Updated: Friday, October 9, 2015
Experian breach roils T-Mobile
Security analysts are warning that cybercriminals are increasingly targeting data brokers and credit screening services that aggregate consumer data. Experian Information Solutions Inc. estimates that up to 15 million consumers had personal information stolen from an Experian server holding its T-Mobile USA credit-application data; the incident was first reported on Oct. 1, 2015.
The global data aggregator, based in Dublin, Ireland, with operations in the United States, United Kingdom and Brazil, employs 16,000 people in 39 countries. A statement on the company’s website portrayed the event as “an isolated incident [that occurred] over a limited period of time.”
Hackers gained entry to an Experian server that held “personal information for individuals, including some current customers, and also consumers who applied for T-Mobile USA postpaid service or device financing, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015,” the company stated.
Security analysts argue that an unauthorized entry into a global credit bureau’s database that exposed two years’ worth of applicant records is neither an isolated incident nor the first reported breach of T-Mobile customer records entrusted to Experian’s credit screening service. In 2003, Experian acquired Decisioning Solutions, a credit screening service for T-Mobile USA applicants, and discovered later the same year that the vendor had been compromised.
Big data, bigger breach
T-Mobile USA is a division of T-Mobile International AG, a German holding company for Deutsche Telekom AG's mobile communications subsidiaries outside Germany. Security analysts have questioned the company’s continuing fealty to Experian, which has been documented to have failed repeatedly to protect and secure the personal data of millions of T-Mobile USA customers.
“I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion, and this did not involve any payment card numbers or bank account information,” said John J. Legere, Chief Executive Officer of T-Mobile USA. Legere invited potentially affected customers to sign up for two free years of credit monitoring at ProtectMyID.com, an Experian-operated service.
“Instead of walking away from Experian and actually protecting its customers, T-Mobile continued to employ the firm,” wrote blogger Todd Haselton. “Guess what T-Mobile offers for customers affected by the breach? Yep, you guessed it, another two years of free credit monitoring from ProtectMyID, the Experian-provided service.”
Data brokers as targets
Experian positions its company and brand as a leading global information service that helps businesses manage credit risk and prevent fraud. Those same attributes make Experian and similar firms attractive to criminals. Personally identifiable information (PII) such as names, addresses and Social Security numbers can fetch a higher price than cardholder data on dark web markets, where criminals traffic in stolen data and assorted contraband. (Such markets are often loosely lumped in with the much larger, and mostly benign, unindexed “deep web”; the dark web proper is the small portion reachable only through anonymizing overlay networks.)
Security analysts have openly questioned how any breached data broker can effectively protect and defend the individuals and client companies it serves. “A breached data broker seems to lack strong intent when you consider how adept they are at collecting and validating information about consumers,” said Dante LoScalzo, Senior Manager of Security Consulting at Atlanta-based ControlScan Inc. “Couple that with the fact that many consumers are unaware of the methods used to collect information about them, the volume of information that’s held and who exactly has it, and the gravity of the situation becomes apparent.”
LoScalzo went on to say that the “secret sauce” that some firms use to protect data is an insufficient defense against attackers who have already gained access to a network. “Many of these firms use antiquated means of obfuscating data, poor encryption implementations and inadequate access control,” he said, adding that these vulnerabilities highlight the need for security innovation and best practices.
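As an added illustration of the first of those three weaknesses (this is example code written for this page, not anything from ControlScan or from any breached firm): a credit-screening database that stores an unkeyed hash of each Social Security number and treats that as protection. An attacker holding the database dump can enumerate the nine-digit input space offline and recover the plaintext; the same attacker cannot do so against a keyed hash whose pepper never touches the database. The sample record, the assumed leaked prefix and the pepper are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample: one record from a hypothetical credit-screening database,
# stored as an unkeyed SHA-256 of the nine-digit SSN (AAA-GG-SSSS format).
SAMPLE_SSN = "219-09-0042"


def obfuscate_unkeyed(ssn):
    """The 'secret sauce' variant: hash the SSN and call it protected.
    The hash is one-way, but the input space is only 10^9 values, so anyone
    holding the database dump can enumerate it offline."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def protect_keyed(ssn, pepper):
    """Keyed hash (HMAC-SHA256) with a pepper that lives outside the database,
    e.g. in an HSM or secrets manager. An attacker who dumps the database but
    not the pepper cannot run the enumeration at all. Still deterministic, so
    it reveals which rows share an SSN; suitable as a lookup index, not as the
    only protection for the value itself."""
    return hmac.new(pepper, ssn.encode(), hashlib.sha256).hexdigest()


def enumerate_and_match(digest, known_area_group, hash_fn):
    """Offline attack against a dumped digest. Assumption, so the demo runs in
    well under a second: the attacker already knows the first five digits
    (area and group) from another leaked record, leaving 10,000 serials to
    try. Without that, the full 10^9 space is still cheap on commodity GPUs."""
    for serial in range(10_000):
        candidate = f"{known_area_group}-{serial:04d}"
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


def demo():
    known_prefix = SAMPLE_SSN[:6]  # "219-09": assumed leaked alongside the dump

    # Weak scheme: the attacker recovers the SSN from the hash alone.
    weak_digest = obfuscate_unkeyed(SAMPLE_SSN)
    recovered = enumerate_and_match(weak_digest, known_prefix, obfuscate_unkeyed)

    # Keyed scheme: the pepper never reaches the database, so the attacker's
    # best effort is to guess it. Two such guesses are shown.
    pepper = secrets.token_bytes(32)
    keyed_digest = protect_keyed(SAMPLE_SSN, pepper)
    guess_unkeyed = enumerate_and_match(keyed_digest, known_prefix, obfuscate_unkeyed)
    guess_wrong_key = enumerate_and_match(
        keyed_digest, known_prefix, lambda s: protect_keyed(s, b"guessed-pepper"))

    return {
        "weak_recovered": recovered,
        "keyed_recovered_without_pepper": guess_unkeyed,
        "keyed_recovered_with_wrong_pepper": guess_wrong_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed form only moves the problem to key management, which is LoScalzo's third point: if the application that holds the pepper is itself reachable with stolen credentials, the attacker simply asks it to hash candidates. Keeping the key in a separate service with rate limiting and audit logging is what turns the hash from obfuscation into a control.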
Call for reforms
TrackOFF, a Baltimore-based startup that develops privacy and security software, predicted that a leading data aggregator like Experian would be hacked. Warning that hackers and foreign intelligence services will increasingly exploit this type of company, TrackOFF is calling for reforms in regulation and consumer protection, including educating consumers about how data brokers obtain and use their PII.
The company recently published a white paper in response to the Federal Trade Commission’s invitation for public comment in preparation for the agency’s Nov. 16, 2015, workshop on cross-device tracking. The paper offered insights and recommendations on ways to manage and regulate the “mass collection and storage of consumer information by data brokers.”
“When we were putting together the white paper, we were shocked that no one else is addressing this topic,” said Chandler Givens, co-founder and CEO at TrackOFF. “This is surprising considering how hackers are actively seeking high repositories of consumer behavior; if I were working for an underground group or government intelligence agency, these data brokers would represent ideal targets.”
Givens noted that hackers can use up-to-date information from data aggregators to launch personalized attacks against consumers. “In certain instances, the hackers may know that someone will be taking a trip to Chicago,” he said. “The hacker could send out a phishing email related to the upcoming trip.” He went on to say that if the information in the email squares with the target’s itinerary, it increases the chance that the consumer will click on that link and become infected with malware. “If it hasn’t happened already, it will happen,” he said.
Chinese hackers breach LoopPay
Thursday, October 8, 2015
An alleged Chinese state-sponsored hacker ring known as the Codoso Group or Sunshock Group apparently breached the corporate computer network of LoopPay Inc. as early as March 2015. The Massachusetts-based subsidiary of Samsung Electronics Co. Ltd. developed magnetic secure transmission (MST) technology, which lets a phone emulate a magnetic-stripe swipe at existing terminals and is a core component of the Samsung Pay mobile wallet released in the United States on Sept. 28, 2015.
According to a report published in The New York Times on Oct. 7, LoopPay became aware of the intrusion in late August when an unnamed group discovered LoopPay data while investigating the Codoso Group in a separate breach incident. Earlier this year, the group was linked to a multistage, malicious code attack on the Forbes.com LLC website, which infected the computer systems of site visitors. On Aug. 28, LoopPay hired two private forensics teams to investigate the breach.
Payment data not at risk
LoopPay said it appears the hackers may have been seeking inside information about the MST technology itself. Key executives from LoopPay and Samsung indicated they were confident the infected machines had been isolated and that customer payment data and personal devices were not exposed in any way.
"Samsung Pay was not impacted and at no point was any personal payment information at risk," said Samsung Chief Privacy Officer Darlene Cedres in a statement. "This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay."
Security experts tracking the Codoso hackers told The New York Times that with the investigation still unfolding, it is premature at this point to estimate the extent of damages to LoopPay; this particular group is known for planting hidden back doors in previous attacks that have continued to infiltrate networks long after the breach.
Lucas Zaichkowsky, Enterprise Defense Architect at AccessData, agreed that once attackers have footprinted and reconnoitered a target and gained initial entry, an intrusion can escalate quickly, especially if they obtain privileged credentials that let them siphon information undetected over long periods.
PCI SSC delivers data breach guidance
Wednesday, October 7, 2015
The PCI Security Standards Council, in collaboration with a team of PCI Forensic Investigators (PFIs), released guidelines to help organizations implement breach response plans. The document, Responding to a Data Breach: A How-to Guide for Incident Management, was unveiled during the PCI SSC-hosted North America Community Meeting in Canada. Additional data security awareness meetings were slated for Japan and France.
According to the PCI SSC, the average total cost of a data breach is now $3.8 million per incident. In reflecting on the global state of data security awareness, PCI SSC International Director Jeremy King noted that in the United Kingdom, the government closely monitors data breach incident levels through an annual business survey that tracks all types of data breached.
"This isn't just financial, this is any data breach," King said. "They found that in the last two surveys over 90 percent of organizations had a data breach of some form or other." He said that given the fact that in over 95 percent of data breach incidents an external party was the first to alert the compromised organization that a breach had occurred, data security guidance has reached a time-critical point.
Basic security still an issue
But the council is optimistic that will change. "The silver lining to high-profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business as usual," said Stephen Orfei, General Manager of the PCI SSC. "Prevention, detection and responses are always going to be the three legs of data protection."
Unfortunately, a significant number of merchants believe a breach won’t happen to them. Merchants in this category are often the most vulnerable to attack, because basic security measures, including an incident response plan, are never put in place.
"Each year Verizon and Trustwave publish separate data breach reports," King said. "Consistently, they have found over the years that organizations that are breached have not been PCI compliant, but it's not that they were a little bit not compliant, they were massively not compliant. There are some huge holes there. There are simple things they are still not getting right."
For example, he noted that lack of good password security remains a problem as does clicking on phishing emails that allow malware to be downloaded. He noted that cybercriminals continue to use basic attack methodologies because unprotected business environments are not difficult to find, and lack of employee training and response strategies only compounds matters for merchants.
Incident response plan needed
However, for small merchants cost can be an issue. "In Europe, some of the card brands offer a limited breach response service, because they know that small merchants can't afford full forensics investigation breach support, so it becomes a relationship between the acquirer, the merchant and the brand to try and resolve this," King said. "If you're a small merchant working in the e-commerce space, you've really got to do this properly."
He said that with a good incident response plan, merchants know exactly what to do, how to respond and who to notify. If a breach should occur outside of business hours, key personnel understand the chain of command and what factors determine whether to open for business the next day. Businesses are advised to establish relationships with forensics investigators beforehand to reduce response time and prevent errors in the aftermath should a breach occur.
An incident response plan should also include instructions on how to limit data exposure and preserve evidence. That may mean isolating a compromised system from the network rather than powering it off: shutting down destroys volatile evidence such as memory contents and active network connections that a forensic investigator will need. In addition to a PFI contact, the plan should list current business partners, including payment card brands, acquirers and other entities requiring notification. The PCI SSC recommends that contracts with third parties specify how evidence will be accessed and reviewed in the event of a data breach.
The PCI SSC breach response guidelines contain a section on what businesses can expect from a PFI, the services PFIs perform and what businesses can do to facilitate PFI investigations. The PCI SSC maintains a list of PCI-certified PFI professionals on its website at www.pcisecuritystandards.org .
Card1 platform sets sail on Indiegogo
Tuesday, October 6, 2015
Payment veteran Randy Smith would like consumers to help his company create a new payment product. Card1, launched Sept. 18, 2015, on crowdfunding site Indiegogo, would aggregate a consumer’s credit and debit cards into a single plastic payment card backed by a cloud-based mobile wallet. Smith is promoting the Card1 platform in Startup Alley at TechCrunch Disrupt; TechCrunch, an AOL Inc. subsidiary, awarded first prize to his previous startup MobilePayUSA in 2010.
Card1 combines the benefits of mobile wallet tech with the ubiquity of traditional plastic payment cards, Smith stated. Noting that Europay MasterCard Visa (EMV) and near field communication (NFC) technologies are now in approximately 10 percent of retail locations in the United States, he wanted to find a way to serve a broader population of consumers, particularly younger people who want to use their smartphones to make payments at the POS.
“Millennials live in a digital world and demand the convenience that it affords,” he said. “Card1 provides this convenience along with added security in a solution that works within the confines of today’s payments infrastructure.”
Security, tokenization are key
Smith said that Card1 looks like a conventional payment card but employs advanced data analytics, tokenization and identity authentication software to protect consumers at the POS. Card1 users can use their mobile phone cameras to add payment cards and digital currencies to cloud-based Card1 mobile wallets. Card1 users can also authorize each card payment during the online and in-store checkout process, he added.
As an additional precaution, the app will validate that phone and store locations match before authorizing a transaction, the company pointed out. “We can lock our cars, homes and computers, but not our payment cards,” Smith said, further noting that he designed the solution to turn a single payment card into a fully functional and secure wallet that supports debit, credit, loyalty and rewards programs. “Consumers deserve a universal card they can depend upon to work consistently to make payments.”
Campaign countdown begins
As the countdown continues on the Indiegogo site, Orange County, California-based Card1 is offering an array of micro-level awards to prospective contributors who help Smith and his team of payments executives reach their funding goal of $250,000 for the universal payment platform. The awards, which range from $25 to $50 and include pricing incentives, custom card and wallet holders, are designed to get the new card into consumers’ hands.
Additional information about the Card1 movement can be found on Facebook, Twitter and on the company’s website www.getcard1.com, which is directly linked to the company’s Indiegogo campaign. “With your support and help in recruiting others to also be backers of Card1, we can hit our goal, which will enable us to continue our application and platform development into the next phase, attract the attention of major partners and bring to the world the next-gen, future-proofed, financially secure payment card,” Smith said. “Now it’s up to you, my backers, to make Card1 a reality.”
Fraud liability shifts today, are your merchants EMV-ready?
Thursday, October 1, 2015
Today is Oct. 1, 2015: EMV Day. Who is ready for the new chip card standard and who is not? Newly released reports from The Strawhecker Group and leading insurer The Hartford point to broad swaths of businesses where EMV readiness is sparse. But that’s OK for now, because so is card issuance.
EMV (for Europay, MasterCard and Visa) is a specification for chip-embedded (smart) cards and the terminals that accept them. It is considered far superior to the magnetic stripe, which carries static data that any reader can copy, because the chip holds keys that never leave it and uses them to generate a unique cryptogram for each transaction; card data captured from one transaction therefore cannot be replayed to authorize another or to produce a working counterfeit card. Cloning a chip is difficult and costly enough that counterfeiting stops being profitable. EMV does not, however, address card-not-present fraud or protect cardholder data stored by merchants, and U.S. chip cards still carry a magnetic stripe for fallback, so stripe-based counterfeiting remains possible wherever the chip is not read.
The United States has been slow to move to EMV, despite widespread adoption elsewhere in the world, leading the card brands to set a liability-shift date. As of today, liability for counterfeit card-present fraud shifts to whichever party in the transaction, typically the merchant, did not support chip acceptance when a chip card was presented; the corresponding deadlines for acquirers and processors have already passed. The shift is not a legal mandate: merchants without chip-capable terminals can still accept cards, but they now absorb counterfeit fraud losses that issuers historically bore.
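To make the replay point concrete, here is a simplified, added model of a chip transaction next to a stripe read. It is example code written for this page, not EMV specification code and not from any of the firms quoted. An HMAC over the transaction data with a card-resident key stands in for the ARQC that a real chip computes with its issuer-derived session key; the Application Transaction Counter (ATC) and the terminal’s unpredictable number are real EMV concepts, but the key sizes, field encodings and the sample track data are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample: static mag-stripe track data. Anything that reads it can reproduce it.
SAMPLE_TRACK2 = "4111111111111111=25121011234567890"


def magstripe_authorize(known_tracks, presented_track):
    """Stripe model: the issuer can only check that the track data looks right.
    A skimmed copy is indistinguishable from the original card."""
    return presented_track in known_tracks


class ChipCard:
    """Simplified chip: a key that never leaves the card plus an
    Application Transaction Counter (ATC) that increments per transaction."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._card_key = card_key  # assumption: one HMAC key stands in for EMV's derived session keys
        self.atc = 0

    def generate_ac(self, amount_cents, unpredictable_number):
        # Cryptogram over data the terminal and issuer both see; stands in for the ARQC.
        self.atc += 1
        data = f"{self.pan}|{amount_cents}|{unpredictable_number:08x}|{self.atc}".encode()
        mac = hmac.new(self._card_key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "un": unpredictable_number,
                "atc": self.atc, "ac": mac.hex()}


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan):
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, request, terminal_un):
        """Online authorization: freshness checks, then recompute the cryptogram."""
        key = self._keys.get(request["pan"])
        if key is None:
            return False, "unknown card"
        if request["un"] != terminal_un:
            return False, "unpredictable number mismatch (replayed from another session)"
        if request["atc"] <= self._last_atc[request["pan"]]:
            return False, "stale ATC (transaction counter already used)"
        data = f"{request['pan']}|{request['amount']}|{request['un']:08x}|{request['atc']}".encode()
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8].hex()
        if not hmac.compare_digest(expected, request["ac"]):
            return False, "bad cryptogram"
        self._last_atc[request["pan"]] = request["atc"]
        return True, "approved"


def terminal_transaction(issuer, card, amount_cents):
    """Terminal side: choose a fresh unpredictable number, ask the card for a cryptogram, go online."""
    un = secrets.randbits(32)
    request = card.generate_ac(amount_cents, un)
    return request, issuer.authorize(request, un)


def demo():
    issuer = Issuer()
    card = issuer.issue("4111111111111111")

    # 1. Genuine purchase.
    request, (ok_genuine, _) = terminal_transaction(issuer, card, 4999)

    # 2. Attacker captured the whole authorization request and presents it at another
    #    terminal, which generates its own unpredictable number; the captured cryptogram
    #    was bound to the old one.
    attacker_un = secrets.randbits(32)
    while attacker_un == request["un"]:
        attacker_un = secrets.randbits(32)
    ok_replay, why_replay = issuer.authorize(dict(request), attacker_un)

    # 2b. Even if the attacker could force the same unpredictable number, the ATC is spent.
    ok_same_un, why_same_un = issuer.authorize(dict(request), request["un"])

    # 3. Same attacker with a skimmed stripe: the copy authorizes.
    ok_stripe_clone = magstripe_authorize({SAMPLE_TRACK2}, SAMPLE_TRACK2)

    return {"genuine": ok_genuine, "chip_replay": ok_replay, "chip_replay_reason": why_replay,
            "chip_replay_same_un": ok_same_un, "chip_replay_same_un_reason": why_same_un,
            "stripe_clone": ok_stripe_clone}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two freshness checks in the issuer are what the stripe model cannot have: nothing in static track data changes per transaction, so there is nothing for the issuer to tie a request to. They are also why the liability shift targets counterfeit card-present fraud specifically; a merchant that falls back to the stripe gives up both checks.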
However, a survey of small businesses just released by The Hartford indicates 50 percent of small-business owners don’t even know about the EMV liability shift. Among those surveyed, 86 percent are not yet ready to accept chip cards, the company said. Among those who are EMV ready, the largest share (43 percent) said they did so because chip cards are the future of payments. Less than one-quarter (24 percent) of those with EMV terminals said they made the switch to avoid being held liable for fraudulent transactions.
Certain verticals more prepared
TSG, a management consulting firm, released data in early September 2015 suggesting that just 27 percent of all merchants would be ready for the liability shift with EMV-compliant terminals in place. A second report released this week ranks EMV readiness by vertical markets. TSG said it surveyed a minimum of 75 credit and debit card accepting merchants in each category.
Shoe stores, as a group, are best prepared; 69 percent have EMV hardware installed, TSG reported. Department stores and men’s and boys’ clothing stores follow in EMV readiness, with 59 percent and 57 percent, respectively. Stationery stores are the least prepared; just 23 percent have EMV terminals installed. Bookstores, boat dealers, and children’s and infant wear stores are only slightly more prepared, with EMV terminals installed at between 24 percent and 25 percent of businesses in those verticals.
Mike Strawhecker, a TSG Principal, isn’t surprised by the disparities in readiness. “It makes sense that certain retail merchant types are more ready than others for the liability shift, as some are much more likely to potentially see fraudulent transactions,” he said. Most big-box merchants (like Wal-Mart Stores Inc. and Target Corp.) were ready months ago, Strawhecker added.
The National Retail Federation blames financial institutions and their technology partners for the holdups. “Retailers are further along in the conversion process than credit card companies," NRF General Counsel Mallory Duncan said in a policy statement published Sept. 30. "However, in many cases credit card companies have been unable to grant the necessary software and payment terminal certifications to stores fast enough to meet their own deadlines.” He also said many merchants have EMV terminals in place but continue to swipe cards because the devices haven’t been certified as EMV compliant.
TSG’s analysis identifies four key hurdles to EMV implementation: processor readiness, gateway readiness, merchant business management software readiness and replacement POS terminal readiness. The company said it will probably be 2017 before most U.S. merchants (90 percent or more) are using EMV-compliant terminals.
Card issuance lags big time
Meanwhile, eConsumer Services said its analysis suggests large numbers of U.S. consumers aren’t ready for EMV either. Fifty percent of consumers with one or more credit or debit cards have not yet received EMV cards, said Gary Cordone, Chief Executive Officer of the firm. What’s more, 67 percent of those with one or more credit or debit card have not received any information from their financial institutions about EMV cards. eConsumer Services specializes in mediating disputes between consumers and merchants.
A new survey from ACI Worldwide paints an even bleaker picture. Among the 1,000 credit and debit cardholders surveyed, 59 percent have not yet received EMV cards, ACI reported. Among consumers who have received chip cards, 32 percent are aware the United States is moving to EMV security; the majority have no idea why they were sent chip cards. Awareness does vary by geography and demographics. EMV awareness is especially low among households with annual incomes below $35,000. Regionally, awareness is greatest among consumers living in western states (25 percent) and lowest among those living in the south (7 percent).
Mike Braatz, ACI Senior Vice President for Payments Risk Management, said this could create problems for merchants. “[I]f consumers are unaware, the implications for retailers come October and throughout the holiday shopping season could be major,” he said in a statement about the survey findings.