Target: Deceive first, answer questions later

By Evan Schuman, Computerworld |  Security

Had Target simply said that the stolen PINs were fully encrypted so there's an excellent chance that they won't be accessible, that would be fine. It could have also truthfully added, "We currently have not seen proof that the bad guys have in fact deciphered these PINs. We've also not seen any evidence that they haven't."

It could have said, "We have used top-notch encryption, so your PIN is probably safe for the moment. But please change your PIN right away, so you'll be even safer." Better yet, banks could force the PINs to be changed when the card is used next. That would get new PINs to be in place quickly, without locking any customers out (in theory).

But by stating that the codes are perfectly safe, Target is demonstrating the perfect way to not restore trust. I have noticed this tendency with a lot of marketers. If their product can do something very well, they feel a need to exaggerate it.

This follows the biggest lie of all, which Target unleashed on Dec. 20: "Yesterday, we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated." The vagueness gives Target very little cover. What does it mean by "the issue"? In context, it's clearly meant to communicate that the method the attackers used "has been identified" and the security hole they took advantage of has been "eliminated."

A few days later, Target told state attorneys general that -- understandably -- it was still trying to determine the attackers' exact methods. That makes perfect sense, since data breach investigations take time and the initial indications often prove to be untrue. Target fully knew that and yet it immediately said it had identified the issue and then -- this is the killer -- had "eliminated" it. It was trying to convince people that the security risk was gone, when it knew that it was far too early to reliably say that.

Why would it say that, knowing it was false? The most likely -- albeit cynical -- interpretation is that it believed its intended audience (shoppers) would be trusting enough (and not technically astute enough) to not know it was false. In short, its customers would believe it and might not slow down their shopping at Target.


Originally published on Computerworld.