NCL urges FTC to use rulemaking to protect consumers’ data rights 

November 22, 2022

Media contact: National Consumers League – Katie Brown, katie@nclnet.org, 202-823-8442

WASHINGTON, D.C. – The National Consumers League (NCL) this week filed comments in support of a Federal Trade Commission (FTC) regulation to protect Americans’ data privacy. In its comments, NCL urged the FTC to ensure that consumers have the rights to data confidentiality, access, deletion, portability, and ethical use. Such safeguards are critical for stemming the torrent of privacy abuses that Americans have suffered in the digital age—perpetrated by both corporate and governmental entities. 

“Given our dependency on the internet to conduct our daily lives, the fact that we have gone this long without federal privacy protections is profoundly disappointing. The FTC is doing critical work in initiating this rulemaking process,” said John Breyault, NCL Vice President of Public Policy, Telecommunications and Fraud. “Consumers should not be at risk of identity theft, financial loss, or other privacy intrusions simply by having an internet connection.” 

The League urged the Commission to give special consideration to sensitive data types, such as location and genetic information, as well as students’ data utilized by educational technology companies. 

“With the proliferation of ed-tech, classrooms have become another area of vulnerability regarding privacy. This follows students when they take their school-issued devices and software home with them,” said Eden Iscil, NCL Public Policy Associate. “Ed-tech is a particularly worrying sector as students typically have no choice but to use the technology mandated by their institution, regardless of its insecurity.”

NCL has made fighting for consumers’ privacy a priority. Earlier this year, the League released a slate of proposed genetic privacy rights for policymakers to implement. Additionally, the organization is in its seventh year of publishing the #DataInsecurity Digest, a semi-weekly newsletter containing policy analysis and news coverage related to digital privacy. 

NCL’s full comments to the FTC can be read here. 

###

About the National Consumers League (NCL)

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit https://nclnet.org.

How consumers must respond to the security threat inside nearly every computer

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990s. The flaws—primarily found in Intel’s chips—create a vulnerability that hackers can exploit to obtain unauthorized access to privileged information.

Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past November. While software “fixes” have been released, they tend to reduce the speed and performance of computers—as much as 40 percent, according to some reports. In addition, since the flaw is hardware-based, the “fix” is only good until the next exploit is discovered.

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity community. Since that time, public attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businesses, the impact on consumers has been somewhat overlooked.

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs, with scary names like Meltdown, Spectre, and Zombieload, pose to consumers, their data, and the performance of their computers.

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or have the resources to do it, leaving them more exposed.

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business, making their hardware older as well. The way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied. 

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.  

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.  

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in a heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data and the performance of their computers.

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

Computer chip defects force consumers to choose between speed and security

October is National Cybersecurity Awareness Month! Since the first observation of this month 15 years ago, the world has gone from about 800 million Internet users to approximately 4.5 billion. Over that same period of time, there has been an extensive amount of time and energy dedicated to improving cybersecurity and cyber hygiene.

Sadly, despite those good faith efforts, it does not appear that consumers have become safer. In fact, it is clear by now that most individuals have, in one way or another, been affected by some sort of hack or data breach—either on a personal computer or through a company that they have entrusted with their sensitive information.

To make matters worse, beyond the heightened cyber threat environment that exists today, a new hardware-based vulnerability found in almost every processor in the world has recently emerged, and it is making it increasingly difficult for consumers to keep their data protected.

A new report released by the National Consumers League’s #DataInsecurity Project, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after security patches are applied—and how they can protect themselves in the future.

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits, in short, can allow a hacker to obtain unauthorized access to privileged information. And while patches have been released alongside each exploit, they have led to a decrease in computer speed and performance—as much as 40 percent according to some reports. In addition, the patch is only good until the next exploit is discovered.

The flaws create a real challenge for consumers: apply each temporary “fix” as new exploits are discovered and risk slowing down your device, or don’t and put your sensitive information at risk. And consumers who apply patches remain at the mercy of companies that hold their sensitive data and are faced with a similar dilemma, particularly as they must consider the expenses of implementing these fixes—including costs to add computing power lost by each patch.

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, this is not practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills, such as the Consumer Privacy Protection Act of 2017, which would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

As we mark this year’s National Cybersecurity Awareness Month, we should certainly celebrate the progress that we have made. We cannot lose sight, however, of the need to better secure our information and systems moving forward. Awareness and smart data hygiene by consumers is one part. Companies must do their part to secure our information as well.

If you are interested in learning more, you can find NCL’s latest report here.

NCL #DataInsecurity Project – National Consumers League

NCL recently debuted the first issue of The #DataInsecurity Digest, a twice monthly publication curated by NCL’s own John Breyault, to deliver important consumer-focused data security news, policy and news analysis, and information about upcoming events directly to your inbox. Click here to subscribe.

