The Endless Data Security Saga Continues
Home Depot is the latest retailer to experience a serious data breach. Consumers and retailers alike are no doubt asking, “Will it never end?” The short answer is, “Probably not.”
I don’t need to give you a list of all the retailers that have been breached this year. It’s a long list, and a depressing one, especially given the money that has been spent on PCI-DSS compliance. It’s somewhat cold comfort for US retailers that the impending adoption of EMV (chip and PIN) will likely do a lot to reduce in-store card fraud but will do nothing for the world of digital commerce. According to Greg Buzek over at IHL, in Europe, where chip and PIN has been the standard for a decade, store-based fraud fell by 67% after implementation. In Canada, where chip and PIN was introduced in 2008, it has dropped by 58%. Unfortunately, “card not present” fraud has spiked and is expected to surpass total store fraud.
After I wrote a blog post about the Home Depot data breach for Forbes, I received a letter from the Communications Director for Holland and Knight, attorneys for the PCI Security Standards Council. Nothing warms my heart like getting a letter from a lawyer! A little voice in my head starts to say “Danger, Will Robinson!”
The letter included a statement from the PCI SSC about the recent data breaches. It essentially exhorted retailers to take advantage of all the wisdom to be gleaned from the PCI standard and gave a heads-up that EMV is not the cure-all it has been painted as. Here’s an excerpt:
“Although details of the latest breaches are still unfolding, the Council urges retailers and others to reference the PCI SSC Bulletin on Malware Related to Recent Breach Incidents for further recommendations to ensure they have the proper layers of defense in place for detecting, preventing and defending against malware and other attacks on their systems. EMV chip based systems offer a significant security advantage in face-to-face retail environments as the technology rolls out in the USA. But EMV chip technology does not solve all payment security challenges.
Businesses must approach security as a round-the-clock, 365 day-a-year necessity. Attacks can come from any corner of the globe, but the defense starts with the layers of security provided by PCI Standards. However, this defense must be supported by adequate law enforcement resources and international agreements that allow for the apprehension of international cybercriminals. Bringing the perpetrators of these attacks to justice needs to have the highest priority.”
Oddly, I can’t find this bulletin on the PCI SSC’s web site, but I did find a different update dated September 10, outlining best practices for avoiding data skimming on PIN pad devices.
Just about every retailer that has been breached in a post-TJX world was, to my knowledge, PCI compliant. However, the piece raises a very good point. The very same software used to grab POS data from Target’s system was apparently used in the Home Depot breach, by the very same criminals. That’s just not good. Where is international law enforcement in all this? It’s not okay that we have to be notified by Brian Krebs (the security journalist) that he’s finding stolen credit cards for sale on clandestine web sites.
Retailers are not alone in feeling pressure from cyber-criminals. According to Bloomberg News, JP Morgan Chase and four other banks were also targeted in a coordinated attack. Celebrities including Jennifer Lawrence, Kate Upton, Kirsten Dunst and others found their intimate personal photos posted on web sites. While it seemed that the one thing these celebrities had in common was the use of Apple’s iCloud storage, Apple vehemently denied that iCloud itself was directly breached. However it happened, the data was stolen.
It remains to be seen whether security threats will dampen consumer enthusiasm for Apple Pay. There are some technical reasons why Apple Pay is more secure: it relies on tokenization, so the merchant receives a device-specific substitute number rather than the real card number, and each transaction carries a one-time cryptogram, so a captured token is of little use for replay. Banks are hopping on board daily. Until now, mobile payments have felt like a solution looking for a problem. We’ll likely find out now if consumers were just waiting for Apple to make its move, or if, as data from many sources keep saying, they just aren’t interested. I’m not making a prediction here. I’m still smarting from my predictions that the iPad would be a non-starter, and Ron Johnson would be JC Penney’s savior.
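As an added example (not Apple Pay’s or any card network’s actual scheme, and not code from this post), here is a toy token vault in Python that shows what tokenization buys a merchant: the merchant’s database holds only a Luhn-valid surrogate number, while only the vault can map it back to the card number. The 16-digit format, the assumed non-issuer prefix “9”, the preserved last four digits, the constructed test PAN and the in-memory store are all assumptions for illustration; a real vault would keep PANs encrypted under hardware-protected keys.

```python
"""Payment tokenization, illustrated: the merchant keeps a token, the vault
keeps the card number (PAN).  Added example; assumptions are marked inline.
"""
import hashlib
import hmac
import secrets


def luhn_checksum(digits: str) -> int:
    """Luhn mod-10 sum over a digit string; zero means the string validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_ok(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 12 and luhn_checksum(pan) == 0


class TokenVault:
    """Maps PANs to surrogate tokens and back.

    Assumed token format (not from the page): 16 digits, starting with '9'
    (assumed not to be a real issuer range, so a token cannot be routed as a
    card), keeping the PAN's last four so receipts still read naturally, and
    passing Luhn so legacy systems that validate card numbers accept it.
    The in-memory dicts stand in for a hardened, encrypted store.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # keyed lookup: PANs are never dict keys
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        last4 = pan[-4:]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(10))
            # The filler digit sits in an undoubled Luhn position, so exactly
            # one value makes the whole token validate.
            fill = (10 - luhn_checksum("9" + middle + "0" + last4)) % 10
            token = "9" + middle + str(fill) + last4
            if token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting one on first sight."""
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            token = self._new_token(pan)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (i.e. the payment processor) can do this step."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise LookupError("unknown token") from None


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """What the merchant stores after a sale: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    record = merchant_checkout(vault, "4111 1111 1111 1111")   # constructed test PAN
    print("merchant keeps:", record)
    print("vault can still charge:", vault.detokenize(record["token"]))
```

The point of the split is that a breach of the merchant’s database (the `record` above) yields tokens that pass a Luhn check but cannot be used as cards anywhere, and the keyed index means the vault’s lookup table does not itself expose card numbers.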
Let’s be clear about one thing. The retail industry has not been standing pat in the face of these continued assaults. For starters, both major retail trade associations, the National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA), have announced the formation of Information Sharing and Analysis Centers (ISACs). While we might quibble at the need for two separate groups, it’s a huge step forward for the industry to work together to secure the data of its customers. Until now, the industry has collaborated on loss prevention but avoided direct conversations about data security. The Target data breach changed that irrevocably.
Even if we succeed in securing payment transactions, other personal information will be no better protected. Security experts have taken the position that with cyber-crooks becoming ever more sophisticated, and data access becoming more distributed outside the four walls of the enterprise, it’s going to be essentially impossible to avoid a breach of some sort. Cyber-crooks range from clever high school students who do it “because they can,” to more sinister groups hoping to make citizens and institutions suffer.
Taking a long view, most experts recommend that retailers and others operate under the presumption that their firewalls WILL be breached, and that they put in systems and procedures to trick the crooks into identifying themselves. The best technique identified so far is called the “honeypot.” This technique has been around for at least a decade, yet surprisingly few are using it. The earliest description I was able to find was dated 2000. Basically, the enterprise sets up a server that looks as if it contains sensitive data but exists solely to draw traffic from the bad guys; since no legitimate user or application has any reason to touch it, any connection to it is a strong signal that someone is already inside the network.
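As an added example, not code from this post or from any product, here is a minimal low-interaction honeypot in Python: a decoy TCP listener that answers nothing useful but records every connection as an alert, treating any source other than an assumed internal vulnerability scanner (10.0.0.5, hypothetical) as a high-severity event. The decoy name, the scanner address and the in-memory alert list are assumptions; a real deployment would forward the JSON records to a SIEM and run the decoy on a port that matches what it pretends to be.

```python
"""A low-interaction honeypot: a decoy listener with no legitimate users, so
every connection it receives is a high-confidence intrusion signal.
Added example; deployment values below are assumptions.
"""
import json
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Hypothetical deployment values: what the decoy pretends to be, and the one
# internal vulnerability scanner that is allowed to touch it without an alarm.
DECOY_NAME = "mysql-decoy"
KNOWN_SCANNERS = {"10.0.0.5"}

ALERTS = []   # stands in for the SIEM or syslog sink a real deployment would use


def classify_probe(src_ip, src_port, first_bytes, seen_at=None):
    """Turn one connection to the decoy into an alert record."""
    seen_at = seen_at or datetime.now(timezone.utc)
    severity = "info" if src_ip in KNOWN_SCANNERS else "high"
    # Ship only a short printable preview, never raw attacker bytes.
    preview = first_bytes[:64].decode("ascii", errors="replace")
    return {
        "decoy": DECOY_NAME,
        "severity": severity,
        "reason": "connection to a host that serves no real users",
        "src_ip": src_ip,
        "src_port": src_port,
        "bytes_seen": len(first_bytes),
        "preview": preview,
        "seen_at": seen_at.isoformat(),
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    """Read at most one payload, record the probe, then drop the connection."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except (socket.timeout, OSError):
            data = b""
        src_ip, src_port = self.client_address[:2]
        alert = classify_probe(src_ip, src_port, data)
        ALERTS.append(alert)
        print(json.dumps(alert))


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_decoy(host="127.0.0.1", port=0):
    """Start the decoy in a background thread; returns (server, bound port)."""
    server = DecoyServer((host, port), DecoyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, payload=b"\x00\x00\x00\x01 login", host="127.0.0.1"):
    """Play the attacker: connect, send a first packet, return the alert raised."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)
        s.recv(1)            # the decoy closes once it has logged us
    return ALERTS[-1]


if __name__ == "__main__":
    server, port = start_decoy()
    print("severity:", probe(port)["severity"])   # 127.0.0.1 is not a known scanner
    server.shutdown()
    server.server_close()
```

The detection logic is deliberately trivial: there is no signature to tune and no baseline to learn, because the decoy’s only purpose is to be touched by something that should not be on the network. The value comes from placing it where an intruder who is already inside will find it while scanning for databases.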
I can only say now what I said as I watched the industry spend a fortune to become PCI compliant. No static standard can keep us safe in a rapidly changing world. While standards continue to evolve, criminals evolve more quickly. I am most encouraged by the formation of these ISACs and hope they get up and running fast.