New questions are being raised about last summer’s cyber attacks on JPMorgan Chase customer data files. Names, telephone numbers and email addresses for about 76 million households and 8 million small businesses were compromised in what amounted to the largest U.S. data breach on record. JP Morgan has warned its customers to be on the lookout for official-looking emails requesting additional account information, but now some cyber security experts are questioning whether the ultimate aim may have been to disrupt Wall Street. Please join us to talk about the new concerns about recent cyber attacks.

Guests

  • Lisa Madigan, Illinois Attorney General
  • Edmund Mierzwinski, Director, U.S. PIRG Consumer Program
  • Greg Garcia, Executive director, Financial Services Sector Coordinating Council
  • Alan Paller, Director of research, SANS Institute
  • Danielle Douglas-Gabriel, Reporter, Washington Post

Transcript

  • 10:06:53

    MS. DIANE REHM: Thanks for joining us. I'm Diane Rehm. There are new concerns about the cyber attacks on JP Morgan Chase last summer. Many suspect the aim of the breach was intended to do more than collect personal data. Joining me to talk about what happened, questions still unanswered and lessons to be learned, Edmund Mierzwinski of U.S. PIRG, Greg Garcia of the Financial Services Sector Coordinating Council, Alan Paller of the SANS Institute and Danielle Douglas-Gabriel from The Washington Post.

  • 10:07:34

    MS. DIANE REHM: Do join us, 800-433-8850. If your information was compromised, I'm especially interested in hearing what you have to say about that experience and you can join us by email, drshow@wamu.org or follow us on Facebook or Twitter. But first, joining us by phone from Chicago is Lisa Madigan. She's attorney general for the state of Illinois. And I wonder, Lisa, you've opened an investigation into the JP Morgan Chase response to last summer's cyber attack.

  • 10:08:17

    MS. DIANE REHM: You call it one of the most troubling breaches ever. Tell us why.

  • 10:08:23

    MS. LISA MADIGAN: Well, Diane, I think it's clear that it's one of the most troubling breaches in large part not just because of the scope in terms of, you know, the number of people's information that has been breached, but also because of the fact that it's a bank and for many years, we've been told that, you know, banks certainly have among the best security systems in the world.

  • 10:08:45

    MS. LISA MADIGAN: And, obviously, when people's financial information as well as their personal identifying information is potentially compromised, it is reason for great concern because it really calls into question, is there any of our information that is out there that is safe. And we've really got to redouble our efforts and I think certainly makes this one of the highest priorities of our country.

  • 10:09:08

    REHM: Do you think that Americans now assume that none of their personal information is actually safe?

  • 10:09:20

    MADIGAN: I think, at this point, they should, unfortunately. And so they've got to not just recognize that there may be nowhere that their information is safe, but they also then need to recognize that they have some responsibility in trying to monitor their accounts, monitor their credit because it can have a terrible impact on your financial situation if somebody does obtain enough information to steal your identity and to do damage to your accounts.

  • 10:09:50

    MADIGAN: So I think people, at this point, unfortunately, are recognizing that their information is not safe and that they are going to have to step up their own security.

  • 10:09:59

    REHM: And now, turning to the question of how many questions there remain, what are some of the key questions you would like to have answers to?

  • 10:10:14

    MADIGAN: Well, we always want to know exactly what information has been compromised when we look at these breaches and the information that Chase put out in their 8-K is a little vague so there's some, you know, specific information, but it's unclear what user contact information and internal information relating to users really is. So one, exactly what information was compromised? We always want to find out as well about, you know, what systems do they have in place, what were they doing to make sure that that information was being protected.

  • 10:10:54

    MADIGAN: And then, once that information is released, we like to find out not only all of the information that's released, but make sure that people are notified so that, you know, they can be aware that they need to better monitor their accounts. They need to be on the lookout, certainly in this situation, for what we refer to as the phishing emails, where people will send you a fake email trying to obtain more of your personal information.

  • 10:11:16

    MADIGAN: And so we really need to find out all of these things as well as what was the timing of it because a lot of what we get concerned about is making sure to alert consumers so that they can start to monitor. If you're a victim of one of these breaches, the chances that you will be a victim of unauthorized charges or debits or a full-blown identity theft greatly increases and that's one of the main reasons that we need to actually inform people of this when it happens.

  • 10:11:43

    REHM: So the question becomes how much, by law, is JP Morgan responsible and obliged to expose at this point?

  • 10:11:57

    MADIGAN: Well, they should be telling, I would say, just in terms of customer relations, they should be willing to tell people what information they held that was compromised. And certainly if they've become aware that more information has been compromised, they need to disclose that as well. Again, you know, this is people's personal financial information, personal identifying information and until the full extent is fully explained, people are going to have questions.

  • 10:12:25

    MADIGAN: And I can certainly tell you that I have seen a significantly greater response to the Chase breach than really any other breach. I think, in large part, because people, again, recognize it's a bank and for, you know, millions, tens of millions of Americans, it's their bank, you know, the organization that we trusted to hold our money and therefore trusted with a lot of personal information and so people are much more concerned about this than they are when, for instance, it's been a restaurant chain.

