Gullible?

We are in the midst of a series of critical repairs at the Cox home. The pandemic forced us to postpone many of them, but slowly they are starting back up.  This last week involved the removal and upgrade of our failing main electrical breaker box panel.  Of course, that meant an extended power outage and the hourly “When will power be back on?” questions from my girls.  I must say, we all gained a greater appreciation for our ancestors who navigated the 1800s with gas lights, candles and no air conditioning.

Speaking of appreciating our 21st century lifestyle, I love using Apple Pay!  With the team of contractors working hard in the heat to get our power back on, I decided to make a run to our local grocery store to pick up some bottled water, Gatorade and snacks for them.  As is my custom, I paid with my Apple Watch.  The customer behind me was shocked and struck up a conversation.  

I grew up in the Midwest where you expected friendly conversations with random fellow human travelers all the time.  However, that’s typically not how we do things in California.  Here, everyone tends to be more focused on their own business, mostly without even making eye contact.  But I find I still revert to my Midwest roots on occasion, much to the embarrassment of my kids, especially when there happens to be a cute baby in line with us.  I just can’t help myself.  Babies are irresistible.  In any case, I happened to run into this concerned citizen in line with me at the grocery store who was seriously worried about my Apple Watch.   The conversation was really quite fun.

“Hey, aren’t you worried someone is going to steal all your information with that thing?”  I responded, “Actually, it uses an encrypted token, not my info, to complete the transaction.”   

“Like whatever, encrypted nothing, they got you!  That’s dangerous!  Can’t someone just decrypt it?”  I really wanted to start drawing a diagram to explain how it worked, but I knew the rest of the customers in line were not interested in an extended lecture.  I still switched into professor mode, “Sure, but just keep in mind, this isn’t my information directly, it is just a token identifier.”  

“Man, you really are gullible.”   I wasn’t making any progress.  He shook his head but then proceeded to pull out his credit card in plain sight.  I was able to clearly read his name, card number and expiration date printed on the front.  No, I didn’t try to memorize it but was struck by the irony.  He swiped his card with his in-clear-text magnetic stripe, also showing the CVV.  Sigh.  Yes, I guess I’m gullible.

I appreciate my friend’s paranoia, despite his negligence in protecting his own identity.  No system is 100% secure.  We know that.  Several years ago, I had the privilege of teaching a cybersecurity class at USC where we explored the anatomy of an attack.  One particular case study was the 2013 Target breach. We examined all the points of vulnerability that existed in the system at that time.  It began with a phishing scheme that equipped the attackers with a contractor’s credentials to log in to the energy management system for the stores.  That led the attackers to a vulnerable Windows PC that just so happened to bridge the HVAC network with the global store network. That network was home to all the point-of-sale systems for all their stores.  The card readers on those systems only accepted plain-text magnetic stripe data. The hackers installed BlackPOS, an open-source malware package that intercepts track data.  It began reading all of that data, sending it off to a server hosted in Russia.  They managed to extract 40 million credit cards before they were discovered.  A year later, nearly the exact same attack occurred at Home Depot, but for 56 million credit cards.
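The weak link in that chain was plain-text track data sitting in POS memory and leaving the store network. A defender's counterpart to the memory scraper is a detector that looks for that same data where it should never appear (outbound traffic, log files, memory dumps). The following is an added example, not code from the original post or from any of the products mentioned; it parses ISO 7813 track 1 and track 2 layouts, keeps only Luhn-valid PANs to cut false positives, and masks the PAN in its findings so the alert itself does not become a card-data store. The captured buffer and the card numbers in it are constructed test values (industry test PANs), not real cards.

```python
import re
from typing import Dict, List

# Constructed sample of a buffer captured leaving a POS host. It mixes
# ordinary traffic with raw track data in the form a plain-text magnetic
# stripe reader emits. The PANs are public test numbers, not real cards.
SAMPLE_CAPTURE = (
    b"GET /update HTTP/1.1\r\n"
    b";4111111111111111=25121010000000000000?\r\n"      # track 2, Luhn-valid
    b"%B5555555555554444^DOE/JOHN^2512101000000?\r\n"   # track 1, Luhn-valid
    b";1234567890123456=25121010000000000000?\r\n"      # track 2, fails Luhn
)

# Track 2: ';' PAN '=' YYMM service-code ...   Track 1: '%B' PAN '^' NAME '^' YYMM ...
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI-permitted display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict[str, str]]:
    """Return one masked finding per Luhn-valid track record in the buffer."""
    findings: List[Dict[str, str]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({
                "track": "2",
                "pan": mask_pan(pan),
                "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            })
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({
                "track": "1",
                "pan": mask_pan(pan),
                "name": m.group(2).decode(),
                "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",
            })
    return findings


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_CAPTURE):
        print(hit)
```

Run over real egress captures or POS memory snapshots, a hit from this rule on any host other than the payment gateway path is a strong signal that something is reading the card reader's output. The Luhn filter is what keeps it usable: the third record in the sample has the right shape but a bad check digit, so it is dropped rather than paged out as an alert.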

Vigilance is needed.  Reliability engineering is not just about system performance or uptime, it is also about running secure systems.  As we help design, build and run systems, this is a great reminder that we can all help safeguard our customers’ and company’s data.  Have you found a vulnerability?  Are you concerned about some missing measures or designs that should be modernized or addressed?  If so, don’t wait, raise those issues.  Speak up and act.  You can make a difference.  Let’s continue to help make our systems more secure for the good of the kingdom, our guests, businesses and fellow employees.