Too Many Targets! Why Target isn’t the only retailer poised for a breach.

Unless you have been living without a source for current news this week, you undoubtedly have heard the bad news about Target Corporation and how hackers breached the technological defenses and stole credit-card data for roughly 40 million customers.

target-midstoryThe media frenzy focused on Target Corporation has already spawned a dozen class-action lawsuits against the retailer. They all claim that Target was negligent in protecting their data that enabled hackers to steal information related to the credit-card accounts of 40 million shoppers.

As a consumer, and quite possibly one of those 40 million shoppers, I am always sympathetic to customers who suffer through identity theft. Unlike 99.9% of those 40 million customers, I am in the business of information security, privacy and cyberspace law and see the breach problem differently. Going after Target is a Band-Aid approach to solving the root cause which is where the focus of attention should be instead.

For some background, in the course of my career as a Chief Security & Privacy Officer many times over, I’ve had access, influence and insight into the technology driving thousands of retail, commerce-based and financial processing companies. While the size and exact scope of business varies from company to company, there are two (2) significant common denominators that have more to do with why data breaches occur so often. The first is Federal Laws and the second is the Payment Card Industry (PCI) Data Security Standards (DSS).

I’ll target the low lying fruit and start with Federal Laws. Well shoppers, good luck finding any laws specifically regulating credit card processing and the controls in place to protect consumers. As a consumer and a tax payer, this is so very disappointing.

Next, I going to share some dirty industry secrets that those 99.9% of shoppers I mentioned are unaware of through no fault of their own. The Payment Card Industry (PCI) Data Security Standards (DSS) or PCI for the layperson is simply a set of guidelines established by the credit card companies, specifically, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa.

All companies who process credit cards must adhere to the PCI data security standards and be subjected to regular audits. While this sounds pretty good I’m about to share some specifics about what it really means that will make you very afraid to shop anywhere in the United States using your credit card again.

Dirty Industry Secrets

  1. PCI is not driven, monitored, influenced or managed by the government, but by the same industry foxes guarding the proverbial hen-house.
  2. Only when a retailer exceeds the 6 Million credit card transactions a year threshold are they required to hire an independent external security assessment firm authorized by the PCI consortium to assess the company’s security controls. Everyone else has only to conduct self-assessments. Again it’s the foxes guarding the hen-house.
  3. The PCI certification is only as good as the honesty, integrity, and competence of the qualified security assessor (QSA) which in my experience is extremely subjective.
  4. The default encryption level required by PCI is an algorithm known as 3DES or TDES that was defeated in 2005. While there are more modern and faster encryption algorithms such as AES available, because PCI authorizes the use of this antiquated cipher which happens to be the default cipher for commerce solutions everywhere, we are all put at risk at virtually every location you use a credit card.
  5. When 99.7% of all businesses in the United States are considered small businesses and most of these companies are only required to complete self-assessments.
  6. There are no security certified, PCI certified or otherwise independently verified software solutions for retailers to choose from in the market today.
  7. Most SSL implementations are vulnerable to attack. Did you know that nearly 100% of all communications between you, your browser and the company you are connecting to over SSL is technically worthless in its ability to protect you? While a remedy is available known as Perfect Forward Secrecy (PFS), most companies conducting secure communications or secure financial processing are not using this technique. By the way, PFS is virtually free to implement.

I’ve been concerned about the weak business driven PCI standards and the lack of Federal regulations on the industries that handle our data for years and you can read more by following the links below. The Target Corporation breach is not a surprise to me and Target will not be the last for certain.

The good news is that while breaches will happen, there are a number of possible solutions we can implement quite easily that will indeed make a difference and go a long way to both protecting consumers and companies.

Solutions

First and foremost when considering a solution that actually protects consumers rather than protecting the credit card companies is to implement reasonable regulations for credit card processing industry. By requiring modern techniques and technologies we fundamentally stand a chance. Currently, we allow big business to regulate itself and if history teaches us anything, it’s a recipe for consumer disaster. This would obviously require a paradigm shift for both the public and the private sector that would require some bi-partisan work in Washington occur so I’m not holding my breath there.

Another solution, and a better one, is that the people concerned about security who work for or represent the vulnerable companies out there should implement stronger controls despite the minimums required by PCI. This does require some diligence but you can do it and you can make a difference!

Further Reading

[google_authorship]