  • 10:12:57

    REHM: You know, it's so interesting. We've heard about numerous cyber attacks in the last few months and including Home Depot and Target, Neiman Marcus. But as yet, we still haven't heard exactly how much damage has been done. How come?

  • 10:13:20

    MADIGAN: Well, I think we end up, you know, seeing these situations pop up and so it's sometimes hard to quantify. Now there are, and you'll be talking to them later, some of the organizations that do the math and can show you that at this point, you know, these breaches and identity theft are costing billions of dollars and it's having a substantial impact on businesses, a substantial impact on the economy.

  • 10:13:44

    MADIGAN: And I can tell you because we've run an identity theft unit since 2006 out of the attorney general's office that we've had to help over 35,000 people here in Illinois remove over $26 million in fraudulent charges from their credit. So that's just a snapshot of the problem and the magnitude of it and how it financially impacts people, but it has a much greater impact overall on the economy.

  • 10:14:06

    REHM: Lisa Madigan, she's attorney general for the state of Illinois. Thanks for joining us.

  • 10:14:14

    MADIGAN: Diane, my pleasure.

  • 10:14:15

    REHM: Thanks. And turning to you, Danielle, in your piece in The Washington Post this morning, you said there are growing concerns about both the intent and the scope of the attacks. Give us a sense of that.

  • 10:14:33

    MS. DANIELLE DOUGLAS-GABRIEL: I think based on the level of time that the hackers spent within the system, so from what JP Morgan can tell, they were first rummaging around in June and returned to the system maybe about at least five times until August, which is when the bank learned of exactly what was going on, has raised a lot of questions as to whether their intent was to perhaps cause a little bit more damage, get more information about the infrastructure of the bank, what other information that they held -- they hold related to some of the banks that they do business with or any other financial firms.

  • 10:15:06

    MS. DANIELLE DOUGLAS-GABRIEL: So it's apparent to a number of people that this isn't just about being able to grab as much consumer data as possible because typically, from what I've heard from cyber security experts, when these kinds of attacks happen, the hackers go in quickly. They get as much as they can and they try to use the information immediately. They usually don't linger around in a system for months at a time.

  • 10:15:26

    REHM: So are you saying that between June and September/October when JP Morgan Chase did finally acknowledge that this was going on, did they know that these hacks were taking place and simply did not make it public?

  • 10:15:51

    DOUGLAS-GABRIEL: The bank is saying that they first learned of it in early August, perhaps late July and at that time, of course, the, I think, FBI and the Secret Service got involved. Now, when federal law enforcement gets involved, there's only about so much institutions can disclose to the public while these investigations are ongoing and before they receive clearance from law enforcement to alert the public to exactly what's going on.

  • 10:16:13

    DOUGLAS-GABRIEL: And around August, that is when JP Morgan did start to offer some information to their customers on their website, saying that they have experienced some level of breach, but they did not give a full explanation and, you know, it is debatable whether they still have given a full explanation as to what has happened and the full extent of what information has been breached. And I think a part of that's because an investigation's ongoing and they're still trying to determine how much information was compromised at this point.

  • 10:16:43

    REHM: And turning to you, Greg Garcia, one of the especially troubling things seems to be this attack could be so successful against one of the nation's biggest and presumably most well-protected institutions. How could this happen?

  • 10:17:06

    MR. GREG GARCIA: Well, let me tell you. That's a very good question and it's something we grapple with every day. The Financial Services Sector Coordinating Council or FSSCC is a collection of 65 companies and trade associations that are organized around critical infrastructure protection for the financial sector so we're constantly thinking about how do we do this better, both for cyber security and physical security, how do we protect ourselves better, partnering with our government agencies, partnering with other financial institutions across the sector and with other sectors like telecommunications and information technology.

  • 10:17:41

    MR. GREG GARCIA: And so there's a whole ecosystem that sort of contributes to our level of security or insecurity. And, you know, the way we look at it, at a strategic level, is that cyber security is something that is with us. It's a hackneyed phrase. It's the new normal and what we try to look at is, first, intent. Who are the threat actors?

  • 10:18:03

    REHM: But if you say it's the new normal, I mean, here we're talking about banks. We're not just talking about individual accounts and that's the difference here.

  • 10:18:16

    GARCIA: Yes. And banks are certainly one of the biggest targets for sure. And even with some of the strongest fortifications, hackers who are determined can find the wormhole.

  • 10:18:28

    REHM: Greg Garcia, he's executive director of the Financial Services Sector Coordinating Council. Short break here. We'll be right back.

  • 10:20:00

    REHM: And welcome back as we talk about the JP Morgan Chase breach, how it happened, why it happened and why, Alan Paller, it took so long for JP Morgan Chase to know about what was happening. How come?

  • 10:20:22

    MR. ALAN PALLER: How come they took two months to know? How come power companies take 15 months to know? It turns out that the most critical shortage in cyber security is a set of staff members who have the skills to be able to find the attacks quickly and get them out. We can't stop them all. There's just -- banks are wonderful defenses but their employees can be fooled into opening attachments, they get infected, things get in. It's how quickly you get them out.

