Monster.com to upgrade security
Data stolen from Monster can help online criminals.
ASSOCIATED PRESS
By now, the perils of securing online data with little more than user names and passwords should be well known. Monster.com learned that lesson late and the hard way, prompting this week’s announcement that the Web jobs board will spend millions of dollars to improve its security.
Monster Worldwide Inc. recently discovered that con artists had grabbed contact information from résumés for 1.3 million people — and likely many more, since Monster now says this was not an isolated incident.
Files were pilfered not only from Monster.com but from USAJobs.gov, the federal-government career-listing service operated by Monster.
The stolen information is not by itself ultra-sensitive, since résumés generally do not include Social Security numbers, financial data or account information.
But contact information alone can be lucrative for online criminals, who used what they got from Monster to craft “phishing” e-mails that go after such sensitive data.
The affair could serve as a warning to other businesses that operate online.
But if the past is any guide, many will shrug off this episode.
“You’re going to see this happen again and again and again,” said security analyst Bruce Schneier, chief technologist for BT Counterpane.
“I assure you, every other company didn’t say, ‘Wow, look what happened to Monster, we have to fix our problem.’”
Why this happened
Blame many factors. For one, upgrading security can be expensive, and many companies are reluctant to shell out for improvements until they’ve been viscerally reminded of the need for it.
“How do you justify a $10 million security budget when nothing happened last year?” said Mark Rasch, a former federal cybercrime investigator now with FTI Consulting Inc.
Another problem is that companies are hesitant to put up blockades that can annoy legitimate users.
“We’re all accustomed to a straightforward and easy experience,” said Dennis Maicon, executive vice president of Digital Resolve, a unit of Landmark Communications Inc. that sells automated fraud-detection systems.
“We want to do things quick, we don’t want to jump through all kinds of hoops to say, ‘Hey, it’s me,’ because a good portion of the time, it is you. A company like Monster has to maintain the customer experience.”
That balance can shift, of course, if regulations require more stringent security. Many financial institutions and insurance companies have adopted extra measures such as Digital Resolve’s authentication technology as a result.
It lets customers sign on in a straightforward way but scans for anomalies that might indicate an unauthorized person has stolen the password.
After the Monster breach was disclosed by researchers at Symantec Corp., Monster defended its policies by pointing out that its network security had not been broken.
No one hacked in, after all. Rather, the criminals obtained legitimate keys to the system.
