One frosty morning in December, my business partner stopped to put gas in the company van, and he ran into an unexpected snag. His credit card was refused at the pump, and no amount of re-tries could convince the pump that it should stop being obstinate and just take his word for it that the card was OK. Checking the card info later on the interwebs revealed that his card no longer existed. Just like an unpleasant magic act, his card number had gone *poof* and vanished.
A follow-up call to the card company revealed that the cause of the problem was that one of our vendors (they refused to say which one) had suffered a data breach, our card info was compromised, and to protect us (Yay for being protected!) they had killed his card and mailed him a new one, which would arrive in seven to 10 days (Boo for being without a company card for a week or more!).
We were not actually without a card, because we have multiple company cards, so we just moved one of the other cards into his use until the other one arrives, like a knight in shining plastic, to restore our vendor buying power. Of course, there’s still a lot of inconvenience on our end. The temporary moment of no-card freakout aside, we also have that card on file with some vendors, so now we’ll place orders, and then have to see which orders get a return call for a new number, and those orders will be delayed until the new info gets into place.
Any way you slice it, it’s a hassle. No vendor has given us a courtesy call so far to let us know how serious the breach was, or if it impacted us, so we may never know who interrupted our pre-Christmas sales flow with this unwelcome event.
All of our in-store efforts at data security don’t protect us from breaches in other locations. Vendors, and anyone else to whom we give our card number, can suffer a breach that negatively influences us. Despite data security being a hot topic with high-level management, and despite assurances from information technology departments that the networks and servers are secure, the reality is that things may not be as secure as we are being led to believe.
One of my best friends worked as a white-hat hacker for several years. Yes, this job exists, and it’s even legal. A white-hat hacking company is employed by a business to test the integrity of its data security. A hacker gets paid by the customer (e.g., Target) to try and break into the company servers, and if successful, they leave a calling card, a small file that basically says the modern equivalent of “Kilroy Was Here.” This proves to the customer that the hacker got in. The hacker then writes a report that outlines for the customer how they got in, and the steps the IT guys need to take to keep him (and others) out.
I asked my friend how often they were successful in getting in. Without pause, he said, “100 percent of the time.” He then explained that part of his contract required him to penetrate the same servers three months after delivering the report, and almost all of those penetrations were successful.
It seems some IT departments may not be fixing the known vulnerabilities that are exposed in the hacker’s report. While we could spend the rest of our week speculating as to the whys of these puzzling failures to implement corrective action, it would serve no practical purpose, so instead let’s look at what we can do to keep ourselves safe from the laxity of others.
Have multiple credit cards. They can even be on the same account with the same card company, since my card still works fine even after my partner’s card died an early death. You don’t have to pass those extra cards out to your manager or someone else, but make sure they are activated and held somewhere safe. If your card goes *poof* unexpectedly, you can switch to another card and carry on with only minor inconveniences.
Never use a personal card for business reasons, if you can avoid it. Your personal card probably has your Social Security number tied to it somewhere, and if it gets compromised, your personal identity risk could soar. Your business card probably has only your business employer ID number (EIN) tied to it, and that’s much safer to have out there than a card with your personal data attached.
A little closer to home, make it as difficult as possible for a hacker to use a password from one compromised site to access other sites that haven’t been compromised. The simplest way to do that is to never re-use a password. Yes, that sounds inconvenient, but there’s a way to do it that makes it a lot easier than it sounds. It’s pretty easy to use a new password for each online account. Remembering that password is the hard part, so don’t try to remember it.
Instead, record that password in a file of some sort (e.g., Excel, OpenOffice, etc.), and encrypt the file. Use a tremendously long password to encrypt the file. I’d define “tremendously long” as 20 characters or more, with a mix of letters and numbers.
Instead of writing down that password, just remember it. It will be the only password you have to remember. (I can hear you, so stop it. You’re muttering “Stupid dunderhead, I’ll never remember a 20-plus character password, so stop spouting off about bogus stuff nobody can do.” OK, maybe you used some word other than “dunderhead,” but I figure the sentiment is the same).
There’s an easy way to remember a 20-character password, and here it is: Use an acronym of some song or poem you have memorized. For example, let’s say you know the “Star Spangled Banner” by heart. You can now make your encryption password this: OSCYSBTDELWSPWHATTLG. That’s the acronym of the first 20 words of that song. To add a seemingly random number, let’s use the year the song was written, 1814. Now the password is 18OSCYSBTDELWSPWHATTLG14. If you want more security, add some random ASCII characters or punctuation.
The chance of anyone (or any machine) coming up with that easy-to-remember combination through random attempts is probably close to zilch. But, because you know one date and can sing that in your head, you can always open your encrypted file and easily retrieve or change a password. I wouldn’t use that exact password now that it’s in print, but there are hundreds of songs and poems you know by heart. “Charge of the Light Brigade,” “Happy Birthday To You” and “Don’t Eat the Yellow Snow” spring to mind. Come up with one you can remember, add some easy numbers and you’re ready for better peace of mind.
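The recipe above (initials of the first 20 words, year split around them) written out as a small Python script, plus a rough brute-force size estimate so you can see why the length matters. This is an added example, not code from the column; the `guess_bits` figure is an upper bound, since a famous lyric is not truly random.

```python
import math
import string


def acronym_passphrase(lyric: str, year: int, words: int = 20) -> str:
    """Build a passphrase the way the column describes: take the first
    letter of the first `words` words of a memorized line, upper-case
    them, then put the first two digits of a year in front and the last
    two digits behind.  The column's own example is the first 20 words
    of the Star-Spangled Banner plus 1814 -> 18OSCYSBTDELWSPWHATTLG14."""
    tokens = lyric.split()
    if len(tokens) < words:
        raise ValueError(f"need at least {words} words, got {len(tokens)}")
    initials = "".join(w[0].upper() for w in tokens[:words])
    y = f"{year:04d}"
    return y[:2] + initials + y[2:]


def guess_bits(password: str) -> float:
    """Rough upper bound on the search space a brute-force guesser faces,
    counting only the character classes the password actually uses.
    Treat it as a ceiling: an acronym of a well-known song is less random
    than the same number of coin flips, which is why the column suggests
    adding punctuation or other characters on top."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


# Constructed input: the opening line of the song the column cites.
BANNER = ("O say can you see by the dawn's early light what so proudly "
          "we hailed at the twilight's last gleaming whose broad stripes")

if __name__ == "__main__":
    pw = acronym_passphrase(BANNER, 1814)
    print(pw, "~", round(guess_bits(pw), 1), "bits")
    print("8 lowercase letters: ~", round(guess_bits("password"), 1), "bits")
```

Running it reproduces the column's 24-character example and shows roughly 124 bits of search space against under 40 for an eight-letter lowercase word.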
Honestly, if someone wants your data badly enough, they’ll probably get it, but the harder you make it to get, the more likely it is they’ll give up and try to hack someone else. Happy trails…
(Disclaimer: I am not a data security expert. The ideas and methods described above are from my personal experience, and I make no warranty on anything I said here. These things have worked for me, but if you plan to adopt some of these ideas, run them by your own data security professional in advance.)
To read more “In the Trenches” columns by Allen McBroom, click here.