  • 10:20:53

    MR. ALAN PALLER: And when they stay in a long time they have a chance to put in Trojan horses, to put in tools that can be used when they come back to actually disrupt the financial system. And that's my concern about this attack. It's -- yes, the data's bad but they were in a long time. They probably built a whole infrastructure inside, unless they're unsophisticated, that is there when people come back. And it's very hard to find. It's one of the most difficult things in the world to find.

  • 10:21:19

    REHM: Ed Mierzwinski, have consumers become a little more complacent about not only their own credit cards but opening these kinds of attachments that may, you know, give them all kinds of long term problems?

  • 10:21:39

    MR. EDMUND MIERZWINSKI: Well again, it's not only the consumers, Diane, who are opening the attachments. It's the bank employees who are opening them. And so there's a problem in both sectors, both inside the bank and both with customers. But I agree. Unfortunately there have been so many breaches, so many stories, Target, Home Depot, Michaels, Neiman's, et cetera that now that we've just got one more, consumers are worried but they're not worried enough.

  • 10:22:05

    REHM: Now here's an email from Julie who says, "So far in the past year I've been affected by the Target, Home Depot and JP Morgan Chase breaches. I'm on my third debit card. Because of them I have two monitoring services working on my behalf courtesy of Target and Home Depot. My credit union was the most proactive issuing me new debit cards and PINs, contacting me immediately when someone in another state used my information. I'm thinking I may go back to using cash for my purchases." What do you think of that, Danielle?

  • 10:22:57

    DOUGLAS-GABRIEL: I'm not sure if that's the safest way because certainly thieves could certainly steal that cash as well. I think what's interesting is that her credit union, the response that they've given is, well, as a lot of the financial institutions have been fairly proactive on replacing cards, on alerting their members to potential fraud and being more alert to that fraud. But there's kind of a fatigue right now for folks like your -- the person who emailed in who has gone through several of these breaches, that they're just like, I'm not sure what else I can do. I'll still be the victim of this sort of attack.

  • 10:23:34

    REHM: And Alan, what about the potential damages from the JP Morgan breach?

  • 10:23:41

    PALLER: So there are two misconceptions about this breach. One is that, Diane, most people think that credit cards are much worse than this other information. And in general, as an individual, I'm not really liable for anything when my credit card is used. But when this particular data is stolen from a place where you know these are rich people -- and do you remember the -- JP Morgan mentioned that you knew something about their accounts as well as their names and their wives' names. You got both names on there.

  • 10:24:11

    REHM: Right.

  • 10:24:11

    PALLER: You've got so much information you can do what's called whaling. If you're fishing...

  • 10:24:16

    REHM: Not phishing, but whaling.

  • 10:24:17

    PALLER: Whaling is for the rich people. And we've had one big example of that in the past with the SalesForce.com attack that went after all their customers as whales. If you've got a lot of money in JP Morgan and you can tell from the account ID, you're a target who's worth creating emails that are so clearly special to you. It's got your wife's name and it's got your phone number and it's got all these things that who could possibly know that that could persuade you to go to a phone number that you shouldn't call or go to an email that you do a -- go to a website or open an attachment.

  • 10:24:54

    PALLER: So the key is for any -- and this is not just JP Morgan -- don't go -- don't click on URLs inside emails. If you want to go somewhere, go somewhere by typing the URL in. Don't -- just stop clicking on these URLs because that's how you get infected.

  • 10:25:14

    REHM: So explain, Ed, if you would, why debit cards are so risky.

  • 10:25:22

    MIERZWINSKI: Well, when you're using a credit card, as Alan said, the law protects you. But when you use a debit card, the law is weaker. But even worse, it's your own money coming from your own account. And you've got to wait until the bank puts it back. Most of the time the bank will put it back but it takes them time to do a reinvestigation. Meanwhile, if you're living from paycheck to paycheck, you don't have any money.

  • 10:25:44

    MIERZWINSKI: If I could add one quick thing, Diane. On the complacency question, consumer groups are very concerned that when your credit card or your debit card information is taken, you can only become a victim of existing account fraud. But the companies are all providing you with this SOP, they're providing you with credit monitoring, as if that's going to help you.

  • 10:26:07

    MIERZWINSKI: Credit monitoring only deals with your credit report. It will help you to identify that you've been a victim of identity theft where somebody created a new account in your name. But I think people are partly complacent because the companies say not to worry, there's nothing to see here. We gave you credit monitoring.

  • 10:26:26

    REHM: Greg, what do you think?

  • 10:26:27

    GARCIA: Yeah, and, you know, Ed is right that credit monitoring alone is not going to protect consumers. And that's why a lot of the financial institutions put a lot of resources into customer training. We -- for every website that you go to in a bank there is a security page that gives you some basic tips about how to protect yourself. Cyber security is a shared responsibility. And, in fact, this happens to be National Cyber Security Awareness Month. It's good timing for you to have this show here. The entire month of October is spent educating particularly consumers and small businesses about what they can do to protect themselves, and that this is a shared responsibility.

