The currency of the Internet today is not Bitcoin, it is not the dozens of “wallet” products used to buy products, and it is not even the “accounts” that have to be set up and loaded from a credit card to make purchases on the never-ending stream of “stores” such as those from Apple, Google, Microsoft, Samsung, et al.
No, the real currency of the Internet is your personal data. With your data file from any of dozens of sources, hackers are able to order products and services without your knowledge.
How much is this data worth? Over a year and a half ago, Krebs on Security noted (http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/) that “One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.”
The price has gone up since, and the FBI noted last September (http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924) that the highest prices today are going for medical records, which can be used to purchase medical equipment and pharmaceuticals.
While most companies make at least a token effort to protect this data, a new scam has emerged to collect your personal data and place it outside of that security zone – the satisfaction survey. It seems that you can’t buy a product, visit a web site, ask for tech support or chat with an agent without immediately being asked to fill out a survey as to how satisfied you were with the transaction.
Are the surveys real? As John Wayne used to mutter in the movie Big Jake, “Not Hardly.”
Read the questions. The surveys are simple-minded, condescending and of little value to any real management or marketing department. Their intent is less to learn about the transaction experience than to gather personal data in a venue that is not protected by law or regulation.
Sadly, some unscrupulous companies make the process even easier by rolling up these data accounts into a package and selling them to hackers. A nice revenue boost for these companies, with only a minimal chance of being caught – including the US Government (see http://spectator.org/blog/61562/healthcaregov-sells-your-personal-data-basically-everyone).
So how do we stop this continuing cycle of data theft or acquisition/identity theft/ruined lives? It’s easy, and takes only three small steps:
- Make companies liable for the financial consequences of their poor or greedy data policies. If the company causes my house to be robbed of its value, or my retirement and bank accounts to be plundered, they should have to compensate that loss. That won’t ever happen, because Congress does not have the guts to propose, much less pass, such a law. But it would virtually stop identity theft overnight.
- Get rid of the magnetic strip on the back of all credit and debit cards. There are more secure ways of encapsulating that data that are already in use by the rest of the world. The US does not use these methods because they would have to pay for the overhaul of their security systems. Again, greed conquers consumer interests.
- Apply the death penalty to identity theft. Today, identity theft is not taken seriously – you’ll get a light or non-existent sentence. In my grandfather’s day, a person who ruined your life for their own financial gain would be hunted down and killed. In my mind, this is not a bad model. As they used to say, “We’ll give them a fair trial and then hang them.”
Because identity theft is still a relatively small problem, affecting, at most, less than 0.0001 percent of the population, we are still not taking it seriously.
After all, this is the currency of today’s Internet, and the problem is growing.