Beyond TJX: Bracing for the Next Big Breach
Risk Management and Customer Education are Banking Institutions' Best Defenses
More breaches, say industry and security experts, who urge banking/security leaders to focus now on two critical areas:
"It's not a matter of if, but a matter of when," says Dave Kennedy, Principal and Practice Lead of Profiling and e-Discovery at SecureState, a Cleveland, OH information security and risk assessment firm. "Until there are more of these systematic breaches hitting financial institutions, it's not likely that security will improve at some of these banks."
Attacking the Problem
The increasing sophistication and organized nature of the hackers troubles Steven Jones, director of information security at Synovus Financial Corp., a Columbus, GA-based banking entity with $34 billion in assets. "It's always been somewhat of an arms race, where defense in depth and awareness are key mitigating factors," Jones says. "Banking regulations are pretty clear regarding due diligence of risk management practices of third-party services providers." It's important that institutions have formal procedures in place to assess and monitor providers' security practices regularly and to include these provisions in service contracts, he adds.
"The fact is this is a global problem that could easily visit you in your own backyard," says Tom Wills, Senior Analyst, Risk, Security, Fraud and Compliance at Javelin Strategy, the San Francisco, CA-based financial services research firm. "The attackers are smart and persistent."
There is much to lose, both from the financial institution's perspective and from the customer's view. "Financial institutions can experience significant damage to their bottom line and share prices from loss of business and customers, lawsuits and regulatory fines, and possible negative press coverage if the institution is ever implicated in a data breach," Wills notes. He adds that for every time the bad guys get caught "there are many more where they don't -- and many that are never disclosed despite data breach laws now in 38 states."
The Department of Justice indictments are proof of what industry researchers such as Aite Group have already quantified: Fraud is a growing problem, and the industry and individual institutions should be very concerned. In surveys conducted earlier this year, Aite Group found debit card fraud was viewed as a large area of concern, second only to check fraud, says Eva Weber, an Aite Group analyst. Based on the survey responses, debit cards are considered "important" or "extremely important" components of overall fraud losses today by 62 percent of respondents. Within three years, that share is expected to rise to 69 percent.
Retailers and institutions alike need to assess the security weaknesses in their systems and know where the real dangers lurk. Current economic concerns are squeezing IT budgets. As a result, hard-to-get budget dollars are better spent on the highest threats and risk areas.
These breaches highlight the need for financial institutions to have a more comprehensive and enterprise-wide view of activity in order to better manage fraud. "Many institutions have point solutions for various elements of fraud detection, but fraudsters are always evolving their tactics, and institutions must also be able to adapt," Weber says. Fraudsters are exploring new ways to compromise the increasing number of customer interaction channels such as mobile banking and other technology-based solutions.
Recommended solutions include testing of network and physical security through external third-party audits, as well as a layered security approach with behavior-based intrusion detection and prevention in place. "The problem with the TJX and Office Max breaches was they went on undetected for a very long time while they were compromised and didn't have anything in place to detect a breach when it happened," Kennedy says.
Stephen Katz, former CISO at Citibank and Merrill Lynch, says it comes down to a simple problem that is highly solvable. His suggestion of a data-centric model for financial institutions to follow is also highlighted by Forrester analysts as a viable approach to data protection. "Protect the data, no matter where it is, no matter where it is stored. I see encryption as the way to go," says Katz.
He uses the analogy of a homeowner who may or may not have an alarm system installed. "Most people don't put a safe in their house until they are robbed," Katz says. Alarm systems are good; they may alert the owner or law enforcement to an intrusion. "But if that homeowner is really concerned about the 'crown jewels,' they install a safe. By encrypting the customer's information, it renders it useless to whatever criminal has taken it."
Dealing with Data Loss
Fresh in the memories of many institutions is the TJX breach that broke in January 2007. This single breach, with a record 45 million accounts compromised, had many banks and credit unions answering a flood of customer questions and soothing the wrath of customers when they were informed their bank or credit union credit cards had to be reissued.
"Banks do bear the brunt of customer discontent regarding stolen cards and identity," says Synovus' Jones. "Banks and credit unions also have a considerable amount of responsibility for 'Know Your Customer' (KYC) and consumer awareness. Many of these cards are co-branded and issued through the institutions."
Because the customer's relationship is usually with the institution, "it's only natural that they would hear these complaints first hand," Jones says. "Without shifting the blame, it's important that institutions continue to reinforce the basic principles of security awareness, both in terms of what the institution is doing for them and what the consumer can do for themselves."
While institutions are educating their customers about the scams and the different ways they can spot a fraudulent inquiry about their information, customers also need reassurance that their institution stands behind them, says Doug Johnson, Senior Policy Analyst at the American Bankers Association. "The bottom line is a customer needs to know that if a crime is committed against them through their institution, their bank will make them whole." Some inconvenience may result, and customers need to realize that, but they will be made whole, Johnson emphasizes. He also points out that reminding all customers to monitor and manage their accounts, checking balances and transactions regularly, helps spot fraudulent transactions.
After a breach occurs, whether at an institution or at a retailer, Javelin's Wills recommends institutions remember the essential thing at stake: the customers' trust. "No customer is going to be happy to find out their personal information has been compromised, and since it's the financial institution who issued them the card or bank account in the first place, customers hold them in a special position of trust," Wills says. Be honest with them, he advises. "If an institution comes clean with them and offers appropriate services, e.g. identity theft remediation, credit monitoring, etc., customers will generally be more forgiving than if an institution tries to sweep things under the carpet (the worst possible strategy)."
The immediate future isn't bright for institutions, businesses and retailers, as security experts see more systematic breaches occurring across the country in large, high-value targets. Strengthening the security of all retail and financial institutions is key to stopping future breaches, says Viveca Ware, director of payments policy at the Independent Community Bankers Association. "Any process is only as strong as the weakest link. Every commerce stakeholder - retailers, payments networks, third-party payments processors, financial institutions, and cardholders - must be committed to embracing the policies, practices and technologies necessary to protect transaction data and timely response to risks as identified."
This may require more push for mandatory encryption from banking regulators and the Payment Card Industry, says Katz. He's not a fan of more regulation, but he sees the need to require encryption and points to TJX as an example. "Retailers such as TJX are still trying to do as little as possible because they face such thin profit margins," Katz says. "They've got to wake up and realize they're facing the same trust issues as institutions." If the retail industry (and the financial services industry) wants people to shop and bank online, and wants them to use credit cards, "they will have to take the next step and protect the digital consumer and their information," he says.