High-profile data breaches affecting retailers including Target, Nieman Marcus and Michael’s have put information security into the mainstream, affecting sales and prompting Congressional hearings. As these breaches show, it is becoming increasingly difficult for businesses and technology companies to stay ahead of cyber-criminals.
The financial fallout and erosion of consumer trust continue to reverberate from Target’s disclosures in December and January that the personal and/or credit information of as many as 110 million customers was compromised after hackers reportedly installed malware onto the retailer’s point-of-sale machines through one of its suppliers.
On a conference call following the company’s fourth quarter earnings report February 26, Target CEO Gregg Steinhafel said the retailer is still analyzing what went wrong and is increasing the company’s investment in security. “This incident and recent security breaches at other companies have shaken [consumers’] confidence in both Target and the U.S. payment system more broadly,” he said. So far, Target has had $61 million in expenses related to its data breach with $44 million covered by insurance.
Meanwhile, the threat from hackers continues to cause ripples in the retail industry. Last week, Sears announced that it was investigating a possible breach, though the department store chain said so far it had found no evidence of an attack. “Certainly, information security has been in the press more in the last year than the entire decade before, and that’s raising awareness,” says Andrea Matwyshyn, a legal studies and business ethics professor at Wharton. “Consumers are still at the point where they don’t know how to protect themselves.”
Indeed, the Target incidents weren’t that surprising given that Verizon, for example, tallied and analyzed 47,000 security incidents and 670 confirmed data breaches impacting a number of businesses and industries in its 2013 data breach investigations report. The ongoing study has logged more than 2,500 data breaches and 1.1 billion compromised records over nine years.
“Security is better than we’ve had in the past, but not good enough to address what we’ll face in the future.” –Andrea Matwyshyn
The 2013 report, which looks at incidents from 2012, is put together with the cooperation of partners across various industries and nations to conduct forensic analysis on security issues. The incidents covered in the report spanned 27 countries and multiple industries, with 37% impacting financial institutions, 24% at retail establishments, 20% at manufacturing, transportation and utility companies, and 20% at information and professional services firms. According to the report, 92% of the attacks were perpetrated by outsiders to the entities being targeted.
But the Target breach — which caused the company’s sales to soften “meaningfully” after it was made public, Steinhafel said in a statement — put security concerns front and center for many, and illustrates how organized crime networks have used technology to create armies of attack programs and launched marketplaces where stolen data is bought and sold. “Ultimately, companies will have to get their acts together because there can be real brand damage,” says Wharton marketing professor David Bell.
Unfortunately, firms may not know how to protect themselves, notes Matwyshyn. “There will have to be new security approaches from the technical and legal side. Security is better than we’ve had in the past, but not good enough to address what we’ll face in the future.”
One obvious way to improve security would be for banks and credit card issuers to adopt the so-called chip and PIN technology used in much of the European Union. The technology would replace the credit card’s traditional magnetic stripe which, along with the customer signature, are used by retailers for verification with a computer chip-embedded smart card that requires consumers to enter a PIN (personal identification number) to complete a transaction.
Among those advocating that a version of these smart card chips known as EMV (after the technology’s original developers, Europay, Mastercard and Visa) become the norm in the U.S. is Visa CEO Charlie Scharf, who said in a statement released in January that the breaches “remind us of the need for all of us to continue to work together to secure payments from criminals.” Mastercard has also urged customers to accelerate adoption of EMV. Credit card issuers and merchants have long resisted the technology due to the cost of manufacturing the cards and purchasing new point-of-sale machines.
But the breaches at Target and elsewhere may be changing that. The National Retail Federation (NRF), which represents the retail industry, said it wants mandatory use of chip and PIN technology and is pushing for federal legislation that will make it easier to share information about data crimes. According to the NRF, “the biggest reason card information can be stolen is that the U.S. credit card industry and issuing banks still use 1960s technology while criminals have moved into the 21st century.”
Wharton legal studies and business ethics professor Kevin Werbach calls the switch to chip and PIN “a no-brainer to cut down on fraud. It’s not a panacea, but it will certainly help with one significant security vulnerability.” Ultimately, however, Wharton experts say it will take more than just that one technology to better secure businesses in the U.S. A change in the nation’s legal framework and a shift in consumer attitudes are also needed.
The Cyber Arms Race
A fundamental issue for companies is that cybercrime has surged with new technologies, such as automation tools that allow hackers to step up attacks.
In a presentation February 26 at the RSA Conference in San Francisco, a team of security experts outlined the most dangerous attacks and threats in the future. The key themes were that mobile applications are allowing criminals to use wireless devices to poach credit card data. In addition, malware is being added to point-of-sale terminals at stores so data can be collected before it’s encrypted. And in the future, the security experts expect that social network information will be mined and combined with other records to procure personally identifiable information that can be sold or used to conduct cybercrime.
“Companies will have to run quickly just to keep up,” says Matwyshyn. “New technologies are sometimes the answer, but companies may have to innovate their way out of this tough situation. How do you mitigate risk?”
