Internet security expert downplays latest hacking incident

The US Bank building in St. Paul
The US Bank building in downtown St. Paul.
MPR Photo/Steve Mullis

A prominent information security expert said Tuesday that concerns about the recent Epsilon email hacking incident are misplaced. Bruce Schneier, author of the online Crypto-Gram newsletter, said there's little risk that the alleged theft of millions of email addresses will result in widespread fraud.

"It's why it seems implausible to me that this was an attack by actual criminals because it's not terribly useful stuff they stole, if indeed they stole anything," he said.

Schneier said credit card users need to be on the alert for unusual activity or emails, regardless of whether there's a reported security breach.

"If you know there's fraudulent transaction going on on your credit card, then you should definitely deal with it," he said. "Until then, it's all going to be panic and worry without cause."

MPR News spoke with Schneier on Tuesday. An edited transcript of that interview is below.

Tom Crann: Just yesterday I got an email myself from Best Buy. How concerned should people be if they've received an email like that from a company where they have an account or they do business, about this data breach?

Bruce Schneier: Not very. These data breaches happen all the time. These letters are going out because the law mandates that Epsilon inform its customers, even though they don't know if anything was stolen or what's going to happen, but I wouldn't worry at all.

Crann: You wouldn't worry at all about this. So if anyone is surprised that maybe their email's out there or wants to prevent this in the future by not giving their email as freely if they did, what would you say to them?

Schneier: This is a problem you can't solve. Whenever we deal with other companies, the phone company, the credit card company, merchants we deal with, we give them our information. We do that. There's no way around that except living in a cave in the woods.

Unfortunately, once we give that information out, we lose control of it. Unfortunately, we have to trust the people we do business with, and very often that trust is misplaced, and very often there are problems, but basically we do okay.

I would say that every one of your listeners has a credit card in their wallet that has at some point been stolen by a hacker and likely nothing will ever happen with that.

Crann: Why, because they just steal millions of numbers at a time and they don't have time to match them up?

Schneier: Well, that's the problem. If you're a criminal and you want a hundred credit card numbers, you can't steal a hundred. They come in blocks of a hundred thousand. So you get way more than you need, and you probably throw away the rest. I mean for all we know, the person who hacked into this site was looking for one person's information and he had access to millions and millions.

Crann: Is it good though that people who are regular customers of these big companies are on a little more alert so that if they do get one of these phishing, 'We need to update everything. Type all your information in here,' that they're less likely to do that?

Schneier: The people who do best on the net against these scams are the ones who are really good at sort of detecting what's right and what's wrong and what smells funny. So, yes, being on alert's important, and not just this week, last week, the week before, and next month, too.

The scammers are getting better. One of the things that saves us is they still can't spell, so we get these phishing emails and stuff is spelled wrong. Well, eventually, they're going to figure out to use a spell checker and we won't be able to use that metric anymore.

You just have to pay attention. When you get something that doesn't smell right, don't click on the link, go to the website. If you're told to call, don't call the number on the email. Call the number on the back of your credit card. Do the things that you know are going to be right, rather than believe something you received in email.

Crann: Double check it.

Schneier: Double check it, and don't trust a 'from' address.

Crann: Put it in perspective for us. What sorts of things are happening out there that we're not informed about because they don't involve big name companies?

Schneier: Well, data breaches. Hackers break in and steal information. I mean they're looking for things like credit card numbers. So if you think about it, if you buy something from an internet retailer or even mail order and by the phone, your credit card information is probably stored on the merchant computers. And pretty regularly, the bad guys break in and steal that database.

That's a much more valuable database than a database of email addresses. I mean email addresses are kind of public. If you think of it as the internet phone book, somebody stole the phone book. So what? But with credit card numbers or passwords or financial data, the bad guys can do a lot better at targeting fraud. It's why it seems implausible to me that this was an attack by actual criminals because it's not terribly useful stuff they stole, if indeed they stole anything.

Crann: You say that information gets hacked all the time, so when actually should customers start worrying about a hack or a data breach?

Schneier: You know, I'd think approximately never because really there's nothing you can do about it. If you know there's fraudulent transaction going on on your credit card, then you should definitely deal with it. Until then, it's all going to be panic and worry without cause.

(Interview edited and transcribed by MPR reporter Madeleine Baran)