60 Minutes "Hi-Tech Heist", an analysis
Last evening, 60 Minutes ran a report on the TJX breach entitled "Hi-Tech Heist: How Hi-Tech Thieves Stole Millions of Customer Financial Records." If you haven't yet had an opportunity to view the video, it can be found here. Go ahead and watch; I will wait for you to come back.
Back? Beauty.
As is typically true with reports on the TJX breach, I both agree and disagree with several of the points. I will start with where I agree.
Firstly, it is high time that attention (beyond the industry itself) is paid to the retail location as a potential source of a breach. I, for one, was not "surprised" by the demonstration of wardriving, nor by the fact that many retailers continue to use WEP as their network protection of choice. For those of you who follow my blog, my posts on PABP (i.e. PA-DSS) have hopefully underscored the focus that the PCI Security Standards Council is placing on the security of commerce applications at the physical location.
Secondly, I found the level of technical detail presented in the piece rather interesting. It is a good reminder that the audience most affected by security issues is often not nearly as versed in the details as those of us who spend our lives in the world of commerce.
Above all, reporting stories such as this is critical to ensuring that the Software Companies and Service Providers who engage with the retailer are positioning their product suites properly.
That’s it for the good. . .now for my concerns.
"I'm not too sure how vested the credit companies are as far as securing customers' data," Hogan says.
"And you're saying that the credit card companies are the ones who are not security conscious?" Stahl asks.
"In my humble opinion, no," Hogan replies.
He accuses the card companies of using this issue as a way to make money. Visa, for example, has started fining large chains that do not have up-to-date security $25,000 a month.
"If you do the math on it, this could be a windfall of $200 million annually for the credit card companies as far as a revenue stream," Hogan says.
Dave Hogan, National Retail Federation
I have to admit that I heard this statement and was taken aback. I understand the purpose of the NRF which, as a trade association, exists to espouse and verbalize the concerns of the retailer. (Perhaps "lobby" is a more appropriate term?) With that said, the thought that the credit card companies are not interested in securing cardholder data is specious (definition: "deceptively attractive"). PCI-DSS and PA-DSS exist solely to address the concerns associated with the protection of cardholder data. . .that is their purpose. To quote Branden Williams, "the real problem comes in the lack of data cleaning and disposal by those collecting it."
In my opinion, the reputation most damaged by security breaches is not that of the retailer (it is, hopefully, a one-time event) or even the issuer (it isn't "my" bank's fault). Repeated breaches, however, reflect poorly on the card brand. As Evan Schuman discusses, the notion that the card companies would turn a blind eye to PCI violations solely for the purpose of monetizing retailer fines seems a far reach.
"Retailers need to adopt the next appropriate technology, and the next one, and the next one, and the one after that, because they want people to keep buying from them," Rasch says.
Mark Rasch, FTI Consulting
I have worked with big-box retailers. Frequently. While the onus of meeting security requirements falls squarely on the retailer, I think there are few (and I could identify some) who are able to take on the task alone. This is why partnership is so extraordinarily important. The industry must approach commerce security in a collaborative fashion.
The retailer should rely on their Service Providers and Software Companies as trusted advisors on security issues. In fact, they should begin demanding PABP-compliant applications and begin remediation planning if their current application is not compliant.
In turn, the Software Companies must partner with their providers to ensure the services they consume are configured for heightened security. In addition, security must become an immediate focus in the SDLC that these companies employ.
Finally, the Service Provider should begin ensuring that all applications consuming their services are properly secured and are meeting the appropriate requirements.
Frankly, this is not a simple task. . .but it is also not insurmountable. The model of "going it alone" is no longer sufficient. Partnerships across industry responsibilities must be forged to ensure that cardholder data is protected. (ASIDE: In fact, this is something that we see happening frequently at IP Commerce. Of course, we are in the unique position of being a technology enabler to all the participants listed above.)
It is not, and cannot be, a mentality of us vs. them. . .(however you choose to define "us" and "them" is up to you).
What’s your perspective? Agree? Disagree? Anything to add? Critiques?
The comment form is below. . .
November 27, 2007
2 responses to 60 Minutes "Hi-Tech Heist", an analysis
The recent “60 Minutes” story on credit card data theft is a reminder that merchants are vulnerable to attack when personal credit card data is retained within their computer systems. However, the report failed to mention one of the most serious consequences of credit card data theft: funding terrorists.
The CBS story demonstrated systemic weaknesses, including poor or nonexistent encryption technology. “Encryption alone is not the answer. The best way to secure data is to not store data,” said J. D. Oder II, Vice President/Chief Technology Officer, of Shift4 Corporation, a leading provider of enterprise payment solutions. Shift4 Corporation’s Tokenization technology offers a greater level of security by substituting a unique identifier (a token) for a card number, so sensitive personal card data is never retained in the system. “When there is no useful data in the system, there is nothing for data thieves to access and use,” Oder added.
While the “60 Minutes” piece did mention “bad guys” who steal credit card data, it did not mention that some of the “bad guys” are terrorists. According to Dennis Lormel, a former FBI Section Chief for financial crimes and now Senior Vice President of the consulting firm Corporate Risk International, credit card fraud is a low-risk, high-reward way for terrorists to generate cash or to purchase items such as weapons, bomb-making materials and night-vision goggles.
“They are very adept at exploiting weaknesses in the financial system, such as vulnerable credit card data in computers,” Lormel explained. “Since terrorists have become adept at hacking into computer systems to steal card data, technology that removes credit card data from computer systems effectively chokes off this revenue stream.”
@shift4
"The best way to secure data is not to store data"
I agree with this completely, and the Shift4 approach of tokenization is one proven methodology to eliminate this insecurity from commerce applications.
With that said, I’ve never been a huge fan of the FUD (fear, uncertainty, doubt) method of marketing. The story of, and necessity for, secure payment processing should stand alone without having to resort to concerns of funding terrorists.
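The tokenization approach discussed in the Shift4 comment and the reply above, shown as an added worked example that is not code from this post or from Shift4: the merchant's records hold only a token (plus the last four digits for receipts), the PAN lives solely in a separate vault, and a scan of the merchant's own data store confirms no card numbers are being retained. The vault here is an in-memory dictionary standing in for a separately hosted, hardened service that encrypts PANs at rest; the token layout (fixed prefix, random digits, last four of the PAN, never Luhn-valid) is this example's own choice, not Shift4's format.

```python
"""Tokenization demo: the merchant's own records hold a token in place of the
card number (PAN); the PAN itself lives only in a separate token vault.
Constructed example; the vault here is an in-memory dict standing in for a
hardened, separately hosted service that encrypts PANs at rest."""
import hashlib
import hmac
import json
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by card numbers (13-19 digits)."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to PANs. Only this component ever sees a real card number."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key      # keyed HMAC, so a leaked fingerprint is not a plain PAN hash
        self._pan_by_token = {}
        self._token_by_fingerprint = {}  # lets the same card always receive the same token

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            # 16 digits: fixed prefix "9", 11 random digits, and the PAN's last four so
            # receipts and customer service still work. A candidate that happens to pass
            # Luhn is rejected, so a token can never be mistaken for a real card number.
            token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(11)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault/processor side calls this, e.g. to settle with the acquirer."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: this dict is all that gets written to the merchant's database."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}


def find_stored_pans(records) -> list:
    """Defensive check over a merchant data store: any Luhn-valid 13-19 digit run is a
    suspected stored PAN. Tokens issued by the vault above never trigger it."""
    blob = json.dumps(records)
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    SAMPLE_PAN = "4111111111111111"  # constructed test number, not a live card
    sale = record_sale(vault, SAMPLE_PAN, 4999)
    print(sale)                                                # token + last4 only
    print(find_stored_pans([sale]))                            # nothing flagged
    print(find_stored_pans([{"note": "card " + SAMPLE_PAN}]))  # a retained PAN, flagged
```

The point of the `find_stored_pans` check is the "nothing to steal" argument from the comment: if a merchant's database, logs and backups contain only tokens, a breach of those systems yields no usable card data, and a simple scan like this one is how an assessor or the merchant's own team verifies that claim rather than taking it on faith.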