Cyber security is job number one, says Barclays CIO

London truly is the most amazing city on the planet to ring in the New Year. I love the fact that hundreds of thousands of people from around the world descend on the British capital to celebrate the dawn of 2014 and new beginnings!

As we enter 2014, I will personally look back on 2013 with great fondness; in a lot of ways 2013 was a great year. However the same cannot be said for the technology industry as a whole, and the United States technology industry in particular. Between the NSA leaks and Orwellian revelations, to healthcare.gov mishaps, Yahoo’s cloud email outages (which are still lingering), to the Target Corporation incident two weeks ago where 40 million credit and debit card identities were compromised and stolen, and then on December 31, when it was reported that hackers stole 4.6 million phone numbers and usernames from Snapchat, 2013 actually was a pretty brutal year for the promise of technology to better our society.

In a recent interview with The New York Times, Vinton Cerf and Robert Kahn, arguably the co-creators of the modern internet, described the NSA spying scandal as a “global threat to privacy and the internet itself”.

The actions of the NSA are going to see revitalised demands to change the way the internet is governed, globally. Governments that do not favour the free flow of information, in particular foreign governments – especially if information flows through systems designed by Americans – will, I suspect, call for the internet to be regulated in a way that would Balkanize it. This will significantly curtail free and open access to all; a sad and terrible consequence.

For the most part, I believe that the internet should remain independent of all state control. I am a proponent of the idea of network neutrality — the principle that internet service providers should enable access to all content and applications, regardless of the source.

Whilst global internet governance is obviously more critical in the medium to long term, it will literally take years to reach a global consensus. In the short term however, the Target incident in particular is truly worrying and shows the US has a long way to go in order to catch up with the rest of the western world, in particular Europe, in terms of combating retail credit and debit card fraud.

The Target Corporation, the US’s third largest retailer, revealed in a press release on December 19, 2013, that credit and debit card data from over 40 million customers had been compromised and stolen sometime between November 27 and December 15, 2013.

This is the second largest public breach of personal credit and debit card data in US retail history and could potentially affect one in four Americans. The largest single breach of credit and debit card data in US retail history involved the TJX group of companies (parent company of TJ Maxx, Winners, HomeGoods, HomeSense, TK Maxx and Marshalls), back in July 2005, when the data of nearly 90 million credit and debit cards was compromised and stolen.

Target's response to its customers? It offered a 10 per cent discount for shopping over the weekend of December 21-22, 2013, and, for those customers whose cards were actually compromised, it offered credit monitoring for a year. A surprisingly weak response, to say the least.

As Target now tries to repair its battered reputation it will be hit by a swell of lawsuits (federal, state, civil and/or criminal) and regulatory fines, all alleging negligence in handling and managing customer data and that, as a result, the retailer should be liable for significant monetary damages. Target is also bracing itself for lawsuits from major banks, which have had to handle claims – and associated costs – from their customers whose cards were compromised. Then there’s also the obvious added cost of assuring that its infrastructure is now secure – a process that will take months to complete fully. I suspect Target’s total liabilities due to this fiasco will be counted not in the millions, but the billions.

So just how big is the fraud? How many were affected? And how did it happen?

First, it is unclear just how many consumers actually had their cards compromised and used before their banks had a chance to cancel them. But you can be sure it is significant. Target confirmed that hackers gained access to customer names, card numbers, expiration dates and CVV security codes. Various news sites and blogs from around the world have been reporting that the credit and debit card accounts stolen in the Target data breach have been flooding underground black card markets, apparently selling in batches of one million cards, and going for asking prices of more than $100 per card.

Back in 2006, following the TJX breach, American Express, Discover Card, JCB, MasterCard and Visa formed the Payment Card Industry Council to oversee the new PCI Data Security Standard.

Disclosure: Barclaycard US – one of the top five issuers of credit cards in the US – is a wholly owned division of Barclays and is a member of the PCI.  

In basic terms, the PCI DSS defines how organisations secure and manage cardholder information.

Importantly, it does not assess compliance itself, nor do organisations report their compliance to the PCI. Enforcement of organisation compliance is managed by the individual payment brands such as Visa or MasterCard. Target, among many other retailers, pays to be assessed and accredited annually by hiring one of only a handful of firms in the US that are certified to perform and certify PCI compliance, to ensure the respective organisations are operating to agreed PCI DSS standards and requirements.

There are lots of theories for how the breach actually happened. Working for Barclays, one of the largest universal banks and credit card issuers in the world, I have significant experience in building, provisioning, supporting and protecting complex and large scale enterprise technology platforms – such as global credit card platforms – that service the needs of tens of millions of customers daily. Even though information is limited at this time (and rightly so), I do have my own theories of how this incident occurred. While the TJX breach was carried out by one lone person who gained access to unsecured back office systems, the Target fraud is, I believe, on a whole different scale.

First, assume that Target is in full compliance with PCI DSS. The standard dictates that Target would be required to encrypt all customer data, in transit and/or at rest, and then segment said data, meaning properly encrypted data would be useless to the thieves.

Secondly, from what we currently know, the breach didn't affect its e-commerce operations, only its physical stores.

Thirdly, if wireless transmission data was encrypted between the point-of-sale (“POS”) terminal and the wireless router, intercepting the personally identifiable information must have happened elsewhere in the processing chain. This strongly suggests that attackers gained access to information that was snatched directly from the physical POS terminals and not via its back-end systems. To my mind this is undoubtedly a “skimming” scam, where thieves capture magnetic stripe data from customers swiping their cards as they complete their purchases at POS terminals. How did they capture the actual data? Well, that’s still conjecture at this point. Most likely the thieves hacked in remotely to the POS terminals located in stores, most probably exploiting vulnerabilities in their built-in web servers, or, less likely, they added a small device – possibly a chip with a transmitter – directly to the POS terminals. Either of these techniques is particularly smart as there would be no need to penetrate and subvert the company’s back-end systems. They would then just capture the data in real time, making this one of the most sophisticated and highly coordinated retail frauds ever committed. Not sophisticated in the sense that the technology used by the thieves is new, complex or even impressive, but sophisticated in the sense of the sweeping nature of the fraud across multiple states and in thousands of stores. To carry out an attack of this magnitude during the holiday season is extremely difficult and would require almost laser precision across a whole network of devices and locations. I suspect in the final analysis we will learn that this was an insider job.
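The two technical claims above (PCI DSS requires cardholder data to be encrypted or not stored at all, and a skimming attack lives on the magnetic stripe track data captured at the terminal) suggest the check a defender actually runs: scan terminal logs, dumps and storage for cardholder data sitting in the clear. The following is an added example written for this article, not code from Barclays, Target or the PCI Council. It recognises track 1 and track 2 stripe layouts and bare primary account numbers, filters false positives with the Luhn mod-10 check every PAN passes, and reports each hit with the PAN masked to first six and last four as PCI DSS permits. The log lines, the `pos17`/`pos18` terminal names and the card numbers are constructed; `4111111111111111` and `5555555555554444` are the well-known public test numbers, not real accounts.

```python
"""Added example: find cardholder data stored in the clear (PCI DSS 3.x style check).

Not code from the article or any of the organisations it names; sample data is constructed.
"""
import re
from dataclasses import dataclass

# Magnetic stripe layouts as written on the card:
#   Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# A bare 13-19 digit run not bordered by other digits (a PAN leaked into a log field).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str  # first six and last four only, never the full PAN
    line_no: int


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every PAN passes; weeds out order references and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN the way PCI DSS allows it to be displayed: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per track-1, track-2 or bare-PAN occurrence, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        remaining = line
        # Full track data is the worst case: PCI DSS forbids storing it after authorisation.
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_valid(m.group(1)):
                    findings.append(Finding(kind, mask_pan(m.group(1)), line_no))
            remaining = rx.sub(" ", remaining)  # do not report the same PAN twice
        # Bare PANs elsewhere on the line (a log field, a debug print, a cache file).
        for m in PAN_RE.finditer(remaining):
            if luhn_valid(m.group(0)):
                findings.append(Finding("pan", mask_pan(m.group(0)), line_no))
    return findings


# Constructed terminal log: a harmless reference number, full track 1 and track 2
# captured at swipe time, a correctly masked stored record, and a PAN leaked into a log field.
SAMPLE_DUMP = """\
2013-12-02 14:03:11 pos17 sale approved amount=43.19 ref=1234567890123456
2013-12-02 14:03:11 pos17 swipe %B4111111111111111^DOE/JANE^14121010000000000?
2013-12-02 14:03:12 pos17 swipe ;4111111111111111=14121010000000000?
2013-12-02 14:03:12 pos17 stored 411111******1111 exp=12/14 token=a81f3c
2013-12-02 14:05:40 pos18 sale approved amount=12.00 ref=5555555555554444
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
```

Run against the constructed dump it flags line 2 (track 1), line 3 (track 2) and line 5 (a bare PAN in a reference field) and is silent on line 1, whose 16-digit reference fails Luhn, and on line 4, which stores only the masked PAN and a token. The same scanner run over a terminal's memory dump or file system is how a forensic team confirms whether a terminal was holding swipe data that could have been read out by a remote attacker.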

But it does not end there – it gets worse. According to reports it took less than 24 hours for fraudsters to try to profit from the confusion caused by the original fraud. Many consumers received an email that looked genuine – in fact the text was identical to the message posted on Target's own website. The hackers sent an email that mimicked the retailer’s warning to customers about the credit and debit card breach and then directed the recipient to a fake website where the user was encouraged to enter their information. On closer inspection, it was a phishing scam designed to steal even more personal information.