Showing posts with label Information Security. Show all posts

Thursday, May 22, 2014

Bad Customer Service vs. Data Breaches: Competing for "Best Way to Lose Customers" Award

So which is worse: bad customer service or a data breach? Well, when it comes to brand reputation and customer loss rate, they may be equivalent.

Customer service has always been a sticking point for brands. After all, a bad in-store or phone experience with a company can send customers heading for the door, never to be heard from again. Environmental disasters also still rank high on the list of reasons customers may consider discontinuing their loyalty to a brand or company (think Exxon Mobil or BP). Yet, according to a recent study by the Ponemon Institute, customers now rate data breaches right along with customer service and environmental disasters as a major reason to ditch a company and run into the loving arms of its competitors.

It was really bound to happen, if you think about it. With the increase in highly publicized data breaches in recent years (think Target a few months ago and eBay getting headlines today), customers are beginning to sit up and take notice. After all, the threat of identity theft promises much worse consequences than a bad experience with a rude customer service rep, and it hits much closer to home than an oil spill hundreds of miles away.

The average American consumer understands the long-lasting and potentially devastating effects of a breach of their personal information. According to the study, “prior to having their personal information lost or stolen, 24 percent of respondents (customers) said they were extremely or very concerned about becoming a victim of identity theft. Following the data breach, this concern increased to 45 percent, Ponemon says. Almost half of respondents feel their identity is at risk for years or forever.”

Thursday, April 24, 2014

Are Buzzfeed Quizzes Lowering our Defenses?

So I’ve been toying with shutting down my Facebook account again—mainly because it gets on my nerves. The simple act of scrolling through the posts each morning has reached a ratio of 20% pleasurable and 80% grind. One reason? Buzzfeed quizzes.

Oh, Buzzfeed quizzes. Zimbio quizzes. Shudder.

To be fair, I’ve taken my share. The nerd gene in me just has to know what character I most identify with in every Joss Whedon universe. And while I rarely share my results (because that’s pretty annoying), I have started to wonder about some inherent dangers in the culture of quiz taking.

So, I spent a little time on “Internet research” yesterday (read: surfing the web). I wanted to see if I could find any hard and fast evidence that the data in Buzzfeed quizzes was dangerous. Do they harbor malware? Are they used for phishing purposes? Are there records of any data breaches that stemmed from a Buzzfeed quiz?

Not really. Although it would be a pretty clever ruse for social engineers, it appears that the quizzes are fairly harmless. The danger, it seems, lies more in the attitude and culture behind these personality tests. So many of my “friends” (ok, friended acquaintances) rant regularly about the dangers of Facebook privacy settings. They have a real “Big Brother is watching” or “Everyone is out to get my personal information” complex. But these folks may be the very same ones who will readily answer personal question after personal question in a Buzzfeed quiz and then share the answers with anyone who scrolls past their profile.

Jordan Shapiro hit the nail on the head for me in an article this past January.

“Why is it that when it comes to novelty quizzes, we enjoy being analyzed by simple algorithms that divide and reduce us into a limited number of determinate categories, but when it comes to Google and the NSA we’re terrified of the same thing?”

Personal information is personal information, whether it is stolen from us by a social engineer, secretly gathered by the NSA, or voluntarily offered through an online personality quiz.

We seem to have developed an almost desperate need to share our opinions or facts about ourselves in an effort to identify with a larger group of like-minded people. Go ahead and admit it. You feel good when your poll answer is the most popular. The appeal of belonging has made many of us irresponsible—and irresponsible Internet users can be easily lured out of their comfort zones and into a trap.

While the danger may not come directly from an online quiz, click-happy Internet users are bound to slip up in other areas. And the more comfortable we become with oversharing, the more likely we are to find ourselves victims of social engineering scams or identity theft.

“Well, but…what difference does it make?” you say. “It’s not like they’re asking for my social security number. The results are all made up.” OK, that’s true. There is no proven rubric designed to accurately determine which superpower you should have, or whether or not you would in fact die of dysentery on the Oregon Trail. Yet, that does not mean the questions have no value to someone.

“We brush them off as ‘merely entertainment,’ forgetting that by participating–through the act of clicking–we’ve once again provided Google with a plethora of personality data that is forever stored in our file,” says Shapiro.

In fact, some limited evidence suggests that quiz and Internet poll builders may be inserting more probing questions into harmless entertainment quizzes to get an idea of who you are, how you behave, or even what you might choose to buy. Lee Munson at BH Consulting gave his take on it in this week's Security Watch blog on oversharing. 

“…in a few instances the polls can pose some more serious questions…sometimes some of the sneakier sites on the web will even make completion of the poll mandatory in order to proceed onto your ultimate aim of, say, reading a particular news story. Such polls may not demand your name and address but they do drift roughly into areas of personally identifiable information.”

