The Green Sheet Online Edition
February 23, 2009 • Issue 09:02:02
Data breaches, more than bad publicity
Network breaches, long the Achilles' heel of data-centric business spheres like the payments industry, seemingly have become more flagrant of late. Breaches are also proving to be more expensive for victims and society as a whole.
The Tucson-based Ponemon Institute reports organizations that experienced data breaches in 2008 spent, on average, $6.6 million in responding to those incidents. According to the research firm's annual U.S. Cost of Data Breach Study, released Feb. 2, 2009, the typical data breach last year cost companies $202 per compromised record, compared to $197 per compromised record in 2007.
Meanwhile, there's an emerging sense among law enforcement officials that financial data breaches aren't merely instances of fraud, but a means by which far more sinister crimes (such as terrorism and drug trafficking) are financed.
Against this backdrop, consider the consternation created among owners and operators of small online businesses (many processing fewer than 1,000 card payments a year) and their network services providers by initiatives like the Payment Card Industry (PCI) Data Security Standard (DSS), which is designed to ensure proper security of personal financial information associated with credit and debit card payments.
Patrick Harris, who operates a Web development and hosting firm called Cyberian Frontier, warns that the current push for PCI compliance among smaller e-commerce businesses could force large numbers of them out of business. The card companies are "pulling the rug out from under many of these small businesses by making it impossible for them to make money without investing large sums in PCI compliance," he said.
John Bartholomew, Vice President of Sales for SecurityMetrics in Orem, Utah, concurs that PCI may have the effect of weeding out the field. "We'll certainly see a reduction in the number of folks who are certified to handle card data, and rightfully so," Bartholomew said.
Bartholomew believes the PCI DSS has significantly reduced fraud. "There are lots of people who are better off today because they took all the proper steps [to secure card data] and they are maintaining them," he said.
While PCI compliance may be costly, it's also becoming increasingly expensive for firms to clean up after breaches involving private consumer information, like credit card numbers.
According to Ponemon's data, the largest cost component in any network breach is loss of business due to abnormal customer churn. Over the last four years the cost of churn has grown by more than $64 on a per-victim basis. That works out to a nearly 40 percent increase, the firm noted.
"After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach," said Dr. Larry Ponemon, founder and Chairman of the Institute. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy."
Here are some additional findings of the Ponemon study, which examined 43 organizations across 17 industry sectors:
- Financial services firms experienced the second-highest rates of churn related to data breaches - 5.5 percent. Only health care firms saw more churn, at 6.5 percent. Average churn related to data breaches across industries was 3.6 percent.
- The all-in cost of breaches totaled $6.65 million per incident last year, compared to $6.3 million the year before.
- Third-party organizations accounted for 44 percent of all breaches studied.
Ponemon released its latest study just days after news of a major breach at Heartland Payment Systems Inc., ranked the sixth-largest bankcard acquirer in the United States in "Bankcard Today: 2008 Acquirers Report," GSQ, Vol. 11, No. 4.
Heart of the matter
No one can say for sure the extent of the breach at Heartland, but given the Princeton, N.J.-based processor's book of business, it would seem a fair assumption that data from millions of transactions was potentially compromised by what is being described as an international ring of cyber criminals.
Heartland was expected to handle 1.7 billion bankcard transactions worth a combined value of $77.2 billion in 2008, according to GSQ. The company acquires transactions from about 250,000 merchants, with a significant presence among small to mid-sized restaurants.
Heartland stated in a press release that no merchant information or cardholder Social Security numbers were compromised. However, some published reports suggest the stolen data was sufficient to create bogus cards.
According to those familiar with details of the case, the hackers were able to pick off data "on the fly" - as it passed across network wires.
"This was a very sophisticated and coordinated attack," said industry consultant Paul Martaus.
The Heartland breach is just the latest in a string of high-profile cyber crimes involving companies that handle data associated with credit and debit card transactions. And according to published reports, the incident (now contained) was similar in design to several previous attacks, including the TJX Companies Inc. and Hannaford Brothers Co. breaches, in 2007 and 2008, respectively.
In the case of TJX (which operates several national chains, including TJ Maxx), it was discovered that breaches over three years had potentially exposed data on 45 million credit and debit cards.
In December 2008, RBS Worldpay, the acquiring arm of Citizens Financial Group Inc., revealed a breach of its network may have affected more than 1.5 million cardholders.
As was the case with the breach at Hannaford (a U.S. grocery chain operating in the Northeast), Heartland had been certified PCI-compliant; the company said it received its certification in April 2008.
Heartland said it was notified of suspicious transaction activity by Visa Inc. and MasterCard Worldwide in November 2008 and responded by hiring forensic auditors to thoroughly investigate. That investigation ended in mid-January 2009 when auditors discovered "malware" had been surreptitiously installed to capture card data as it crossed Heartland's network.
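Added example, not code from the article, from Heartland or from any vendor named on this page: a minimal scanner of the kind a processor's security team could run over captured traffic, memory dumps or log files to find card numbers travelling in the clear, which is what "capture card data as it crossed the network" amounts to in practice. The sample payloads are constructed and use published test card numbers; the HTTP and track-2 shapes, the function names and the separator handling are illustrative assumptions.

```python
"""Scan captured payloads for cleartext primary account numbers (PANs).

Added example (not from the article or any named company): a detector of
the kind a SOC or DLP control runs over network captures, memory dumps or
logs to spot card data in the clear. Sample inputs below are constructed.
"""
from __future__ import annotations

import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list[str]:
    """Return Luhn-valid candidate PANs found in a raw payload."""
    found = []
    for m in _PAN_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the truncation PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample traffic (assumed formats); the card numbers are the
# well-known Visa and Mastercard test numbers, not real accounts.
SAMPLE_PAYLOADS: dict[str, bytes] = {
    "http_auth": b"POST /auth HTTP/1.1\r\n\r\npan=4111111111111111&exp=1212&amt=4250",
    "track2": b";5555 5555 5555 4444=1212101123?",
    "not_pans": b"order=20081123140512 phone=5551234567 zip=08540",
    "bad_luhn": b"pan=4111111111111112&exp=1212",
}


def scan(payloads: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each payload name to the masked PANs found in it."""
    return {name: [mask_pan(p) for p in find_pans(data)]
            for name, data in payloads.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_PAYLOADS).items():
        print(f"{name}: {hits or 'no cleartext PAN'}")
```

The Luhn check and the length bounds keep timestamps, phone numbers and order IDs out of the results, and the scanner reports only masked values (first six, last four digits) so that the detector does not itself become a new store of cleartext PANs. Encrypting data in motion at the terminal, as Carr proposes later in the piece, is what would leave a sniffer running such logic with nothing usable to find on the wire.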
No one knows for certain just how long the malware had been running, but according to published reports, the U.S. Secret Service (which investigates such crimes) has pinpointed the location of the hacker who installed it, which is outside North America.
That the Heartland hacker was foreign wasn't a big surprise to those who track cyber-crimes.
In an article for a forthcoming issue of the Santa Clara Computer and High Technology Journal, Kimberly Kiefer Peretti, a Senior Attorney with the U.S. Department of Justice's Computer Crime and Intellectual Property Section, details proven links between financial data thefts and known international terrorist groups.
Imam Samudra, a terrorist convicted for his involvement in the 2002 Bali nightclub bombings, is said to have claimed in an autobiography written in prison that he ran fraudulent credit card schemes to help fund those bombings.
The card scheme of choice: "carding." Carding is an umbrella term used to describe the theft and sale of personal financial information via the Internet for card or identity fraud.
In another case linking terrorists to card fraud, three Britons were convicted of inciting terrorist murders through a network of extremist jihadi Web sites.
The trio was also convicted under that nation's financial fraud laws. The court found that they had used stolen credit card numbers to make $3.5 million in charges, including prepaid cell phones and airline tickets for themselves and other terrorists.
Other cases detailed in Peretti's upcoming article suggest criminals from the former Soviet republics are major players in international cyber crime. One such person, a Ukrainian national named Roman Vega (also known as Boa), allegedly ran a major carding operation before being arrested in Cyprus and extradited to the United States, where he remains, indicted on numerous counts of financial fraud.
Martaus isn't convinced recent high-profile breaches are the work of terrorists. "I think these were driven by pure greed," he said.
Encryption to bolster PCI
Nonetheless, reading through Peretti's report, it becomes apparent that thousands of companies (especially in the financial services sector) have been and continue to be compromised by cyber-criminals who cooperate through worldwide networks. And, she warned, "despite compliance with industry security standards, it is likely that hackers will continue to develop techniques to exploit the computer systems of entities holding cardholder data."
Heartland's Chairman and Chief Executive Officer, Robert O. Carr, believes end-to-end encryption can help. "PCI is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps," he said in a statement. But Martaus doesn't see encryption as a silver bullet. It's not enough for one network to implement end-to-end encryption, he insists. And getting everyone on board would be a herculean task, requiring the installation of special software modules at every merchant POS. "It's got to happen at the terminal level," he said.
The value of PCI
The attack on Heartland has thrust to the forefront of public discourse concern about the security of payment card data, the responsibilities of organizations working with that data and the value of PCI.
An article published Jan. 26, 2009, in The Tech Herald, an online publication favored by information technology (IT) professionals, asked "Does the Heartland breach prove PCI useless?"
The author, Steve Ragan, concluded that "assuming PCI compliance equals security is stupid. PCI compliance, much like the often preached Industry Best Practices of IT, amounts to nothing more than a simple list of baselines.
"Taking all the steps needed for PCI compliance assures a company no more security than it would get by disabling guest accounts on workstations."
The notion that no processor or network is 100 percent secure has ISOs and merchant level salespeople (MLSs) concerned. A member of GS Online's MLS Forum writing under the moniker imsrick, stated about the Heartland breach, "We all have a processor. Is it possible that our compliant processor could have the same thing happen?
"While I'm using this to my advantage to pursue any and all Heartland merchants, I don't want to have it double back on me in coming months if the platform I use has a similar issue. I guess on further reflection I am starting to feel that I'm the one in the glass house because of my lack of understanding of the true risk position I'm in."
Harris, the Web developer, voices similar concerns, adding that the PCI DSS hasn't done much to address them. "I'm getting a lot of conflicting information," he said. For example, Harris said he has considered routing all client transactions through PayPal Inc.
"But the way I read PCI DSS, we need to protect cardholder data, not just card data." And that requirement would rule out most of his clients.
Harris said his understanding of the rules is that a small organization accepting credit card payments for educational seminars would need to be PCI-compliant even if it handed off the payment processing to a third party like PayPal because it would be capturing (and retaining) information about the cardholder (name, address, phone) through the online registration process.
For now, Harris is advising clients not to accept credit card payments until and unless he finds a fail-safe, cost-effective means to ensure PCI compliance. He estimates it would cost his firm about $2,000 a month to put in place systems deemed PCI-compliant in the current environment.
"I work with a lot of not-for-profits that just don't have the e-commerce volume to justify the expense of PCI compliance," Harris said. "These are folks who are thrilled if they get two or three e-commerce transactions a day."
With the current PCI requirements, Harris noted, "I would have to say that the vast majority of my clients will no longer be able to do business under these circumstances." He suggested the same will be true for millions of other businesses. "In today's economic environment, if you make it expensive and harder for people to make money on the Web, you're going to run a lot of people out of business," he said.
Given the scope of data network breaches, and the potential economic consequences, improved cooperation will be necessary on all fronts.
DoJ's Peretti, for example, said there is need for cooperation among law enforcement officials worldwide. "Countries that either do not have the legal framework to prosecute such activity or that turn a blind eye through law enforcement inaction, in effect, become breeding grounds for organized criminal carding operations," she wrote.
Heartland's Bob Carr wants better cooperation within the acquiring sector. "I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks," he said.
"Up to this point, there has been no information sharing [regarding data breaches], thus empowering cyber criminals to use the same or slightly modified techniques over and over again.
"I believe that had we known the details about previous intrusions, we might have found and prevented the problem."
At press time, at least two dozen financial institutions had reported they were re-issuing credit and debit cards because of the Heartland breach. Additionally, at least three individuals were pursuing legal action against Heartland.
Such legal actions stem, in part, from state laws requiring notifications from financial institutions when customer financial information is compromised. According to Attorney Jill M. Miller, 44 states have implemented laws requiring some sort of customer notification or re-issuance procedure when credit and debit card information is breached. Miller, who is with the firm Jaffe, Raitt, Heuer & Weiss, P.C. in Southfield, Mich., addressed data security legislation last month in a presentation at the Northeast Acquirers Association's 2009 Winter Seminar & Outing.
While many of these laws require notifications by card-issuing financial institutions, at least one state, Minnesota, has enacted a "retailer payment card breach liability law," Miller reported. Similar legislation is now being considered in Texas and California, she said. The existence of state laws addressing financial data security and the international scope of cyber crimes may demand greater federal attention toward data theft. To that end, Miller noted, "The FTC [Federal Trade Commission] has announced its support for national data protection/breach notification requirements."
As for Heartland, it has tasked an internal department with developing end-to-end encryption to protect merchant and consumer data on its network.
"I believe the development and deployment of this technology will provide the ability to implement increasing levels of security protection as they are needed," Carr said. "Heartland has been working on end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts."