Ask the Experts: Assessing the Cost of Security Breaches
Posted by: John S Kiernan
High-stakes hacking has been a major theme for American businesses in 2014. The recent wave of data breaches at popular retailers has made consumers more aware — and warier — of the very real threat that their sensitive financial information could easily slip into criminal hands.
In the past year-plus, hackers have infiltrated the payment systems of several big-name retailers — most notably Target in late 2013 and, most recently, Home Depot — accessing credit and debit card data for more than 100 million consumers. Other recognizable names that suffered smaller breaches include Neiman Marcus, P.F. Chang’s, Michaels and Supervalu.
Financial Information Insecurity
Much of the shock associated with data breaches has worn off: consumers have returned to patronizing previously hacked retailers, which, along with financial institutions, are responding with beefed-up security measures. Still, many wonder how safe their financial information is and whether these emerging threats will eventually bring a cost to their own wallets.
“Perfect security is a myth,” said Mike Whitman, Director of the Center for Information Security Education at Kennesaw State University.
All of the security experts WalletHub consulted agreed. “No enterprise is 100 percent immune to data breaches,” said Amos Olagunju, a professor of computer science and information technology at St. Cloud State University. “All enterprises ought to have operationally defined security policies and procedures,” and the lack of them is exactly what led to the Target breach and others.
Experts also acknowledged that the retailer attacks during the past holiday shopping season showed an advanced level of technical ability. With hackers constantly learning how to bypass security, businesses will need to keep up with system upgrades, which come with costs that typically get passed on to consumers in the form of higher prices for goods and services.
But consumers needn’t worry too much. They don’t have to concern themselves with any unauthorized transactions that hackers rack up on their accounts, as credit cards — and to a lesser extent, debit cards — guarantee zero liability for such charges. Provided that consumers also apply common-sense safeguards to their financial information, such as changing login credentials on a regular basis or downloading antivirus software for their computers, identity theft shouldn’t be too big of a problem.
Looking to the Future
In the wake of the breaches, retailers, financial institutions and the federal government have kept busy beefing up security measures. Businesses have implemented improved encryption systems, set up call centers and employed credit-monitoring services — significant unbudgeted expenses costing tens of millions of dollars but offset by insurance reimbursements for those who were hacked.
Card issuers such as J.P. Morgan Chase and Capital One, which shoulder the heaviest burden of protecting consumers, responded initially to the breaches by reissuing cards, and they have also continuously monitored customers’ accounts for any signs of fraud and identity theft, the fastest-growing crime in America.
The most sweeping action, however, came from the White House. On Oct. 17, President Obama signed an Executive Order for the BuySecure Initiative to speed up the transition to more sophisticated payment technologies, prevent identity theft and discuss best cybersecurity practices with stakeholders.
By January 2015, a raft of policy changes, including the switch to microchip and PIN technology and the rollout of payment terminals that accept it, will be implemented. The federal government, Wal-Mart, Walgreens, and of course Home Depot and Target will be participating in the national effort. But the credit card networks, including American Express, MasterCard and Visa, are the powers fueling the transformation.
Recently, many banks have also begun experimenting with more sophisticated ATM technology, such as fingerprint account access and advanced software protection. This is in response to a forthcoming shift in tactics among financial criminals, according to Wade Chumney, assistant professor of business ethics and law at Georgia Tech University.
“In the future it is likely that attacks may focus more on the software that runs the ATM, as this provides greater potential rewards for the thief, and potentially less risk,” he said. “While future security will still focus on physical attacks, by implementing new hardened designs, they will also feature security that is less obvious to the user, as in the software utilized to run the device.”
However strong a fight merchants and banks put up against cybercriminals — through encryption, credit monitoring or advanced hardware — their efforts face new obstacles every day. Policy hurdles must be overcome, consensus among industry stakeholders must be reached, and technology that outpaces rapidly evolving criminal endeavors must be developed. “The protection of personal information calls for joint efforts from consumers, corporations and government,” Olagunju said. “All have a role to play in ensuring data protection.”
Ask the Experts
What are the lasting lessons from the recent string of high-profile data breaches?
What needs to be done to ensure that our personal information is better protected in the future?
Amos Olagunju
Professor of Computer Science and Information Technology, St. Cloud State University
What are the lasting lessons from the recent string of high-profile data breaches?
No enterprise is one hundred percent immune to data breaches. All enterprises ought to have operationally defined security policies and procedures. Security plans that have no clearly defined security auditing and testing procedures are meaningless. Periodic testing, auditing, and updating security mechanisms are crucial to overcoming security breaches. Enterprises should scrutinize all database-enabled web-based applications for their immunity to server-side and cross-site scripting attacks. No operating systems and applications should be configured to execute any program on a mission-critical system without authenticating its signature. Security managers of enterprises might need retraining to become at least as smart as the hackers.
