In 2013, we’ll have to make a choice: Either we acknowledge we’re at war and push back hard, or we keep pretending nothing’s wrong—and get snuffed.

In the coming weeks, as we’ve seen every year for the past six, there will be endless reports detailing the digital dangers and identity threats lurking in every corner of our highly networked universe. But allow me to ask a heretical question: To what end?

Despite grandiose pronouncements, identity theft, cyber warfare, and the death of privacy at the hands of hackers and hyper-marketers are barely on the public radar. Everyone gives lip service to their oh-so-serious concern—but except for industry players, technocrats, and a handful of politicians and consumer advocates, nobody really understands the dynamics of the situation. And few seem moved to action.

Frankly, this situation is insane. Practically every day, someone flags risks and makes dire predictions—all deadly accurate, by the way—but unless there’s a class action suit pending, or an entire grid in darkness, no one gives a damn. Check your credit report? Only one out of five really do. Encrypt your database? “Encryption is hard.” Friends, the barbarians are no longer at the gate, they’re in our homes eating off our best china—yet we can’t be inconvenienced with dealing with them. The signs of things to come are everywhere—but like a man crossing a highway blindfolded, we refuse to see what’s coming.

This year the situation must change. For the next few minutes, I invite you to take off the blindfold and look reality right in the eye.

A domestic war is being waged both here and abroad against our people, our economy, our institutions, indeed, our way of life. But until we take that seriously and respond strategically, we’re in for a serious can of whoop-ass. Even a fool can see where the enemy is headed, but for some reason the cavalry doesn’t seem up to the task of heading them off. As with all things in Washington and corporate America, folks are talking the talk, but few are walking the walk.

Here are a number of battlegrounds where the fighting will be fiercest in 2013:

Mobile devices. That smartphone in your pocket is one mother of a data storage device, and it has a bull’s-eye on its back. We use them to communicate our most intimate (and sometimes highly inappropriate) thoughts, figure out where we are, telegraph our next move, as well as check bank balances, deposit checks, even file taxes. There’s a gold mine behind that touch screen. Users may not realize how exposed their data is (I dare say most don’t use password-protection or remote data-wiping in case of loss), but criminals know the weak spots, and they’re making mobile exploits a high priority.

One scenario to watch for: a malicious programmer sneaks a malware-bearing app past iPhone gatekeepers (malware champ Android already has more bad apps than you can shake a stick at), and millions of Apple users realize the honeymoon is over.

Note that Europe already suffered the first large-scale attack on financial accounts via mobile phones: Eurograbber, a mobile SMS keylogger scam that pumped 36 million euros out of 30,000 European bank accounts. Make no mistake, we’re next.

The insider threat. These come in two flavors: duplicitous and duped. Either way, they’re sleeping with the enemy. Compromising or turning an insider is a big win for criminals, providing a precious pipeline to account info, network passwords, or a company’s deepest secrets. Infecting an outside (or inside) device used at work—mobile phone, tablet, laptop—by means of something as simple as an email can get keyloggers and other malware inside the firewall to infect other computers. The FBI warns of criminals targeting bank and credit union employees—and why wouldn’t they? They’ve gone after folks at the most secure companies in the world already with spectacular results—just ask RSA and Lockheed.

Medical identity theft. Our push to digitize medical records and associated data — including identity, insurance, and financial information — has spawned system design flaws, sloppy data handling, and everything in between. The logistics of conversion have exposed risks and led to countless breaches—including data theft and/or loss by third-party contractors. No wonder electronic health records are a magnet for identity thieves—with potentially deadly consequences for victims, since medical identity theft can mean co-mingled medical records, magically changed blood types, disappearing allergies and looted insurance policies.

Malware, Malware, Everywhere. These days any would-be cyber-mercenary can play “infect your way to riches.” Be prepared for more sophisticated, undetectable, and untraceable malware available for low-cost purchase, rental, or lease from the underground purveyors of havoc. Now that botnets (like jet skis) can be rented by the hour, we’ll also see more customer-facing networks crippled by denial-of-service attacks in 2013, as hackers distract and exhaust security teams to cover their own tracks.

Nonprofits and foundations. What’s more delicious than an unencrypted database overflowing with wealthy donor data? Doubtless, several foundations or charities will face big breaches in 2013. Just don’t expect them to be so forthcoming with the details.

