Lee Schafer

U.S. Bancorp's head of cybersecurity, Jason Witty, uses the internet for pretty much everything. He even described in a recent conversation how he bought a utility shed for his backyard and arranged to have it installed using only his iPhone.

Of course, if the head of information security for the nation's fifth-largest bank appeared skittish about using the internet to handle money, then it would be a good idea for the rest of us to panic.

Witty exuded nothing but confidence in the ability of the financial services industry to hold its line of defense against the bad guys, but he also volunteered that the internet "has gotten to be a really, really bad neighborhood in the last two or three years."

In addition to the various hacks and data vulnerability issues emerging from Yahoo and a host of other organizations, the global financial industry has been rocked by some stunning cyber breaches in the last year. Recall that thieves were able to siphon more than $80 million out of the Bangladesh Bank's account at the Federal Reserve Bank of New York (although some of that money was later recovered).

That kind of a financial hit makes the loss of debit card information at a Target store look like a trivial matter. Not that those failures in recent years at Home Depot, Target and other store operators weren't annoying. In a matter of months, enough retailers fumbled away my own credit card information that the last time I called to get a replacement card I didn't need to look up the telephone number.

It has certainly been a busy time for anyone involved in data security, Witty said. He described how the classic schemes to steal from people on the internet, like phishing for personal information through legitimate-sounding e-mails, haven't really fallen out of use. On top of those tactics, the hackers and crooks keep coming up with new ways to try to steal.

And since they have already stolen so much money, Witty said, "it's kind of a big deal that the bad guys are funded in the billions of dollars." The response by financial services companies includes trying to speed up how information on new threats is shared, just one of the ways industry players cooperate to try to keep the whole system safer.

One of the relatively recent innovations of the bad guys is called ransomware, a form of software that is sneaked onto a computer to take over some or all of the computer's data. The thieves then can lock it up using military-grade encryption that no civilian is going to quickly hack back into, effectively holding the data hostage and returning it only if the victims pay up.

That has been a nasty problem for hospitals and clinics in particular, with one health care trade publication earlier this year suggesting that three-quarters of hospital systems responding to a poll may have been hit in the previous 12 months. In one well-known case from Kansas, the hospital paid up but the hackers turned out to be liars, too, by refusing to then release the data.

Businesses of almost any size need to be on their toes, Witty said, as it's only a question of when an attack like this is coming. But ransomware crooks have been going after consumers, too.

An automatic and secure backup of data is a must, so if the crooks grab and encrypt the digital photographs and other computer files, the family has a complete set handy and won't need to give in to their demands. Witty also advises always making sure the home computer software is up to date.

Another thing to do to keep data safer, he said, is "choose the best authentication schemes you can," maybe by using a fingerprint system, if available, instead of a password.

His single most important bit of advice, he said, is to remove your own administrator rights when using your home computer. In other words, instead of acting as the administrator with the ability to easily make any change to the computer, log in at home as a lowly user, just like at work.

This isn't something a lot of people bother doing. That kind of laziness is exactly what the bad guys are counting on. A home computer left running in the hands of its administrator is far more vulnerable to threats like what is called a remote code execution exploit. That means if the bad guys can find their way in to load their own software onto your machine, they could soon end up in control of it.

The bank followed up this conversation with Witty by providing a blog post of his filled with more security advice, but it didn't list adoption of a new payment system like Apple Pay. Yet it is hard not to see a lesson in the personal habits he described.

This is one that sounds counterintuitive, as carrying around a wristwatch to pay for things just doesn't sound like it could be more secure than a credit card. One of the things that makes a new service like Apple Pay a secure option, however, is that the Apple payment system uses an approach known as tokenization.

This sounds about as buzzy as anything gets in technology, but all it apparently means is that instead of the credit card number, the system pays with a computer-generated number called a token, a number that means nothing if stolen. As best I understand it, it is that token that gets sent through the electronic payment system, not a customer's credit card info, with a token only linking up to the actual credit card account down the line and only while in the computer equivalent of an underground vault.

Maybe it is not important to know precisely how this all works. What is important to understand is that the head of cybersecurity for a big bank, at a time of more cyber threats than ever, has enough confidence in the electronic payments system to no longer even carry a wallet.

lee.schafer@startribune.com • 612-673-4302