What needs to be done to ensure that our personal information is better protected in the future?
Enterprises ought to implement layers of security defenses with network and host computer intrusion detection systems. The need exists to have automated systems to collect and correlate all intrusions in the log files detected by various intrusion detection systems, and alert security managers in real time. All mission-critical systems of enterprises should implement smart intrusion detection systems that are capable of prying open all inbound packets, and denying risky ones.
All personal information in the databases of enterprises and smartcards should be encrypted. Unfortunately, the enemies of security that work inside any organization are difficult to detect. Consequently, employees should be granted access to vital data in databases based on their roles. The logs of accesses to data and applications should be regularly reviewed.
Sherly Abraham
Program Director for IT and Cyber Security, School of Business and Technology, Excelsior College
What are the lasting lessons from the recent string of high-profile data breaches?
The recent data breaches at Target and Neiman Marcus emphasize the importance of being proactive and not just reactive in information security protection. The recent data breaches targeted point-of-sale systems, and there were alerts generated earlier in the year by VISA in regard to an increase in memory-scraping malware. A lot of security breach exploits have a history of being discovered months prior to being manifested at a large scale. Being proactive in the security environment is key for large retailers, banks and other institutions. Recent sources suggest that the attack at Target originated with an HVAC firm that did business with the retailer. Organizations need to have strict policies in place for third-party vendors connecting to their networks and need to be actively monitoring networks and hosts for anomalous behavior. Finally, the recent breaches just reiterate that attackers are actively on the lookout and can infiltrate networks from the least expected entry points. Therefore, organizations cannot afford to be only reactive anymore.
What needs to be done to ensure that our personal information is better protected in the future?
The protection of personal information calls for joint efforts from consumers, corporations and government. All have a role to play in ensuring data protection. Although it is not possible to have a completely secure environment, some basic and important steps can go a long way in preventing data breaches and identity theft. From the consumer perspective, credit monitoring, two-factor authentication, anti-virus, encrypting data, changing login passwords on a regular basis and reporting fraudulent activity are some basic steps. From the corporate perspective, it is important to know the enemy and be extremely proactive, as attacks can occur via the least expected avenues. Employees need to be trained, and it is important to have a layered approach to security. Basically, corporations need to have both offensive and defensive security technologies. Also, skilled security staff in the organization is pivotal in keeping the security environment healthy. Finally, the Government plays a key role in identifying and implementing the needed Cybersecurity protection laws. It is also important to ensure that the laws are enforced.
Mike Whitman
Director of the Center for Information Security Education and Professor of Information Systems at Kennesaw State University, Coles College of Business
What are the lasting lessons from the recent string of high-profile data breaches?
We live in an era where data breaches are not an IF, they’re a WHEN. Perfect security is a myth. Any organization, any individual can be the target of a data breach. The level of sophistication shown in each of these breaches indicates ‘professional hackers’: individuals or groups who were able to breach these businesses’ systems and extract data. The Target and Neiman Marcus attacks in particular showed a very advanced level of technical ability, with, in the case of Target, a custom malware attack bypassing industry-standard security systems. The Michaels attack has been attributed to Ukrainian hackers, and is generally considered less sophisticated than the others.
With the level of sophistication of modern information systems, it is almost impossible to completely secure them. What is important is to establish layers of protection (defense in depth), including not only technical security mechanisms but also mitigation controls, such as an effective incident response plan. Both Target and Neiman Marcus have been very proactive and cooperative with law enforcement and their customers in notifications and efforts in loss management.
The key to effective response is early notification. After the Egghead.com fiasco in 2000, organizations have been more honest and forthcoming in notifying consumers of potential data breaches. In 2000, the ‘clicks and mortar’ store Egghead.com delayed notification of a massive data breach, and denied any such loss until several weeks after it occurred. The resulting loss of confidence in the store contributed to its eventual bankruptcy, with a major part of its infrastructure sold off to other online and commercial vendors.
As Target has indicated that their breach originated from legitimate credentials stolen from one of their vendors, the attacks highlight the issue of securing not just your systems, but those of supply chain partners and any stakeholders connected to your systems.
What needs to be done to ensure that our personal information is better protected in the future?
If you are notified of a potential data breach at an organization where you do business, notify your payment card issuer immediately to shut down those accounts and have a new card issued. Payment card vendors have become quite proficient at processing these types of claims, and will work closely with you to determine if any fraudulent activity has occurred on your account.
