News of the Global Payments Inc. data breach rippled across mainstream Web sites in recent weeks, reawakening consumer and industry concerns about the risk to millions when criminals expose sensitive data.
“It’s clear the fraud problem is not going away, and major breaches are not slowing up like we were sort of hoping,” says Mike Urban, director of financial crimes solutions at Fiserv Inc. He was referring to a lull in major data breaches during portions of 2010 and 2011.
The payment industry over the past few years has made progress in protecting data against major breaches after the massive Heartland Payment Systems Inc. breach in 2008, Urban notes. “But after Heartland, last year we had the Sony breach, and now this one, which proves this problem is ongoing.”
Moreover, “while really large breaches are still taking place, a lot of little data breaches have continued, and all evidence suggests those too are escalating,” he says.
The resulting consumer backlash and erosion of trust in payment cards is difficult to estimate, but some believe each major breach undermines perceptions of payment systems’ integrity, which hurts adoption and use.
“This breach is not an isolated incident and will cement the idea in many consumers’ minds that credit cards are, in some sense, untrustworthy,” Terence Spies, chief technology officer at Cupertino, Calif.-based Voltage Security Inc., tells ISO&Agent Weekly via email.
Global Payments’ breach seems particularly “tragic,” Spies says, “because most of the industry has been working hard on building security and encryption that will make these kinds of breaches much, much less frequent. In this case, it looks like an attacker found a point where those measures were not being employed.”
What is the risk to cardholders whose data were exposed?
Global Payments on March 31 said criminals stole only “Track 2” magnetic stripe card data, including cardholder account numbers. The thieves did not get cardholders’ names, addresses and Social Security numbers, the processor said.
In the past, “criminals have used such data to purchase (typically high-value) goods online, had them shipped to a third party, who then forwarded the shipment on to the real destination, usually in another country,” Andrew Brandt, director of threat research for Solera Networks Research Labs, tells ISO&Agent Weekly via e-mail.
“The third-party shippers usually believe they are engaged in some sort of ‘work-at-home’ scheme, unaware of the criminal activity,” he says. “The goods can then be sold, and the criminal pockets the proceeds.”
Criminals also abuse card data when they “sign up the user for some sort of service which incurs a small monthly charge,” Brandt says. “The charges are typically low enough to fall under the threshold for fraud detection–for some time, at least–but in volumes that can earn the criminals a lot of money. As cardholders begin calling banks to complain about the charges, the fraud investigation then will identify the charges, but sometimes they aren’t detected for some time.”
“And if physical goods or products exchange hands as a result of the fraud, the losses usually end up in the laps of the business(es) that sold the goods or products. ... The retailers are the largest potential victims here,” Brandt says.
Sometimes, criminals may not take immediate action with stolen card data.
“The oversaturation of black markets with stolen credit cards has reduced the value of pilfered cards,” Brian Contos, customer security strategist and senior director, Vertical and Emerging Market Solutions, McAfee Inc., tells ISO&Agent Weekly via email.
As a result, it seems likely that “many cybercrime organizations are sitting on stores of stolen credit card information awaiting the improvement of market conditions before they sell them,” Contos suggests.
And if an organization has not yet detected a breach, “in many of these cases, it is likely that nobody is aware that those credit cards have been compromised,” he adds.
For issuers, the cost of reassuring customers and responding to potential losses will become an administrative headache, Spies says.
“Most people will be at least thinking of checking recent transactions on their credit cards in the wake of this breach,” he says.
Financial institutions “generally take the brunt” of card-fraud losses, Urban notes. “They will make their customers whole, but the very broad publicity about these breaches hurts reputations,” he says.
The Global Payments breach underscores the need for the U.S. to embrace the EMV standard without delay, at least one chip card proponent contends.
U.S. adoption of the chip card technology would not prevent such breaches, but it would make such capers a lot less worthwhile to thieves, Randy Vanderhoof, executive director of the Smart Card Alliance, tells ISO&Agent Weekly. The alliance advocates the switch to chip card payments.
EMV adoption “devalues the transaction data by introducing a dynamic data element,” so if criminals intercept such sensitive account data they would be unable to create counterfeit cards with the information, he says.
Processors would not have to store such mag-stripe card data if they adopt EMV technology, and the lure of such readily cloned data would greatly diminish, Vanderhoof says.
“If there is no mag-stripe data stored inside the secured processor or merchant point-of-sale system, why would hackers make the effort to break into it?” he asks.
Indeed, processors still would need to handle sensitive personal-account data associated with EMV transactions, such as names and account numbers, “but there would not be enough data stored for an EMV transaction to create a fully functioning cloned copy of a payment card,” Vanderhoof says.
Vanderhoof says Global Payments’ breach should be a wake-up call to industry participants that are on the fence about EMV.