BreachExchange mailing list archives

The Year of the Breaches And How The Industry Responded


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Dec 2014 18:59:41 -0700

http://www.pymnts.com/in-depth/2014/the-year-of-the-breaches-and-how-the-industry-responded/#.VKG7Wl4AKA

While it’s not quite faster to list all the retailers and other
institutions that haven’t been breached, the list of those who’ve been
targets is long and scary. As we look back a year ago, who would have ever
thought that the Target breach would be eclipsed – at 40 million cards – by
other incidents that would follow over the course of the year? Ten months
later, Home Depot saw its system breached in nearly the same way Target’s
was, this time with 56 million cards’ worth of data going out the door and
up for sale on the black market.

What was interesting, however, was how seemingly immune to security panic
the consuming public had become. Target’s breach cost the retailer a 46
percent decline in revenue the quarter after it happened; Home Depot did
not see the kind of crippling blow to revenue that Target suffered.

And while Target may have been the “black swan” of the payments industry,
at least that is how MPD CEO Karen Webster characterized it, Home Depot is
now just another entry on the list of big breaches that started last
Christmas and continued as the not-so-welcome gift that just kept on giving.
And, for the moment, the cybercriminal world seems to have moved on – the
latest breaches are of data (at Sony) instead of payments information. A
development that is none too surprising now that card data is getting too
tough to obtain – why not just go after customer and account data so that
new accounts and cards can be set up that don’t have to be hacked in order
to be used.

The retail ecosystem still cares about security – deeply – from all
corners, but the way the ecosystem has come to view securing data is
evolving. Securing consumer information is no longer about simply slapping
the best security lock on a POS system and hoping for the best – this year,
at least, we saw evidence of an awful lot of ways the bad guys found to pick
those locks. Instead, security is now about the best systems that make data
unusable – rather than trying to block out the bad guys entirely, the game
is to make what they get useless.

PYMNTS spent a lot of 2014 talking to those on the forefront of securing
payments online, in the real world, on mobile and at all points in between.
These are their best insights.

In one of PYMNTS’ first interviews on data security in 2014, a theme that
persisted throughout the year first emerged – there are no easy solutions
and there is no single solution to solve the fraud problem. Fraudsters can
and will take advantage of any security flaw they can, and the first rule
in combatting them according to Balfany is to think as expansively as they
do.

“What we need to think about is securing all channels. We need to be
employing EMV in a face-to-face environment — terminals in retail
locations. We need to be employing it at the ATMs, and we need to be
employing other tech and security measures as we think also about the
card-not-present channel,” Balfany told MPD CEO Karen Webster in an
interview.

EMV is a step in solving the problem, she noted, as is tokenization and a
variety of other means – but most central to mounting an effective defense
will be deploying solutions in tandem and broadly.

Cyber-criminals are not a band of disorganized rabble-rousers, Luca told
PYMNTS. Rather, they are organized criminals undertaking a business they
take seriously – after all, it is how they make their living. And that
business is going to evolve around and past any solution that seeks to
disrupt it.

“The reality is, as a better lock is built, a better lock pick comes onto
the marketplace. Part of that comes from security that’s been bolted onto
the back of a solution that wasn’t originally envisioned in that manner.”

Luca was a security pessimist, noting that the security infrastructure used
to secure payments needs a redesign from the ground up – and within that
redesign, there is room to create systems that employ a variety of
solutions from the security tool box – including EMV, tokenization, P2P
among other things. That day, however, he thinks is still far away, and
that until then the goal is detecting and minimizing the effect of
organized security breaches.

In November of 2014, about two months after tokenization became a household
word thanks to the launch of Apple Pay (and its much lauded security
protocols), MPD CEO Karen Webster sat down with Johnson and Matt Barr, Group
Head, US Emerging Payments at MasterCard, to talk tokens and how they will
transform payments – specifically the customer experience, security, and
ubiquity that Barr referred to as the “holy trinity” of payments.

“Tokenization and what’s been introduced through the MasterCard Digital
Enablement Service is, we think, very transformational. The end-goal as we
see it is that tokenization goes as far as saying that the only place
you’ll see a traditional PAN in the future is on a plastic card. Every
MasterCard transaction through any channel will eventually be conducted
through the use of tokens.”

Key to building the new, tokenized world is consumer education. That
education, according to Barr and Johnson, will need to be broad, need to
fold in EMV (an important foundational technology) and need to bring along
both the merchants and consumers who will have to make the change.

There is hope when it comes to security, according to CA Tech’s
Subramanian, but for that hope to be realized, institutions across the
board need to get better at using the tools they already have. Simple
things, she pointed out in her conversation with Karen Webster earlier this
year, such as the failure to use something as basic as two-factor
authentication, make a big difference.

Also a potential game changer? The use of data, particularly in spotting
breach activities.

“All of the information that flows through in terms of cyber-security is
not being used intelligently to determine the problematic break-ins. And in
gray areas where there is high suspicion that something is going wrong,
potential fraudsters should be put through an additional hoop so data is
harder for them to get to. Those techniques will really have a huge impact
in the security space.”

Consumers may blame retailers when their data gets boosted, but they tend
to look to their card issuers to make everything alright. Given the
difference in relationship, that makes sense to Hancock, but does mean that
issuers need to think carefully about how they approach potential customers
when it comes to data.

“People generally feel that their bank has the ability to cover the cost of
any fraud associated with the merchant breach, and they expect any losses
to be refunded by their issuer or bank. Our survey revealed that consumers
would even go so far as to change their bank or issuer for better security
against fraud – quite a clear message to issuers on how they can
differentiate themselves within the industry.”

And the best way for issuers to reach those consumers? Education,
authentication and empowerment. As it turns out, consumers want to be a
part of the solution when it comes to preventing fraud, but issuers need to
give them the tools to do so.

When is a token not a token? When it’s a digital identity. That’s the
approach that MasterCard has taken to develop its digital identity system,
MDES (MasterCard Digital Enablement System). McLaughlin says that the
problem with the token conversation today is that it misses the huge part
tokens will play in redefining how commerce as we know it will happen
worldwide.

“With our digital enablement system, we provide a unique account number for
the device that’s bound to that device. We can control how it’s being used
once the issuer has authorized that they wish that consumer and that device
to have a token, to block illegitimate use of the account. Secondly, when
that number is provisioned and put into the device, every transaction that
is done with that device has a one-time code that is generated, securely,”
McLaughlin told MPD CEO Karen Webster in an interview shortly after Apple
Pay launched.
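The two properties McLaughlin describes – an account number bound to one device, and a one-time code generated for every transaction – are what make a stolen token worthless to a fraudster. The following toy model is an added illustration, not MDES or any MasterCard code: the vault, the HMAC-based cryptogram, the message layout and the counter-based replay check are all assumptions chosen to show the mechanics, and the PAN, device names and amounts are constructed sample values.

```python
"""Toy model of device-bound payment tokens with per-transaction one-time codes.

Constructed illustration only: this is NOT the MDES protocol. The cryptogram
format (HMAC-SHA256 over token|device|counter|amount) and the replay check
are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TokenRecord:
    pan: str            # the real card number; it never leaves the vault
    device_id: str      # the token is valid only when presented by this device
    key: bytes          # per-token secret shared with the provisioned device
    last_counter: int = 0


def make_cryptogram(key: bytes, token: str, device_id: str,
                    counter: int, amount_cents: int) -> str:
    """Device side: derive a one-time code that commits to the transaction fields."""
    msg = f"{token}|{device_id}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Network/issuer side: provisions tokens and validates each presentment."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def provision(self, pan: str, device_id: str,
                  issuer_approved: bool) -> Tuple[str, bytes]:
        """Issue a token only after the issuer has approved this consumer/device pair."""
        if not issuer_approved:
            raise PermissionError("issuer has not authorised a token for this device")
        # Token looks like a card number but maps to the PAN only inside the vault.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._records[token] = TokenRecord(pan=pan, device_id=device_id, key=key)
        return token, key

    def authorise(self, token: str, device_id: str, counter: int,
                  amount_cents: int, cryptogram: str) -> Optional[str]:
        """Return the PAN for authorisation, or None if the presentment is invalid."""
        rec = self._records.get(token)
        if rec is None:
            return None                      # unknown token
        if device_id != rec.device_id:
            return None                      # token used from a device it is not bound to
        if counter <= rec.last_counter:
            return None                      # replayed (or out-of-order) cryptogram
        expected = make_cryptogram(rec.key, token, device_id, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None                      # wrong key or tampered amount
        rec.last_counter = counter           # consume the one-time code
        return rec.pan


def run_scenarios() -> Dict[str, object]:
    """Walk through legitimate use, replay, tampering and a device mismatch."""
    vault = TokenVault()
    pan = "5555444433331111"                 # constructed sample PAN
    try:
        vault.provision(pan, "phone-A", issuer_approved=False)
        denied = False
    except PermissionError:
        denied = True
    token, key = vault.provision(pan, "phone-A", issuer_approved=True)

    c1 = make_cryptogram(key, token, "phone-A", 1, 1999)
    first = vault.authorise(token, "phone-A", 1, 1999, c1)        # legitimate
    replay = vault.authorise(token, "phone-A", 1, 1999, c1)       # same code again
    c2 = make_cryptogram(key, token, "phone-A", 2, 1999)
    tampered = vault.authorise(token, "phone-A", 2, 99999, c2)    # amount changed
    other_dev = vault.authorise(token, "phone-B", 2, 1999, c2)    # token copied elsewhere
    second = vault.authorise(token, "phone-A", 2, 1999, c2)       # genuine retry succeeds
    return {"pan": pan, "denied": denied, "first": first, "replay": replay,
            "tampered": tampered, "other_dev": other_dev, "second": second}


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point the model makes is that a dump of tokens from a merchant is not enough to transact: without the device-held key an attacker cannot produce a valid cryptogram, a captured cryptogram is consumed on first use, and the vault refuses a token presented from any device other than the one the issuer approved.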

Tokens as digital identity, he says, is how the ecosystem will move beyond
a world where a device – a plastic card or a mobile phone – defines the
payments system to one where a payments system makes any device that much
more useful – and secure – for conducting commerce.

“Clean fraud” – where thieves obtain legitimate identities of users from
the black market or data breaches to compromise a victim’s card account –
is on the rise, and malware is getting smarter and more sophisticated both
in the mobile and non-mobile space. The solution? Once again Sarreal notes
there is no one solution, but surveillance is part of the package when it
comes to beating back cybercriminals.

Because while institutions can lock down accounts incredibly tightly with
authentication methods, those tend to scare off consumers.

“The most overlooked aspect of account takeover is the tendency to
over-correct and install so many controls that authenticating your systems
becomes a nightmare for the customer. By not considering the customer
experience trade-offs, an institution can potentially give up their repeat
customers or lose business by not making that customer experience as
friction-less as it can be.”

Vigilance, on the other hand, happens outside the customers’ experience,
and instead looks for usage patterns that shouldn’t exist.

“The best fraud prevention strategy acknowledges account takeover as the
threat that it is and puts protection sensors of various places in their
online estate.”

In March of 2014, secure payment technology firm Bluefin crossed a
milestone: it became the first company in the U.S. to receive PCI
validation for a point-to-point encryption (P2PE) solution. P2PE encrypts
payments data on its journey from the point of interaction (e.g. swipe,
tap, dip) until it reaches the solution provider’s point of safe
decryption.

It’s an important part of the payments solution, though Miles notes that
P2PE is really most effective when it is understood as part of the
“trifecta” of payments security with EMV and tokenization.

“What we need to focus on is the entire process not on one specific card
type, which is the chip,” said Miles. “That’s where point-to-point
encryption can protect against hacks.”

While it might be optimistic to hope that the world’s online criminals will
take up another business in 2015, more likely than not, they won’t.
However, those tasked with locking them out are also becoming increasingly
sophisticated, as are consumers themselves, who’ve been breached a few
times.

The question for 2015 is whether that will be enough – or will 2015 be a
year in which 2014’s security woes look tame? We’re hoping that enough of
the former happens to make it harder for the latter to be realized.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 