He also offered a bit of sound advice.

“If you share information you need to be alert. Even if you are divulging personal information within an environment in which you feel safe, you need to be certain that the audience is the one you expect. I myself have a few friends who have completed polls on Facebook only to later discover that they actually handed all that info to a third party unawares.”

It may be time to find new ways to entertain ourselves rather than buying in to a culture of irresponsible clicking and mindless answering. While I may never know which Twin Peaks character I am or how well I know the movie ‘Clueless,’ at least no one else will either.


Thursday, April 10, 2014

More Hooks in the Water: Spearphishing Up 91%

This just in from Symantec: spearphishing increased 91% in 2013.

Here’s why: it still works. Even though security awareness training and a constant stream of worrisome news stories may be improving the average employee’s click-through rate on run-of-the-mill phishing emails, social engineers still know just how to pinpoint the areas that will lower even a seasoned email user’s defenses. That’s just what spearphishing is: targeted attacks that are hand-crafted to startle or scare an employee into making a bad decision—usually clicking an embedded link that routes to a fraudulent website prepared to collect personal information.

According to Symantec, two of the most common words in last year’s string of emails were “order” and “payment.” In our experience, words like “benefits,” “payroll,” “cancelled,” and “dropped” also do the trick.

Tuesday, April 1, 2014

Why April Fool's Day is NOT the Most Dangerous Day on the Internet

Ah, April Fool’s Day. A day of too-good-to-be true deals, too awful-to-be-true news stories, and more fake pregnancies in my social media stream than I care to shake a stick at.

It’s the one day of the year that I avoid Facebook like the plague.

It’s not that I don’t appreciate a good joke. I mean, I love a good food-that-looks-like-another-food joke (mashed potato cupcakes, anyone?). But on the Internet, April Fool’s feels different. To me, it’s symptomatic of a bigger problem: folks are still not skeptical enough—and every April Fool’s Day reminds me of this fact.

Watching people “fall for it” over and over again—reposting “Baby Born with Three Heads!” or signing up for any website that promises a free iPad—upsets me. And not just because it makes them look dumb.

Of course, as Caitlin Dewey mentions in this Washington Post article, most of the stuff on Facebook or Twitter that people compulsively repost or retweet is harmless. No, Denzel Washington did not die from a heart attack. And no, they have still not found that Malaysian airplane.

Sigh.

But, here’s the kicker: “On the Internet, every day is April Fool’s Day,” and everything out there is not harmless. Our need for a wary eye should not be limited to one day a year, and every web user needs to develop a habit of checking before we click suspicious links or view suspicious pages.

For example, “a number of Web sites that propagate fake stories — including Mediamass or the dubious News-Hound.org profit from display ads when their frauds go viral. Others redirect to phishing sites that attempt to draw out the gullible clicker’s e-mail address and personal information,” says Dewey.

Also, according to this recent list of the seven security trends that may affect your business, 1) phishing is only going to get worse and 2) social media spreads malware very effectively.

So please, on this day of fake engagement posts and “I won the lottery!” jokes, let me make an appeal. Treat every day on the Internet like April Fool’s Day. Ignore strange requests or commands for action or promises of reward on social media sites. Be skeptical of all emails—especially those with embedded links. Slow down, take a deep breath, and think about what you are doing before you mindlessly click, forward, repost, retweet, or otherwise spread potential malware.

Oh, and an added bonus? Your friends will thank you.


Wednesday, March 26, 2014

Phone Fraud Flavor of the Month: 2014's IRS Scam

I spent a little time this morning reading about that new IRS scam that’s running rampant during the 2014 tax season. You know the one—you can read all about it here. It’s the one where social engineers claiming to be IRS officials bully people into offering sensitive information through threatening phone calls.

Actually, that doesn’t sound so new, does it?

That’s because it’s not. It’s the same pretexting technique that scammers have been using for years. Even though each year (or each tax season or election or Olympic Games or world relief effort) brings a new wrinkle to the scam, there is nothing new here, folks. It’s just another example of how thieves try to steal sensitive information from regular people. Every. Single. Day.

The possibility of daily threats demands constant vigilance—and you are raising your awareness just by reading this. But maybe it’s time for a little refresher on the best ways to handle any social engineer who comes calling.

Tuesday, March 11, 2014

It Could Happen to You: The Value of Small Biz to Attackers

Read this little article yesterday and thought it might make a nice follow-up to last week’s interview with Naoki Hiroshima. Quick update on that story: @N has been restored to its rightful owner.

Unfortunately, though, that was not an isolated incident. In fact, according to this recent article on The Verge, small and mid-range companies should be especially alert to these kinds of attacks.

”Stories like Meetup's are less surprising to companies in the business of DDoS mitigation — like Cloudflare, which is currently helping the site recover. CEO Matthew Prince says they're most commonly launched against gambling sites or midrange e-commerce sites, as in this example from 2012. They're businesses with enough success to suffer from a few days of downtime, but often not enough foresight to invest in DDoS protection.”

