What the Target Stores Security Breach Really Teaches Us

BY ELYSA MANTEL — If you’re like me, you probably shop at Target Stores, especially over the holidays when the deals are great and everything is a one-stop shop. However, nothing is more frustrating than shopping at stores like Target and then receiving that alarming phone call from your credit card provider about the “unusual activity” noticed on your account. This past December, the Christmas commotion came a few weeks early and continues well into the New Year for nearly 40 million credit and debit card users[i], including myself. So, what’s all the commotion about?

Between November 27th and December 15th, U.S. Target Stores suffered a nationwide security breach that exposed customers’ names, credit or debit card numbers, card expiration dates, and CVV security codes.[ii] The hackers also snatched personal information including email addresses, phone numbers, and home addresses.[iii] The Wall Street Journal has reported that these cyber thieves captured the consumer data stored on the magnetic stripes on the back of credit and debit cards.[iv] In the past, security breaches often involved hacking into a company’s main server, but this Target breach appears to be quite different. According to the Wall Street Journal, this hacking “may have involved tampering with the [payment] machines customers use to swipe their [debit or credit] cards when making purchases.”[v] Yet it remains unclear how these cyber criminals were able to compromise the payment stations on such a large scale.

As everyday consumers, what difference does it make if we are told how, where, or why? We still have to continuously worry and keep an eye on our credit or debit card statements. We still have to call our financial providers if we see any potentially fraudulent activity. So, what do we really need to know from this Target Stores fraud scandal? Unfortunately, we first need to understand that this type of cyber breach is now common, and we need to know how to deal with it because it’s not going away. In the past, there have been security breaches at companies such as T.J. Maxx, J.C. Penney, 7-Eleven, and JetBlue, in which more than 90 million customers’ card numbers and personal data were stolen.[vi] This activity should not come as a surprise to us, though, because it is a product of the economic times in our country. Customers who have been hit with this fraud are frustrated and want Target to do something about it. According to Target, it has “moved swiftly to address this issue so guests can shop with confidence,” and it has also hired a third-party forensics firm to investigate and catch these hackers.[vii]

So what does the Target Stores security breach really teach us? It teaches us that companies like Target Stores who tell you they’re “moving swiftly to address the issue” will not give you the confidence you really need as a customer at Target or as an everyday consumer. The confidence we really want is one that doesn’t breed more worry. The question customers should really be asking is what we can do as everyday consumers to secure our bank accounts from fraud and let go of the worry, not what Target Stores is doing about this specific security breach.

As a general rule, here’s what you should do to gain confidence as an everyday, plastic-card-using consumer. If you’re not willing to use cash for every purchase you make, then you should get a copy of your credit report or review your online statements periodically. You should set up fraud alerts through the credit reporting agencies or through your financial provider. When I realized that my bank account may have been jeopardized by the Target Stores breach, I quickly called my financial provider and set up a system where the bank must telephone me when a purchase reaches a certain amount of money and/or when a purchase is made in a location that seems unusual relative to other purchases I recently made. For example, my bank alerted me when someone tried using my debit card number at a gas station in South Carolina. Seeing that I hadn’t made any recent purchases in South Carolina, my bank denied the transaction and quickly telephoned me to ask if I was in South Carolina.

When it comes to security breaches like the one at Target Stores, or even my South Carolina fraud, it may be best to simply cancel your debit or credit card and get a new card number instead of having to keep a close eye on your statements and create more worry. If you continue to use credit or debit cards, then write in large letters “SEE I.D.” on the back of your card. Although stores are now reacting to identity theft and have created new store policies that require check-out clerks to ask for identification to verify your card, by writing “SEE I.D.” on the back, stores such as Target will know to check your I.D. even when there is no store policy in place. So, what we can really learn from this security breach is that the confidence we need to shop at Target Stores comes not from a Target representative’s statements but from our own actions in implementing at least some of the above practices.

One thought on “What the Target Stores Security Breach Really Teaches Us”

  1. Ulf Mattsson

    Among the myriad lessons from the Target breach, perhaps the most important is that “Compliance” does NOT equal Security. Target was certified as compliant according to all applicable regulations, and was discovered after the fact to have failed to meet many of the requirements. So how did this happen?

    – First, compliance is often used as a guide to the least possible amount of security necessary to comply.

    – Second, regulations are based on best practices to provide a baseline of security for past threats, not a solution to maximize security for the future.

    – Security auditors often come in selling a solution, rather than looking for a problem.

    – In other cases, auditors are paid to come in and find what they’re told to find by the very company they’re supposed to be assessing!

    – Many companies rely on access controls and firewalls for security, even though they consistently fail to prevent breaches.

    – Monitoring approaches like SIEM solutions are fogged by noise and usually find evidence only after a breach has already occurred.

    Many of the failures of data security today can be directly attributed to the negligence or ignorance of best practices for protecting data. The answer lies in independently verified solutions that protect the data itself. Decoupling the assessment from the solution is vital to an unbiased audit. I think that cyber insurance should play a bigger role in this scenario. The insurance premium level should be related to the types of security controls that the merchant implements. The insurance premium could reflect the quality of the security solution and that of the auditing performed.

    In addition, if breaches cannot be wholly prevented or detected in real time, then the data must be secured to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization. Studies have shown that users of data tokenization experience up to 50% fewer security-related incidents (e.g. unauthorized access, data loss, or data exposure) than non-users.

    With an objective system to verify security in place, and a strong solution to actually protect data rather than building walls around it, companies can be assured that they are actually secure, rather than just ticking a compliance checkbox.

    Ulf Mattsson, CTO Protegrity

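An added illustration, not code from the commenter, from Protegrity, or from the post, of the vault-style tokenization the comment argues for: the store’s own database keeps only a random token that shares the card’s last four digits (for receipts and analytics), is guaranteed never to pass the Luhn check, and can be mapped back to the real card number only by the separately protected vault. The `TokenVault` class, the helper names and the well-known test card number used as sample input are assumptions made for the example.

```python
import secrets

# Constructed sample input: a standard test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum. Real card numbers pass it; we use it to make sure a
    token can never be mistaken for (or used as) a valid card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component that ever holds the mapping
    between a PAN and its token. Everything outside it sees tokens only."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN -> same token, so analytics can still group purchases by card.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits in place of the PAN, keeping the last four for receipts.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn (could collide with a real card)
            # or that are already in use.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. the payment processor integration) may call this."""
        return self._token_to_pan[token]


def order_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's order database stores: a token, never the PAN."""
    return {"card": vault.tokenize(pan), "amount": amount}
```

A thief who copies the order database gets tokens that fail the Luhn check and are meaningless without the vault, which is the sense in which the data is "useless to a potential thief".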