRIS: Now, at this point, it feels like this is happening all the time, but in fact, how often do these types of massive data breaches take place?
POULSEN: They're coming up pretty frequently. And the reason is there's a thriving computer underground that buys and sells stolen information left and right. So credit card numbers in particular go for a lot of money but then so does information about consumers, like names and dates of birth, email addresses, Social Security numbers.
NORRIS: Is this kind of thing just inevitable, and are they one step ahead of the law?
POULSEN: But a lot of this activity is international. I mean, it's a vast network that reaches into every country, and it's particularly centered in Eastern Europe where the laws are not where they are in the West.
NORRIS: So is it inevitable the kind of thing that you know it's going to happen so what you do is just to try to shut down those cards quickly and get the information out there to the consumers who might be affected?
POULSEN: So they have your email address. They have your password. They'll just try it everywhere and see if they can expand their access, and they can do it in a semi-automated way.
NORRIS: The intruders are working full time at this, and every time you log on some place, you're being asked for more and more personal information when you try to interact online with a business or with almost anyone. Is this just the cost of doing business, the opportunity cost of doing business?
POULSEN: The National Security Agency recently put out guidelines that suggest that you lie in the secret questions that you use when you set up an account somewhere. You know, they'll ask you to put your pet's name in as an alternative to a password. The NSA suggests that you lie about that information because it can be discovered by intruders and then used as an alternative to cracking your password.
NORRIS: Oh. I see. Spell Fido F-I-D-E-A-U-X or something like that.
POULSEN: Right. But even then, I mean, we've seen that that's one of the ways the hackers are getting at.
NORRIS: Kevin Poulsen, good to talk to you. Thank you very much.
POULSEN: Thanks for having me.
NORRIS: Kevin Poulsen is a senior editor at Wired.com. He's also the author of "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground."
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.