The Target breach that took place over the holidays is now believed to have affected as many as 110 million Americans, about one in three. Target's stock price dropped about three dollars, the New York Attorney General has opened a nationwide investigation into the breach, and members of Congress have called for an investigative hearing. Meanwhile, Neiman Marcus and three other retailers are also said to have suffered similar data breaches around the same time as Target's.
These security breaches have become impossible to ignore. Even JPMorgan Chase CEO Jamie Dimon said Tuesday that the threat to cardholder information "is a big deal, it's not going to go away" as the bank announced it is replacing two million payment cards as a result of the Target breach.
Have we reached a tipping point? Will the U.S. banking and payments industries finally summon the strength, consensus and cash needed to take the firm steps required to prevent such breaches in the future?
Gary Olson, president and CEO of ESSA Bank in Stroudsburg, Penn. ($1.5 billion in assets), says no.
"This is an issue nobody pays attention to," he says. "I've been harping on it for 10 years, always on deaf ears. I think a couple more breaches would have to happen relatively soon to get anybody's attention. If nothing happens for another six months or a year, they will forget about Target." The entire card payment system is very weak and the PCI standard is "not effective at all," he believes.
Olson himself was an early card-fraud victim when his bank first launched debit cards in the mid-90s. "I had used my card at a sporting goods chain and within three days I realized someone was using my card to make long-distance calls. Right from the get-go, I knew this was going to be a problem," he says.
The first large-scale data breach that caught Olson's attention was the one that hit BJ's Wholesale Club in 2004. This was followed by break-ins at TJ Maxx and Heartland Payment Systems.
"When you have thousands of cards and you have to reissue 1,000 or 2,000 cards for each breach, it's an overwhelming expense in terms of time, dollars and inconvenience to the customer," Olson says. The recent Target breach affected 1,000 ESSA card accounts. The bank reissued all of them, at a cost of more than $20,000.
MasterCard and Visa ought to be doing more to protect the card payment system, Olson believes.
"MasterCard and Visa drive these programs," he points out. "They have various touch points hitting customers who use their cards, banks that issue the cards and merchants who use the cards to process payments. Somebody has to be in control of the process." (Visa and MasterCard did not respond to interview requests for this story.)
Olson also believes retailers ought to take more responsibility for security. "[The card associations] give retailers a free pass and every time something goes wrong they charge the banks," he says. "Unless something happens on the retail side, as long as there are debit cards this is going to be a problem, because the retailers' systems are too easy to hack into."
He's a proponent of EMV, the chip card standard used throughout most of the world. The chip holds secret keys that cannot be read out of it and authorizes each transaction with a one-time cryptogram, so card data skimmed from a compromised terminal cannot be used to produce a working counterfeit card. (Chip cards do not address card-not-present fraud, in which card data is entered online and there is no device to read the chip.)
To date, the industry has been reluctant to spend the money to convert or replace all existing point-of-sale terminals and ATMs to accept chip cards, and to replace all magnetic stripe cards with chip cards.
"The inertia is simply the retailers don't care because they know the banks will pay," Olson says.
This blame-the-retailers attitude has been echoed by others in the industry. Retailers, in turn, accuse banks of failing to safeguard the payments system.
Information Sharing As a Breach Cure
But Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (a Washington, D.C. organization that gathers threat information from bank and card processor members, anonymizes it and distributes it back), points out that there's little value in pointing fingers.
"This hit banks pretty hard, because they have to reissue cards," he acknowledges. "There's a lot of concern, but understand that Target is the victim and nobody wants this to happen again. We need to think, is there a way for us to work together? Maybe there are lessons learned from the financial community that we could share with retailers."
Nelson does believe the card industry as a whole has reached a boiling point and that it will improve card security through the use of chip-and-PIN and better information sharing.
"The sharing of information has prevented a lot of fraud and massive attacks that a lot of people don't know about," he says.
For instance, a couple of years ago there was a security incident that involved compromised virtual merchant terminals. "One payment processor detected it and issued alerts about it," Nelson says. "We were able to bring everybody together and show what [the criminals'] tactics were, and we worked with the Secret Service to facilitate meetings. That allowed all the payment processors to have knowledge of it and nip it in the bud. It was an interesting attack because it was almost undetectable. It was a balanced file: the debits equaled the credits, so the merchant wouldn't notice it until the returns came back."
In a previously undisclosed project, the FS-ISAC is automating its threat reports. Today, the organization sends members emails and PDF reports about cybercriminal tactics, techniques, and procedures. A report might include 500 threat indicators including malicious email subject lines and IP addresses. Members enter that data manually into their firewalls, intrusion detection systems, antivirus software, DDoS mitigation systems and other security mechanisms.
"We've found we're sharing so much information that it's becoming difficult for members to keep up with it," Nelson says. "People don't realize every company is being attacked all the time, by criminals, nation states, and hacktivists. Even the large institutions can't keep up with it," he says.
Speed has also become more important. "If you have a lag on reporting information, by the time you act on it, you may be infected and not even know it," Nelson says. "Automation is the key to the future."
The group is developing an appliance (a server preloaded with software and data) that bank members can keep in their data centers. The appliance, code-named Avalanche, will interact directly with banks' security software, turning the FS-ISAC's alerts and updates directly into blocking rules within the bank's defenses, in real time or close to it. The product is expected to go into beta in the third quarter of this year.
FS-ISAC's bank members are taking this seriously: several have contributed $500,000 to the project. One member gave $1 million and has already begun using the appliance. (FS-ISAC itself put in $500,000.) About 83 banks and vendors are involved so far; Nelson hopes thousands will join. He hopes eventually the technology and threat data will be shared with retailers and other sectors, including electric utilities and communications companies.
To get FS-ISAC's data to communicate directly with banks' security software, the group is using two standards developed by Mitre (a not-for-profit company that operates federally funded research and development centers): STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information). "TAXII is the communications protocol and STIX is the format for the threat indicators," Nelson says. Standardizing all the information involved, including campaign type, threat actors, and prevention and remediation techniques, is a "big, tall order," he says.
Last year the organization created a repository of threat information expressed in STIX and delivered over TAXII; it went live in May. It holds about a quarter million threat indicators, and thousands more are added every month.
Companies will be able to decide what to do with the data in the repository and the appliance, Nelson notes, depending on how reliable they believe the information to be. "If the data comes from another member, that might have a certain reliability factor versus information from the government or another sector," he says. FS-ISAC is also working with security vendors to make their software work with Avalanche.
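The pipeline described above (indicators arrive in STIX, the member decides how far to trust each source, and the appliance turns what passes into blocking rules) can be sketched in code. The following is an added example, not FS-ISAC's or Avalanche's software. It assumes the JSON-based STIX 2.1 format, which postdates this article (the 2014 feeds used the XML-based STIX 1.x), and it leaves out the TAXII transport, starting from a bundle already fetched. The control mapping, the identities, the indicators and the per-source trust values are all constructed for illustration; the indicator IDs and the feed data are made up, not real FS-ISAC data.

```python
"""Turn a STIX 2.1 indicator bundle into device-ready block rules. Added example, not
FS-ISAC/Avalanche code; assumes JSON-based STIX 2.1 (the 2014 feeds used XML STIX 1.x)."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# One STIX comparison: <object type>:<property> = '<value>'
COMPARISON = re.compile(r"(\w[\w-]*):([^\s=]+)\s*=\s*'([^']*)'")
# Pattern operators this example does not evaluate; such indicators are skipped, not guessed.
UNSUPPORTED = re.compile(r"\b(AND|FOLLOWEDBY|WITHIN|REPEATS|START|STOP)\b")
# Hypothetical mapping from indicator type to the control that would enforce it.
CONTROLS = {
    ("ipv4-addr", "value"): ("firewall", "deny"),
    ("domain-name", "value"): ("dns-sinkhole", "redirect"),
    ("email-message", "subject"): ("mail-gateway", "quarantine"),
    ("file", "hashes.'SHA-256'"): ("endpoint-av", "block"),
}

def parse_pattern(pattern):
    """Return (type, property, value) triples, or [] if the pattern uses operators we
    cannot evaluate (only comparisons joined by OR are supported)."""
    if UNSUPPORTED.search(COMPARISON.sub("", pattern)):
        return []
    return COMPARISON.findall(pattern)

def indicators_to_rules(bundle, source_trust, min_confidence, now):
    """Return (rules, skipped). source_trust maps a producing identity's name to the
    confidence assumed when an indicator carries none: the per-source reliability factor."""
    objs = bundle["objects"]
    names = {o["id"]: o["name"] for o in objs if o["type"] == "identity"}
    rules, skipped = [], []
    for ind in (o for o in objs if o["type"] == "indicator"):
        source = names.get(ind.get("created_by_ref"), "unknown")
        confidence = ind.get("confidence", source_trust.get(source, 0))
        reason = None
        if ind.get("revoked"):
            reason = "revoked"
        elif "valid_until" in ind and (
                datetime.fromisoformat(ind["valid_until"].replace("Z", "+00:00")) <= now):
            reason = "expired"
        elif confidence < min_confidence:
            reason = f"confidence {confidence} below floor {min_confidence}"
        else:
            triples = parse_pattern(ind["pattern"])
            if not triples:
                reason = "unsupported pattern"
        if reason:
            skipped.append((ind["id"], reason))
            continue
        for obj_type, prop, value in triples:
            control = CONTROLS.get((obj_type, prop))
            if control is None:
                skipped.append((ind["id"], f"no control for {obj_type}:{prop}"))
                continue
            if obj_type == "ipv4-addr":
                try:  # normalise to CIDR; never push an unparseable value into a firewall
                    value = str(ipaddress.ip_network(value, strict=False))
                except ValueError:
                    skipped.append((ind["id"], f"bad address {value!r}"))
                    continue
            rules.append({"control": control[0], "action": control[1], "match": value,
                          "source": source, "confidence": confidence, "indicator": ind["id"]})
    return rules, skipped

# Constructed sample feed with made-up identifiers; not real FS-ISAC data.
SAMPLE_BUNDLE = json.loads("""{
  "type": "bundle", "id": "bundle--0f1e2d3c-0000-4000-8000-000000000000",
  "objects": [
    {"type": "identity", "id": "identity--a0000000-0000-4000-8000-000000000001", "name": "Member Bank A"},
    {"type": "identity", "id": "identity--a0000000-0000-4000-8000-000000000002", "name": "Government partner"},
    {"type": "indicator", "id": "indicator--b0000000-0000-4000-8000-000000000001",
     "created_by_ref": "identity--a0000000-0000-4000-8000-000000000001", "valid_from": "2014-01-10T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "id": "indicator--b0000000-0000-4000-8000-000000000002",
     "created_by_ref": "identity--a0000000-0000-4000-8000-000000000002", "valid_from": "2014-01-12T00:00:00.000Z",
     "pattern": "[email-message:subject = 'Your account statement is ready']"},
    {"type": "indicator", "id": "indicator--b0000000-0000-4000-8000-000000000003", "confidence": 20,
     "created_by_ref": "identity--a0000000-0000-4000-8000-000000000001", "valid_from": "2014-01-12T00:00:00.000Z",
     "pattern": "[domain-name:value = 'acct-verify-update.example']"},
    {"type": "indicator", "id": "indicator--b0000000-0000-4000-8000-000000000004",
     "created_by_ref": "identity--a0000000-0000-4000-8000-000000000002", "valid_from": "2013-12-01T00:00:00.000Z",
     "valid_until": "2014-01-01T00:00:00.000Z",
     "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
    {"type": "indicator", "id": "indicator--b0000000-0000-4000-8000-000000000005",
     "created_by_ref": "identity--a0000000-0000-4000-8000-000000000001", "valid_from": "2014-01-12T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '203.0.113.9' AND network-traffic:dst_port = 443]"}
  ]
}""")
SOURCE_TRUST = {"Member Bank A": 60, "Government partner": 85}  # hypothetical trust levels

def demo():
    """Apply the sample feed with a confidence floor of 50 as of 20 Jan 2014 (fixed date)."""
    return indicators_to_rules(SAMPLE_BUNDLE, SOURCE_TRUST, 50, datetime(2014, 1, 20, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run as a script, the sample feed yields three rules (two firewall denies and one mail-gateway quarantine) and three skips: the low-confidence domain, the expired file hash, and the indicator whose pattern uses an operator the code does not evaluate. The design point is the one Nelson raises: an automated feed only saves analyst time if the consumer encodes its own trust decisions and refuses to act on anything it cannot fully interpret, otherwise the appliance becomes a way for a bad or stale indicator to reconfigure the bank's firewall at machine speed.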
"Consumers Are Getting Hit Everywhere"
Avivah Litan, vice president at Gartner, believes card security has reached an inflection point, not due just to the Target data breach but also malware on Yahoo's advertising networks, impersonation in Google accounts, and other threats.
"Consumers are getting hit everywhere," she says. "But I don't know what the answer is." Chip-and-PIN would be more secure than magnetic stripe cards, but wouldn't help with scams like the ones Google and Yahoo are experiencing.
"One thing is clear: the PCI standard isn't working," she says. "Maybe this is an inflection point to forget about PCI, but I doubt it."
In addition to chip-and-PIN, Litan believes the use of true end-to-end encryption could make the payment system more secure. "When I say end-to-end, I mean merchant to issuer," she says. "The point-to-point encryption systems the processors are selling are not good enough because they don't go all the way to the issuer."
Card data needs to be encrypted in the key pad and remain encrypted until it reaches the card issuer, she says.
End-to-end encryption is uncommon because it requires equipment upgrades. "But it's a lot easier than upgrading for chip," she says. Other security measures that would help include mobile authentication and dynamic codes. Like Olson, Litan believes MasterCard and Visa should take the lead on card security.
Another potential solution, in Litan's view, is Bitcoin. "Bitcoin is really secure, it has the best encryption ever," she says. "People say it's not great, but it is great. It hasn't been broken yet."
If we all switched to Bitcoin tomorrow, would we have a more secure payment network?
"We'd definitely have a more secure payment network," she says. "I don't know that we'd have a more stable network.
"This is a great opportunity for a dollar-based Bitcoin. But it's not going to happen. It's really hard for people to give up their cards."