It is one thing to be out on the street and randomly mugged, but quite another to have someone follow you home, trick you into letting them into your house, and then being robbed in your own living room.
Equally it is one thing to be phished frequently but quite another to be spearphished just as often.
We all know phishing is an email message sent by some miscreant that appears to be from an entity you recognize. The goal is to persuade you to reveal personal details such as an account login or your Social Security number. Spearphishing is much the same except the miscreant has some knowledge about you and your relationship with the entity the message claims to be from, which improves the chances you will believe the ploy.
While phishing is quite common — the U.S. Computer Emergency Readiness Team (US-CERT) estimates that 53% of all security incidents in 2010 involved phishing or spearphishing — spearphishing is less so.
That was until now. In the near future you can expect spearphishing to become very commonplace thanks to a company you had probably never heard of until this week: Epsilon, a division of another company most of you will know nothing about, Alliance Data.
According to Wikipedia, Epsilon provides “database marketing, direct mail, email marketing, Web development, loyalty programs, analytics, data services, and strategic consulting” for over 2,500 clients, including 1-800-Flowers, Best Buy, Capital One, Citi, JCrew, Target, TD Waterhouse, TiVo, Verizon, Victoria’s Secret and Walgreens.
Until March 30 this year, Epsilon was highly respected in its industry with Ad Age ranking the company among the top marketing services firms and direct marketing agencies in 2006, 2007, 2008, 2009 and 2010.
That respect is now history because, as if to jump the gun on a particularly unfunny April Fool’s Day joke, Epsilon suffered a data security breach of biblical proportions: More than 50 companies are now known to have had their customer email lists swiped by hackers and the final total of customer records involved will be in the upper tens of millions.
IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.
The company noted that the “subset” was “approximately 2% of total clients and are a subset of clients for which Epsilon provides email services.”
It is amusing to note that Epsilon’s tag line is, ironically, “Marketing as usual. Not a chance.” Indeed.
What’s interesting is to watch the ripples since the announcement. Every day since the breach one or two new companies announce that their customers are vulnerable. So far it appears to be true that all that was stolen are lists of customer names and email addresses, but losing that huge amount of data is extremely serious.
For some companies, there’s a real risk that gullible staff will receive bogus emails that they will believe and act upon without much thought. For example, while not related to this Epsilon fiasco, consider how the publishing house Conde Nast was tricked into paying nearly $8 million to a scammer because of what was, in effect, a successful spearphishing attempt.
While the corporate impact could be significant, the biggest risk is to consumers. Once the relationship between a brand and a consumer is established, the consumer’s guard is down, and even sophisticated Internet users can click on what seems to be a valid, safe link in a message from their bank or their favorite retailer and be exposed to malware or land on a bogus Web page that attempts to glean their personal details.
In short, this is a security problem on a scale that I think exceeds the Comodo hack I discussed last week because it is far more diffuse and far more pernicious. It also, potentially, has far greater total financial consequences.
So now we come to the big question: What can you do? In your organization, you need to circulate a memo, ideally from the CEO, warning users to be critical and discerning about messages they receive from any organization and how they should act on them. And when it comes to your family and friends, take the time to explain the issues simply and in detail.
You might point both groups to the Network World article “Five tips to avoid getting phished”, but you’ll probably have to explain the details as there’s a lot to understand.
The bigger issue is what companies that use Internet email marketing are going to do. We, their customers, can no longer trust their messages because the effort it takes to ensure that each email link is valid will be enormous.
Imagine a hacker with Citi’s email database sending out, say, 1,000,000 messages that confirm a fake password reset or a fake financial transaction, and just 0.1% of the recipients get “taken”. That’s 1,000 accounts that could be compromised.
Say half of those are successful for an average of $5,000 per account; that’s $2.5 million! Do you think that’s a worthwhile effort for a hacker to send out a few emails? How about half of that? Or even a quarter? A thousand here, a thousand there and soon you’re talking real money.
I have no idea what the answer to this enormous problem might be, but I know that it is a problem on a scale we’ve never seen before, and until it is solved we’re going to see the cost of fraud escalate dramatically. And who will wind up footing the bill? You guessed it: Consumers.
So until there’s a viable, globally applicable, and effective solution, brace yourself because the SNAFU at Epsilon will be repeated over and over and it will be like being followed home and being robbed over and over again in your own living room.
Worse still, not only will you be robbed by the bad guys, you’ll pay for it through increased bank fees. That will be like getting robbed twice.
Gibbs is hunkered down in Ventura, Calif. Outline your defenses to firstname.lastname@example.org.