Payments security researchers today find themselves in an awkward position and it's retailers who have put them there.
When a researcher finds a security hole in a retailer's site or mobile app, the first priority is to alert the retailer so that the security hole can be patched. What happens, though, when the security hole is not patched? How long can the researcher allow the hole to exist, potentially allowing consumers and businesses to be financially injured by the hole?
The latest example of this struggle comes from Starbucks and a gift card hole that allowed thieves to enrich themselves at Starbucks customers' expense. Some of the issues: Do security researchers have the right to prove a security hole exists by using it to steal? Do retailers have an obligation to fix such holes?
The answers are not that simple. First, payments is a remarkably connected industry, so the actions, or inactions, of any major player can sharply impact others. When fraud happens, it impacts consumers, processors, other retailers and many other pieces of the payments jigsaw puzzle. Any retailer, Starbucks included, can't justify inaction by saying "It only impacts us, so it's no one else's business if we choose to do nothing."
That said, yes, every business has the right to make its own spending decisions, and if a retailer decides a problem doesn't rise to the top of its to-do list, it has the right to make that call. But it can't learn of a security hole, choose to ignore that security hole and then complain when it's made public in an attempt to pressure it to fix that hole.
This problem is made worse because many retailers don't make it very easy to report security problems. These chains also have a tendency to ignore security holes until they are indeed threatened with having the hole made public. A security researcher's obligation is to try to improve security. If a retailer ignores an issue, the researcher has two choices: be silent and let the security problem continue, or do something about it. And if researchers choose silence, are they in any way morally responsible for the damages that result?
The most difficult element of this is when a researcher is in a position where, to prove the existence of a hole, he/she must test it. And that can mean engaging in an illegal action. Consider: A researcher reports a bug and the retailer says "That's only a theoretical hole. We have many security defenses that would prevent a thief from actually stealing anything."
Should a researcher say "Okey dokey. Everything is fine then"? Or should they carefully and meticulously test the system? That's what the researcher did in the Starbucks case. The researcher, Egor Homakov, made sure that the amount taken was tiny, $1.70, and he immediately added money into his account to cover the loss "to make sure the US justice system will not put us in jail over $1.70," according to a detailed account of the test the researcher published.
Based on that account, it's clear that the researcher had no intention of defrauding Starbucks and he made sure to pay it back within seconds, just in case. I would say that Homakov's tactic (small amount, pay it back immediately) is the perfect model for security researchers to follow.
As for the "why do it at all?" question, the only way to establish if the retailer has some background security mechanism to prevent this fraud is to test it. If the retailer was actively working on a fix, that's different, but if the retailer goes silent, a professional security researcher can only wait so long.
In a perfect payments security world, retailers would routinely have their own IT talent, or a respected third party, constantly attempting to break in, so that security holes can be quickly discovered and patched. White hats is what they used to be called. But with cutbacks, few chains do this today. That makes it that much more critical that security researchers (and journalists, for that matter) carefully watch for security holes. Would you rather they be discovered by cyberthieves or terrorists, whose goals are very different?
By the way, where is law enforcement in all this? Homeland Security routinely sends undercover agents into airports to test security. The rationale is that they need to identify holes before the bad guys do. When was the last time you saw the Secret Service or the FBI using the same tactic to test payments security? They are entrusted with protecting payments systems just as Homeland Security is entrusted with protecting airports. Why the difference?
If you're a global terrorist intent on causing panic and undermining the U.S., what better way than to attack banks and processors and retailers and make Americans afraid to pay for anything other than with cash? That's the best way to attack the U.S. economy. If retailers don't pursue security proactively and if law enforcement also passes, it falls on security researchers to test and to sound the alarm. It's not the ideal way to protect payments, but until the more direct players do so, what choice do we have?
Evan Schuman is a reporter for PaymentsSource.