First, the hackers hit some 70 million credit and debit accounts issued by giant retailer Target to their customers. Now comes the news that 20 million South Koreans had their personal data stolen – about 40 percent of the country's population – in another attack on a number of banks and other credit card issuers in that country. Ironically enough, the culprit seems to be an employee (one hopes he or she is now a former employee) of the Korea Credit Bureau, an organization whose services include (ahem) fraud detection and prevention.
In a year that is supposed to mark the emergence of the Internet of Things – a networked world in which our machines and devices all communicate with each other and, oooh, we can control the lights and thermostats in our homes while we’re traveling – I confess I find this more than a little unnerving.
Sure, it’s cool that a friend of mine was able to tell her family she was thinking of them while she was away on business by remotely changing the color of the Philips hue lightbulbs in their home to red (for “heart,” of course) for ten minutes one evening. I may have read too many thrillers, though, since I also can’t help thinking about what might happen when a hacker is able to de-activate my smoke and carbon dioxide detectors, or reprogram someone’s medical records in an intensive care unit, or… well, the imagination knows no bounds.
In the wake of the card hacking misadventures, a lot of hype has focused on the relative slowness of U.S. banks and other card issuers to upgrade to so-called smart cards, which bypass many of the humans involved in processing a credit card transaction. Clearly, we have been slow to move to smart cards, as the Target case reminds us (even if those cards might not have prevented the hacking). The fact that we’ve been so slow to act has led to hackers concentrating more of their attention on U.S. cards, and hacking into U.S. data repositories.
Banks, retailers and the credit card industry shouldn’t waste their time squabbling over who is going to foot the bill for the cost of upgrading and converting the cards. It’s great that the credit card providers will hold merchants and banks responsible for fraudulent charges incurred as a result of their inability to upgrade by 2015, but I’d like to see a further step: making the institution responsible for undertaking any and all actions necessary to monitor and repair the credit of consumers hit with a fraudulent charge as a result of their inaction.
Consumers – who are at the mercy of the institutions – shouldn’t face higher costs or a loss of their productive time. Moreover, it’s hard to understand why banks and other institutions don’t view this as a necessary investment to protect their brand names and market share.
The wave of headlines surrounding credit card hacking is just the tip of the iceberg, too. As we entrust more and more transactions of daily life to the Internet, from turning on the heat to paying our mortgages and shopping for birthday gifts, we’re offering up more and more hostages to fortune in the shape of personal information that can be used and abused.
Admittedly, part of the problem is the extent to which businesses choose to rely on outdated technology. One of the single most unnerving articles that I have read so far this year spelled out just how vulnerable some legacy systems are to a hacker's attack. (Or even to simply wearing out due to old age.) Did you know, for instance, that 95 percent of ATM machines run on Windows XP? Even I gave up using Windows XP a few years ago, and I consider myself a Luddite.
What we can all do as individuals is demand that the institutions we do business with do better. We can seek out banks that offer “smart” credit cards, and reward them with our business. We can contact retailers and ask for details of what they are doing to prevent fraud. As investors in companies that have access to our sensitive information – Verizon, AT&T, cable companies, utilities, banks – we can demand detailed risk analyses on technological vulnerabilities, and explanations of what is being done to close any gaps that are as thorough as is consistent with security.
We can also invest, if it fits our overall portfolio objectives, in funds or companies that are making Internet security a priority. There are a growing number of companies in this space, and while some of the most promising (or at least the most buzzed-about) are still private, we can monitor what is going on in this space and put our capital to work in helping them develop new technologies to combat the hacker-verse. Venture capitalists and technology firms are eager to provide funds to businesses focusing their efforts on making cyberspace a little less financially perilous a place for us to wander.
That can be a profitable approach to solving this problem, as well. Consider for a moment the relative gains of two IPOs that took place at roughly the same time last year. Twitter (NYSE: TWTR) was undoubtedly the highlight of the 2013 IPO calendar, in both size and the amount of hype it generated. But while its share price is doing very nicely, thank you – up nearly 40 percent since that IPO – shares of the much less well-known company Barracuda Networks (NYSE: CUDA) are trading 64 percent higher. Intriguingly enough, that gap has emerged and widened only since mid-December – at about the same time that the Target hacking became public knowledge. Barracuda’s business? Online security.
I’m not suggesting that either Barracuda or FireEye (NASDAQ: FEYE), a cloud computing security venture that went public last year and is up 74 percent so far, will make great long-term investments, especially since they're burning through cash so rapidly that they may need to come back to the markets for more capital sometime soon. But one or two of the growing array of security companies will make further strides in this area, generating profits for investors. In the meantime, more headlines may well ensure that momentum keeps them going.