BreachExchange mailing list archives

South Korea and the U.S. Reacted Much Differently to a Credit Card Theft Scandal


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Jan 2014 18:18:51 -0700

http://news.yahoo.com/south-korea-u-reacted-much-differently-credit-card-214036383.html

Residents in both the U.S. and South Korea were recently hit with a major
security breach that left significant populations exposed to credit card
theft. The two discrete incidents offer an insight into how such disparate
nations react to similar crimes, and the cultural implications of each
response.

The Breach

In the U.S., Target's Point of Sales devices were infected with malware,
which captured shoppers' credit card information for a period surrounding
Black Friday, the largest shopping day of the year. At first, the retailer
reported that information was stolen from 40 million accounts. Later, the
company revised the number upwards to between 70 and 110 million accounts,
including some users who say they had not patronized Target in a decade. It
is assumed that each person only has one account, so the number of people
affected is the same as the accounts hacked, up to one-third of Americans.

U.S. officials have been investigating the hack but so far it seems private
security groups are leading the charge on moving the case forward. Security
expert Brian Krebs broke the story, and others (some working with the
government) learned that the malicious software originated in Russia and
suspected a couple of teenage hackers of writing the code. So far, only two
arrests have been made over the theft, and those were questionably related
to the case.

In South Korea, more than 100 million credit card details were stolen by a
contractor at the Korea Credit Bureau, which offers credit scores. The
contractor apparently had access to the credit card companies' databases
and removed them using a USB. South Koreans have an average of four credits
each, and the information -- including social security numbers -- of 20
million South Koreans, roughly forty percent of the population, is
estimated to have been stolen by the contractor. The contractor stole
information from over three major credit card companies from December 2012
and apparently sold the information to loan companies who used it for
marketing purposes. Though those affected have been assured that their
money is safe, roughly 500,000 have opted to cancel credit cards since the
breach was made public last week. At least two people, including the
contractor, have been arrested for the theft.

The Reaction

Interestingly, the criticism has been apportioned differently in each
nation. In the U.S., Target is shouldering the bulk of the blame. The
retailer is facing a lawsuit from a bank seeking damages from Target
because, it argues, the company's delayed announcement of the breach cost
the bank money in terms of account closures, credit card reissues, and
other related events. Target is facing nearly two dozen lawsuits from
customers upset that Target did not protect their personal information.

It is reasonable, of course, for Target customers to be angry at the
retailer, but it has been argued that Target is also a victim of the U.S.'s
weak credit card protections. As the Associated Press explains:

"The U.S. is the juiciest target for hackers hunting credit card
information. And experts say incidents like the recent data theft at
Target's stores will get worse before they get better. That's in part
because U.S. credit and debit cards rely on an easy-to-copy magnetic strip
on the back of the card, which stores account information using the same
technology as cassette tapes. "We are using 20th century cards against 21st
century hackers," says Mallory Duncan, general counsel at the National
Retail Federation. "The thieves have moved on but the cards have not."

In most countries, credit cards use digital strips that create unique codes
for each use to store account information, deterring thieves from
attempting to obtain card information. If easy-to-hack credit cards are the
problem, outrage at a retailer could be misplaced.

In South Korea, on the other hand, outrage was directed at the credit card
companies — even though the culprit worked for a credit agency:

"The first class action lawsuit was filed against the three credit card
companies late on Monday, a day after the FSS revealed the full scale of
the theft, according to the law firm representing them. The victims are
each claiming 110 million won ($103,400) in compensation. Lawyers said they
expected more lawsuits to come, as internet chatrooms and social media
seethed with complaints about the security failure."

In response to the incident, the chief executives of each of the three
companies resigned, a move which would perhaps have meant more in the
U.S. than it does in South Korea, because it would be almost unheard of
here. The Financial Times reports that

"The mass resignations may bolster complaints, widespread among industry
analysts and executives, that South Korean financial companies are
excessively beholden to the instructions of the government and
regulators... The frequent security breaches in South Korea’s financial
sector have come despite a stringent regulatory regime that slows down
online banking and shopping. All online transactions require the use of a
government-provided “digital certificate” and a range of applications using
Microsoft’s outdated ActiveX system."

Still, the South Korean government has said it will increase regulation
within the financial services system in order to prevent future breaches.
For their part, U.S. lawmakers are demanding more secure credit cards, but
credit card companies for now remain largely protected, while Target will
likely take the fall and bear the expense.

In South Korea, it seems this breach has been done and the damage assessed,
while the Target case is ongoing and will likely drag out for months, if
not years, in the courts. It remains to be seen how the case will shake
out, but we have a feeling that strong words will not affect credit card
companies as much as a lawsuit, and in order to see real change we might
have to wait until the next major breach, or see if this one continues to
get worse before it runs its course.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 