  • 10:27:06

    GARCIA: And, you know, the consumer complacency issue is, yeah, we have -- sometimes we do want it both ways. We have social media where we put out a lot of private information about ourselves, yet we're not always as protective of the security of our information as we are about locking our car doors and our houses as well.

  • 10:27:23

    REHM: Alan Paller, explain what the SANS Institute does.

  • 10:27:28

    PALLER: SANS is a college. We're the one graduate school in the United States that actually gives graduate degrees in these advanced skills in cyber security. And we also train about 35,000 other people a year. But we also run the Internet Storm Center, which is the early-warning system. We have a big reading room. It's a research and education organization. That's all we do. We don't have any services. We don't do any consulting.

  • 10:27:50

    REHM: But you teach people.

  • 10:27:52

    PALLER: We teach people how to find the bad guys -- how to stop the bad guys, how to find the bad guys, how to clean up the mess afterwards.

  • 10:28:00

    REHM: But if you teach them how to find the bad guys, isn't it possible that they themselves could become the bad guys?

  • 10:28:09

    PALLER: Yes. That's the oldest argument in cyber security. Should you tell people how the attacks work, because aren't you teaching the bad guys how to do something? The answer is, they already know. So you are basically taking away any defense if you don't teach people how to defend themselves.

  • 10:28:23

    REHM: Do you agree with that, Ed?

  • 10:28:26

    MIERZWINSKI: I think he's right, absolutely. The bad guys, they learn in the prison, they learn online, they learn on the dark side of the internet. It's information that consumers need. The bad guys already have it.

  • 10:28:37

    REHM: And Danielle, merchants and retailers have a lot on the line.

  • 10:28:44

    DOUGLAS-GABRIEL: Oh, certainly. I mean, consumer confidence is one of the biggest threats I think that has befallen retailers in a lot of ways. The idea that none of your information is safe with the stores that you choose to shop with, it could be extremely damaging to their bottom line. Yet we've seen Home Depot's sales in the last quarter actually do fairly well. So you start to question whether consumers are seeing this as a major threat or are they just kind of seeing it as negligible?

  • 10:29:09

    PALLER: Or they could be seeing it as, those guys got hit. They're going to be more careful than the other people who haven't been. Yet maybe I'm safer going back to the people who've actually been hit. We make strange decisions as consumers.

  • 10:29:22

    MIERZWINSKI: It's a tough one to answer but I really think that consumers need as many protections as they can get. And that's why we need a multilayered approach to this problem. We need the state attorneys general, we need better protection from the retailers and from the banks. We need new cards is the first thing we need. And we're starting to get them very slowly.

  • 10:29:40

    REHM: What kinds of cards?

  • 10:29:42

    MIERZWINSKI: Well, the -- there may be disagreement among different groups around the table, I don't know, but the merchants would prefer chip and PIN cards because the chip is the advanced technology that basically scrambles the account number each time so that it's not in the merchant's system. The PIN is your password to make sure that you're not a bad guy. Some of the cards that are being rolled out are chip only, chip and signature. And some people would prefer that we go higher than that. And then you can even talk later about Apple Wallet which uses even more advanced technology.

  • 10:30:19

    MIERZWINSKI: So I want to make...

  • 10:30:19

    REHM: Uses your phone as your credit card?

  • 10:30:21

    MIERZWINSKI: Right. In the Apple Pay system that they have rolled out in cooperation with the banks. It has additional protections in it. So I just want to make sure that from my perspective as an advocate Congress doesn't simply say, let's do only chip. Let's make sure we look for best possible...

  • 10:30:41

    REHM: Why would they do only chip?

  • 10:30:44

    MIERZWINSKI: Congress is usually a dollar short and a day late and that's part of the problem.

  • 10:30:50

    REHM: Is that how you see it, Alan?

  • 10:30:52

    PALLER: I think it's not quite there. I think they're pressured by groups who would save a lot of money if you do chip and no PIN. And those are the people who pay people to come see them. And those are the people that help them write the legislation. So it's the people with the most money to help them understand the problem that will help them answer it in the cheapest possible way to meet the requirement.

  • 10:31:15

    MIERZWINSKI: Well, it's also important that Congress not get too down into the weeds about legislating specific technologies. As we know, technology is innovating all the time. And indeed it's all those new technological innovations that not only create great things like Apple Pay, but it also creates new vulnerabilities. And with every new vulnerability there is a criminal that's ready to exploit it.

  • 10:31:39

    REHM: So with Apple Pay, for example, how safe might that be?

  • 10:31:46

    DOUGLAS-GABRIEL: There are unique codes that Apple Pay sends across a certain network that allows -- that prevents the same level of breach and hacking as some of the other payment systems. So there's a lot of promise and hope as to whether that level of technology will kind of help to mitigate some of these breaches that we've seen.

  • 10:32:04

    DOUGLAS-GABRIEL: What's interesting at the same time, there are merchants developing their own payment system that would seek to limit the role of the banks and the credit card networks at the same time. Most of that is because of cost savings there...

  • 10:32:18

    REHM: I would imagine.

