Time to Change the Weird Logic Behind Data Breaches

Data Insecurity (Editor's Note: This is the first of a 10-part series by noted electronic-payments-industry analyst Steve Mott on the current crisis in transaction security?its causes, its costs, and its possible solutions?ranging from the point of sale to the Internet to mobile commerce. After eight weekly articles, the series moves to Digital Transactions magazine, which will carry the final two installments in successive issues.) No topic in the field of information compromises and transaction security is getting more play today than data breaches. But data breaches have been occurring ever since the first restaurant waiter illicitly skimmed card information in the back room. In simpler, physical-world times, we learned to cope with that problem. Today's data breaches have gotten way scarier, to be sure. Data thieves find a lost tape or steal a file or hack into a network and grab multitudes of financial-account credentials and other confidential information all at once. But most current surveys proclaim that the rash of recent data breaches has resulted in very little true ID theft, or even material amounts of account fraud. And many of the compromised credentials are for signature-based bank cards, where most cardholders face little or no financial liability. So why worry? Well, the truth is, we don't know when the data thieves will use this ill-gotten information. Today's fraudsters are savvy enough to store these credentials to use months or years from now?long after hyper-vigilance that typically takes place after an incursion dies down. With bank cards, the thieves could wait up to three years, when the normal expiration date hits. In fact, much of the recent forensic evidence shows that increasingly patient hackers appear to test the credentials, gauge the value of the accounts revealed by the credentials (mostly by online log-ins), then store and trade them in a fluid and robust black market?in effect, assembling a portfolio of accounts for subsequent attacks. The online market for these stolen credentials is booming, so much so that large-scale operations are required to make real money. Symantec reported recently that stolen credit card numbers, with verification numbers and expiration dates, retail for a mere $1 to $6 apiece. A relatively full financial identity?including a U.S. bank account, credit card, date of birth, and government-issued identification number?trades in just the $14 to $18 range. PayPal log-ins for accounts with small balances yield less than $5 to $6 (though larger-balance cards can net fraudsters up to $50 or more). Meanwhile prices for phishing kits for those starting out in online crime have dropped from about $300 two years ago to less than $30 today. Just add several million e-mail addresses from eBay for $15 to $20, and away you go! For big-time online crooks, Trend Micro reports that do-it-yourself Trojan Horse programs that sniff out financial credentials without most computer users ever knowing it sell for between $1,000 and $5,000. So we delude ourselves by thinking that maybe there still might be time to lock up the barn before the horses are actually gone. The TJX incident?the veritable “mother of all data breaches” with more than 45 million accounts exposed?revealed how naïve that thinking was. The crooks in this case only got caught because they made sustained hits on Wal-Mart and Sam's Club stores, buying hundreds of stored-value cards for $400 each (avoiding managerial scrutiny for gift card purchases of $500 or more) at one time. What if these particular thieves hadn't been so impatient? The real issue is that the solutions we've devised so far smack of last-century, pre-digital-era backwardness. For example, while it's true that more than a third of recent data breaches have hit merchants like TJX, large-scale compromises at banks (e.g., BofA), corporates (e.g., Lexis-Nexis), processors (e.g., Card Systems) and third-party marketers (e.g., ChoicePoint), are all a significant part of the problem. Yet most of the commotion and hand-wringing is about punishing the merchants. The payment card companies created and are now promulgating a new data-protection standard (the Payment Card Industry data-security standard, or PCI), with heavy fines for merchants that don't comply, and substantial costs for implementing compliance (up to $500,000 or more for larger merchants). Many smaller merchants, though they are the most vulnerable to compromise, are finding PCI compliance daunting, if not impossible. Is it any wonder the rates of PCI adoption are clearly falling short of targets and expectations? Then we scramble to throw billions against mitigating the consequences of breaches?after the fact. It's true: Once a breach does occur, the ensuing costs can range from $180 to $300 per compromised record, according to researchers like the Ponemon Institute and TowerGroup. So some are calling for mandates of immediate notification of all breached accounts, forcing banks to reissue new cards and accounts en masse?at a cost which can easily run $10 to $25 apiece. Others are seeking to mandate expensive credit-monitoring services for potential victims. And some groups, such as the Massachusetts Bankers Association, in its lawsuit against TJX, want to make retailers liable for these and other bank costs in the event of a breach. Punish the merchants again! Good one. And then there's the rush to create a rash of after-the-fact consumer protections and violator punishments that will undoubtedly escalate the costs of data breaches, all the while putting consumers into even more of a panicked state. The root of the problem is our enslavement to the wrong payment products. “After you replace a compromised signature-debit card for the fourth or fifth time for a consumer,” laments an executive vice president for a top-20 bank, “you and he begin to doubt the value of that product.” The payments industry decided half a century ago to put financial-account information on top of plastic cards designed for a face-to-face purchasing environment. That worked great for a long time. Fifty years later, though, in an increasingly challenging electronic era, we're still authenticating that account information, meanwhile exposing it at up to a dozen touch-points in a single transaction, instead of authenticating the accountholder at the origin. The rest of this series on Data Insecurity will address similar and related predicaments, and offer some thoughts on how to find a way out of this mess. ?-Steve Mott