Retailers battle for data security but who’s winning the war?

Let’s ask the question everyone’s thinking but no one says out loud. Is real data security just a myth? An urban legend? A fairy tale that parents tell children at bedtime that ends with… happily ever after”?

Given the massive data breaches that are causing a lot of sleepless nights for retailers like Target, Neiman Marcus, Michaels and even Marriott Hotels, it’s getting easier to believe in Cinderella than in cybersecurity.

The nightmarish theft at Target that compromised information on more than 70 million customers, could cost the chain upwards of $1 billion in fees for litigation, replacement of stolen cards, fines from payment card companies, and merchandise losses, security experts say. But this may be the tip of a very large iceberg.

The Leaky App

Cybercriminals are not only getting into store systems, but also consumers’ mobile devices through “leaky” apps that spew out a wealth of personal information, according to investigations by British Intelligence and the National Security Agency. In fact, Malware, targeting mobile devices, is one of the fastest-growing cottage industries, increasing over 600% in 2013 alone.

Overall, retailing is in an arms race with a sophisticated, mobile and highly-motivated criminal element that may be shielded by the countries — or corrupt officials — in which they operate.

How many of us have even heard of Aleksei Alexseyevitch Belan, one of his 10 aliases? He is a Latvian-born Russian citizen, an expert computer engineer and software programmer, who could be in Russia, Greece, Latvia or the Maldives. He may or may not wear eyeglasses and his hair is either brown, red or blonde. He allegedly got into the networks of three major e-commerce companies in California and Nevada, stealing encrypted data from millions of accounts.

How about a Pakistani national named Farhan Arshad for international telecommunications hacking, or Salvadoran Carlos Perez-Melara who ran a nifty little website that offered customers a way to catch a cheating lover, then installed spyware on their computers to steal identities and personal information.

Bugs for Sale

They are all part of a new global pandemic, a cybercrime underground where professionals and amateurs trade and sell bugs and viruses like baseball cards. There are actually Russian credit card online forums devoted to information sharing by hackers. We may never know who hacked Target, but you can bet these people do. And thanks to them, the black market for stolen data increased twentyfold after the Target breach, according to Easy Solutions, a company that tracks fraud.

One source jokingly suggested sending SEAL teams or mercenaries into Eastern Europe and Russia to deal with these people up close and personal. But that would be wrong — wouldn’t it?

The unfortunate truth is that everyone is vulnerable. Even the venerable Coca-Cola Company, whose penchant for secrecy and security is legendary, had personal information on 70,000 employees compromised because data on laptops stolen by a former employee hadn’t been encrypted as required by company policy.

And how embarrassing is it that in January 2014, hackers accessed financial information on companies that were bidding for contracts from the Department of Homeland Security?

The list goes on. Over the past year, 621 data breaches have been confirmed and 24% occurred in retail environments and restaurants, according to the 2013 Data Breach Investigations Report by Verizon. Even worse, it took months for most of them to be discovered.

About 52% of these breaches were done by hacking, but 76% involved attacks against networks, and 40% were traced to Malware. In a sign of the times, Verizon also found that 29% involved social tactics like phishing.

Paying Ransom

One new tool of choice against consumers is “ransomware.” Criminals break into consumers’ computers, encrypting all data and essentially locking people out of their own systems until a ransom is paid via a prepaid cash card.

Not every incident is quite as sophisticated. A new scam uncovered by the FBI attacks small businesses. While one thief goes in a store to purchase goods with a stolen credit or debit card, another climbs on the roof and uses tin foil to jam satellite signals from the retailer’s credit card companies. Shockingly low-tech, but it works.

Aside from criminals, the ones benefitting most from these activities are insurance companies like AIG which has seen a 30% increase in cyber insurance policies. This is a new growth industry since only about 31% of US companies have cyber insurance, according to Experian. However, these are custom policies and because insurance companies don’t have any historical data on risks, premiums are through the stratosphere.

The worst thing companies can do is waste time playing the blame game. Target is now claiming that the theft resulted from electronic credentials that were stolen from vendors. One has to wonder if this could be a setback to the already tenuous collaborative planning and information sharing between retailers and manufacturers.

Throwing fuel on the fire, the US Secret Service, which is leading the Target investigation, said the malware used in the incident was known to security experts for over a year. Moreover, some in security believe that previous incidents against smaller retailers were tests and the successful attack on Target will embolden criminals to up the ante.

Recently, the National Retail Federation sent a letter to the Independent Community Bankers of America (ICBA) laying the blame for data breaches at Target and Neiman Marcus on the financial services industry. ICBA returned fire, telling the organization that retailers need to get their own house in order by adopting new security solutions.

Public/Private Partnership

With this in mind, the Retail Industry Leaders Association (RILA), has launched a Cybersecurity and Data Privacy Initiative in an effort to bring the public and private sectors together. It is centered on three major elements:

1. Strengthening overall cyber- security through the formation of a retail leaders council, development of a federal data breach notification system, and federal legislation to promote information sharing mechanisms.
2. Improving payments security by eliminating mag stripe technology and promoting pin and chip-based smartcards.
3. Addressing consumer privacy with different shopping options and describing in detail how retail data is being used and protected.

This is a nice wish list although the latter could throw a fly in the ointment since, by its very nature; information on cyber- security measures shouldn’t really be made public.

Not to be outdone, Attorney General Eric Holder said the Justice Department has launched its own 120-day probe into the Target theft and how to fight cybertheft, a move which no doubt struck fear into the hearts of the international criminal community — after they stopped laughing.

With all due respect, history has taught us that law enforcement is good at busting down doors after the fact. But preventive measures must come from the industry and its trading partners.

Planning for the Worst

As such, the best defense for both companies and consumers, according to security experts, is to simply assume you are being breached 24/7. Suggestions include:

• Global, vendor-driven “bug bounty” programs which reward researchers for reporting and coordinating the patching of flaws.
• An international vulnerability purchase program (IVPP), under which major software vendors would purchase all of the known vulnerabilities at prices well above what even the black market is willing to pay.
• Instituting basic security procedures for routinely-collected data like email and mailing addresses, names and phone numbers.
• Changing encryption algorithms to protect payment information from “brute force attacks” or what’s commonly described as high-speed guessing on computers.
• Warning customers immediately after a suspected data breach and make sure they’re aware of the possibility of fraudulent emails asking for more personal data.
• Eliminating unnecessary data from computer systems.
• Collecting and sharing incident data with law enforcement, other retailers, and supply chain partners in order to detect problems faster.
• Adopting custom solutions. There is no such thing as a one-size-fits all security system.
• Controlling or limiting access by system administrators and other personnel.
• Adopting multi-layered security procedures so employees don’t accidentally compromise the data.

Author and visionary H.G Wells once said that if we don’t end war, war will end us.