Digital Transactions Authoritative, insightful and timely information for payments professionals
When the payments industry broke out with a rash of data breaches in December, pundits and politicians were quick to blame technical factors such as the deliberate pace at which the industry is adopting chip cards. Why hasn’t the U.S. replaced its mag stripes with EMV chips, the cry went up, as most of the civilized world has done? Why didn’t Target do this years ago?
So spooked were the national card networks by this hue and cry that both Visa Inc. and MasterCard Inc. rushed to re-affirm a deadline they had set for a shift of liability for counterfeit card liability to the party not prepared for transactions on the Europay-MasterCard-Visa chip card standard. Before all the breach headlines, both networks might have granted an extension for the October 2015 deadline. Now, with Congress sniffing around the breaches, that’s politically impossible.
Lost in all this, however, is a proper appreciation for the role human frailty plays in such crimes. Not so much in the commission of them, though that is a moral failing that would require more than the space available here to address. No, we refer to ordinary human error, the forgetfulness, laziness, or bureaucratic ineptitude that makes such thefts easier, and more damaging, than they should be.
Back in December in this space we told you about a study done by ThreatTrack Security Inc. that showed that well more than half of 200 corporate malware analysts had not disclosed at least one breach sustained at their organization. Why not? ThreatTrack speculated that the reasons ranged from fear of regulators to embarrassment over executives letting their kids play with company-issued computers and using those machines to visit infected pornography sites.
Last month, Bloomberg Businessweek reported that Target could have easily prevented its massive breach—if only it had acted on warnings its own security system had issued. The system, built by security technologist FireEye, detected the data-stealing malware on Nov. 30, just before the hackers activated it. The system found yet another version on Dec. 2. FireEye issued alerts both times, and both times these were ignored by Target management, the magazine reported. As a result, the criminals were able to siphon 40 million pieces of card data and 70 million pieces of other personal customer data out of Target’s network.
Again, the question is why? Why did such precise, and timely, alerts go unanswered? The Bloomberg Businessweek story doesn’t say. You can’t fault the technology, which worked splendidly. No, the place to look for answers lies in the complex psychology of flawed human actors. And here, unfortunately, we will find one vulnerability the industry will have a tough time fixing.
John Stewart, Editor
john@digitaltransactions.net
