From Target to Home Depot to JPMorgan, this year was a bad one for massive security breaches. Expect more of the same next year.
Let's face it, 2014 was a terrible year for computer security, leaving everyone feeling a little more vulnerable.
Hackers stole 56 million credit card numbers and 53 million email addresses from Home Depot between April and September. They took contact information for 76 million households and 7 million small businesses from JPMorgan's vaults. And Target started the year on the wrong foot, coughing up 40 million credit and debit cards, and personal information on 110 million people.
"It'd be hard to find anybody in the US who hasn't had a credit card affected," said H.D. Moore, chief research officer at security firm Rapid7. "People are just numb to the fact."
Will 2015 be the year we learn to care about who to trust with our personal data? Experts have some dour thoughts on what's coming, even as US stores begin to support credit cards with more secure computer chips. There are going to be heightened risks from old threats like email phishing attacks, and new threats posed by the Internet of Things, the idea of having appliances, objects, and electronic devices all connected to each other and the Internet. Here's what to expect next year.
Smarter credit cards
Credit cards containing a computer chip and requiring a separate personal identification number are commonplace in many other developed countries, but have been held back in the US in large part because of the costs. Financial institutions have to pay more to make the new cards, and it's expensive for retailers to upgrade their payment terminals to accept chipped cards. But chipped cards are expected to decrease some types of credit card fraud, a problem with current swipe-and-signature cards, because the chips are harder to counterfeit, according to a report from the financial research firm Aite Group. The equipment required to clone a chipped card the way counterfeiters currently fake magnetic stripe cards can cost around $1 million, according to mobile payment company Square.
It's this level of protection that prompted Apple to move forward with its mobile-payments service, Apple Pay, which runs on the same security model as a chip-and-PIN credit card. Next year, retailers will have to accept chipped cards or bear the legal burden of future credit card breaches. The retailers, however, don't have any legal obligation to accept Apple Pay, even as Apple has lined up an impressive group of partners.
The shift in credit card fraud responsibility and tougher security measures will force criminals to refocus their attacks on smaller companies as bigger companies invest their capital in preventing embarrassing, costly breaches, said Andy Daudelin, the vice president of security solutions at AT&T. "Small and medium businesses are going to need to step up in their [physical] place of business and online to protect consumers, and to protect themselves from lawsuits," he said.
Phishing goes mobile
Another risk that could get worse next year is phishing attacks, or malicious emails that try to trick you into clicking on a link, according to Steve Durbin, managing director of the Information Security Forum. "I had a number of [faked] emails allegedly from Amazon on Black Friday and Cyber Monday that said that I had a problem with my Prime account," he said.
Had he clicked on the links in the email, Durbin could have been hit with malware that downloads automatically, or been conned into turning over account credentials. It's not hard to get from there to financial fraud. Emails are a valuable resource for cybercriminals because they're an easy gateway for far greater access. While avoiding emails from strangers may seem like common sense, some phishing sites are effective as often as 45 percent of the time, according to a recent Google study.
Moore also cautioned against trusting anything with an Internet connection, a challenge as connectivity explodes across every kind of device from door locks to thermostats. 2015 will see a rise in connected appliances such as refrigerators, and a broader push for smart home products.
"If you can't update it, it's not going to be secure," Moore said. Free-to-use, free-to-modify software was found this year to suffer from catastrophic flaws like Heartbleed and Shellshock, which could lead to malicious device takeovers -- not something you want in a security camera. They'd be unfixable without a way to update the software.
He pointed to the 2013 FTC investigation of TrendNet's hacked cameras as a good sign, but said people must do their own research on the connected devices they want to buy to ensure they're safe. Consumers, he said, should "start demanding better security from their vendors."
That could be said for all areas of tech.