The revelation of another data breach in the banking and financial services sector should come as no surprise. That this newest breach — courtesy of Heartland Payment Systems — is potentially the largest such incident to date is definitely troublesome. But in reading about the breach, there are two other nuggets of information that I found to be even more of a concern.
1. The plain and simple truth is that hackers are usually one step ahead of their targets. With the Heartland breach, however, hackers may have taken a quantum leap forward. The software used by the hackers to steal credit card numbers, expiration dates, and other data stored on magnetic stripes is “light years more sophisticated” than what was previously available, Robert Baldwin, Heartland’s president and chief financial officer, told the Wall Street Journal. Always playing from behind is never a good position to be in. But now it seems as though the banking industry is playing the role of Charlie Brown, never to get an opportunity to kick the football. Good grief, indeed.
2. During the majority of the payment transaction process, all the data is encrypted, making it harder to misuse if stolen. But, according to Baldwin, there are still points in the process where the data must be unencrypted. That is the crux of it: encrypting card data only while it is in transit does nothing for the data at the point where it is decrypted to be processed, and an attacker who gets a foothold on the systems that do that processing sees the same cleartext they do. How is this still possible in 2009? (I’ll save the question of why I’m still using a magnetic stripe card for another day.)
The cold, hard truth is that hackers will always target banks and financial services companies. That’s where the money is. That some brilliant hacker or group of hackers devised a new and innovative means of intercepting data is understandable. Leaving card data unencrypted at any point in the process, however, seems inexcusable. How is that still allowed? How many hundreds of millions of records have to be compromised before something is done? Granted, the banking industry is in the midst of a credit and liquidity crisis. That crisis has eroded much of the inherent trust placed with banks by their customers. Breaches like these only make banks’ jobs harder.
The one conclusion I walk away with after reading several articles about the breach is that hackers are working to continue improving their techniques. The same cannot be said for the banking industry.
Michael –
What do you think of the claims regarding portions of transactions being [unencrypted] and new innovations in hacker software?
I think the transactions’ being called “new innovations in hacker software” is certainly premature as this remains undetermined.
I think it is doubtful that this software use is “light years more sophisticated” than what we have seen in the past and that the comment which was made by Robert Baldwin was to cover his backside.
Monitoring data breaches daily (take a look), I think that the Heartland breach is more indicative of the greater problem and may just be the dead canary in the coal mine.
What we will learn in the coming days, weeks, and months is that the issue is about the lack of adequacy in the defenses across all credit card processing companies and banks and that the current compliance standards are not enough of a defense.
Is there something banks should be looking for?
Banks (or any card processors) should look to exceed PCI compliance standards and additionally be looking more closely for suspicious patterns in transactions.
Likely they should share this data (akin to what the federal agencies do) with one another to identify fraudulent patterns.
Thank you,
Keith
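Keith’s two recommendations, watching for suspicious transaction patterns and sharing that data between processors, are easy to state and a little harder to do without handing every participant everyone else’s card numbers. The script below is an added example written for this page; it is not code from the post, from Keith, or from any processor. It assumes a shared HMAC key agreed among participants (a constructed one here), constructed transaction records for two hypothetical processors, and a simple velocity rule (more than three distinct merchants within ten minutes) standing in for whatever real fraud logic a bank would use. The point it demonstrates is that each processor alone sees nothing unusual, while the pooled, pseudonymized feed does.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: participating processors agree on one HMAC key, so the same card maps
# to the same pseudonym everywhere. A plain SHA-256 of a PAN would be trivially
# brute-forced (the PAN space is small and structured); the key is what prevents that.
SHARED_HMAC_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample records (not real data): (processor, timestamp, PAN, merchant, amount in cents).
# Card 4111... is used at two merchants on each processor within a few minutes.
PROCESSOR_A = [
    ("A", "2009-01-20T10:00:00", "4111111111111111", "gas-station-17", 4500),
    ("A", "2009-01-20T10:04:00", "4111111111111111", "electronics-02", 89900),
    ("A", "2009-01-20T11:30:00", "5500000000000004", "grocery-08", 6210),
]
PROCESSOR_B = [
    ("B", "2009-01-20T10:02:00", "4111111111111111", "jewelry-41", 120000),
    ("B", "2009-01-20T10:07:00", "4111111111111111", "electronics-77", 65000),
    ("B", "2009-01-20T12:00:00", "5500000000000004", "pharmacy-03", 1999),
]


def pseudonymize(pan: str) -> str:
    """Keyed hash of the PAN: joinable across processors, but the PAN itself never leaves home."""
    return hmac.new(SHARED_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


def to_shared_record(rec):
    """What a processor contributes to the shared feed: pseudonym instead of PAN."""
    processor, ts, pan, merchant, amount = rec
    return (processor, datetime.fromisoformat(ts), pseudonymize(pan), merchant, amount)


def velocity_alerts(records, window=timedelta(minutes=10), max_merchants=3):
    """Flag any pseudonym seen at more than `max_merchants` distinct merchants inside `window`.

    Returns {pseudonym: sorted merchants in the first offending window}.
    """
    by_card = defaultdict(list)
    for _processor, ts, pseud, merchant, _amount in records:
        by_card[pseud].append((ts, merchant))

    alerts = {}
    for pseud, events in by_card.items():
        events.sort()  # chronological; each event starts a candidate window
        for i, (start, _) in enumerate(events):
            merchants = {m for t, m in events[i:] if t - start <= window}
            if len(merchants) > max_merchants:
                alerts[pseud] = sorted(merchants)
                break
    return alerts


def alerts_for(*feeds):
    """Pool one or more processors' feeds (pseudonymized) and run the velocity rule over them."""
    shared = [to_shared_record(r) for feed in feeds for r in feed]
    return velocity_alerts(shared)


if __name__ == "__main__":
    print("A alone:", alerts_for(PROCESSOR_A))
    print("B alone:", alerts_for(PROCESSOR_B))
    print("pooled: ", alerts_for(PROCESSOR_A, PROCESSOR_B))
```

Run stand-alone, each processor's own feed produces no alert (two merchants each), while the pooled feed flags the card at four merchants in seven minutes. The rule is deliberately crude; what matters is the shape of the exchange: hash with a shared key before sharing, correlate on the pseudonym, and only the processor that originated a flagged record can map the pseudonym back to a real card.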