Among the firms attempting to do that is Shape Security, which on February 25 announced that it had raised $40 million in a third round of venture capital. The company recently launched products based on polymorphic code, or code that changes each time it runs while still performing the same function. Today, many attacks launched on websites take advantage of the “view source” feature in web browsers that allows anyone to see the underlying code used to display the page. According to Shape, polymorphic code could combat attacks better because it rewrites itself every time a page loads. As a result, the code is harder for attackers to exploit.
The overall aim is to disrupt the economics of cybercrime by making attackers work harder. Today, it’s relatively easy for cyber-criminals to create “bots,” automated programs that are surreptitiously planted, lie in wait and then can be triggered remotely to attack when conditions are optimal.
“Cyber-security is an arms race, and the good guys are at a fundamental disadvantage. There is simply no way to plug every vulnerability.” –Kevin Werbach
Meanwhile, other security companies are also offering new approaches. For instance, FireEye has developed what it calls a Continuous Threat Protection model that identifies threats in real-time rather than updating their protection software only after a new form of malware is identified. Another company, Seculert, aims to detect and intercept so-called botnets automatically using traffic analysis and analytics.
According to Matwyshyn, there will have to be more experimentation like this from the technology companies charged with defending consumers. “With security, there needs to be next-generation thinking,” she notes. Werbach agrees, pointing out that “cyber-security is an arms race, and the good guys are at a fundamental disadvantage. There is simply no way to plug every vulnerability, because it only takes one person or company being lax about security to enable a successful attack. We need to deploy better technology, but what we really need to do is build more resilience and better incentives into the system.”
Steinhafel’s plan is to make Target a high-profile security reclamation project. “We are accelerating the adoption of advanced chip-enabled technology, investing more than $100 million to equip our stores and to issue Target branded smart chip credit and debit cards,” Steinhafel said during Target’s fourth quarter earnings conference call. “We have long supported this more secure technology, but broad adoption in the U.S. market has been elusive. We believe that recent events will help the industry to reach a tipping point toward accelerated adoption in the U.S., and we are investing to ensure that Target is a clear leader in driving this change.”
Werbach says that there needs to be more transparency regarding which companies are using best practices and which fall short. In addition, because consumers aren’t liable for credit card fraud, they are less likely to push for stronger systems at companies that have delayed security investments.
Wharton marketing professor Robert Meyer said Target and other retailers will have to wait and see how consumers change their behavior in the wake of the cyber-attacks. “People faced with risky situations tend to fixate on individual episodes,” Meyer points out. “For instance, [The Target breach] is a small event relative to the overall security landscape, but there is the potential to harm the brand if the company is associated with the attack.”
“However far behind we think we are compared to cyber-criminals, we’re probably even farther behind.” –David Bell
Target cut its sales projections due to the data breach, but the company’s leadership indicated during its fourth quarter earnings conference call that customer engagement was bouncing back.
“My guess is that the Target incident will fade relatively quickly,” says Meyer. “It’s more important how companies handle the event and restore trust. If the last thing people remember is that Target customers had accounts hacked — even if they don’t fully understand what that means — they won’t shop at Target or [use] their credit cards [there].” As part of its mea culpa after announcing the data breach in December, Target offered a 10% discount for all customers making an in-store purchase the weekend before Christmas. It also offered customers a free year of credit monitoring. “Anything done to make people feel more secure has a positive impact,” Meyer notes.
He adds that it’s unlikely that most consumers will give up their credit cards to protect themselves from hackers. “Perhaps consumers could and should cut back spending and shift to transactions with cash, but they are not in the position to do it,” says Meyer. “The average household is in debt, so that cash ship has sailed.”
For security to improve, Matwyshyn says that the incentive structure that exists among U.S. retailers, banks and credit card companies needs to change. One reason the chip and PIN technology worked in Europe is that the relationship between banks and regulators is fundamentally different than the situation in the U.S. Regulators in Europe have more clout and a less adversarial relationship with bankers, and were able to position security technology as a way to improve customer service and lower costs, says Matwyshyn.
In the United States, however, regulators generally don’t have the ability to easily foist mandates regarding new technologies and architectures onto companies. The argument against chip and PIN technology is focused on the cost of implementation and the massive administrative task of issuing new cards. “[European] banks saw promise, but EU regulators gave a nudge. Regulators don’t nudge here,” Matwyshyn states.
In addition, the determination of liability after a breach needs to be considered, she notes. If a company is proactive with security and can prove that it is using state-of-the-art technology, the firm should have an easier time with regulators and a stronger defense against any lawsuits that emerge. “The compromised entity has to convince the court and regulators that it acted reasonably,” Matwyshyn says, adding that the opposite side of that equation would be stiffer punishment for a company that scrimped on security and chose to allocate resources elsewhere.
“There are a lot of areas of infrastructure where we broadly lag in the U.S. How far behind we are in security varies by company, but most places are more lax than we would hope,” adds Bell. “However far behind we think we are compared to cyber-criminals, we’re probably even farther behind.”