Written by Canh Tran
What happened at Target?
It started with a simple, innocuous temperature control device from an HVAC vendor. Once inside the outer perimeter, the attackers installed a piece of malware whose code they probably tested on virustotal.com to make sure it wouldn't be detected by the 40 or so anti-virus vendors. The malware then spread to every point-of-sale terminal, cleverly collecting the credit card information during the millisecond that it was not encrypted, thus defeating industry-standard network perimeter security, anti-virus, and encryption technologies in one fell swoop.
When it was all said and done, Target, the second largest US retailer with over 1,900 stores and $73 billion in sales, was breached. Hackers stole 40 million cards and information from 70 million consumers. The breach will likely cost Target between $400 million and $2 billion in losses from purchasing identity protection for consumers, paying for banks to replace credit cards, and fending off litigation.
Read related articles in Business Review USA
Only going to get worse
According to Adam Levin of credit.com, it’s only going to get worse. The number and scale of data breaches have been growing at epidemic proportions over the last five years and the common refrain among security experts is “It’s not if you are going to get breached, it’s when.”
How disastrous are these breaches? While large retailers suffer tremendous financial losses and damage to their brand, most will recover. However, the threat is even more acute for smaller retailers who don't have the same IT and security resources, or for online retailers with many similar competitors. For those companies a data breach could prove fatal as consumers switch to competitors and never come back.
Chip and Pin, PCI compliance, and Data Encryption
Starting in October 2015, the payment industry is supposed to move toward a new payment technology commonly known as Chip and Pin, which is meant to make credit card information harder to steal and also to shift liability for fraud to merchants who are not Chip and Pin compliant.
Additionally, the Payment Card Industry Data Security Standard (PCI DSS) sets out requirements to ensure that merchants process, store, and transmit encrypted data in a safe environment.
While these measures will help, this won’t eliminate the possibility of data being exposed at the point of sale, according to Al Pascual, a senior analyst at Javelin Strategy who has written extensively about data breaches.
It’s worth noting that an earlier version of chip and pin was hacked (hack link), and that most of these breaches circumvented PCI DSS standards and encryption. Some of these merchants were certified compliant while they were actually infected with malware (PCI malware link).
Regardless of what solutions are currently being talked about, one thing is for sure: none of them will be a magic bullet, and none will be enough on its own. Fraud is like a balloon: squeeze one end and it will grow somewhere else.
Don't be the next Target
5 steps merchants need to take to protect themselves
1. Secure your perimeter IT network and web-based applications. Your IT network is like your house and you need to secure the windows, doors, and vents - anywhere you think a thief can come in. Web-based applications are like the mail, cable, electricity, water, gas, package deliveries that help run your house - anything that needs to come in and out of the house in order to communicate with the outside world.
2. Be prepared. Prepare yourself with data breach and incident response training. Just as you have disaster preparation, conduct data breach preparation and readiness training by developing processes, training your people, and practicing often. As Mike Brummer, VP of Experian Data Breach Resolution, explains to bankinfosecurity.com, "organizations really have fewer excuses why they shouldn't be prepared. It's much more cost effective to prepare, to pay the price and invest upfront, versus paying later."
3. Buy cyber security insurance. This is a growing field, and insurers will also help you focus on what is important and what is financially at risk, which gives you the discipline to discern what needs to be protected.
4. Monitor your systems 24/7 for suspicious IT traffic and fraudulent financial traffic. It's not good enough to do periodic audits. Today you need constant 24/7 monitoring so you can detect faster and take immediate action to stop the breach and mitigate the losses. Just as we, as consumers, get alerts from our bank or credit card company to verify purchases, often in real time, merchants need to adopt similar technologies to notify them of potential threats.
5. Finally, have a security forensics team on speed dial. Even better, bring the team in before a breach occurs to understand what they can and can't do for you, and to evaluate their skills and expertise before you have to rely on them.
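Steps 1 and 4 together describe the kind of monitoring that would have surfaced the Target chain of events: traffic from a vendor-facing network reaching point-of-sale terminals, terminals talking to each other, and a terminal sending data to an outside host. The detector below is an added example written for this article, not code from the author or from Target; the network segments, addresses and log format are constructed assumptions.

```python
# Added example: flag flows that cross into or out of the POS segment in ways
# a retailer's network plan never allows. Segments and addresses are assumed.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport")

# Assumed network plan: vendor/HVAC gear, POS terminals, and the payment gateway.
SEGMENTS = {
    "vendor": ipaddress.ip_network("10.50.0.0/16"),
    "pos": ipaddress.ip_network("10.20.0.0/16"),
    "payment_gw": ipaddress.ip_network("10.90.1.0/24"),
}
# Only the payment gateway may talk to terminals, and terminals only to it.
ALLOWED_INTO_POS = {"payment_gw"}
ALLOWED_OUT_OF_POS = {"payment_gw"}

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "other"

def parse(line):
    # Constructed format: "<time> <src-ip> <dst-ip> <dst-port>"
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))

def check(flow):
    """Return (ts, rule, src_seg, dst_seg) for a policy violation, else None."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == "pos" and dst_seg == "pos":
        return (flow.ts, "pos-lateral", src_seg, dst_seg)   # terminal-to-terminal spread
    if dst_seg == "pos" and src_seg not in ALLOWED_INTO_POS:
        return (flow.ts, "into-pos", src_seg, dst_seg)      # e.g. vendor gear reaching POS
    if src_seg == "pos" and dst_seg not in ALLOWED_OUT_OF_POS:
        return (flow.ts, "out-of-pos", src_seg, dst_seg)    # terminal sending data elsewhere
    return None

def alerts(lines):
    return [a for a in (check(parse(l)) for l in lines) if a]

# Constructed sample flow log (not real Target data).
SAMPLE_LOG = [
    "09:01:02 10.20.3.17 10.90.1.5 443",    # POS to payment gateway: normal
    "09:01:09 10.50.2.8 10.20.3.17 445",    # vendor segment reaching a POS terminal
    "09:01:15 10.20.3.17 10.20.3.18 445",   # POS terminal talking to another terminal
    "09:02:40 10.20.3.17 203.0.113.9 21",   # POS terminal uploading to an outside host
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(*a)
```

Running it on the sample log yields three alerts, one for each stage the article describes, while the normal gateway traffic stays silent.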
Every merchant we talk to wants a magic bullet to prevent data breaches, but the reality is that bullet doesn't exist. These recommendations prepare you to be ready, to be proactive, and to respond better. As Jeff Multz, a security evangelist at Secureworks, said, "Security is a journey not a destination" – one that merchants need to undertake to give themselves a fighting chance.