Worldwide stock markets recently took a dive, some losing as much as 8 percent of their value overnight. Experts mostly blame the drop on loss of investor confidence rather than any underlying long-term problem. Confidence plays such a huge role in business and, indeed, in the whole global economy. That’s understandable, given that we’re still living in the shadow of specters such as Enron, WorldCom and a host of other companies that were perched on a house of cards. People are still jittery when a problem comes to light.
This topic came to mind recently as I talked with an IT security expert. We discussed the vulnerability of sensitive information, IT systems and transactions over the Internet. In recent years, there have been a few high-profile incidents of security breaches that have rattled people’s nerves. This expert believes, however, that it’s only a matter of time before a major IT security incident completely undermines the confidence of consumers, business users and ultimately investors.
If there is a poster child for security breaches, it’s ChoicePoint, the broker that obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers and credit histories. In 2004, ChoicePoint revealed that it had inadvertently sold data on 163,000 consumers to entities that had provided false credentials — a red flag for any business. As a result of this incident, more than 800 cases of identity theft were reported. In a matter of weeks, ChoicePoint’s stock lost 22 percent of its value. Not just investors but the public in general was stunned by such a huge blunder by a company whose primary asset was extremely sensitive data.
The ChoicePoint situation was not a failure of information technology, but of processes and procedures meant to safeguard the data in the company’s possession. To the public, however, the perception is that the private data was not properly protected by IT. It is, in effect, a persecution of information systems — a loss of confidence, to the point where consumers now believe their digital data is inherently unsafe, no matter where it resides and who is caring for it.
The criminals who obtained the ChoicePoint data used fairly mundane methods to collect their prize; they simply lied about who they were. But evidence is mounting that cybercriminals are becoming increasingly sophisticated in the way they exploit weaknesses in IT security to obtain useful data illicitly. What’s worse, we may never know it is happening until too late.
One common scheme to intercept data is called man-in-the-middle, where a thief collects information in transit from one entity to another, say between a consumer and his online bank. Criminals can buy an inexpensive toolkit to set up sophisticated man-in-the-middle phishing attacks with little effort. In fact, there is evidence that organized criminals are using the toolkit to siphon money from online transactions. This certainly makes me nervous about paying bills or making a purchase over the Internet, and I’m not alone. A March 2007 study conducted by Javelin Strategy & Research on behalf of security vendor TriCipher concluded that 88 million people would be likely to decrease their use of online banking or switch banks if it came to light that their own bank had been involved in a serious data breach. Count me among them.
According to Symantec, organized cybercrime groups now control millions of compromised bot PCs and servers. These devices could be used surreptitiously to execute man-in-the-middle schemes on millions of accounts worldwide. Could this be the big breach my security-expert friend fears? We may not know until it happens — if it ever does.
Like the nervous investors who suddenly pulled out of the stock markets, we could see consumers pull back from all of the many Web applications that have been built in the last decade if they even think danger lurks online. As for me, I think I’ll order some paper checks and buy stamps just in case.