
 

April 15, 2015

John Miley, Editor

Greetings:

Welcome to Kiplinger's Tech Alerts -- a digital heads-up on coming trends and breaking developments in technology. The alerts are free through June 16. This issue focuses on new targets for hackers, the push for businesses to share information to combat cybertheft, biometrics and more.

Where Will Hackers Strike Next?

With stealing credit card information now more trouble than it's worth, hackers are finding new, more data-rich targets while bolstering their technical sophistication. Over the next three to five years, hackers will increasingly target personally identifiable information, including Social Security numbers, names, dates of birth, home addresses, telephone numbers, e-mail addresses and more. Criminals get this information by hacking into company databases that store such customer data. It's especially easy to do if information is not encrypted, as, surprisingly, is often the case.

Hacking credit cards is getting tougher because new credit cards come with safeguards that give the data they contain a short shelf life. Credit cards using embedded computer chips fend off fraud by generating a one-time code for each transaction. Cards can be canceled quickly and banks have fraud monitoring policies in place. Moreover, consumer protection laws that make banks, not consumers, liable for fraud also help to protect consumers. The emergence of Apple Pay and other digital wallets adds another layer of security by preventing retailers from seeing any payment card details whatsoever.

However, Social Security and other personal information stored in corporate databases and elsewhere makes for a richer trove for criminals because it can be sold many times over on the black market. It's broken into categories, so that stolen data of the wealthiest customers at banks, for instance, is worth more. Criminals use Big Data analytics (computer programs that find clues and patterns in a variety of data) to sift through huge data sets to figure out which hacking methods are most likely to work.

Stepped-up hacker attacks spell more business for credit and identity protection firms. "The Anthem data breach was a watershed event," says Tim Rohrbaugh, chief experience officer at Identity Guard. Children's information was breached, including Social Security numbers and names, heightening fears of large breaches. Now, more firms are preemptively signing identity monitoring contracts before a breach occurs, rather than waiting until the frantic time after a hack. Besides Identity Guard, identity monitoring companies include LifeLock, AllClear ID, Equifax, Experian and TransUnion.

Among industries facing the biggest threat from hackers: health care, banking and retail, because they possess large databases of customer information. Also increasingly vulnerable: schools and universities, which have a vast trove of students' personal information and less money to spend on security. Small firms with valuable information are targets, too, including CPAs, lawyers, doctors and the like.

Sharing Company Data to Thwart Hackers

To combat cyberthreats, the government wants businesses to give it internal company data about hacks, software bugs and potential threats to their enterprises. President Obama recently issued an executive order in the hopes of prodding more voluntary sharing with Uncle Sam. Legislation on voluntary sharing is also pending on Capitol Hill, though odds are slim that any of it will pass this year.

Companies fear that sharing too much information could tip off the competition to valuable proprietary information and hurt business, even though some large firms do so now, albeit on the down low. Firms also worry about breaching any terms in customer contracts that would leave them open to lawsuits.

Still, look for more companies to disclose threats, whether they want to or not. Pressure is building as technology companies threaten to out other firms that don't move quickly to patch dangerous vulnerabilities. Google's security research team, for instance, has upped the ante by publicly disclosing software vulnerabilities of other companies within 90 days if the firms fail to fix them (with limited exceptions).

Note a boom in bounty programs aimed at discovering computer bugs. Companies are increasingly paying "bug bounties" to white-hat hackers as they become more comfortable working with them. Online platforms such as HackerOne and Bugcrowd are trying to overcome the dearth of security researchers by promoting payments, up to $20,000 in some cases, to ferret out software vulnerabilities that pose security threats. Drumming up interest for plugging security holes is good news for any business that uses software.

A Larger Role for Biometrics

People with today's smartphones have many useful tools at their disposal, including state-of-the-art cameras, microphones, fingerprint scanners, touch screens and secure wireless technology. Such tools are speeding the adoption of biometrics -- the identification of individuals by personal characteristics -- for security purposes in many different situations, including in the workplace.