Avoid the use of debit cards at point-of-sale systems wherever possible. Credit cards have a built-in layer of protection, as they are not tied directly to your bank accounts. I personally use one credit card for recurring purchases, such as automated payments to service providers, and a different card for online and store purchases, minimizing the amount of hassle in obtaining replacement cards and resetting any automatic payments.
Become familiar with the data breach notification and resolution policies at the stores you shop at. This information should be available on the stores’ web sites. Know how much of a loss you are responsible for, and how much the store will cover.
Scrutinize your payment card statements when received. Do not hesitate to contact the card issuer if you see any suspicious activity.
Regularly request and review your credit reports. The Fair Credit Reporting Act permits consumers to obtain a free copy of their credit report once a year from each of the three major credit reporting agencies - Equifax, Experian, TransUnion.
For more information on obtaining your free credit report visit www.fdic.gov and search on Consumer Response Center.
Mark Ciampa
Assistant Professor of Computer Information Systems, Western Kentucky University
What are the lasting lessons from the recent string of high-profile data breaches?
Regarding your questions, there are several lasting lessons from the recent data breaches. First, organizations must be more proactive in creating an environment to defend against attacks. The Target breach started with a third-party contractor who was responsible for the renovation and installation of new refrigeration systems at Target. These refrigeration systems are connected to a network and can be monitored and managed remotely by the contractor. Target gave the contractor access to its network in order to perform this oversight. Attackers targeted the contractor and stole the login credentials that then allowed the attackers to access the Target network. Once on the network the attackers could launch their attack by downloading malware onto Target's point-of-sale terminals. The contractor made a serious mistake by not protecting those credentials. Target made a serious mistake by not segmenting its network so that financial functions like collecting customer credit card and personal information would be separate from functions like refrigeration control.
A second lesson is for users to remember that information security should not be viewed as a war to be won or lost. Just as crime such as burglary can never be completely eradicated, neither can attacks against technology devices. The goal is not a complete victory but instead maintaining equilibrium: as attackers take advantage of a weakness in a defense then the defenders must respond with an improved defense. Information security is an endless cycle between attacker and defender. Users must constantly be vigilant.
A third lesson is our need to provide practical security awareness training in elementary, secondary, and higher education environments. Since the release of Microsoft Windows XP Service Pack 2 users have been asked to make technical security decisions regarding their personal computers. Yet there has been no significant means by which this information is provided. Educational institutions need to make practical security awareness training a requirement for all students today, not just those majoring in IT. Numerous studies throughout the years have provided strong evidence for the need for this training. Yet as an educator in IT my students at the freshman and sophomore levels say they have never received this training, and practical security awareness training is always one of their top interests when asked what they want to learn. Until we educate we can't expect change.
Manos Antonakakis
Assistant Professor of Electrical and Computer Engineering, Georgia Institute of Technology
What needs to be done to ensure that our personal information is better protected in the future?
Companies need to focus on how they can minimize the lifetime of the threat in their network. This means that we need to significantly improve our network-level detection capabilities. Trying to prevent sophisticated threats is simply an unachievable and unrealistic goal.
Karim Noujaim
Chief Investment Officer at QBank Group
What are the lasting lessons from the recent string of high-profile data breaches?
Opportunistic attacks in the previous decade, preying on targets with little or no protection, have given way to advanced, persistent and focused cyber-attacks.
Organized crime has become fully conscious of this and has focused its interest on fraud, theft and online spying, most of the time with a pecuniary objective.
97% of organizations have been compromised, 75% of compromised organizations were subject of remote control by attackers, possibly to exfiltrate data. (Source: FireEye / Mandiant Cybersecurity MAGINOT'S LINE report).
The strategic dimension is also targeted (military advantage, economic influence), even if it is not directly related to Target and Neiman Marcus. In this area, too, methods are changing, with asymmetric methods giving the advantage to players with more limited means.
What needs to be done to ensure that our personal information is better protected in the future?
Increase the maturity of public and private organizations in terms of cyber security (on a scale of 1 to 4, level 4 is the ability to manage the business risk in an integrated and global manner, which requires an ambitious transition plan).
Forget for a moment the technological solutions and return to basic principles: security is a process, not a product.
Improve the perception of safety in daily operations, systematically incorporating ergonomics, communication and cultural aspects into the security mechanisms.
Rich Mogull
Analyst & CEO, Securosis
What are the lasting lessons from the recent string of high-profile data breaches?
It is long past time to get off of magnetic stripes and move to chip and PIN. While chip and PIN isn’t a panacea, it makes these kinds of breaches on this scale far more difficult.
What needs to be done to ensure that our personal information is better protected in the future?
Chip and PIN for one. And we do see some retailers moving towards tokenization to reduce the likelihood of similar events (and reduce their PCI assessment costs), but we don’t know if that would have helped Target until we know more.
