Friday, December 27, 2013

What The Target Data Breach Tells Us About Credit Processing Flaws

Don’t let Target fool you; the breach of magnetic stripe information from 40 million U.S. credit and debit cards, including debit PINs protected with breakable encryption, is a very big deal. The company’s crisis response has focused on regaining consumer confidence by convincing people that they are protected against fraud. It’s a legal confidence game, one in which the entire retail and financial services industries conspire to instill a sense of security where there is none. They want you to believe that they have our backs and will protect us from fraud. Do so at your own peril.

I don’t know what irritates me more, that we as consumers are so gullible as to place much of our financial health in the hands of companies built solely to extract as much wealth as possible from us or that the credit card data breach was predicted, repeated, and completely avoidable. Ignorance rules on both sides, and the consumer bears the majority of the expense.

The idea that the consumer is protected from fraud is almost laughable. While banks that issue credit cards do have anti-fraud algorithms that attempt to determine whether incoming charges are legitimate, those algorithms offer very limited protection. For example, one card I have almost always gives me problems when traveling, and usually just when I’m trying to pump gas. I reason that this is probably because travelers don’t usually have vehicles with them that need gas. 

Too many people believe that those algorithms will be more effective. This reasoning prevents us from asking the most basic questions. After convincing my mother to contact her bank about charges at Target, her bank stated that “she will not be liable for any fraud.” Target President and CEO Gregg Steinhafel suggested the same in this statement from Target: “You will not be responsible for fraudulent charges—either your bank or Target have that responsibility.” Both organizations are completely correct. By law, consumers are not liable for any fraudulent activities conducted using stolen credit card information. 

We need to be careful not to get a warm-and-fuzzy feeling about fraud protection offered by banks and retail organizations. The question we as consumers should ask is, “Who’s responsible for detecting the fraud?” An appropriate follow-up is then, “How much time do we get to detect credit card fraud?” Consumers who used their plastic at Target during this holiday shopping season face a sobering reality when answering those questions: 1) The consumer is responsible; 2) Sometimes we get as little as 30 days from the statement date to alert the bank of potential fraud. We rarely ask those questions, content in believing that it’s in these companies best interests to protect us. The U.S. Federal Trade Commission (FTC) provides this nice site to highlight specific protections and steps that consumers should take to defend themselves against fraud. 

Target does a good job of educating consumers amidst its “your protected” crisis management campaign. In Steinhafel’s statement, he says: “You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports.” In other words, Target isn’t going to help you identify the fraud that it would probably be held liable for. Instead, consumers are responsible for reviewing their usage activity for misuse. That makes sense, but consider this: fraud as a result of this data breach can occur at any time, sometimes years after the card number was even stolen. It’s our responsibility as consumers to always review our statements for fraud and report it as soon as we can. Target and our banks will do almost nothing to assist. Doing so isn't really in their best interest.

Also, don’t fall for the “credit monitoring” shell game. The Target data breach is not an identity theft situation and claiming that it is only serves to perpetuate the belief that we have no control over the situation, forcing us into a false sense of dependence.

What companies don’t want us to know is that this whole breach didn’t need to happen. Yes, Target is a victim of a criminal act, but it’s one that the banking and retail industries make far too easy to commit. The technology and techniques exist today to prevent much of these types of crimes, but depend on a will to implement. 

Chip-and-PIN, a smart card standard used by much of the world outside of the U.S., is a popular option being discussed in the press. NPR did this recent piece in which Brian Krebs, the security blogger that broke the Target story in this posting, explains that Chip-and-PIN technology increases the exploitation costs. Increasing the cost reduces the overall return, naturally pushing hackers to target more high-profile victims. That’s the main benefit that Chip-and-PIN provides.

However, Chip-and-PIN is vulnerable to potential man-in-the-middle and replay attacks due to its dependence on the endpoint systems that enable the card to validate a PIN number entered to unlock the card data for transmission. Since end-users would have to install new hardware and software to make this payment system work, it's open to all of the same types of malware attacks that other payment systems are susceptible to. Yes, stealing card information from a Chip-and-PIN payment mechanism is harder than simply stealing the credit card number, but I'm convinced that hackers would quickly develop automated attacks once more U.S. consumers begin installing the necessary software on vulnerable systems.

I would suggest instead that we look for innovative new ways to collect payment information that minimize hardware dependence and that eliminate the hacker's ability to cause long-term damage from a single consumer transaction. 

In past years, I would make frequent use of "virtual account numbers" offered through some banks. I could load an app or special web site to generate a "one-time use" credit card number for any purchase. If a hacker were to gain access to the number, either by infiltrating the transaction stream or through a vulnerable merchant database, my bank would immediately reject any nefarious charges as invalid. The system worked great for online shopping, but it was probably a bit too technical for most users and inconvenient for brick-and-mortar shopping. My credit cards eventually stopped supporting it.

Applying one-time password technologies at the card level, like those employed by SecurID and Digipass tokens used to access protected company networks, could solve both problems. With those technologies, the credit card number would frequently change based on time and the serial number of the card itself. The serial number represents a piece of shared information that the bank is able to use to determine the card number at any time, essentially replicating the advantages of the virtual account number within the card itself. With a numerical display on the card itself, consumers could even use it for online commerce. This is technology that exists today, but given that it probably wouldn't work with the current magnetic stripe systems that U.S. merchants use, it would face the same expensive infrastructure changes that have stymied Chip-and-PIN rollouts in the U.S. It would also at least double card replacement costs, making it a great deal less desirable to card issuers.

A reasonable transition mechanism may be found in the technologies that enable Two-Step Verification (2SV) for online authentication. I've discussed 2SV weaknesses in the past, explaining how they fail to represent a second factor needed to enable Two Factor Authentication (2FA). However, applying mechanisms such as mobile phone verification to credit card usage would represent a true second factor in a shopping context that could greatly enhance credit card security. 

I would envision a risk-based purchase verification technique for when a consumer uses a card at a new merchant or for an unusual value. Doing so would trigger a verification via SMS/text messaging or an app to allow the charge to proceed. Alternatively, when a consumer uses a credit card to make a purchase, an app could generate a one-time use PIN that the consumer must input into the payment terminal or as a field in an online purchase. This would cause the credit card to act more like a debit card, employing infrastructure already in use by merchants. It wouldn't be as secure as a one-time use credit card number, but it would largely eliminate the value that the credit card number would have by itself. Banks could also implement this approach in a much shorter timeframe and at lower cost than one-time use credit card numbers, but then leverage it for future Chip-and-PIN deployments.

The Target data breach should not have happened. After the analysis is complete, I'm confident that Target will be able to provide more detail as to the nature of the breach, whether it was due to malware that infected the Point-of-Sale (POS) systems or to some other architectural problem within the Target credit card processing infrastructure. The more that the company discloses, the better the retail industry will be able to protect consumer credit card information in the future. But, data breaches like this one are the result of a fundamental flaw in how credit works; credit card numbers are too static and the attack surface against them too broad. If there is any good news, it's that the technology and processes exist today to better protect consumers from harm.

Now, it's up to the banks to invest in what's needed to implement the necessary enhancements. I'm not very confident that will happen. So, it's back to reviewing statements every month for me.