September 15, 2019
Fatigue: weakness caused by repeated forces, conditions or exerted efforts over time. Gradually, strength, alertness or resolve to resist diminishes. The results of fatigue are mechanical failure, capitulation, or indifference. Think of repeatedly bending a paperclip back and forth until it breaks, the way an ill-prepared sprinter physically falls apart during the last 75 meters of a 400-meter dash, or Mr. Gru’s mom when he showed her his “real rocket based upon his macaroni prototype”. Her response, “Meh.” However, what about “Breach Fatigue”? What is it and how do we defend against, prepare for, and respond to breach fatigue?
Breach fatigue is basically complacency about, apathy toward and reduced response to repeated breaches of trusted, restricted-access data systems. It affects individuals and organizations. Breach fatigue has set in when systems that gather sensitive personal, financial, medical or proprietary information are repeatedly accessed by unauthorized “bad actors”, and the public is no longer shocked by the cyber-crime. The breaches become part of the mundane costs and conditions of doing business. As a result, cyber security efforts are not as robust as they could be, and the response is “meh” or maybe “thank goodness it wasn’t me.”
The U.S. House Committee on Financial Services’ Task Force on Artificial Intelligence held a hearing entitled “The Future of Identity in Financial Services: Threats, Challenges, and Opportunities” on September 12, 2019. You can watch the hearing in its entirety here. A variety of breach-fatigue-related challenges in the financial marketplace were discussed by a panel of seasoned financial and cyber security professionals. The panel included input from the chief identity officer of SecureKey Technologies, a Canadian security authentication technologies and services company that enables the use of contactless cards and mobile phones to implement strong online authentication. SecureKey serves governments, banks, and businesses around the world. In his remarks, the Chair of the Task Force, Congressman Bill Foster (D-IL), stated that $15 billion is estimated to have been stolen from U.S. consumers online. The quoted estimate does not include costs associated with recovering a stolen identity and correcting the damage inflicted by criminals who misappropriate financial data.
Consumers in the financial marketplace are fatigued by malware, ransomware, and phishing. Cyber criminals use artificial intelligence (AI) voice synthesizers to generate fake instructions–I am always suspicious of those “robo” calls that have no one on the other end of the line. Increasingly, AI is being used to gather and generate synthetic identities…identities that are a combination of fake and real, stolen identification information. Think of Randall Stevens collecting hundreds of thousands of dollars at the end of The Shawshank Redemption. With synthetic identity crimes, a completely separate and distinct “person” is created. “Data scraping” is using a computer program to extract data from a source that is meant to be consumed by an end user, i.e., read by a person. The data is pulled from a human-readable source and fed into a different program. The theft does not happen by reading raw “zeros and ones”; it happens by pointing another program at the documents we read and mining the information out of them. With respect to the security of Europay, Mastercard and Visa or “EMV cards” (credit and debit cards with computer chips), Visa reported a 76% decrease in “card present” counterfeit payment fraud between 2015 and March 2019. Unfortunately, “card not present” fraud continues to increase, and cyber security experts recognize a need to increase efforts to thwart this type of digital payment fraud. “Unbanked” consumers are particularly vulnerable because, while they may not have extensive, long-term banking relationships and professionally managed financial assets, they do have cell phones. Cell phones are used to conduct financial transactions, and processes must be developed to ensure that customer privacy is maintained as the customer validates himself or herself to get access to transactions. This can prove challenging in a digital economy without established financial business relationships to authenticate users and authorize transactions.
As clients and financial planners, we cannot afford to become complacent, apathetic or unresponsive. Twenty-five percent of all malware attacks target financial services industry organizations. Eighty-one percent of cyber-attacks are the result of taking advantage of weak or stolen passwords. The following is a list of 12 ways to defend against, prepare for and respond to breach fatigue while pursuing your financial life planning goals.
- Invest in quality anti-virus software for your computers and your cell phones. Take into account factors such as real-time virus, malware, spyware, ransomware and firewall protection. Additional factors to consider are cost and online support services.