Zachary Peterson
Assistant Professor of Computer Science, California Polytechnic State University
What are the lasting lessons from the recent string of high-profile data breaches?
Attacks are getting more sophisticated, and pervasive, and deployed at scale; the immediate use of compromised cards showed that this wasn’t just a prank or egotistical act, but an attack clearly designed to defraud a large number of institutions and customers.
Even with large security breaches, consumers are only slightly inconvenienced, and the breaches may not have a lasting effect on their consuming habits or security behaviors; this is, perhaps, expected, as consumers don’t have much economic incentive to change. Instead, merchants and banks, who largely are left holding the bag, may now be reaching a level of intolerance with respect to outdated technologies and security practices. Said another way, we may be at the economic tipping point where it makes sense to spend money on securing credit and debit transactions.
What needs to be done to ensure that our personal information is better protected in the future?
At a minimum, enforce, and have evaluated, existing security policies. Krebs’ claim that an HVAC contractor was able to gain access to the POS systems is a violation of fundamental secure system practices — simple principles that I teach in my undergraduate computer security course. My understanding is that this, if true, was a failure to implement existing standards put in place by the payment card industry.
Looking a little farther into the future, it will be important to increase public awareness and help consumers develop defensive attitudes toward the use of sensitive information. This is an uphill battle, though. Users almost always opt for convenience over security, and quickly become frustrated and move away from (or worse, circumvent) intrusive security measures.
Instead, those who have a more substantial economic interest in preventing these attacks (i.e. merchants and banks) need to incentivize the adoption of easy-to-use and effective security measures. This may include the need to replace the mag-stripe payment card system, which is woefully vulnerable, and frankly, anachronistic, with more secure standards. Given the claims that these attacks have affected nearly 1/2 of the American population (reports of 100M consumers affected!), this may be a great time to consider adopting new and better systems for payment systems.
Wade M. Chumney
Assistant Professor of Business Ethics and Law, Scheller College of Business, Georgia Institute of Technology
Banks are experimenting with new ATM features, such as the ability to get exact change, pay credit card bills, and access your accounts via fingerprint. How do you expect such features to be received? What will the average ATM be able to do 5 or 10 years from now?
Modern society expects such technological developments to be integrated in their daily lives. Look at the developments in the cell phone industry in the last 5 to 10 years and you can see the terrific pace of innovation. One thing to be cognizant of is the regulatory environment—laws can be enacted that significantly alter projected developments in ATM features. Additionally, jurisdictional issues may allow some features to be present in one country but not in another. Given the uncertainty of this critical issue, one cannot predict with certainty what features will be present on ATMs in the near future. Some likely candidates include: the ability to make credit card and loan payments, dispensing various bill denominations, and eliminating the use of paper waste with emailed receipts. One feature that is already rolling out is videoconferencing with a live teller via the ATM. Additionally, the likelihood of cell phones with near-field communications (NFC) capability will likely allow individuals to interact with ATMs without a bank card. Generally speaking, the younger the customer, the more likely they are to utilize these features. This is obviously the result of the ubiquitous nature of technology embedded in the culture within which they have been raised. Older generations may require more time to feel secure utilizing these features.
To what extent do ATMs with video conferencing capabilities enable banks to lower costs while giving customers the face-to-face customer service they desire?
Estimates vary, but there are certainly cost savings to be had in this scenario. Some estimates put the cost of an ATM transaction at about 50 times cheaper than that of a branch transaction. Another estimate states that banks could reduce costs by as much as 80% per transaction by having customers utilize an ATM as opposed to a traditional branch. Generally speaking, the younger the customer, the more likely they are to utilize the video conferencing capabilities. This is obviously the result of the ubiquitous nature of technology embedded in the culture within which they have been raised. Older generations may require more time to feel secure utilizing this feature.
What types of security advancements can we expect from future generations of ATMs?
Traditional ATM security has focused on the prevention of physical attacks. Increased surveillance and physical hardening have increased security in this area. In the future it is likely that attacks may focus more on the software that runs the ATM, as this provides greater potential rewards for the thief, and potentially less risk. While future security will still focus on physical attacks, by implementing new hardened designs, they will also feature security that is less obvious to the user, as in the software utilized to run the device.
Do banks typically relay the cost of investing in new infrastructure, such as cutting-edge ATMs, to customers in the form of higher fees?
It can generally be assumed that such costs will be passed on to consumers in the form of higher fees. Of course, there are factors that can counter this assumption, such as competition for market share. Another likely scenario would be for banks to allow advertising to appear on these updated ATMs, thereby eliminating the issue of passing on costs altogether.