Thursday, January 19, 2012

Zappos Managed To Zap Us

The recent security breach at Zappos was yet another fairly loud wake up call. Personal information from millions of customers snatched from their electronic files. A lot of articles are being published with the steps a company should take to prevent this type of incident, the state of readiness they must be in to react if the unthinkable does occur, and advice on how it should be handled when the inevitable brown stuff hits the cooling device.

Articles, blogs and comments are being posted everywhere, taking Zappos to task, resurrecting the old debate on the relative strengths of Linux and Windows servers and reminding people how dangerous it is to trust the internet with your personal information. Called in to question is the level of compliance with standards like PCI DSS and the effectiveness of encrypting data such as passwords. No doubt the legislators will be burning the midnight oil dreaming up additional regulations to propose subjecting businesses to even more audits and reports.

And the customers? They have been advised, as the law requires, that their information may have been compromised, so they should take extra care, change their passwords and keep an eye out for phishing schemes in the coming months. Standard response 101.

None of us want to stop shopping on-line, nor do we want our personal data compromised. So what are we to do? Well, I have a couple of suggestions you might follow.

One approach is to have a credit card which is dedicated to on-line purchases. Mine sits on a shelf near the computer and is probably stored in countless databases maintained by all the many and varied on-line merchants we use. The credit cards in my wallet, including the ones associated with my savings and investment accounts, are never used anywhere but in person. The most important ones never leave my sight.

Having a few different credit cards for different situations is a strategy I call "compartmentalizing exposure," and it allows me to better manage my finances and to mitigate risk. Plenty of credit cards are available with rewards programs and no annual fees. Carry a few to keep your business expenses separate from personal spending. Use a separate one for shops and restaurants, places where the staff take your card and disappear with it to process your payment. Keep credit limits low on all except the one you might reserve for major purchases.

If I am ever advised by Zappos or any other on-line service that my personal information has been compromised, I can kill the appropriate credit card and quickly replace it with another. All of my other cards would continue to be safe.

As for the likelihood of a phishing attempt, my view is we run that risk every day of the week. Whether anyone has alerted me or not, I am always very skeptical of responding to people by phone and never include sensitive information in an email or other electronic form of inquiry.

Never click the links in the email; instead, go directly to the site of the organization allegedly making the request. Write to them or phone them. Fake phone inquiries are usually stymied by my practice of never answering the home phone when the caller ID shows blocked or unlisted. When a call does come through, I prefer to call back on a publicly listed number for the organization so I am sure I know who is at the other end of the line.

Captain Joe

Follow me on Twitter @JPuglisiLLC

2 comments:

  1. I came into work on Tuesday to hear that several people in my organization had their personal e-mail address hacked. I saw two women talking in the hallway puzzled by how their e-mail was compromised. Then a light bulb went on in my head. I stopped and said to the two of them:

    Me - Any chance the two of you order shoes from Zappos??
    Both Women - Ohh yeah!!! All the time!!!!!
    Me - Let me guess... Your password for Zappos is the SAME password you use for your e-mail???
    Both Women - *A pregnant pause happens while they both look at each other with a weird look on their faces* "How did you know"
    Me - STOP using the same password for every site you visit!
    Both Women - How did you know we did that??

    The lesson here... Take a few minutes to go to http://www.LastPass.com and create SECURE and DIFFERENT passwords for EVERY site you use! Even if you don't want to use LastPass, there are others out there to use. LastPass is just the one I recommend.

  2. (As for the likelihood of a phishing attempt, my view is we run that risk every day of the week. Whether anyone has alerted me or not, I am always very skeptical of responding to people by phone and never include sensitive information in an email or other electronic form of inquiry.) Like!
