Thursday , April 19, 2018

Security Notes: Lessons from Target

Gideon Samid • Gideon@BitMint.com

Security is weakened in proportion to the degree that its representation strays from the truth. False assurances on the one hand, and threat inflating on the other hand, lead to suboptimal countermeasures, and greater vulnerability. Alas, the people who talk, preach, and write about security (including me) always reflect their personal baggage, even if they try to shake it off. Hence, the naked truth is a challenge to us all.

The largest footprint in electronic commerce is claimed by the merchants, the banks, and the networks. They share an interest in assuring the public that the intimate financial information that is collected about them is totally safe. The security outfits that sell security measures to these merchants, banks, and networks also have a vested interest in portraying whatever they are selling as comforting and reassuring. And the cryptographers, whose interest is job security, assure their employer that the crypto math they are toying with is beyond cracking.

Alas, the naked truth is that the ciphers we use are of unknown strength. The security measures sold by security outfits are only good if the hackers they defend against are dumber than the defenders. And banks’ and stores’ words of assurance to the public are crafted on Madison Avenue with as much liberty with the truth as the lawyers will allow.

All these layers of misrepresentation fall apart hundreds of times a year. It is simply so very convenient to be gullible, and rely on sweet-sounding phrases like “safe and secure.” A security breach must be catastrophic, like the one that hit Target Corp. in December, for these dovetailing layers of misrepresentation to melt away and expose the naked truth.

And what happens next? What do you know—truth grabs at any cover available! Target first tried to cover the fact that PINs were stolen, and when I approached Target with some questions on the encryption procedure, the answers were not forthcoming. In its full-page letter to customers, Target does not even mention the stolen PINs.

The threat to Target’s shoppers is that their payment information will be used to make purchases on their accounts. Such purchases don’t trigger any of the identity-theft alerts Target now offers for free to their customers. Target surely knows this … PIN transactions are not even reported to the credit bureaus.

By contrast, a truth-respecting approach would be (1) to help banks in spotting odd transactions, on the technical side, and (2) to use the unfortunate embarrassment as an incentive to prevent a repeat anywhere in the e-commerce space.

The same algorithms that banks use to authorize or reject a transaction can be used to spot odd transactions already logged. The idea is simple. Thieves of payment cards will use those cards in a way that looks odd compared to the way the rightful owner historically used the card. Such transactions should be red-flagged in the monthly statement, inducing cardholders to double check if these are a legitimate charge or not.

A brave decision to leverage the embarrassing event into an industrywide case study would win the admiration of the industry. A consortium of independent cybersecurity professionals should be assembled and funded by Target. This consortium should be given access to all the relevant internal documents at Target, exposing how security parameters were identified, evaluated, considered, and decided upon.

Questions for this group would include: What was the official threat analysis that led to the implemented defense measures? What alarms were in place to spot such a breach early? Did the security personnel have sufficient professional expertise? I find that many cybersecurity “certificate holders” graduate from subpar academies, and are no match for the hackers they are hired to defend against.

Target, most likely, behaved the way similar chain stores behave, and what happened to Target could likely have happened elsewhere. It is not enough to point to some obscure SQL command and its clever manipulation as if that is the root cause for such a breach. The root cause is to be found in the hidden policies and concealed priorities articulated by the executive levels, and to those levels the fact-finding has to reach. Short-term embarrassment to Target would be an honorable price to pay to buy the long-term benefits of e-commerce security, described in a truthful and public manner.

And so the converse of my opening sentence is also true: Security is strengthened in proportion to the degree that its representation hews to the truth.

 

 

 

Check Also

Cardholder Spending Lifts AmEx’s Discount Revenue Despite Declining Rates

Boosted by higher cardholder spending, American Express Co.’s discount revenue grew 9% in the first …

Leave a Reply