  • 10:32:19

    DOUGLAS-GABRIEL: ...so they can reduce -- yes, the interchange fees that they have to pay to the banks.

  • 10:32:23

    REHM: What are they paying at this point, 3 percent or more?

  • 10:32:27

    DOUGLAS-GABRIEL: I think roughly about that much, yeah.

  • 10:32:29

    REHM: Three percent.

  • 10:32:29

    DOUGLAS-GABRIEL: Yeah.

  • 10:32:30

    REHM: Each time a card transaction takes place in a grocery store or clothing store, the bank gets 3 percent.

  • 10:32:42

    DOUGLAS-GABRIEL: They're -- yes. These swipe fees have been a contentious issue for the industry.

  • 10:32:47

    REHM: And you're listening to "The Diane Rehm Show." We have lots of callers. I'm going to open the phones, 800-433-8850. I'd like to hear from you, so give us a call. Chris in Tampa, Fla., you're on the air.

  • 10:33:12

    CHRIS: Hi. I had a comment more than anything...

  • 10:33:16

    REHM: All right.

  • 10:33:16

    CHRIS: ...is that JP Morgan Chase is responsible, in Florida at least, I don't know if it's nationwide, for running the temporary assistance to needy families and the food stamp program, their debit cards. So all of that information was also at JP Morgan.

  • 10:33:36

    REHM: Ed.

  • 10:33:37

    MIERZWINSKI: The caller raises a very good point. A number of government transfer programs are now on cards and the banks and actually some defense contractors have the contracts for these cards. So in this case those items could've been involved as well. And that's why we need the investigations that Attorney General Madigan called for.

  • 10:33:55

    REHM: All right. And let's go to Barbara in Louisville, Ky. You're on the air.

  • 10:34:02

    BARBARA: Good morning, Diane.

  • 10:34:02

    REHM: Hi.

  • 10:34:03

    BARBARA: A comment and I guess there's a question combined in this. Knowing all of the hazards that you all are addressing this morning about cyber information and personal security, and the questions and things that you have addressed in the past, why do we continue to allow that kind of information on the internet? You know, haven't -- even the CIA is concerned about that kind of information. Why do we allow that kind of information on the internet...

  • 10:34:43

    REHM: All right. Alan Paller.

  • 10:34:44

    PALLER: We allow it because the consumer wants the service that is provided by the organization asking for the information. And there's a simple contractual agreement that says if I want this, I'm going to give you the data. And consumers are more than willing to do that. They're willing to give up amazing amounts of data to get services.

  • 10:35:05

    REHM: But, I mean, it comes down to the use of the internet to make purchases of all kinds. It comes down to the convenience of doing your banking online.

  • 10:35:18

    PALLER: Right. It's Christmas shopping online. The idea of spending your life in a store is going away for a lot of people. And it's so convenient to do that that you're willing to give up a lot to make it possible for you to buy what you need, to do your banking, to have a life that is convenient for you rather than so safe for you.

  • 10:35:38

    REHM: So might there be any changes in rules, regulations in terms of what these merchants request online in order to keep consumers more safe?

  • 10:35:55

    GARCIA: I think you're exactly right that there could be changes in the rules. And banks, right now, and merchants have a relationship through the payment system. But everybody on the internet is trying to monetize consumer information. So they're not only collecting account numbers, they're collecting personal information. And some of it's on your Facebook page or your Twitter site or wherever but who knows? There may be limits going forward. We'll have to see.

  • 10:36:23

    REHM: And it would also seem to me you've got to have banks, financial institutions, everybody working together with government to try to solve this problem.

  • 10:36:36

    MIERZWINSKI: That's exactly right. The banks are certainly one of the most heavily regulated industries in our economy. And we think regulation is absolutely necessary. But we don't need conflicting regulations.

  • 10:36:50

    REHM: How about more regulations, Alan?

  • 10:36:53

    PALLER: I haven't seen the regulations having a positive effect. The state disclosure rules have had a positive effect. If you destroy those with a national rule that basically takes all the teeth out of the state ones then those will all be gone. But I haven't seen anything in cyber security being very effective in protecting people.

  • 10:37:09

    REHM: Alan Paller. He is director of research for the SANS Institute. When we come back, more of your calls, your email. I look forward to speaking with you.

  • 10:39:58

    REHM: And welcome back. Here's an email from Pauline, who says, "I'm beginning to think there should be penalties for these breaches. It's happening too often. Car manufacturers have to recall vehicles if there's a problem. Why not a fine in these circumstances?" Ed?

  • 10:40:23

    MIERZWINSKI: Well, regulators have the authority to impose fines for any violation. And perhaps this will be the one that forces them to take a harder look and impose a penalty. I would absolutely support what the caller said.

  • 10:40:37

    REHM: What do you think, Greg?

  • 10:40:38

    GARCIA: Actually, the Federal Trade Commission has levied a number of penalties on retailers in the past, BJ Wholesalers, DSW Shoes, a number of others.

  • 10:40:47

    REHM: Yeah, but how about a big institution like JPMorgan Chase?

