For those who follow my writings on security-related matters, you know that when there is breaking news I am usually quick to jump on it. However, in the case of the Target credit card breach, now nearing the one-week mark, there is surprisingly still a lot we do not know. And while speculation, lawsuits and reports of black-market sales of the stolen account data are making headlines, it seems like a good time to take a deep breath, take stock of where we are and see where we are heading.
What we know
Quickly, here is what we do know:
Here is what we do not know
The reason for waiting to write about all of this is that until the dust settles a bit more, there is a lot we do not know. The list is long, but a few items stand out.
What was the actual nature of the attack? If, for example, all 40,000 POS terminals were compromised, how was it done? The speculation has been that the account data was taken in transit between the point-of-sale (POS) terminals and the financial institutions involved in a given transaction, i.e., the cardholder's bank (the issuer) and the bank that actually pays the retailer (the acquirer). That is the most likely target (pardon the pun) because it is the easiest way to compromise so many accounts at once, but Target would be well advised to say exactly what happened. The distinction matters: if the data was captured on the terminals themselves rather than on the wire, then encrypting the store-to-processor link after the fact would not have prevented it.
How did Target “identify and eliminate” the source of the breach? If Target is to restore trust, it needs to come clean on this subject. Based on what security professionals are saying about the likely attack vectors, e.g., the POS terminals and the lack of network security around them, this is not a quick-fix situation. It will take time and money, and the Target brand will likely remain tarnished until it really can assure customers that their transaction data is secure.
The lack of security, according to security professionals, is appalling as well as symptomatic of a U.S.-centric problem. As the Associated Press (AP) reported in an extremely well-documented piece, the economics still favor absorbing fraud losses over paying for better security. As AP noted, “While global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.”
This leads to two further observations: a) on a pure fraud-loss basis, it does not pay to improve security, and b) there is a huge disagreement between retailers and card issuers as to who should pay for an upgrade. It leaves open the question of whether the latest breach is enough to stop business as usual.
Why was there seemingly no encryption? Moving to an almost fail-safe system may be expensive, but encrypting card data from the moment it is read until it reaches the processor is a no-brainer, and since transactions flow in both directions the cost could be shared in some measure by all parties. Why such a huge retailer as Target, with so much literally and figuratively on the line, did not at least implement this itself and demand from the card issuers and processors the ability to send and receive encrypted data is almost unfathomable. One caveat for anyone drawing lessons here: encrypting only the network link between the store and the bank is not enough. If card data sits in clear text inside the POS terminal before it is sent, malware on the terminal can read it there, so the encryption has to begin in the card reader itself.
The public relations handling of this situation has been a classic case of “what not to do.” Target is one of the biggest and best marketing organizations around, and to blow the PR on this hopefully means heads will roll. Public Relations 101 says, “Get ahead of the story.” Target appears to have known it had a problem starting in late November. It was not until the problem became public that it reacted. One would have thought, given how poorly all of the high-profile data breaches of the past year were handled, that Target would have learned a lesson. It did not; enough said.
A word from the wise
As you can well imagine, my inbox has been flooded with advice from security experts (thank you all, BTW) on what happened and what other merchants need to do to better protect themselves. While we wait for the card issuers to reissue cards with microchips instead of the easily duplicated magnetic stripes that leave not just Target but almost all U.S. retailers open to exploitation (chip cards are already standard in Europe and other parts of the world, where they have proven a huge deterrent), the piece of advice I liked a lot came from Mark Bower, vice president of product management at Voltage Security.
Bower gave a somewhat technical description of what to do. It resonates because the approach has proven effective for thousands of retailers, and it addresses the cost issue.
“There are two points in the retail chain where attacks typically take place: the POS or the payment-switching back end. POS systems are often the weak link, usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, a patch system or, worse, an insider.
In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often they are connected to many systems. As POS and checkout systems are in constant use, especially around high-volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable.
The good news is that there is a way to prevent this very efficiently. Savvy retailers are already tackling this risk by giving the malware nothing to steal. Point-to-point encryption (P2PE) from the instant the card data is read addresses this risk by encrypting all the payment card data before it even gets to the POS. If the POS is breached, the data will be useless to the attacker. Tokenization can eliminate live data from post-authorization retail processes like warranty and returns, yet enable business processes to still operate as before, even at Black Friday scale. No live data means no gold to steal.
“…And with EMV (Europay, MasterCard and Visa) on the horizon to make it much harder to counterfeit physical cards from stolen data, and with P2PE and Tokenization to protect the card data in the retail flow, merchants can turn the tables on data breaches in a major way. With the significant reduction in the cost of PCI compliance, there’s also an ROI to justify it in addition to avoiding the cost and complications of remediating 40 million breached cards as in this case.”
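To make Bower's three pieces concrete, here is an added walk-through (my own example code, not Target's or Voltage's) that simulates the parties he describes: a tamper-resistant card reader that encrypts track data the instant it is read, a POS terminal on a commodity OS whose process memory an attacker can scrape, and a processor-side vault that swaps the card number (PAN) for a token the store keeps for returns. The reader key, the card number (the well-known 4111 1111 1111 1111 test PAN), the track-2 record and the HMAC-based cipher standing in for the AES-GCM or DUKPT scheme a real reader would use are all constructed for the example. The same swipe is run twice: once the legacy way, with plaintext passing through the POS, and once with P2PE, so you can see exactly what a memory scraper on the terminal gets in each case.

```python
"""P2PE and tokenization versus a POS RAM scraper (constructed example)."""
from __future__ import annotations
import hashlib, hmac, os, re, secrets, string

# Constructed demo key. A real P2PE reader keeps its key inside tamper-resistant
# hardware (typically per-transaction DUKPT keys); the POS code below never touches it.
READER_KEY = hashlib.sha256(b"demo reader key - constructed, not a real key").digest()

# Stand-in AEAD for the demo: HMAC-SHA256 as a CTR-style keystream plus a separate
# HMAC tag (encrypt-then-MAC). A production reader would use AES-GCM or similar.
def _derive(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def reader_encrypt(key: bytes, track_data: bytes) -> bytes:
    """Runs inside the card reader: the plaintext never leaves it."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(track_data, _keystream(enc_key, nonce, len(track_data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Runs at the payment processor, the only other holder of the key."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tampered or corrupted payload")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class POSTerminal:
    """Commodity-OS checkout: everything it handles lands in process memory."""
    def __init__(self) -> None:
        self.memory = bytearray()
    def receive(self, data: bytes) -> None:
        self.memory += data + b"\x00"          # simulate a buffer left in RAM

# Attacker side: what POS memory-scraping malware does, grep digit runs that pass Luhn.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ram_scrape(memory: bytes) -> list[str]:
    return [m.decode() for m in PAN_RE.findall(memory) if luhn_ok(m.decode())]

# Track 2 layout: ";PAN=YYMM<service code><discretionary data>?"
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")

def parse_track2(track: bytes) -> tuple[str, str]:
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a track 2 record")
    return m.group(1).decode(), m.group(2).decode()      # (PAN, YYMM expiry)

class TokenVault:
    """Processor-side vault: the only place a token can be turned back into a PAN."""
    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
    def tokenize(self, pan: str) -> str:
        body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
        token = f"tok_{body}{pan[-4:]}"   # last four kept for receipts; rest carries no card data
        self._by_token[token] = pan
        return token
    def detokenize(self, token: str) -> str:
        return self._by_token[token]

# Constructed swipe: 4111... is a published test PAN, expiry 12/25, made-up discretionary data.
TEST_TRACK2 = b";4111111111111111=25121011234567890?"

def checkout(track2: bytes, p2pe: bool, vault: TokenVault) -> dict:
    """One sale; returns the token the store keeps and whatever a scraper finds in POS RAM."""
    pos = POSTerminal()
    payload = reader_encrypt(READER_KEY, track2) if p2pe else track2   # P2PE: encrypted before POS
    pos.receive(payload)
    # POS forwards the payload to the processor (over TLS in reality); only the
    # processor can recover the PAN in the P2PE case.
    pan, _expiry = parse_track2(processor_decrypt(READER_KEY, payload) if p2pe else payload)
    token = vault.tokenize(pan)
    pos.receive(token.encode() + b" " + (12 * "*" + pan[-4:]).encode())  # store keeps token + mask
    return {"approved": luhn_ok(pan), "token": token, "scraped": ram_scrape(bytes(pos.memory))}

if __name__ == "__main__":
    vault = TokenVault()
    print("legacy POS, scraper found:", checkout(TEST_TRACK2, False, vault)["scraped"])
    print("P2PE POS,   scraper found:", checkout(TEST_TRACK2, True, vault)["scraped"])
```

Run it and the legacy pass yields the full PAN from terminal memory while the P2PE pass yields nothing, even though both sales are authorized and a token ending in the last four digits is left behind for returns. The security property does not come from the cipher (which is a stand-in here) but from where the key lives: the reader and the processor hold it, the POS does not, so compromising the POS buys the attacker ciphertext and tokens that only the vault can reverse.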
For those unfamiliar with EMV, it is a global standard for interoperation of integrated-circuit cards and IC card readers (POS terminals as well as ATMs) for securely authenticating transactions. When implemented on a credit or debit card it has come to be known as the “smart card” or chip card. In addition, Visa and MasterCard have developed standards for using EMV cards in separate reader devices to support card-not-present transactions over the telephone and Internet. As noted, EMV has been used for several years, particularly in Europe, but has not yet been implemented in the U.S.
EMV is not totally “fail-safe”: researchers have demonstrated man-in-the-middle attacks against it in the lab (the Cambridge University “Chip and PIN is broken” work, for example, used a wedge device between card and terminal to complete a transaction without the correct PIN). However, it does the one thing security professionals always advise: it makes life much harder and more expensive for the bad guys, which means they will look elsewhere for low-hanging fruit. Note also what EMV does not do. It authenticates the card at the point of sale, but the account number is still read by the terminal in the clear, so it does not by itself protect the data in the retail flow. That is why Bower pairs it with P2PE and tokenization rather than offering it as a replacement.
In short, there are solutions to the problems the Target attack has exposed that make sense from a security perspective. When the economic damage to the Target brand is totaled, it is likely that the calculus behind the lack of adequate prevention will turn out to have been a significant miscalculation. This is not merely a matter of direct fraud costs (the value of the transactions themselves) versus the cost of protection. It is about the value of the brand as well.
Target happened to be the target this time, but that is more a matter of timing and audacity than of Target being an isolated instance to be exploited. As industry observers have correctly noted, the U.S. retail market is a “target-rich” environment for such mischief. It is for this reason that this latest breach had better serve as an urgent wake-up call to the entire electronic payments ecosystem in the U.S. It is also why we need to know as much as possible about what happened, so that at least some short-term preventive measures can be taken.
Trust is extremely difficult to earn, easy to lose and extraordinarily difficult to regain. Target has cast a pall over all retail transactions, not just those in its stores or online. Its lack of responsiveness and transparency has only made matters worse for itself, and the ripple effect is to plant in consumers' minds the question of what other retailers may or may not be hiding when credit and debit cards are swiped.
It seems safe to say that a major trend in 2014 is going to be issues surrounding authentication, identity and privacy. The financial institutions and retailers need to get over the cost issue and get on with giving all of us peace of mind. To say there is a lot at stake here is a gross understatement. Let's hope Target comes clean, and quickly, and that the reaction is action and not complacency.