BreachExchange mailing list archives

Now You See Them, Now You Don't: Banks' Misdirection on Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 11 Dec 2014 19:04:01 -0700

http://www.rollcall.com/news/now_you_see_them_now_you_dont_banks_misdirection_on_data_breaches-238551-1.html

A staple of the illusionist’s trade is “misdirection” — distracting the
audience with the movements of one hand while using the other hand to make
an object “magically” disappear.

Apparently, big banks have been studying prestidigitation when it comes to
credit card data breaches.

The banks’ strategy has been to call for data breach regulations on
merchants, while making their own responsibility for card data disappear.
Although there are approximately 1,000 times as many retailers as banks in
the U.S., banks experienced nearly three times as many breaches involving
data losses last year.

When merchants are breached, the criminals want payment card information,
but it is the banks and credit card companies that not only create this
data but also dictate how it is to be protected by everyone involved,
including merchants. And they have never prioritized security.

Numbers are still embossed in huge characters on the front of cards, even
though knuckle-buster machines and carbon copies are obsolete. Actual
account numbers are still used, even though technology to encrypt them or
substitute other data has existed for some time. Even though encryption
requirements are imposed on merchants, banks are still not required to
accept encrypted data. And while Europe has combined the use of computer
chips and personal identification numbers for 20 years, the banks’ and card
companies’ much ballyhooed plans to put chips in place here don’t involve
PINs — which don’t have the same benefits.

In short, the banks and card companies have made merchants the target of
data thieves by imposing a fraud-prone card system, then worked to convince
everyone that breaches result from merchants’ failure to protect data,
hoping no one will notice the real source of the problem.

But the banks’ misdirection doesn’t end there. Pointing to the Gramm-Leach-
Bliley Act (GLBA), they sing the praises of their own data standards while
neglecting to mention they suffer more breaches than merchants — and that
GLBA regulations do not require them to notify consumers when the banks
have a breach. The regulations just say banks should investigate and, if
they think consumers face risks, the banks should notify them.

Little wonder then that banks cite sources that use news reports to count
breaches. That way, the banks can try to claim they don’t have many. In
October, to take one specific example, we learned that JP Morgan Chase had
suffered the largest data breach in history only because the firm quietly
included the figures in a standard report to the Securities and Exchange
Commission. But, as The New York Times reported, nine other financial firms
were hit by related data thefts. Who were they? Darned if the Times could
find out.

Later, Bloomberg reported the real number of victimized firms was 12, in
addition to JP Morgan — and it managed to glean a handful of the names from
company insiders. But because of the banks’ data-disappearing act, the
public still doesn’t know who was hit or how badly, and likely never will.

Banks are only too happy to prey upon the public’s lack of knowledge and
sell data breaches as a merchant problem. But being able to fool people
doesn’t make it right. It is one thing for a magician, whom we pay to
entertain us, to slide a playing card up his sleeve and claim he’s made it
disappear. But banks can’t make their cards vulnerable to fraud and expect
the public to stand by while their money disappears as financial firms play
three-card Monte with their own culpability. And letting them get away with
it is standing in the way of real, comprehensive solutions.

If America ever wants to make real progress in combating fraud and
protecting consumers’ data, it’s time for the banks to stop the
sleight-of-hand and admit that any policy solution must cover everyone,
including themselves.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com