Apple is responsible for much of the shift to biometrics. Since 2013, new iPhones have come with a fingerprint reader. A large portion of American smartphone users now carry a fingerprint reader in their pocket. (Apple accounts for 42% of all smartphones in use in the U.S.)

Smart watches and fitness bracelets will play a larger role, too, helping their wearers log onto computers, open doors and more.

The acceptance of the Apple phones has lifted a stigma of creepiness that once came with fingerprint scanners, benefiting biometrics makers as a whole, including big sellers such as NEC, Hitachi, Nuance and Suprema. Apple has also paved the way for more high-quality fingerprint scanners on mobile devices over the next few years. Qualcomm, for instance, has fingerprint technology that will be used by major phone manufacturers this year. Other chip makers, such as ARM and Intel, are also working on biometric security.

Fending Off Insider Threats

Even the toughest security and encryption won't stop damage done by an insider. After all, employees who have the proper credentials, like an ID card and password, are free to log onto the network. In fact, many breaches are at the hands of insiders; contractor Edward Snowden had authorized access to National Security Agency information he made public.

Look for more companies to turn to Big Data analytics to uncover odd behavior by an employee, such as plugging in a personal USB drive or logging onto company computers during off hours. Firms figure that where there's smoke, there could be fire. Those early signals could help detect an insider threat to the company. Large firms, such as Lockheed Martin, have already found success in trying out expansive behavioral monitoring of employees. Fears of falsely accusing workers of bad behavior can be mitigated with solid oversight. Security firms offering real-time security monitoring include FireEye, Fortscale Security and Symantec.

Even the simplest tasks can be monitored. Stemming from a 2012 Defense Advanced Research Projects Agency project, technology to track keystrokes has moved quickly to commercial-ready form. Novetta, for example, has a working demo of keyboard tracking software that it plans to start selling this year. The software works in the background so workers don't notice. "Continuous authentication is a key trend of the future," says Debbie Waung, director of the Identity Intelligence Division at Novetta.

In addition to keystrokes, the new security software will be able to monitor mouse movements, heartbeats, facial features, gait and more.

Military and intelligence agencies will be the first adopters. But large companies will soon follow. Though privacy concerns are sure to heat up, businesses will keep pushing to protect networks and valuable intellectual property. Note, too, that Windows 10 will have built-in support of some biometric techniques. So it won't be long before operating systems have advanced monitoring available to all types of companies.

Tech Tidbits

  • Adding protection

Set up two-step verification for a quick way to protect your own accounts. The method is a bit of a hassle, but it's a powerful tool to prevent accounts from being infiltrated. It combines a password with a one-time code that can usually be texted quickly to a smartphone. Entering the password activates the code.

Online accounts that provide the added security include Google, Apple, Yahoo, Microsoft, Facebook, Dropbox and Evernote. For more information about what to do if a personal account is impacted by a data breach, check out Kiplinger's Personal Finance magazine's February story, "Data Breaches: When to Worry."

Prefacing hyperlinks with "https" -- a Web protocol that protects user privacy -- is also getting more attention. Note that websites that don't use such a preface will start ranking lower in Google search rankings as Google follows through on plans to rank sites with "https" above others.

  • Internet overseas

Traveling abroad and worried about coming home to a steep international phone bill? Don't be. Consider a mobile hot spot that works with any Wi-Fi-enabled device. With the hot spot device, you can connect your tablets, smartphones and laptops to broadband via 3G or 4G networks. Some such hot spots will work with as many as 10 users at a time. Take a look at options from Xcom Global, Telestial and MTX Connect, which sells unlimited mobile data in Europe for $11 per day.

Sincerely,
John Miley
jmiley@kiplinger.com
@johntmiley




Copyright © 2015, The Kiplinger Washington Editors, Inc.
1100 13th Street, Washington, D.C. 20005