- Develop the habit of double-checking the internet address of any website or link you visit. Be sure you see the “padlock” icon next to the address of any website that requires the exchange of sensitive or personal information. Assume that if you are using a public Wi-Fi connection, your information is available for others to see.
- Implement a financial statement and online account review routine. How often do you review your financial statements? Once a week? Once per month? Set aside time to be proactively involved as a partner with your financial planner. Review the security and reimbursement policies for each of your financial institutions and develop an account review routine that works for you and your family.
- Minimize the number of credit cards you must use and track. Consider the perks each card offers, such as flight miles, cash back, and interest rates. Count the “cost” of ownership in time and money; in the financial planning world, time is money!
- Monitor digital asset accounts. Digital assets are documents and other audio-visual content stored on computers, phones, websites, storage devices like hard drives, email servers, and social media accounts. Cryptocurrencies are digital assets. Your files stored in “the cloud” are digital assets. So are web domains.
- Invest in/use a high-quality cross-cut shredder.
- Delete unneeded emails and monitor your email spam folder. Digital communication is mainstream; it is a preferred method of correspondence, reduces clutter and saves trees. Much of our communication is protected by security systems and software. Declutter your digital mailboxes. Don’t let sensitive information “marinate”. Some hackers try to gather information by telling you they already have your passwords, and those messages may land in the spam folder.
- Safeguard your passwords…use a safe or an online service. Be careful creating and storing documents that contain passwords on your computer!
- Take action on letters you receive about security breaches. Take advantage of opportunities for free credit monitoring. See item 1 above.
- Authenticate callers. This item is especially important as we and our loved ones get older. Telephone companies re-use phone numbers. In addition, all it takes is one or two legitimate pieces of identifying information to create a synthetic identity. Ask your own questions of any caller you do not recognize. Name? Company? Office location? Call-back number? Reason for calling? Make an unknown caller prove who they are, then use that information to independently confirm the conversation is legitimate before you go any further. After all, they called you, right? Be wary of inheritances from unknown relatives, lottery prizes for contests you did not enter that require immediate responses, and surprise warrants for your arrest because of tax fraud.
- Closely monitor your residential mailbox for any evidence of tampering, especially on suburban or rural roads. If your mailbox cannot be easily monitored (electronic, video, or otherwise), consider using a post office box. If you notice signs of forced entry, or if you notice it is opened and closed intermittently by someone other than you, notify the local police department and the US Postal Service.
- Check minors’ credit reports! Over a million children had their identities stolen last year! Minors’ Social Security numbers are prime targets for synthetic identities. If a minor starts to receive offers for pre-approved credit lines, or starts to get calls from collection agencies, a parent or guardian may complete the appropriate credit report application process with one of the credit reporting agencies (Equifax, Experian, and TransUnion). Carefully review the minor’s report. Report fraudulent activity to the credit agencies and police, and place a credit freeze on the accounts.
Consumers must be able to control “how, where, and when” personal information of ALL kinds is used, and by “what and whom”. Consumers now exist in economic and social environments governed by technology that is rapidly moving toward a password-less era. The apparent consensus of the panel of experts at “The Future of Identity in Financial Services: Threats, Challenges, and Opportunities” hearing was that: 1) company executives believe that cyber-crime is the chief threat to the financial system and 2) the U.S. government must get involved to help protect consumers and the world’s financial systems from these threats, because the financial industry cannot solve this problem alone. Biometrics, blockchain technology and coordination between legitimate agencies in the business of authenticating identity hold promise for security efforts that protect consumer identity, privacy, assets and transactions from cyber criminals.
Breach fatigue is insidious. “Waypoints” are objectives that lead to goals – specific intermediate and final destinations on your financial planning journey. Breach fatigue is drift created by waves, winds and complacency. Integrate an identity protection regimen into your financial plan. Resolve to stay on course; indifference is not an option.