Don't be fooled by these 6 data breach myths
Another day, another data breach. Amid a steady stream of headlines about data thefts at large retailers and banks, exasperated Americans are starting to tune out the latest data breach news even if it involves millions of credit and debit cards.
That's exactly what criminals are counting on. Consumers who let down their guards render themselves more vulnerable than those who regularly check their account statements line by line, says Michael Bachmann, associate professor of criminal justice at Texas Christian University.
It helps to filter out misconceptions surrounding data attacks so you can focus on protecting your personal and financial information more effectively.
1. MYTH: Hackers only target large retailers
Sure, breaches at Fortune 500 companies get more publicity, but small businesses are not immune. A 2013 Ponemon Insitute survey found that 55 percent of U.S. small businesses had experienced a data breach. Yet only 33 percent notified the people whose records were exposed -- despite laws in 46 states that require such notifications.
Small merchants generally have fewer resources and much less security expertise than large corporations. Those constraints make smaller businesses more vulnerable to data attacks -- even though the payoff for criminals is less lucrative, according to John Breyault, vice president of public policy, telecommunications and fraud at the National Consumers League.
2. MYTH: Retail breaches pose the greatest risks
The retail industry doesn't have a monopoly on breaches. Based on the Identity Theft Resource Center Data Breach Reports, as of Nov. 18, 42 percent of the 679 U.S. breaches so far in 2014 were attacks on medical and health care systems. That's substantially higher than the 32 percent for all business-category breaches.
Business attacks accounted for nearly 80 percent of the records affected, but medical breaches still affected nearly 7.8 million records. Breyault says data piracy involving patient medical records can expose even more sensitive information than card payment data, potentially causing a greater impact on affected consumers.
3. MYTH: Security fixes eliminate repeat attacks
While a large organization may spend tens of millions of dollars to fix a specific vulnerability that allowed a breach, there is never only a single bug in a large complex system. Many other security holes inevitably remain after the most urgent repairs are made.
Bachmann notes that after the JPMorgan Chase leak involving data on more than 76 million households, America's largest bank said it will double its $250 million annual security budget over the next five years. Yet doubled expenses do not equate to twice the level of security.
Organizations can approach the 90-percent secure level with reasonably low systems spending. "The remaining 10 percent is increasingly and disproportionately expensive such that a 100 percent 'safe' data security solution is unachievable," says Bachmann.
4. MYTH: Breaches result in big-dollar fraud only
While it may seem counterintuitive, consumers should pay extra attention to tiny, seemingly inconspicuous transactions on their statements. That's because large fraud amounts are harder to miss.
Perry Kramer, vice president at Boston Retail Partners and co-author of the white paper Best Practices and Tools to Thwart Hackers and Protect Customer Payment Data, says the trend with cyber thieves is to use stolen credit card data for "micro purchases." These refer to ongoing small transactions of $20 or less that crooks hope cardholders will overlook for longer periods of time.
5. MYTH: Credit or identity monitoring is the
Organizations frequently offer free credit monitoring or identity monitoring services to breach victims for a limited time, but they aren't a panacea. Gail Cunningham, spokeswoman for the National Foundation for Credit Counseling, points out that monitoring services only notify a person about suspicious activity after the fact and thus don't prevent identity theft or block other types of fraud.
Most credit monitoring services track reports from only one of the three main credit bureaus (Equifax, Experian and TransUnion), so a fraudster applying at a lender that consults a different reporting agency may not trigger an alert. Breyault says another deficiency is that credit monitoring doesn't detect when breached identity information is used to open wireless phone or other noncredit accounts.
ID monitoring services go further, accessing criminal databases, DMV records and other resources to search for suspicious activity. But they still have limits. "Consumers utilizing credit monitoring and similar products should not be lulled into a false sense of security, but instead adopt a heightened sense of awareness as to how vulnerable they are," advises Cunningham.
6. MYTH: Smart-chip cards will save us
EMV smart-chip cards now being rolled out across the U.S. can significantly boost security for card payments at in-store terminals. Unlike traditional magnetic stripes that store sensitive data in a static setting, EMV chips create a unique one-time code every time you make a transaction. That means even if a thief gets information from the chip, he can't use it to make purchases or to create counterfeit cards.
That's great, but point-of-sale terminals represent only one of a myriad systems vulnerabilities that hackers can exploit. "Even the best card technology cannot protect against breaches of merchant-side databases storing the card information," explains Bachmann.
If a fraudster gets hold of your name and email address, he can use them to create phishing attacks -- fake emails that try to trick you into revealing more sensitive personal and financial details. According to cybercrime expert Brian Krebs, author of "Spam Nation," spam is the single biggest driver of big breaches today. Kramer predicts phishing scammers will target some of the 53 million email addresses stolen in the Home Depot breach.
Aaron Kline, eCommerce director at consumer risk management firm ID Analytics, adds that introducing smart-chip technologies all but guarantees that online businesses will see an increase in card-not-present fraud. "As in the United Kingdom, Canada and many other countries, online fraud typically doubles or triples following smart-chip card deployment," he says.See related: Online fraud may surge after EMV chip card rollout, Poll: Nearly half of cardholders likely to avoid stores hit by data breaches, Data breach protection: 10 tips
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...