-=PCTechTalk=- Re: PSA

  • From: <recklessmaverick@xxxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Sun, 10 Apr 2011 17:45:47 -0400

Suggestions

1.  Never reply to or click a link in a message from your bank, credit card
or any business that will involve any type of financial data input from you.
Legitimate emails will never ask for that type of data.  See #4 below.

2.  When shopping or banking online always type the address into the
browser, never follow a link.

3.  Do not hesitate to call or visit your local bank or store to confirm the
email is valid, but do not use phone numbers in the email.

4.  Remember that no bank, credit card or business will ever solicit names,
account numbers, passwords or other personal data in an email.  Typically
they will ask you to call, visit an office or log onto your account without
providing a phone number or a link.

5.  ALWAYS be suspicious.

If you get shopping alerts from JC Penney, Walmart, Amazon, or similar it is
probably ok to click on and visit the ads they send you.  However, log off,
then type in the store's address and log in to their secure server before you
start buying and providing private information.

Don


-----Original Message-----
From: pctechtalk-bounce@xxxxxxxxxxxxx
[mailto:pctechtalk-bounce@xxxxxxxxxxxxx] On Behalf Of Larry Southerland
Sent: Sunday, April 10, 2011 5:17 PM
To: the_bullhorn2@xxxxxxxxxxxxxxx; thebullhornsbest@xxxxxxxxxxxxxxx;
Puters_N_Such@xxxxxxxxxxxxxxx
Subject: -=PCTechTalk=- PSA


Epsilon Helps Mug You at Home


By Mark Gibbs <http://www.pcworld.com/author/Mark%20Gibbs>, NetworkWorld
<http://www.nwfusion.com/>, Apr 8, 2011 5:15 pm

It is one thing to be out on the street and randomly mugged, but quite
another to have someone follow you home, trick you into letting them into
your house, and then being robbed in your own living room.

'We regret to inform you': The Epsilon breach letters you don't want to see
<http://www.networkworld.com/news/2011/040511-epsilon-letters.html>

Equally it is one thing to be phished frequently but quite another to be
spearphished just as often.

We all know phishing is an email message sent by some miscreant that appears
to be from an entity you recognize. The goal is to persuade you to reveal
personal details such as an account login or your Social Security number.
Spearphishing is much the same except the miscreant has some knowledge about
you and your relationship with the entity the message claims to be from,
which improves the chances you will believe the ploy.

While phishing is quite common -- the U.S. Computer Emergency Readiness
Team (US-CERT <http://www.us-cert.gov/>) estimates that 53% of all security
incidents in 2010 involved phishing or spearphishing -- spearphishing is
less so.

That was until now. In the near future you can expect spearphishing to
become very commonplace thanks to a company you probably never heard of
until this week: Epsilon <http://www.epsilon.com/>, a division of another
company most of you will know nothing about, Alliance Data
<http://www.alliancedata.com/>.

According to Wikipedia, Epsilon provides "database marketing, direct mail,
email marketing, Web development, loyalty programs, analytics, data
services, and strategic consulting" for over 2,500 clients, including
1-800-Flowers, Best Buy, Capital One, Citi, JCrew, Target, TD Waterhouse,
TiVo, Verizon, Victoria's Secret and Walgreens.

Until March 30 this year, Epsilon was highly respected in its industry with
Ad Age <http://adage.com/>  ranking the company among the top marketing
services firms and direct marketing agencies in 2006, 2007, 2008, 2009 and
2010.

That respect is now history because, as if to jump the gun on a particularly
unfunny April Fool's Day joke, Epsilon suffered a data security breach of
biblical proportions: More than 50 companies are now known to have had their
customer email lists swiped by hackers and the final total of customer
records involved will be in the upper tens of millions.

Epsilon's site somewhat explains the breach
<http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3>:

IRVING, TEXAS - April 1, 2011 - On March 30th, an incident was detected
where a subset of Epsilon clients' customer data were exposed by an
unauthorized entry into Epsilon's email system. The information that was
obtained was limited to email addresses and/or customer names only. A
rigorous assessment determined that no other personal identifiable
information associated with those names was at risk. A full investigation is
currently underway.

The company noted that the "subset" was "approximately 2% of total clients
and are a subset of clients for which Epsilon provides email services."

It is amusing to note that Epsilon's tag line is, ironically, "Marketing as
usual. Not a chance." Indeed.

What's interesting is to watch the ripples since the announcement. Every day
since the breach one or two new companies announce that their customers are
vulnerable. So far it appears to be true that all that was stolen are lists
of customer names and email addresses, but losing that huge amount of data
is extremely serious.

For some companies, there's a real risk that gullible staff will receive
bogus emails that they will believe and act upon without much thought. For
example, while not related to this Epsilon fiasco, consider how the
publishing house Conde Nast was tricked into paying nearly $8 million
<http://consumerist.com/2011/04/conde-nast-sends-8-million-to-e-mail-scammers-instead-of-printing-company.html>
to a scammer because of what was, in effect, a successful spearphishing
attempt.

While the corporate impact could be significant, the biggest risk is to
consumers. Once the relationship between a brand and a consumer is
established, the consumer's guard is down and even sophisticated Internet
users can click on what seems to be a valid, safe link in a message from
their bank or their favorite retailer and be exposed to malware or land on a
bogus Web page that attempts to glean their personal details.

In short, this is a security problem on a scale that I think exceeds the
Comodo hack I discussed last week
<http://www.networkworld.com/columnists/2011/040411-backspin.html>  because
it is far more diffuse and far more pernicious. It also, potentially, has
far greater total financial consequences.

So now we come to the big question: What can you do? In your organization,
you need to circulate a memo, ideally from the CEO, warning users to be
critical and discerning about messages they receive from any organization
and how they should act on them. And when it comes to your family and
friends, take the time to explain the issues simply and in detail.

You might point both groups to the Network World article "Five tips to avoid
getting phished
<http://www.networkworld.com/news/2011/040711-five-tips-to-avoid-getting.html?hpg1=bn>",
but you'll probably have to explain the details as there's a lot to
understand.

The bigger issue is what are companies who use Internet email marketing
going to do? We, their customers, can no longer trust their messages because
the effort it takes to ensure that each email link is valid will be
enormous.

Imagine a hacker with Citi's email database sending out, say, 1,000,000
messages that confirm a fake password reset or a fake financial transaction
and just 0.1% of the recipients get "taken". That's 1,000 accounts that
could be compromised.

Say half of those are successful for an average of $5,000 per account;
that's $2.5 million! Do you think that's a worthwhile effort for a hacker to
send out a few emails? How about half of that? Or even a quarter? A thousand
here, a thousand there and soon you're talking real money.

I have no idea what the answer to this enormous problem might be but I know
that it is a problem on a scale we've never seen before and until it is
solved, we're going to see the cost of fraud escalate dramatically. And who
will wind up footing the bill? You guessed it: Consumers.

So until there's a viable, globally applicable, and effective solution,
brace yourself because the SNAFU at Epsilon will be repeated over and over
and it will be like being followed home and being robbed over and over again
in your own living room.

Worse still, not only will you be robbed by the bad guys, you'll pay for it
through increased bank fees. That will be like getting robbed twice.

Gibbs is hunkered down in Ventura, Calif. Outline your defenses to
backspin@xxxxxxxxxx

For more information about enterprise networking, go to NetworkWorld
<http://www.networkworld.com/> . Story copyright 2011 Network World Inc. All
rights reserved.


Your friend,


Larry
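Don's rule 2 and the article's point about "what seems to be a valid, safe link" come down to one check: does the link actually go where it appears to go, and to the brand's own domain? Below is an added example, not code from the thread, from Epsilon or from Network World, that audits the links in an HTML e-mail against the expected sender domain. The message, the domains (example-store.test, account-verify.example, 198.51.100.7) and the helper names are all constructed for this example.

```python
"""
Audit the links in an HTML e-mail against the brand's known domain.
Added example for this thread; the sample message and every domain in it
are constructed (hypothetical), not taken from any real notice.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "password reset" notice that claims to come from a
# retailer but links elsewhere. Hypothetical domains, not real sites.
SAMPLE_EMAIL = """\
From: Example Store <alerts@example-store.test>
To: customer@example.net
Subject: Confirm your password reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>We reset your password. Please
<a href="http://example-store.test.account-verify.example/login">confirm here</a>
or visit <a href="https://www.example-store.test/help">our help page</a>.</p>
<p>Billing: <a href="https://example-store.test@198.51.100.7/pay">https://example-store.test/pay</a></p>
</body></html>
"""

# Visible anchor text that itself looks like a URL or hostname.
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname the browser would actually connect to."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_under(host, domain):
    """True only if host is domain or a subdomain of it; a host that merely
    starts with the brand name (brand.test.evil.example) does not qualify."""
    return host == domain or host.endswith("." + domain)


def audit_links(raw_email, expected_domain):
    """Return (href, reason) findings for every link that should not be clicked."""
    msg = message_from_string(raw_email)
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if urlparse(href).username is not None:
            # "https://brand.test@1.2.3.4/" connects to 1.2.3.4; the brand is userinfo.
            findings.append((href, "userinfo before the host hides the real destination"))
        elif not is_under(host, expected_domain):
            findings.append((href, f"link goes to {host}, not {expected_domain}"))
        # Visible text naming one host while the href goes to another is classic bait.
        if _LOOKS_LIKE_URL.fullmatch(text) and host_of(text) != host:
            findings.append((href, f"visible text says {host_of(text)} but href goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL, "example-store.test"):
        print(f"DO NOT CLICK {href}: {reason}")
```

Of the three links in the sample, only the one under www.example-store.test passes; the "confirm here" link is flagged because its host merely begins with the brand name, and the billing link is flagged twice, once for the userinfo trick and once because the text and the href name different hosts. The same logic can run inside a mail filter, but the consumer-side lesson is the one Don gives: don't click, type the address.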
