Tuesday, January 27, 2015

Top 10 Personal Data Security Tips from a Hacker, # 10 - Cash

A Quick Disclaimer

Okay I'm really an unhacker, a subtle but important distinction we can cover later. For now, interpret it as meaning I have much of the insight of the hackers you love to fear - but am on your side.

I will also articulate further what I mean by "Personal Data Security", a concept I hope you take to heart: That the conveniences of digital life come with serious risks, which warrant the same rigorous caution you grant a 3,000 pound vehicle, or table saw.

And that this responsibility, of keeping your digital fingers free of the blade, as it were - is yours alone. Criminals are to blame, to be certain - and layers of corporate bureaucracies are, ultimately, the guilty parties.

But these are still your fingers.

So let's kick this off with a bang, and probably start arguments right away by strongly recommending that you...

Tip #10: Use Cash

What?! Gary wants us all to be robbed in the streets, he's mad!

No, I am not suggesting you waltz around toting gangsta wads of cash - rather that you limit your risk appropriately. Here, the risk is that your credit card or other financial account information could be captured. We'll leave the means of this "capture" unspecified for now, but will later explore in great technical detail how such things are accomplished.

Chances are extremely high that you do not live in an area where traditional muggings are common. If you do, you know better than I how much cash you can safely carry. But for most of you, the number of times daily that you are exposed to a "digital mugging" is much higher than for the real-world version.

So let's look at those exposures: When are they occurring? And are the risks being taken appropriate to what is being gained? This is how Corporate Information Security thinks, and it is time you start thinking the same way about your own Personal Data Security.

If you look at transactions for which you use your digital credentials (credit cards, debit cards) you will probably find that most are for fairly small-ticket items: A cappuccino and croissant, $6. A hot-dog at lunch, $5. A beer and chips after work, $8. Would it really be a significant risk to carry $20 or $40 in your pocket?

Learning to Think About Risk Exposure

And here's the important bit that has not been made widely known outside of the Information Security industry: Each of these transactions is exposing your credentials to potentially serious risk of capture. 

How much risk? Each time you hand your card to a vendor, the data necessary to place transactions against the account is processed by their systems. What does that mean, "their systems"? Well, it could mean a tightly secured network, closely monitored 24/7 by security experts. Or it could mean a rusty Windows 95 PC in the back office, poorly administered by the store owner and infected with colonies of malware.

So which is which? It can be tough to be sure, but we can draw solid conclusions from simple, empirical observations. The size of the vendor, for instance: It is unlikely that Joe's Hot Dogs can afford a team of specialists to secure their systems: Joe does it himself.

And how about Joe? Does he seem the computer-savvy sort who would know how to safely handle your transaction data? Maybe not.

This might be a good time to just buy your hot-dog with cash.

In It Together: Your Risk and Theirs

Another factor you should consider is the level of exposure to risk shared by the vendor. How motivated are they to secure your transaction data? It is not unusual for vendors to keep transaction details for days, months or forever. Your data will be at risk during the transaction, and possibly long afterward.

Is Joe's exposure to this risk as high as yours? I'm sorry to tell you that it is not.

We're all familiar with the public announcements of compromises at big-name vendors (Home Depot, Target) - but what compromises occur at smaller vendors? We don't know, and there's a reason for that: Companies of a certain size are required by law (or other constraints) to disclose these incidents. That is not necessarily so with Joe's Hot Dogs.

With these factors in mind, it should be clear that each digital transaction - online or offline - is a new instance of risk exposure for your data. It should also be obvious that it is wise to limit the number of these instances, and one of the easiest ways is to replace low-ticket digital transactions with good old-fashioned cash.

You may also have drawn conclusions about which vendors you should trust with your data, and it should have something to do with the level of risk you and the vendor both share. This is smart, and is an aspect we will explore at length, later in this series.

About Personal Data Security

Okay so what is this "Personal Data Security" I keep going on about?

Quite simply, I'm suggesting that you need to start thinking about your own personal data assets the same way corporations have thought about theirs for decades.

Modern businesses must expose themselves to serious security risks, in order to do business. They cannot circumvent the issue as easily as you and I. Risk is accepted as part of doing business.

But they make sure they understand what the risks are, what can be done about them, and - most importantly - the potential for financial loss in each case. This, by the way, is what unhackers do during the day.

From this, businesses make informed decisions about which risks are worth taking, and which are not. Using this "loss expectancy" insight, they determine how much effort should be invested in securing against a risk, and at what point a risk outweighs the potential benefits.

In your Personal Data Security too, risk cannot be completely avoided. But understanding this dynamic will tell you that the convenience of paying for a hot dog with a card does not justify exposing your account data to risks which could lead to serious losses.
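To make the "loss expectancy" reasoning above concrete, here is a small risk model in Python. It is an added example, not code from the original post; it uses the standard single loss expectancy / annualized loss expectancy formula (ALE = SLE x ARO) that corporate security teams apply, and every per-vendor capture probability, transaction count, loss figure and mugging rate in it is a constructed assumption for illustration, not a measured value.

```python
"""Personal data risk model: card exposures versus cash for small purchases.

Added example (not from the original post). Formula: ALE = SLE x ARO,
where ARO is approximated as the expected number of card captures per
year. All numbers below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    capture_probability: float  # assumed chance a single transaction is captured
    uses_per_year: int          # how often you hand this vendor your card
    average_ticket: float       # typical purchase amount in dollars


# Constructed assumptions: cost of one captured card (fraud, time, replacement),
# annual chance of losing the cash in your wallet, and how much cash you carry.
CARD_SLE = 500.0
MUGGING_RATE = 0.01
CASH_CARRIED = 40.0

# Constructed vendor profiles: the small vendors are used daily and are
# assumed to be less well administered than the large one.
VENDORS = [
    Vendor("Joe's Hot Dogs", capture_probability=0.002, uses_per_year=200, average_ticket=5.0),
    Vendor("Corner cafe", capture_probability=0.001, uses_per_year=250, average_ticket=6.0),
    Vendor("Big-box grocery", capture_probability=0.0001, uses_per_year=52, average_ticket=120.0),
]


def expected_captures_per_year(vendors):
    """ARO: expected number of card captures across all exposures in a year."""
    return sum(v.capture_probability * v.uses_per_year for v in vendors)


def annualized_loss_expectancy(vendors, single_loss=CARD_SLE):
    """ALE = SLE x ARO for the given set of card exposures."""
    return single_loss * expected_captures_per_year(vendors)


def probability_of_any_capture(vendors):
    """P(at least one capture in a year), treating each exposure as independent."""
    p_none = 1.0
    for v in vendors:
        p_none *= (1.0 - v.capture_probability) ** v.uses_per_year
    return 1.0 - p_none


def compare_strategies(vendors, cash_threshold=20.0):
    """Compare paying by card everywhere with paying cash for small tickets.

    Returns expected annual loss for each strategy and the number of card
    exposures each strategy removes, so the reader can see where the risk
    actually comes from.
    """
    card_everywhere = annualized_loss_expectancy(vendors)
    large_only = [v for v in vendors if v.average_ticket > cash_threshold]
    exposures_removed = sum(v.uses_per_year for v in vendors if v.average_ticket <= cash_threshold)
    # Cash carries its own (much smaller) loss expectancy: the wallet itself.
    cash_for_small = annualized_loss_expectancy(large_only) + CASH_CARRIED * MUGGING_RATE
    return {
        "card_everywhere_ale": card_everywhere,
        "cash_for_small_ale": cash_for_small,
        "exposures_removed": exposures_removed,
        "p_any_capture_card_everywhere": probability_of_any_capture(vendors),
        "p_any_capture_cash_for_small": probability_of_any_capture(large_only),
    }


if __name__ == "__main__":
    result = compare_strategies(VENDORS)
    for key, value in result.items():
        print(f"{key:32s} {value:10.4f}")
```

Under these assumptions the card-everywhere strategy carries an expected loss in the hundreds of dollars a year and roughly even odds of at least one capture, while moving the two small-ticket vendors to cash removes 450 exposures and leaves an expected loss of a few dollars. The point is not the exact figures, which are made up, but the shape of the result: the expected loss is driven by the number of exposures at poorly secured vendors, not by the size of any one purchase.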

Welcome to the Jungle

For the moment, digital commerce is a jungle: Until it is as secure as its real-world counterparts, modern consumers (that's you!) must learn to be aware of the risks involved, and make logical, informed decisions about when those risks are appropriate.

Up Next in this Series...

Coming up (in no particular order): Devil You Know, Lose Your Stuff, Hedge Your Bets, Fancy Gadgets, Your Friend 7-11, Going Schizo, Uninstall It, and Fake Everything. Yes, those are all real article titles.

Sunday, January 25, 2015

New Tricks for an Old Blog?

I've been wanting to write on a few new topics, so this now ancient and disused blog will be taking a dramatic turn.

Stay tuned for new articles on . . .
  • Unhacking: That is to say, not getting hacked.
  • Information Security: In general, that is.
  • Making: This will be a nice place to write about works-in-progress, before they become articles on my main site
  • Genetic Algorithms: A topic in which I'm increasingly active.
  • Android: And Java and Perl and Linux, and other code stuffs.
And probably a new title.

You can probably ignore the ancient archive content, unless you're interested in what the Virtual Worlds industry looked like in 2009.

Next up: "Top 10 Personal Data Security Tips from a Hacker"