Tuesday, February 11, 2014

Oh the Humanity: The Problem with Security Policy

Everybody talks about people using easy passwords. For example, using the same password forever and adding a 2. ‘Password.’ ‘12345.’ We all joke about it (even though it’s no laughing matter).

In the past decade, we’ve had the unique opportunity to see long lists of actual passwords through penetration tests for large companies. Now, initially, I didn’t know this was unique. I mean, everyone talks about what passwords people use, but honestly, nobody really knows. They are private, after all, and sometimes encrypted. Even though we all think we already know, it’s still eye opening to see what real people use for their passwords. And, as in the case of one particular job, those passwords are not always what you expect.

Tuesday, January 28, 2014

Avoid Tax Fraud and Identity Theft: Tips from a Professional

Once again, it’s about time to talk about tax fraud. Yes, I know. Every year around this time, just about every information security blog brings it up—you know, how it’s really fraud, how identity theft really happens, and how it could happen to you.

Well…it is, it does, and it could.

But I’ll eschew the scary tax fraud stories this time and just give everyone some practical tips they can use. Last year, a local tax accountant provided us with some really good, basic advice to provide to readers and clients on the subject. It was well received, so I’m going to post it again.

Tuesday, January 14, 2014

When Ego Gets in the Way: Infosec at the Top

So, I try to be pretty fair when it comes to information security issues. I mean, everyone’s human, right? Everyone makes mistakes. And often, for the average Joe in an office, mistakes are the result of poor security awareness training or a general lack of knowledge about the threats of social engineering, phishing, or the danger-of-the-week (you name it).

But then there are those folks that just let their egos get in the way of security. According to a recent study by Stroz Friedberg, senior managers may be the worst when it comes to protecting sensitive information.

Review these disturbing statistics:

  • 9 in 10 senior managers upload work files to personal accounts.
  • 58% of the managers studied accidentally sent sensitive information to the wrong person.
  • 51% took files containing sensitive information with them after leaving a job.

The study goes on to suggest that people in management positions are more likely to flout the rules regarding information security because they’re under pressure, because they’re super busy—and because some have a serious attitude problem.

Thursday, January 9, 2014

Cyberwarfare, ID Theft, and Social Engineering: What's It All Mean?

Read an interesting article at CIO the other day: “Talk of Cyberwarfare Meaningless to Most Companies.” And it got me thinking…how much of what we do and say as security companies goes over the average company’s head (or better yet, in one ear and out the other)?

Think about “cyberwarfare” for a minute. Does it mean going to war with other nations using robots and computers? Is it when a terrorist brings down the Internet? Does it even matter to me? Or my business? Or my industry?

The reality is that cyberwarfare is a danger because bad people can use technical resources and systems to disrupt legitimate businesses and prevent them from performing their core work.

In a way, the term "cyberwarfare" falls into the same category as "identity theft.” It sounds really scary, but many regular people (even managers and business owners) don’t really know how it is executed, with what tools, or upon whom. Most people don't know what to do to protect themselves besides signing up for LifeLock.

Or how about “social engineering,” one of the most misunderstood terms in our security vocabulary. Internationally, it’s understood as a way to analyze and influence social systems. But in the security community, it describes con artists who use social situations (phone conversations, office visits, etc.) to commit crimes. It’s real. It’s a major threat. But folks don’t understand it, so they don’t worry about it.

This lack of knowledge results in major complacency. Companies do not feel PERSONALLY threatened by identity theft or a social engineering attack—but they should. Executives need to educate themselves on the true impact to corporations and then educate their employees.

Cyberwarfare, identity theft, social engineering—these are real threats with real every day impact on real people. They are not just international news headlines.

So security companies and IT professionals: it’s time to be louder. Time to be bolder. Maybe most importantly, it’s time to learn to speak the language of small and mid-range businesses with limited budgets and even more limited time. This is how we raise awareness.

We’ve got our work cut out for us.


Monday, December 23, 2013

Risk, Recrimination, and Reporting: Detecting and Handling Breaches

I read Ericka Chickowski’s article on empowering employees to detect outside attacks earlier this month and I made some notes that have finally found their way into a blog…three weeks later.

Well, better late than never—especially when it comes to the importance of teaching effective employee behaviors. There is always something good to say about it. Here’s my sum-up of this article: Chickowski is 100% right, and she has some particularly notable quotes here.

Wednesday, December 11, 2013

Picture Yourself Secure: Passwords, Phrases, and the Future

In 1492, Columbus sailed the ocean blue…

Every Good Boy Does Fine….

Thirty days hath September….

Ah yes…mnemonic devices. Those performance-enhancing tools used successfully by middle schoolers and beginner-level music students all over the country for…well, for forever, it seems.