  • 10:40:53

    GARCIA: The -- JPMorgan Chase is regulated by a number of government regulators. And put them through a lot of regulatory requirements. They're already paying an immense amount of money just to protect their systems.

  • 10:41:07

    REHM: Oh, come on. Come on. Really? Think about the profits that JPMorgan Chase makes. All of these records now compromised. You're telling me the banking regulation is going to make it realistic not to punish these banks for the breaches?

  • 10:41:33

    GARCIA: I think the banks have done a lot of work to collaborate with one another across the sector, with information sharing, research and development, a number of different activities to try to strengthen the security of our infrastructure.

  • 10:41:46

    REHM: Okay. But you're avoiding the question about fines. Alan Paller?

  • 10:41:51

    PALLER: So we have a very high economic price, a fine that comes from California -- thank you, attorney general of California -- because the disclosure is an immensely expensive fine. And they think of it as a fine. And they'll do almost anything to avoid the fine. So another fine isn't really what's missing. What's missing is follow through. And the FTC does a pretty good job at that, of making sure that people actually follow through. But there's -- I'm just saying, I don't think another fine will actually add very much to this problem because the disclosure cost is so big.

  • 10:42:28

    REHM: Danielle?

  • 10:42:28

    DOUGLAS-GABRIEL: It's not out of the question yet that any of the banking regulators won't take action against JPMorgan, depending on what the final investigation determines. Certainly the Office of the Comptroller of the Currency regulates the bank. And they would look for any kind of safety or soundness violations. And can certainly put in a corrective measure and also hit the bank with a fine. It's difficult to say whether or not that'll have much of an impact because a lot of these fines, after a while, it just becomes noise.

  • 10:42:56

    REHM: Part of the business.

  • 10:42:56

    DOUGLAS-GABRIEL: Yes. It's a business expense in a lot of ways. It's what that corrective measure might ask for, would be -- would potentially be where you'd see the most impact.

  • 10:43:06

    REHM: Okay. So in Europe, Ed, you've got the chip and PIN. And what is the rate of violation there?

  • 10:43:19

    MIERZWINSKI: Well, when European countries added PIN, the number of fraud occurrences declined substantially, as I understand it. But you think of it as a balloon. You squeeze one part of the balloon and the fraud moves. So some of the fraud moved to the United States when Europe protected their retail systems. And now the concern is that fraud is going to move even more to online and mobile transactions.

  • 10:43:45

    REHM: In Europe?

  • 10:43:46

    MIERZWINSKI: In America and in Europe. And that's because the chip and PIN is not good for card-not-present transactions. It's only good when you've got the card so that the chip can be enabled.

  • 10:44:01

    REHM: Oh, I see. So if you're doing business online, that chip doesn't show up. It's simply your number.

  • 10:44:09

    MIERZWINSKI: Right. And there are a number of other solutions being developed online. And we need to encourage those. And that's…

  • 10:44:15

    REHM: Like what?

  • 10:44:15

    MIERZWINSKI: Well, I think tokenization is one. And perhaps Greg or Alan could explain it in greater detail than I could, but that's probably the first line of defense -- or one of the lines of defense.

  • 10:44:25

    REHM: Tokenization?

  • 10:44:26

    GARCIA: Tokenization is a way of adding an authentication device to your online experience. You've got a user ID, you've got a password, and you have a device that interacts with the website that actually gives you a unique number that says, yes, you are in possession of this device and it matches your user name and password.

  • 10:44:46

    REHM: Does that make sense?

  • 10:44:47

    GARCIA: It makes sense. And it's being used -- it's used -- being used all over our economy, on our online world and in corporate America.

  • 10:44:56

    REHM: Is that…

  • 10:44:56

    PALLER: You might ask why we haven't done all these things more quickly if this is a big problem. And one of the untold stories is that the banks and the processors actually make money on every fraudulent transaction. They actually get paid their full cost. It's only the merchant that actually pays for these costs. So the banks are not out -- we think the credit card companies are protecting us, but it's actually the poor merchants who have to pay the lost goods, the regular transaction fees and then a charge-back fee, which can be 20 to 50 bucks.

  • 10:45:27

    DOUGLAS-GABRIEL: So it's why you get into these fights between merchants and banks, because the merchants are paying it all. And the banks have some sort of overhead costs, but it's a huge amount of money that the banks are taking in -- hundreds of millions of dollars -- on fraudulent transactions. It sort of takes away the incentive. Greg, you can correct me.

  • 10:45:43

    GARCIA: Yeah, after the -- yeah, after some of the recent retail breaches, it was clear that the banking industry and the retail merchant sector needed to collaborate more closely and understand where the vulnerabilities are in our interactions and strengthen both sides and strengthen the transaction environment.

  • 10:46:06

    REHM: All right. Let's go to Deana, in Colorado Springs. Hi, you're on the air.

  • 10:46:15

    DEANA: Hi, Diane. Thanks for taking my call.

  • 10:46:16

    REHM: Sure.