In 2013, there were 614 data breaches that led to more than 550 million identities compromised. New data breaches mean more identity theft and other fraud, and more consumers facing financial loss, great inconvenience, and a loss of trust in the marketplace. That is why NCL is working on the #DataInsecurity Project — to raise awareness about the need for reforms aimed at better protecting consumer data.

https://www.youtube.com/watch?v=z6GD9UNbgAs&list=UUXfyCJGEBaMOTcf5l7W_GTg

Data breaches impact consumers, credit unions, banks, and retailers. Last December, the retail giant Target suffered a massive data breach that made national headlines. In the breach, as many as 110 million identities were compromised.

Take a look at the impact of just this single incident:

  • $200 million: the cost to credit unions and community banks for reissuing 21.8 million credit and debit cards
  • 1-3 million: the estimated number of cards stolen in the Target breach that were sold on the black market and successfully used to commit fraud
  • $18-35.70: the price per card stolen from Target and resold on the black market in the months after the breach

Shocking as these numbers are, they represent the fallout from just a single data breach. Data breaches are happening with frightening regularity.

Malicious hackers are going to continue to exploit existing weaknesses, and many businesses lack the incentive or ability to adequately protect their customer data against evolving threats. That is why NCL believes that consumers need to be proactive about protecting their own data and calling on policymakers for improvements.

The current landscape of protection for consumer data is woefully inadequate.

NCL’s #DataInsecurity Project is calling for reforms such as:

  • Creating a national data breach notification standard, modeled on strong state protections such as California’s;
  • Requiring businesses that maintain consumers’ personal data to protect that information via specific data security requirements;
  • Giving the Federal Trade Commission and state Attorneys General civil penalty authority to enforce violations of data security requirements;
  • Increasing civil and criminal penalties for malicious hacking;
  • Increasing efforts to enhance cooperation with international partners to bring overseas hackers to justice; and
  • Requiring retailers and banks to implement the highest level of security available to protect consumers’ payment data.

To promote these goals, NCL is taking its #DataInsecurity Project on the road to four states across the country, to meet with policymakers, industry experts, consumer advocates, law enforcement officials, and members of the academic and business community. The tour is designed to raise awareness about the frequency of data breaches and to encourage the adoption of comprehensive reforms so that consumers can be better protected.

As a part of the #DataInsecurity Project, NCL has also unveiled important new research by Javelin Strategy & Research investigating the impact of data breaches on consumer trust, on who consumers feel should be responsible for their data, and on current responses to data breaches. Check out NCL’s survey report.

You can get involved!

Help us send the message that the time for reform is now! Sign our petition to the White House calling on policymakers to step up and protect consumers’ data.

 

How many straws until the camel’s back is broken on data breaches? – National Consumers League

John Breyault

Another day, another data breach. The data breach roulette wheel this time landed on health insurer CareFirst. Who loses? The 1.1 million consumers whose names, birth dates, email addresses and CareFirst subscriber ID numbers are now in the hands of cyber crooks.

First things first, what’s the risk to consumers? The most likely effect is that consumers affected by the breach may be on the receiving end of convincing-looking phishing emails. These attacks are designed to trick consumers into clicking on links or attachments that install malware or send users to phishing websites. The phishing emails (and possible telephone calls) are likely to reference CareFirst in some way, and may even masquerade as notifications about the breach itself.

Bottom line: If you are a CareFirst customer, the first place you should be going to get reliable information about the breach and what CareFirst is doing about it is www.carefirstanswers.com. The website has been set up by CareFirst to give affected customers up-to-date information about the breach and what steps they can take to mitigate their risk, including taking advantage of free credit monitoring and identity theft protection CareFirst is offering via Experian.

With that out of the way, there are a number of key questions that regulators, legislators and advocates should be asking in the coming days and weeks.

First, why are health insurers being targeted? CareFirst is the third major health insurer to disclose a breach in the past six months. There are troubling signs that the breaches at Anthem in February, Premera in March and now CareFirst are part of a coordinated attack on U.S. health insurers, possibly by state-sponsored hackers. Regardless of the origin of the hack, it’s clear that medical information is especially lucrative for thieves. According to cybersecurity experts, stolen medical info is worth 10-20 times more than stolen credit or debit card data on the cyber black market. With 2.3 million Americans falling victim to medical identity theft in 2014, it’s not hard to see why medical information presents such an attractive target to cybercriminals.

