The news for Target is just getting worse and worse for Target and their customers. Over the weekend it was announced (original announcement from Target is here) that Target has joined an elite club, specifically called the 100 Million club. This club is a club that no company ever wants to be a part of because it means that people have stolen data on more than 100 million people from the company.
In the case of the target breach the first information which was known to be stolen was information for around 70 million credit and debit cards which were used in Target stores (which included one of my cards, which I’ve since canceled). In this new finding (which to be clear was part of the same data theft, but was just found) another 70 million customers information has been taken. But the data which was taken this time is very different from the credit card data. This time it was what is called Personally Identifiable Information such as names, addresses, phone numbers, etc. The exact information which someone would need to attempt to open credit cards in another persons name.
As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
This information is invaluable to data thieves as they can now begin matching this data up against other credit card data which they have in order to build a better profile about the specific credit cards to make it easier to use the stolen card numbers as well as sign up for more credit card accounts.
The breach notification from Target doesn’t give a whole lot of technical information about the breach or if the data which was taken was encrypted or not, but based on the fact that Target announced the breach this tells me that the data wasn’t encrypted which means that Target did not to a proper job securing the data. This leads me directly to what I wrote in Chapter 1 of “Basics of Digital Privacy” where I talk specifically about knowing how the companies which we trust with our data actually secure that data so that we know for sure that the information which we trust them with is fully secured.
For the companies out there, they need to be reading books on data security from both the IT Professional side (such as my book “Securing SQL Server“) as well as from the consumer side (such as my book “Basics of Digital Privacy“) so that these sorts of things can be stopped before they happen.
I ran across an older blog post that I think is very relevant given the Target breach as so any people will be setting up new ATM pin numbers to secure their ATM cards.
The most popular password is 1234 with nearly 11% of the 3.4 million passwords are 1234 !!!
I knew that 1234 would be popular but 11% is just a really high percentage of people using this PIN number. When taking the top 20 most popular PIN numbers in this sample set a little over 25% of the populations PIN numbers are used. That’s the top 20 most popular PIN numbers out of the total possible 10,000 PIN numbers which are available when using a 4 digit PIN which is what basically all banks use.
The blog post is a little geeky on the math and statistics side of things, but it makes for some interesting reading.
I’m pleased to report that “Basics of Digital Privacy” is now shipping from Amazon and Barnes & Noble. The price is the same from either one, currently at $25.15 but at Amazon it is eligible for Amazon Prime so there’s free shipping if you’ve got Prime (which if you don’t I highly recommend if you order from Amazon more than a couple of times a year).
The Kindle version isn’t available just yet, but hopefully soon. So if you are interested in a dead tree version, now’s the time to order.
So apparently there’s something which I should have included in the book but didn’t because I figured it was so obvious that it didn’t require actually saying. Do NOT take pictures of your credit cards and post them online. I mean really, why on earth would you think that it’s a good idea to post all the information that people need to steal your identity? Below is a screenshot of just a couple of pictures that people have posted on Twitter about their new credit cards that they just got.
Apparently this problem is so common that someone has actually made a twitter account that retweets these peoples pictures. The bio for this twitter account simply reads “Please quit posting pictures of your debit cards, people”. The sad thing is that most of the pictures that this account has retweeted are still out there on twitter. My favorite is the one in the picture that actually includes the security code from the back of the card (which is conveniently his (Fred’s) birthday). Give that he’s in his early 20’s that narrows down the year of his birth to just a few options in the mid 1990s so he’s just given out basically everything needed to take over his PayPal account and card.
I’m guessing that when there’s fraud on these cards the people that post these pictures are shocked that all their money has been stolen.
So apparently rule #1 of data privacy, don’t take a picture of your credit cards and post them online has to actually be written down.
Hopefully these people will quickly figure out that this is a bad plan and remove the pictures and never do something so stupid again. Based on their pictures on twitter they all appear to be younger folks in their early 20’s. Now I remember back to my early 20’s and I was pretty stupid but I can’t imagine that I would have ever freely given my credit card number to what amounts to basically every person on the planet. Those 16 little numbers are magic in that they give someone your money. Keep them to yourselves.
P.S. Yes I realize that I haven’t blocked out the card numbers in the screenshot. I’m working under the assumption that the cards are already canceled as the accounts have been drained by now.
We must be getting close to getting the book published. I saw on Amazon today that the book is available for preorder both as a paperback and as a Kindle e-book. The paperback version shows a release date from Amazon on December 29th, 2013 while the Kindle version shows that it’ll be delivered to your device on January 26th, 2014. I was hoping that we would be able to get the book done before the holidays, but apparently we just missed our goal.
If you order now you’ll be able to get your copy delivered just as quickly as Amazon (or your favorite book retailer) have it available.
If you’d like to take a free sneak peek at the book, it looks like Google Books already has part of it available for viewing online.
Well I’m pleased to report that my final part of the book process is done. I’ve gone through the PDF’s of the book and put in a few changes. The publisher will now go back and do some more magic to make the changes which are needed. Then the book is off to the printer and then to your local Amazon distribution center.
Writing a new book is a complex multi-step process, only part of which is done by the actual author. There are three basic steps where the author has stuff do to. The first two are the writing of the first draft and then reviewing the copy which has been tech edited to make revisions based on the notes from the tech editor.
This part of the process is now done for The Basics of Digital Privacy
Now a bunch of magic happens and the word docs get converted into some PDFs which are basically what the actual book will be printed from. I’ll get those back in probably a few weeks so review them to make sure that nothing got screwed up, that the images are correct, etc.
Then a few more weeks of magic and a physical book appears on my doorstep.
Hopefully the magic elves over at the publisher will get their part done for a holiday release as scheduled.
I’m pleased to announce that the Basics of Digital Privacy is almost done. While this isn’t my first book into the information security space, this is my first book which is written not for the Information Technology worker, but instead for the general public. This book is being written to explain what the risks are and how to solve those problems in plain English so that people who don’t spend their entire lives working with computers can begin taking control of their digital information with the eventual goal of keeping others from watching what they are doing online.
While the book hasn’t been published yet, the hope is to have it available for purchase by the holiday season. You won’t find it on Amazon or any of the other book sales websites, yet. It will make it’s way there slowly as the project gets closer to completion. There is however a teaser on the publishers website.
For now that is all I’ve got. Hopefully you get a chance to take a look at the book.