Debt collectors. After breaches of several debt collector databases expose records for hundreds of thousands of debtors (many who shouldn’t be in those files in the first place), public pressure will build for controls on collection agencies’ handling of clients’ data — including a requirement that breach response programs be in place before they can be bonded or licensed.

Infrastructure threat. Some facet of our critical infrastructure — perhaps the electrical grid, public transportation, air traffic control, banking, medical facilities, or some large bridge or tunnel — will suffer one or a series of cyber attacks, highlighting the ever-evolving, highly dangerous cyber-war threat and the shared goals of enemy agents, cybercriminals and identity thieves.

Mega breaches of government data. South Carolina’s “encryption is hard” data debacle showed how myopic and negligent a government can be. But don’t assume politicians learned anything from it — though it brought the number of improperly accessed files in government custody to nearly 100 million. If anyone learned a lesson, it was the criminals, who will be emboldened in 2013 to revisit that poorly guarded well again and again.

Identity theft is big business, and the bad guys want to make this their most profitable year ever. So expect repeated, persistent attacks on government databases — followed by rage from a frustrated citizenry demanding (but not getting) action. Expect an increasing tidal wave of fraudulent business and individual tax returns and refunds filed by criminals in the names of legitimate taxpayers. And remember, criminals file early!

Data breach fallout. To confront the inevitable surge in attacks, 2013 should be the year of mandatory encryption, stringent security, and tough legislation holding negligent data stewards accountable; and “accountable,” dear friends, means doing hard time, not mouthing lukewarm mea culpas. I would prefer to say “will be” — but given the inability of Congress to agree on even the mundane, like the hour of the day — action seems unlikely. At this rate, we may be forced to rely on the ultimate regulators of our economic system — class-action attorneys.

Strategic realignment. When we are truly focused on this issue, a depressingly rare occurrence indeed, we are playing by an arcane set of rules in the face of a highly sophisticated, totally committed, stealthy, deadly, hydra-headed opponent who knows no rules of engagement.

To properly address this threat, nothing short of a Manhattan Project, or a renewed commitment to the kind of national effort that put a man on the moon will suffice. Complete cooperation, collaboration and communication among all levels of government, law enforcement, the business community, consumer advocates, individuals and the media must be achieved.

Taking the fight to the criminals is exactly what we must do — along with shoring up our corporate and individual defenses and demanding that our lawmakers take this fight seriously. This is war — and whether the attacks come from hackers in Latvia, agents in Beijing, a botnet stretched across the globe, or the quiet employee in the next office, the adversary is the same, as is the M.O. These guys have one more thing in common: They play for keeps. So should we. Perhaps 2013 will be the year we start to get it right.

Chairman and cofounder of Credit.com and IDentity Theft 911. Adam’s experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.

2 Responses

  1. Hi Adam:

    There are so many articles out there on this very topic. However, I wanted to take a minute and “thank you” for such an in-depth look at just how vulnerable we all are. “Sitting ducks” if you will.

    It seems that wherever I go, I’m asked for personal information (e.g. email address, phone number, zip code, etc.). All this for coupons and specials. Quite honestly, I’d rather pay full price than share this information.

    Thanks again for the great insight.
    Janie

  2. Max Dilley says:

    Dear idt911blog,

    5ish questions. Also, if question 1 has an answer that is annoyingly time consuming, then skip it, by all means.

    You mention in “Your Data is a Minefield” that “Encryption is Hard.”

    1. How so?
    2. Do you think a person with minimal computer literacy would be able to encrypt her database on her own?

    Mobile devices.

    1. How intricate do you feel the mobile device’s password should be?
    2. Any recommendations for a remote data wiping tool, and please feel free to advise any other protective agents that you feel are cutting edge enough for the task at hand within the home/business as well as away from it.

    I come to you folks by way of a breach that occurred at Bellacore, one of your online retailers who did the right thing. I have had credit monitoring since at least 2001, and have had accounts with possibly all of the major players in the part of your field that I, as an individual, am qualified to engage with. Unfortunately not one of them has impressed me even remotely as much as Identity 911 has from the very start, despite my online experience with my account being about as basic as basic gets :) That’s really very impressive. So as I asked your very helpful and engaging customer service support representative, I will ask whoever is reading this, “Why not start a credit monitoring division for us little people?” :)

    Thank you very much,
    Max Dilley

    p.s. I am numb with bewilderment as to the seemingly hypnotized state that Governmental, Corporate, Financial, Silicone Vallians, Operatic SoothSayer, Utility Providers … at large, are in in relation to not circling the wagons … It’s actually eerie.