Enter any 7th grade classroom on test day and you’ll see small, strained faces searching their memory banks for that rhyme or song that will bring to mind the order of taxonomy (“King Phillip Opens Five Green Snakes”) or the five Great Lakes (HOMES).

Depending on your college degree, you might have carried this technique into college. But most of us probably gave up these memory aids along with NoDoz and an actual Spring Break after tossing our grad cap in the air.

But why? The human brain loves association and repetition at any age and for any reason—and that’s why researchers at Carnegie Mellon think we should keep it up when it comes to security.

Tuesday, December 3, 2013

Oh, The Humanity: The Danger of Anonymity

And now for something a little different. Throughout our “Oh, the Humanity!” series, we want to demonstrate some of the most dangerous ways social engineers can infiltrate a company—and pretty often, that involves the phone or email. But every now and then, it’s a simple (and downright silly) move that gives a thief access to very sensitive information.

Security Breach: Signed, Sealed, Delivered
Here's the story. When we begin a project with any company, one of the things we most want to demonstrate is how easily we can get access to their network as outsiders. While social engineers are frequently insiders, we often attempt to replicate that level of access from our “basement.”

In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD and not expose ourselves as social engineers.

Tuesday, November 19, 2013

Open Letter to IT Departments: People are Important to Your Security Plan.

Read a Dark Reading article this morning that I really enjoyed. First of all, any article on information security that can work in the zombie apocalypse is A-OK in my book. Nicely done, Glenn Phillips.

And you know, the comparison works surprisingly well. Way too many businesses focus on just a few security dangers (for example, amassing weapons to blow away those pesky zombies) without addressing the whole picture of security (forgetting to stockpile water so you don’t…well…die).

Another problem? Letting an IT team dictate what works and what doesn’t without really considering what Phillips calls “the human component.”

I especially identified with Phillips’ example of the IT department requiring a new impossible-to-remember password every 60 days. I’ve worked in places like that, where IT made those sorts of demands with a sort-of “Do it or else” attitude. This was ineffective. Those demands were usually 1) ignored and 2) laughed at.

Thursday, November 14, 2013

Oh, the Humanity! Train Employees to Say "No" to Social Engineers

Let’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.

After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.
Tuesday, November 12, 2013

When Identity Theft Hits Home

My office was quieter than usual when my cell phone buzzed. It was my mother. While it was no surprise for her to call, a mid-morning Thursday call was unusual.

"Hey, Mom. How's it going?"

"Well…" she said, voice cracking. "Not too good."

Tuesday, November 5, 2013

Oh, The Humanity! Another Pretexting Success Story.

And welcome back to our social engineering success story series: "Oh, The Humanity!" Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training—and our firsthand experience with pretexting, phishing, proximity attacks, and more has provided us with ample ammunition. And now, on to our next story...

A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.

Here were the ground rules:

Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.

Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.

Tuesday, October 29, 2013

Employees and Social Media: If You Can’t Beat ‘Em, Then Train ‘Em.

With the exception of a few stodgy holdouts, pretty much everyone has a social media account or two—or maybe five. I mean, why share everything on Facebook? Why not open up the fascinating details of your suburban, middle-class life to a wider audience? There are life-changing food photos to post to Instagram, quippy thoughts to share on Twitter, and that hilarious meme you whipped up last week that’s begging to get posted on Reddit. More exposure! More, more, more!

An awful lot of us have this attitude now—and if your supervisors are aware of your tendency to tweet first and apologize later, then they may be freaking out. In fact, according to a Javelin Research report from earlier this year, 69% of companies are concerned about employees’ social media use. While a half hour here or there may not seem like much, even on the company clock, it can add up to a lot of lost revenue, thousands of security threats, and plenty of potential bad press if you can’t keep it in check.

Fortunately, according to CSIdentity, businesses have two good options to keep their employees’ social media usage from causing harm to the business: create clear policies and keep employees educated.

Friday, October 25, 2013

Cute-Girl Voice: A Social Engineer's Secret Weapon

This just in: a highly informal study of a teeny tiny group of people suggests that men may be more likely to give up sensitive information over the phone if they think they’re speaking with a cute girl.

Surprised? Yeah, me neither. What did surprise me, though, was just how easy social engineering really was.

Tuesday, October 22, 2013

Working Together: Technology and Education Necessary to Prevent Phishing

I've been in the education business for a long time. I was a public school teacher first, and spent a good deal of effort educating middle school and high school students. Then, years ago, I made a career shift into the information security business and made a career out of teaching employees how to avoid opening their businesses up to the threat of social engineering, phishing, and pretexting.

In both cases, education is necessary for success, and I'm always interested in the ongoing argument in the information security world: Tech or Teaching? Recently, Robert Lemos asked the same question on Dark Reading. Here are some takeaway points from that article.