  • 10:46:18

    DEANA: We do a couple of things with respect to our accounts. We receive text messages from our banks if there's any activity on our accounts that exceeds a certain dollar amount. And then we have credit freezes on our accounts that we can temporarily remove for some designated period of time if we decide we need to apply for credit. So my question is two-fold. One is how effective are those steps in protecting our information and/or preventing identity theft? And then secondly, is there anything more that we could or should be doing?

  • 10:46:59

    MIERZWINSKI: Well, I'll start out, Diane. And the security freeze is something that the consumer groups push for around the country. And it's now available anywhere in the country, including the District. And the way the security freeze works is you tell the credit bureaus not to allow anyone to access your credit report. No legitimate creditor will issue credit to anyone unless they can look at the credit report. The downside is that a consumer who is active in the credit market, looking to buy a car, looking to buy a house or refinance, has to temporarily unfreeze their account…

  • 10:47:35

    REHM: I see.

  • 10:47:36

    MIERZWINSKI: …but in the meantime, your credit report is locked in a safe and a bad guy can't get access. I strongly support the banks that have provided the type of text messaging the caller referred to -- tell you when your bill is due so you don't pay overdraft charges or late fees. And they tell you when all of a sudden you're maxed out, when you haven't used your card.

  • 10:47:58

    REHM: Alan?

  • 10:47:59

    PALLER: The notification, the text is wonderful. It's part of the solutions that Danielle wrote about and what you should do about monitoring your accounts, making sure...

  • 10:48:08

    REHM: Absolutely.

  • 10:48:08

    PALLER: But there's one other thing that we recommend if you're doing online banking. And that is buy yourself -- they're very cheap -- buy yourself a separate computer that you use for absolutely nothing else. They're -- you've already got wireless in the house. You don't put Windows on it, I mean you don't put Word on it, you don't put anything on it. You just run your banking on it. And that avoids the biggest problem for bank accounts, which is your kids or you go visiting websites, you get infected, they read your ID.

  • 10:48:38

    PALLER: That's how most of the attacks actually work. And if you want to stop that, one computer that's your banking computer. It's not used for anything else. You don't go there when your husband is doing something else or your wife's doing something else on the other machine and do web stuff. You just use it for banking.

  • 10:48:51

    REHM: Danielle?

  • 10:48:51

    DOUGLAS-GABRIEL: I think it's important to understand the importance of monitoring all of the activity on all of your accounts and on a frequent basis. Not relying on those sorts of credit monitoring or identity protection programs or products that a lot of banks actually do sell because they are reactive, not proactive. They will alert you after the fact of somebody trying to steal your identity. So it's up to the consumer to be vigilant in making sure that no one is doing any fraudulent charges on their cards.

  • 10:49:24

    DOUGLAS-GABRIEL: There are a lot of banks that will tell you what's happening. And there are a lot of credit unions who are also very quick to alert you if there's any suspicious activity. If there -- if you live in D.C. and they're seeing Colorado, they'll let you know, but you need to pay attention.

  • 10:49:37

    REHM: Here's an email from Lauren, in Massachusetts, on that very point. She says, "My bank offered free for a year, a monitoring service called InfoArmor. How much can I rely on this to alert me to any fraud?"

  • 10:49:58

    DOUGLAS-GABRIEL: I mean, it's nice to have those free programs, but I'd always read the fine print because some of them are no longer free after that year and they start charging your account. We've seen about eight banks at this point get into trouble with the Consumer Financial Protection Bureau for some of those identity theft and credit monitoring programs. I'd be very leery of them. It's almost important not to just rely on those kinds of services in order to protect your account, but to also pay attention to it yourself.

  • 10:50:25

    REHM: All right. To Jack, in Birmingham, Mich. You're on the air.

  • 10:50:30

    JACK: Hi. I just -- this parenthetically texting -- it doesn't work if you don't text. But I'm curious about this issue of the information with regard to people who have Chase mortgages because they collect a lot of information in connection with that application. And I don't even understand how that would even want to be into a setting where it could be obtained by other sources. And secondly, the -- Chase also has wealth management for people who are leaving their estates and managed by the Chase.

  • 10:51:04

    JACK: And I'm curious -- I mean, how much information goes on -- into a form which can be obtained? I can't imagine why any of that should even be in the marketplace of information, beyond the actual offices of which they are retained.

  • 10:51:21

    REHM: Ed?

  • 10:51:22

    MIERZWINSKI: Well, I think the caller's exactly right. The -- first of all, there is a lot of information. And Alan referred to whaling, where you get a lot of information about rich people. But people with mortgages…

  • 10:51:33

    REHM: Mortgages.

  • 10:51:34

    MIERZWINSKI: …are people that are at risk as well because the mortgage application has detailed background info in it. And there are real questions. And that's why we are relying on Attorney General Madigan to demand investigations to find out what did they know, when did they know it, and what did they take.

  • 10:51:50

    REHM: Okay. So if mortgage information is hacked, stolen, what happens to it?

  • 10:52:00

    MIERZWINSKI: Well, that could form the basis of identity theft. Again, there are two kinds of fraud, Diane. The first kind is fraud on your existing accounts. If they get your account number they can steal from your bank account if it's your debit card or they can steal from the bank if it's your credit card. I use my credit card online so that they don't steal from my bank account.

