I’ve been covering the latest data breach news for SecureState, since details of the Target breach first broke. Last week, in the days following news that Target’s compromise was much larger than originally reported, affecting 110 million customers opposed to 70 million, retailer Neiman Marcus announced that they too were hacked. What followed was a rash of security and retail experts offering up chip and pin technology as a solution to this problem.
Chester Wisniewski, senior security adviser at Sophos, told NBC News,
“With EMV (Europay, MasterCard and Visa), in other parts of the world, we have never seen more than one credit card compromised at a time, as opposed to 40 million in one go,” he said. “It changes the game.”
CIO Journal reported that Carter’s CIO Janet Sherlock said,
“We’re all generally excited about chip and PIN and how that will potentially lower our overall loss as an industry.”
Chris Gates, a partner at LARES, a cyber security consulting firm told USA Today,
“More and more retailers will be breached until we get firmly into the EMV chip and PIN technology.”
The fact of the matter is, EVM technology will not solve this problem; it will only reduce risk and force criminals to find other means to obtain information.
What we know:
Current U.S. credit and debit infrastructure was built on 1960’s technology and we are still using this archaic system today. A quick Wikipedia search will tell you that in 1960, IBM used magnetic tape to develop a reliable way of securing magnetic stripes to plastic cards,under a contract with the U.S. government for a security system.
In most of Europe over the past 10 years, most countries have switched to EMV technology. According to the United Kingdom Chip & PIN Report, released May 2007, the UK rollout commenced in October 2003 and involved upgrading 860,000 shop terminals, 40,000 ATMs, and an issuing of 140 million new credit and debit cards to accept the new technology. The rollout was completed on February, 14, 2006 and all cardholders were required to use their PIN instead of a signature.
Despite this change, fraud losses on UK cards totaled £610m (a little more than 1 billion U.S. dollars) in 2008, a peak year for fraud. Though, between 2008 and 2012 there was an overall decrease of 36%, which the UK Card Association attributes in their 2013 fraud report to efforts by the cards industry to enhance security of payment card systems.
Unfortunately, despite European efforts, the UK Card Association reports that fraud is on the rise again: “A return amongst criminals to traditional methods of fraud, such as low-tech deception crimes, has led to increased fraud losses borne by the banking industry. Experts have highlighted the impact of improved security features, such as Chip & PIN and more sophisticated detection tools, which have driven criminals to resort to deceiving consumers into such things as parting with their own cards, PINs and financial passwords.”
So why isn’t the payment card industry upgrading?
The research tells us that implementing this technology does indeed reduce risk (counterfeit card fraud is down roughly 58% in the UK, and 71% abroad), but is it a game changer? No. It would certainly help, but even chip and pin has reported vulnerabilities.
From the payment card industry perspective, the fact of the matter is that it would cost the retail and banking industry untold billions of dollars to implement chip and pin, and the cost vs. benefit simply isn’t worth it.
Let’s look at who is actually impacted… the customer. Who actually ends up paying for a breach? The customer. Sure, Target and Neiman Marcus will have some financial loss, but it will likely be much less than it would cost to upgrade all of their systems. So why are we surprised that the payment card industry is unwilling to spend billions on something that they don’t already pay for?
Spend the dollars, protect consumers
The problem we see is that with most businesses, security is an afterthought. Billions of dollars are spent every year on legal and audit, and only a fraction is spent on security. We perform assessments for clients, find glaring vulnerabilities and then the client does nothing with the information, because they are only required to perform a penetration test and not remediation.
Consumers should be angry about this. SecureState’s CEO, Ken Stasiak told NBC News, “It’s 2014. We expect retailers of this magnitude to have better security, weigh their risks and spend the resources necessary to secure their data.” They don’t because consumers and the government don’t demand it.
When breaches like this happen we have seen stocks rise, and little consequence for the organizations responsible. Instead retailers like Target take the approach that they are victims. But they are not victims, they are negligent.
These breaches are only the tip of the iceberg. How many more have to happen before organizations get serious about security?
If you’re interested in learning more about how you can secure your business, seek out resources to help your security team and work to communicate with the line of business to map security to the organization’s overall strategy.