Second, why did it take 10 months to notify consumers? According to CareFirst, the intrusion into their network was first detected in June 2014 and “immediate action” was taken to contain the threat. However, it was not until April 2015 that the company discovered that the crooks had exfiltrated data from their systems. With nearly 10 months’ lead time, cybercrooks had ample time to create mischief with the stolen data before CareFirst notified consumers. Why did it take so long to find out that data was actually lost?

Finally, would more stringent data security standards or data breach notification laws have reduced the risk of this breach? There is no way to make a system 100% safe from hacking. However, far too many companies only invest significant resources in protecting their customers’ data after a hack, not before. This leaves millions of consumers at risk of breach-fueled fraud as companies elect to invest elsewhere while they wait for a hack to force them to spend on data security. What kind of incentives and/or penalties should Congress and the Executive Branch consider to shift the cost/benefit equation for companies towards spending on data protection before a breach? NCL’s 2015 Data Security Agenda is a good roadmap for policymakers looking for consumer-friendly answers to these important questions.

The CareFirst breach is yet another straw on the pile of reasons why consumers can’t wait on businesses to take care of the data security problem on their own. It’s time for leaders in Washington to step up and pass real data security reform before the next straw breaks the camel’s — and our — backs. In the meantime, here are tips consumers can use to reduce the risk of identity theft.

Bravo! FTC’s “Start With Security” initiative announces seminar on data security – National Consumers League

Federal Trade Commission Chairwoman Edith Ramirez this morning announced the next step in the FTC’s efforts to craft data security guidelines for businesses. As part of its “Start with Security” program, originally unveiled in March, the Commission will hold an initiative at the University of California on September 9. This follows on the heels of the February 13 Summit on Cybersecurity and Consumer Protection at Stanford University. NCL has long advocated for the FTC to take a leadership role in the federal government on data security and is very pleased about this announcement. We applaud the FTC for taking this step to improve data security and help businesses protect consumers.

While details of the September meeting aren’t yet fully known, we do know a few things about the Commission’s “Start with Security” program. At the IAPP summit in March, FTC Bureau of Consumer Protection Director said that the program’s goal is to provide businesses with resources, education and guidance on data security. Chairwoman Ramirez (who NCL will be honoring in October, incidentally) elaborated on this theme, stating that the initiative will be aimed at bringing together experts on data security to share best practices, particularly for small and medium-sized businesses.

The focus on data security at small-to-medium sized businesses is a logical choice for the agency. Its ongoing legal tussle with Atlanta-based LabMD illustrates challenges the Commission faces as it seeks to enforce data security obligations on small businesses. Such entities are often ill-equipped to adequately protect the growing amounts of sensitive personal information they are collecting. This is an incredibly important issue. As NCL’s #DataInsecurity Report found, nearly 6 in 10 data breach victims indicated that their trust in retailers decreased following a breach. For a small business struggling to stay afloat, losing the confidence of customers due to a data breach can mean the difference between keeping the lights on and a “closed” sign on the front door.

So what can the Commission hope to accomplish at its September meeting? In the interests of promoting consumer data security, we propose that the meeting agenda cover some basic data security policy topics, such as:

  • Is there a sufficient flow of information and best practices on breach trends, emerging threats from hackers, etc. being shared by the FTC with businesses that are entrusted to store consumer data? If not, how can this improve?
  • The Online Trust Alliance estimated that 90% of data breaches in 2014 could have been prevented if basic security measures had been taken. With this in mind, how can businesses be incentivized to make sure they are taking the basic steps to protect their data?
  • Small and medium-sized businesses often lack the budget and/or expertise to craft robust data security protections, yet they are increasingly collecting large amounts of sensitive data about their customers. What requirements should be placed on a pizza parlor, for example, when it comes to data security?
  • We often hear that it’s not “if,” it’s “when” when it comes to data breaches at businesses. However, it seems that businesses, particularly small-to-medium sized businesses, aren’t prepared to protect against the data breach threat. Is this accurate? If so, what can the FTC do to change that mindset?
  • Government data security mandates can only do so much to create a climate where data security is taken seriously by business. What flexible, market-based incentives exist to promote data security? Is cyber-insurance the answer?
  • There is no shortage of cybersecurity firms offering high-priced solutions to small-to-medium sized businesses. Are there free or low-cost solutions that businesses can take today that will measurably reduce their data security risks (e.g. enable multi-factor authentication, create stronger passwords, encrypt sensitive data)?

The “Start With Security” initiative is a good opportunity for the FTC to promote solutions that businesses can take to reduce their data security risk. However, absent reforms in Congress to tackle tough issues like data breach notification and a comprehensive data security standard, education can only do so much. We hope that the Commission will use the September 9 forum to highlight the impact that breaches continue to have on consumers and businesses and to push Congress to pass real data security reforms.