  • 10:52:21

    MIERZWINSKI: But if they get additional information, your Social Security number is the key that unlocks your credit report and allows somebody else to open new accounts in your name. That's the big thing that they're looking for.

  • 10:52:34

    REHM: Here's another email, this from Thomas, in Dallas. He says, "I got an email purportedly from Chase asking me to update information on my account. I sent the email to my spam folder. Is there an email address I should forward the bogus email to in order to help the investigation?" Greg?

  • 10:53:04

    GARCIA: Yeah, I think most banks have that. Again, if you go to their security page, usually it will have name of bank, at -- or fraud@nameofbank.com. He is exactly right to be suspicious. You're not going to get an email -- an unsolicited email from any bank asking you to update your information. Don't do it.

  • 10:53:24

    REHM: And you're listening to "The Diane Rehm Show." You're saying no bank would ever ask you to update your information online?

  • 10:53:36

    GARCIA: That's correct. I get emails from my bank that says, "Your statement is now available online."

  • 10:53:42

    REHM: Right.

  • 10:53:42

    GARCIA: Go to your bank and check out your statement, make sure everything is okay.

  • 10:53:48

    DOUGLAS-GABRIEL: Yeah, don't click off that link.

  • 10:53:49

    REHM: Don't click on that link.

  • 10:53:52

    GARCIA: Don't click on the link and don't give any information to anyone that calls you on the telephone.

  • 10:53:55

    REHM: Absolutely.

  • 10:53:56

    GARCIA: Hang up the phone and call the number on your card. Don't click on the link. Just go to chase.com.

  • 10:54:04

    REHM: All right. Let's go now to David, in Destin, Fla. Hi, you're on the air.

  • 10:54:11

    DAVID: Hi, Diane. How are you?

  • 10:54:12

    REHM: Good, thanks.

  • 10:54:14

    DAVID: Good. I run an informative advocacy site on cyber security crime, identity theft and privacy, called MyStolenID.org. And I was listening to the program and oftentimes corporate PR and news reports focus on credit cards, but that is a very small portion of the overall picture of identity theft, data breach and acquiring people's personal information. Some have talked about that on your show.

  • 10:54:51

    REHM: All right. Alan, do you want to comment?

  • 10:54:54

    PALLER: Well, he's exactly right. And Ed was talking about that, the other kinds of errors. I wanted -- we've been really bashing JPMorgan Chase and the banks in this one a little bit. I wanted to bring up one last thing about…

  • 10:55:04

    REHM: Sure.

  • 10:55:04

    PALLER: …them. As I mentioned, the worst problem we have in our field is that we don't have people that can find the bad guys quickly and get them out. JPMorgan Chase and about 18 other companies got together. It's going to be announced in November on a program for veterans coming back with an intensive training program to make them -- the ones who already have IT knowledge, called "That's success," I think. And it's open to other people around America, but focused on veterans.

  • 10:55:27

    PALLER: So it -- what I'm saying is, yeah, they've got a problem. All the banks have a problem like that. They're the ones who got it publicly, but they actually are doing some really wonderful things to improve security.

  • 10:55:36

    REHM: Okay. I want to read one last email to you, from Allen, in McLean, Va. He says, "One concern, given the duration of this breach, are we concerned about the possibility of inserting a Trojan horse to be activated at some future date as part of a larger, multi-institution, coordinated effect to paralyze the nation's financial system?" Danielle?

  • 10:56:08

    DOUGLAS-GABRIEL: Indeed. I think that's why we're still seeing the FBI and the Secret Service trying to figure out exact -- the full extent of this. And federal officials asking other institutions whether or not they saw any activity similar to what was happening at JPMorgan. Thus far, no one has seen anything on this scale. However, the threat of any kind of future…

  • 10:56:27

    REHM: Potential is there.

  • 10:56:28

    DOUGLAS-GABRIEL: …potential future attack is still there.

  • 10:56:31

    REHM: Do you all agree?

  • 10:56:31

    MIERZWINSKI: Absolutely. Danielle is right and the caller is right. We worry that they weren't just looking for cash. They were looking to commit mayhem on the financial situation.

  • 10:56:41

    REHM: And could they have, might they have, did they affect the stock market?

  • 10:56:49

    DOUGLAS-GABRIEL: It's, I mean, it's certainly a potential that could have happened. At this point, from what the bank is saying publicly, they believe that they have contained the problem. I don't think we'll fully know that until this investigation is completed.

  • 10:57:02

    REHM: Danielle Douglas-Gabriel of the Washington Post, Alan Paller of the SANS Institute, Greg Garcia of Financial Services Sector Coordinating Council and Edmund Mierzwinski, director of U.S. PIRG Consumer Program. Thank you all.

  • 10:57:25

    DOUGLAS-GABRIEL: Thank you.

  • 10:57:26

    PALLER: Thank you, Diane.

  • 10:57:27

    MIERZWINSKI: Thank you.

  • 10:57:27

    GARCIA: Thank you.

  • 10:57:27

    REHM: And thanks for listening. I'm Diane Rehm.
