Friday, September 4, 2009

Anita Ramasastry

Heartbreak over Heartland: Why Prosecution for Data Breaches Isn't Enough

By ANITA RAMASASTRY

Debit card users often feel safe because their cards are PIN-protected. But recent events show that, like credit cards, debit cards can be compromised when the databases of large retail merchants or card processors are hacked. (Editor's Note: Clarification: she's talking about the PAN (Primary Account Number), not the PIN. Like credit cards, "signature" debit cards can be easily hacked. All you need is the PAN. The PIN provides an additional layer of security, which is why signature debit cards are 15 times more likely to be fraudulent than PIN debit cards.)

In late August, the U.S. Department of Justice issued indictments in what is, to date, the largest data breach in the United States – with over 130 million credit and debit card numbers compromised. (Editor's Note: When PINs get hacked, there will be an exponentially greater fuss.) Albert Gonzalez, 28, of Miami, Florida, and two unnamed co-conspirators allegedly used intricate hacking techniques to break past computer firewalls and gain access to this confidential information, as well as to intercept packets of data that were being transmitted in real time.

When a credit or debit card is used, the card numbers are stored (Editor's Note: Therein lies the problem. If merchants didn't "store it" or "handle it," as is the case with a HomeATM transaction, the hackers would have nothing to hack) so that the information can be transmitted back to your bank for withdrawal of funds or billing to your statement. Companies are required by various regulations and industry rules to have security measures that safeguard sensitive customer data. However, hackers can and will try to outsmart the best security measures. (Outsmart this: with no data stored or handled, what can hackers hope to achieve?)

In this column, I will discuss the recent security breach and some of its implications and costs. While the arrest of the alleged hacker is important, it remains to be seen whether this action will be an effective deterrent to others. Moreover, after-the-fact arrests are not enough: there needs to be a renewed focus on security standards within the card industry. (Editor's Note: When it comes to eCommerce, fraud is exponentially worse. Card NOT Present fraud is the leader. So, if you want to eliminate Card NOT Present fraud, you must eliminate the "Card NOT Present" environment. How do you do that? It's simple: Swipe vs. Type, and voilà! You've got yourself a "Card Present" transaction. Make sense? You bet it does.)

The Recent Indictment




In late August, the Acting U.S. Attorney for New Jersey announced an indictment against Gonzalez and his two unidentified co-conspirators. The three are charged with a scheme involving five corporate data breaches, including the single largest reported data breach in U.S. history. The scheme is believed to constitute the largest hacking and identity theft case the Justice Department has ever prosecuted.

According to the indictment, 130 million credit and debit card numbers, together with account information, were stolen from Heartland Payment Systems, Inc., based in Princeton, N.J.; 7-Eleven, Inc.; Hannaford Brothers Co., which operates grocery stores in Maine and Massachusetts; and two other, unidentified corporations.



Between October 2006 and May 2008, Gonzalez is alleged to have acted with his two co-conspirators to select large corporations and identify security vulnerabilities, both by in-person observation and by online investigation. For example, according to the indictment, Gonzalez and an individual identified only as "P.T." would visit the retail locations of their potential victim companies, seeking to identify the type of checkout machines and card readers they used.

The indictment alleges that, after this reconnaissance was completed, the three conspirators would upload information to servers – which served as hacking platforms – that were located in New Jersey and several foreign countries. The three conspirators allegedly used the servers first to store information critical to their hacking schemes, and then to launch their attacks. Through these attacks, the indictment alleges, they installed "sniffers" that conducted real-time interception of credit and debit card data being processed by the corporate victims' servers.



As noted above, the results were staggering: Reportedly, more than 130 million card numbers were stolen.



Is Our Data Secure? (Editor's Answer: Not until it is no longer stored or handled, and is end-to-end encrypted during transmission.)

We have a strong legal structure that kicks in after an infraction; both federal regulations and card industry rules provide consumers with great protections if someone steals their card or card numbers. (Editor's Note: I would eliminate the word "great.")

But it is still a headache (I would replace "headache" with "extremely inconvenient") for the consumer to report false charges and get them erased, make sure money fraudulently transferred from bank accounts is replaced, and procure replacement cards. Moreover, such breaches are costly to companies and banks, and the costs get passed on to cardholders in the form of higher fees, interest rates and the like.

That raises a pressing question: Can more be done to prevent this kind of hacking activity?

Editor's Note: In a word, YES.
