Consumers Should Be Vigilant in Wake of Zappos Cyberattack

As an estimated 24 million Zappos.com customers begin receiving notifications that some of their personal data have been compromised in a massive cyberattack, an Indiana University cybersecurity expert is warning those affected to be on the lookout for targeted fraud attempts.

Sunday's announcement by Zappos that customer accounts had been compromised by an unknown attacker poses serious risks for consumers, according to Maurer School of Law Distinguished Professor Fred H. Cate.

Efforts by Zappos CEO Tony Hsieh to reassure affected customers of his online shopping site that "customers' critical credit card and other payment data was not affected," run the risk of misfocusing the public attention and understating the risk, Cate said.

"Credit cards are covered by a federal law that limits consumer liability in the case of fraud up to $50, and card issuers universally waive even that small amount," Cate said. "Compromised credit card data is not the major area for concern."

Instead, according to Cate, who also serves as director of the IU Center for Applied Cybersecurity Research, the data that were reportedly accessed in the Zappos breach -- customer names, addresses, phone numbers, email addresses and encrypted passwords, in addition to the last four digits of customer credit card numbers -- pose the greatest risk to affected individuals. That risk falls into three categories.

First, this information is precisely that used by fraud perpetrators to send fraudulent phishing emails purporting to come from legitimate businesses to individuals. "Think about it," Cate said. "If you get an email from a company that includes your correct name and contact information and refers to the last four digits of your credit card number, wouldn't you think it is real?

"In fact," Cate continued, "it is not at all clear how customers will be able to distinguish real messages from fraudulent emails claiming to come from Zappos itself."

Second, this is exactly the information necessary to locate other data about individuals in public and commercial records.

"If I have your name, address and phone number, in many states I can get your property tax records, marriage license and other publicly available information," Cate said. "With that additional information a criminal is in an even better position to commit frauds in your name or to access password-protected sites by using the extra information to answer password-reset questions."

Third, since the information included emails and encrypted passwords, this poses a serious risk to other online accounts held by affected customers of Zappos.

"Almost all consumers reuse passwords, and email addresses often serve as default account names for online sites, so depending upon the quality of encryption being used by Zappos, it is entirely possible that the perpetrators will have access to a wide range of online accounts," Cate said.

Fortunately, most major breaches do not result in extensive fraud. In addition, there are practical steps consumers can take to protect themselves, including:

  • Changing passwords on all accounts that used the same passwords compromised on the Zappos site.
  • Using unique passwords on all online sites.
  • Monitoring account, credit card and bank statements carefully.
  • Paying special attention to emails received, especially those claiming to be from businesses for which the consumer may have used the same credentials.

Featured

  • Cybersecurity Awareness Month: Top Five Action Items to Elevate Your Data Security Posture Management and Secure Your Data

    October is Cybersecurity Awareness Month, and every year most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed and these best practices can no longer be the bare minimum. Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3