Penny Wise and Pound Foolish

by George Pasley, iMazuma

Let me tell you, getting mobile alerts that inform you that $800 was withdrawn from your account when you haven’t spent anything is unnerving.  A few weeks ago I awoke to my phone beeping and letting me know that someone in Maryland had withdrawn money from my account.  Considering that I was in Charleston, SC at the time, this was not good.

Fortunately, I alerted my bank and everything was taken care of.  The question was, how did this happen?  Apparently, my PIN was changed the previous night from my home phone number.  At the time of the change, I was using my cell phone to speak with my sister.  In order to change my PIN, someone had to know the last four of my social security number and call from my home phone.  My first thought was my bank or one of their partners had been hacked.  Turns out, I think my trouble was caused by the SC Department of Revenue being hacked.

Government officials made a lot of comments about the incident.  One was that they used industry standards in storing personal information.  I’m not sure when it became an industry standard to not encrypt social security numbers.  From what the spokesperson said, even banks and credit unions don’t encrypt personal information like social security numbers.

While I don’t agree with the comment about industry standards, I do know that databases containing social security numbers aren’t always encrypted.  At one point, plenty of banks and credit unions required that customers and members use their social security number as their user ID for online banking.  Fortunately, that is no longer the case; online banking users are not allowed to use their SSN for a user ID.

However, there is still the issue of all those internal databases with sensitive information.  I am on the side that feels anything that is customer facing should be encrypted.  Internally, however, I understand that it’s just not that feasible.  Coming from the IT side, I know about all the reports from different systems and internal applications hastily put together.  I also know about the numerous spreadsheets on servers that contain customer information.

The best solution that I see is to make sure all of your computer systems are properly updated.  This includes operating systems, software, and browsers.  Hackers look for any exploit they can find.  Making sure your systems are updated and properly secured is one way to protect yourself.  Sending your IT employees to training is also important.  South Carolina had to spend over $12 million to learn the importance of securing their systems and training their staff.  Please don’t make the same mistake they did by being penny wise and pound foolish.


George Pasley is the founder of iMazuma, a web software company based in Charleston, SC. iMazuma specializes in back office automation software and recently launched FS Vendors, an online financial ...