In October, 2000, when Microsoft was presumably working on what would become XP, they were hacked. Somebody broke into their systems and managed to at least look at source code for Windows and Office. The folks in Redmond dutifully called in the FBI, examined their code and found it hadn’t been compromised. Or so they said.
“It is clear that hackers did see some of our source code,” Ballmer announced to a group of reporters and programmers at a seminar he was attending in Stockholm. “I can assure you that we know that there has been no compromise of the integrity of the source code, that it has not been modified or tampered with in any way.”
At the time, this was disturbing, more so than if it were to happen today. It was also an eye opener.
The Internet was rapidly proving to be a dangerous place and it had become obvious to most that all online computers were at risk. The only surefire way to eradicate the risk was to not go online. Many were shocked that Microsoft would put their crown jewels in jeopardy by exposing them to a network that was open to the black hats. To the average computer user, it seemed logical to protect sensitive data by making sure it was unreachable from the world wide web.
We know better now.
Everything from Microsoft’s software under development, to controls for nuclear power plants to sensitive banking data faces the network. We’ve come to accept the consequences of this model, which basically means putting everything we own into the single egg basket of the Internet. We’ve taken all the gold in Ft. Knox–assuming there is still gold there–and hidden it carefully on the Internet where thieves can’t find it because they don’t know where to look.
All of our transactions happen with plastic cards and each transaction utilizes the web in one way or another. Our bank accounts get accessed every time we buy a tank of gas or make an online purchase. By necessity, a large percentage of our daily business takes place directly online–it’s how we pay our bills. We receive our “paychecks” electronically through the Internet.
We pay a price for this convenience. A very high price. Our bank accounts are about as secure as money stuffed into a mattress.
This is clearly illustrated by the latest hack at Target, which has affected 40 million customers but is only the second largest known online breach. Oddly, this breach didn’t affect online shoppers, traditionally thought to be the most vulnerable, but targeted information obtained from cards swiped within the presumed safety of the retailer’s bricks and mortar stores.
How serious is this breach? Yesterday, a Sunday, Chase bank opened over a third of their branches to help customers affected by the situation. According to NBC News, banks are taking other actions as well.
“The move comes after JPMorgan Chase, the largest bank in the United States, told customers Saturday that they would be limited to $100 in cash withdrawals and $300 in total purchases per day if they used Chase debit cards at Target during the recent security breach…
“Separately, a source familiar with the situation told CNBC that Citibank was also imposing limits on debit cards for affected customers if it sees suspicious activity, though the extent of those limits was not immediately clear.”
Credit card transactions at point of sale, where a card is swiped, transmit much more data than those punched-in online using merely card number, expiration date and security code. A swiped card transmits enough information to counterfeit physical credit cards.
This turns common knowledge on its head.
A week ago, most consumers would probably have thought that ordering from Target online was much more risky than swiping a card when making a purchase at a physical store. Now, with it appearing as if the bricks and mortar data was targeted specifically because of the wealth of data it would contain, consumers are starting to realize they are taking a risk whenever and wherever they use plastic.
We can’t undo what we’ve done. For better or worse, we’re stuck with our overreliance on Internet technology. We can’t go back and we can’t be certain that the network isn’t turning the world economy into a fragile card house that’s bound to eventually fall.
Still unknown is how much of the fraudulent charges Target will be forced to swallow and how much will be passed on to those who accepted the stolen card information. The major card companies’ policy is usually to charge-back fraudulent transactions directly to those who accept a bad card. Unfair? Yes. But that’s the cost of doing business in this postmodern age.
Regardless, this will cost Target dearly. NPR has reported the incident has caused the chain’s business to drop 3 to 4 percent since being made known, in spite of Target’s efforts to mitigate damage by offering an almost across the board 10% discount on all in-store purchases.
Then there are the lawsuits.
This morning WCCO in Minneapolis is reporting that Target is already facing at least three lawsuits related to the incident.
“These lawsuits against the Minnesota-based company were filed in U.S. District Court on Friday from three Target customers.
“According to reports, these shoppers are suing for all other people who might be affected and accused Target of negligence. They also claim that the retail giant did not notify customers as soon as it learned of the credit card theft.”
Security experts have been saying for years that the good guys are constantly playing catch-up with the bad guys when it comes to Internet security. Yet, in spite of this, we continue to put all of our eggs in the Internet basket.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
I am not sure your analogy of putting all eggs in one basket is correct.
It is more like sending a courier with a briefcase stuffed full of money from point A to point B on a public bus. If you want to assure that your money gets there intact, you might want to use a taxi or even an armored car, depending on your risk and budget.
All share the same infrastructure, the roads.
Sorry to say, but your headline is 100% false. It’s not that the internet is weak, or that this “basically means putting everything we own into the single egg basket of the Internet.” Especially the latter is utter nonsense. No technically skilled security person would allow (firewalled?) connections between SCADA systems and the internet, only unskilled morons permit physical connections between such systems.
“Target breach due to human failures” would be a correct headline.
— Marty
Either way you look at it… there was a breach, Target was involved… as were millions of the people who shopped there, and there’s gonna be one heck of a legal battle, it’s gonna be the “Wrestlemania” of corporate vs. retail!