Data Breach Trends - Mary Monahan, Javelin Strategy & Research
This is the message from Mary Monahan, Managing Partner and Research Director at Javelin Strategy & Research. In a discussion of current data breach trends, Monahan touches upon:
Monahan has 10 years of financial services industry experience. Her banking background includes extensive managerial experience working with growth businesses, strategizing and implementing cross-sectional financial plans to accommodate multiple projective scenarios. As a college educator, Ms. Monahan's work focused on current issues in accounting and economics.
Javelin, based in the San Francisco Bay area, provides direction on key facts and forces that materially determine the success of customer-facing financial services, payments and security initiatives.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about data breach trends, and we're talking with Mary Monahan, Managing Partner and Research Director with Javelin Strategy and Research. Mary, thanks so much for joining me today.
MARY MONAHAN: Thank you for inviting me.
FIELD: Mary, what data breach trends have you noted so far in 2009? I know this is something that Javelin pays a lot of attention to.
MONAHAN: Fraudsters are definitely taking advantage of website vulnerabilities. This is a common trend that they have been taking advantage of these website vulnerabilities and then identifying them over and over and over again to download package sniffers, open back doors, and off-load credit and debit card information. That is definitely a trend that we did see at the beginning of 2008, but it is up in 2009.
FIELD: Well, how would you say that the breaches are trending different, if at all, this year from last year? Are there more, are there fewer, are they different?
MONAHAN: What we are seeing is the criminals are moving up the food chain. They are going after -- last year we saw them at the restaurants; this year they are at the processor, the restaurant processor. So they are definitely moving up the food chain. The Heartland breach with 130 million credit and debit cards is a lot bigger breach. So they are taking what they are learning at the smaller breaches and moving up that food chain. Using the same types of messages, but refining them as they go along, so last year where we might have been able to find that package sniffer, now they are learning to erase traces of the sniffer on their computer program.
FIELD: So clearly they are getting smarter and they are aiming higher?
FIELD: It begs the question: What is next on the food chain? As you say, we saw sort of the restaurants and the institutions targeted last year; this year you see Heartland. What would the next logical targets be?
MONAHAN: Well, I would think the next logical target, if they could get in, would be the card networks. That is where they are aiming. That is where the largest amount of data would be, so that is where they are headed.
FIELD: So it always comes back to the old adage about bank robberies: You go there because that is where the money is.
MONAHAN: Exactly. And what we are also seeing, and this will be new, is that because there is so much data being stolen that they are going to have to kind of change. We see them changing their target. So because there are so much credit and debit card numbers out there that this data is becoming less valuable. So they are going to start targeting other types of information.
FIELD: Interesting. So they are devaluing their own work?
MONAHAN: Exactly, and so what we will begin seeing, we believe, is more targeted pin thefts. So they have learned how to decrypt PINs we saw, and now they are going to be targeting, we think, more pin thefts.
FIELD: Not specific to banking and banking institutions, what are the types of things that the institutions need to watch out for this year?
MONAHAN: Well that is just what I was explaining, the pin theft is going to be big I think, so they are going to have to watch out for that. Be much more careful teaching their customers to guard their PINs. They are also going to have to be looking at, we saw with, we also saw Reader Act where it has recently happened with 5 million consumers so with a financial institute, and so we have to be careful about those as well. So we have to make sure that we are looking at things like EBSSL, you know and then teaching consumers to look for EBSSL as well because we seen that SSL is easily broken. So we are really at Javelin we're really encouraging financial institutions to set the bar high and to go with EBSSL now.
FIELD: Now for those that might not know what you meant when we are talking about redirect Mary, could you explain that, please?
MONAHAN: Well, where the consumer thinks that they are at the bank site, but they are actually redirected to a site and this is where it happens, they are actually redirected, they were at bill payment site and they were redirected to a site in the Ukraine and it was actually the criminal site. So they were stealing their information as they logged on to their bank site, what they thought was their bill payment site.
FIELD: So it sounds like what you are saying is one the institutions need to up the ante on the security measures that they are offering, but two it sounds like you are also saying, they've got to increase the awareness that they are offering to customers?
MONAHAN: Yeah, it's a two-pronged approach. I mean banks, financial institutions are going to have to be very, very stringent and they tend to be so, but they are also going to have to include educational efforts from the consumer end as well. Phishing we've seen has worked in the past and now redirects, we are going to have to use both sides operating together as well as using what ever we can to fight these criminals, because they are getting more and more sophisticated, and their websites are looking more and more like the real thing. So we're going to have to work together to bring them down.
FIELD: Now the same question regarding government agencies. We saw a massive denial of service attack over the 4th of July weekend. What are the things that government agencies need to be looking out for in terms of breaches and risks of breaches?
MONAHAN: One of things that we've seen at a lot at Javelin is that there has been -- it sounds almost intuitive, but we've seen a lot of breaches happening in the government level where information is being taken off site or by third parties and even just in thumb drives or anything coming offsite, and this information isn't encrypted and it's lost or stolen and then they've got all this data. So just protecting information that is going offsite or that's in third party hands for the government is very important. Getting away from the social security number as much as possible when they don't need to use it, you know if it's just being used for identification often times when it doesn't need to be used. If it is for payment or payroll, or something like that it does need to be used, but many times we're using the social security number for identification. We need to get away from that, and we see that educational institutions that used to use the social security number are now moving away from that, but we still see breaches happening. Same thing with banks that have been using it for identification are moving away from that, and the government also needs to move away from that for identification purposes. There is absolutely no need, and many times people are collecting it -- I went to a doctor's office, and they asked me for it, and there is no need for it for identification. There is absolutely no need for it. That type of information can be used to open new accounts, and that is the hardest type of fraud to detect. So, you know we really have to get away from that.
FIELD: Mary, given what you know, what breach trends do you think you are going to be tracking as we go into 2010?
MONAHAN: Well, we want to see what's going to happen, if there is going to be any increase in insider breaches because of the economy. We are interested in just seeing if that has any affect. Curious as to what other breaches are out there that we don't know about that may come out in the next few months. So I still think there are a lot of breaches out there that we don't know about, so we are going to be tracking that trend, I think, into 2010. As you see, many of the breaches that are coming out this year happened back in 2007, 2008, and so I think the breaches that are going to be coming out in 2010 are actually going on right now.
FIELD: Yeah, it's fair to assume that nobody has retired and they are living off what they've done in 2008 and 7?
MONAHAN: That's true ,and I think many of these breaches, what's interesting is how long they can go on without being detected.
FIELD: Now you mentioned the insider threat, and I'm curious at Javelin, have you detected an increase in insider breaches this year?
MONAHAN: We haven't detected it this year, but that's were wondering about for next year because we are thinking that with the economy that individuals may be more likely because they are losing jobs, they may have less loyalty to their company if they know they are going to be losing their jobs. So we are interested in tracking that trend.
FIELD: Mary, one last question for you. For organizations that are concerned about breaches and are concerned about what you were saying about the fraudsters getting better and their mechanisms harder to detect: What advice to give them to protect themselves, whether they are merchants or they're institutions or government agencies even?
MONAHAN: Well, I think the best advice is that they need to concentrate on their own security. They can't be doing a security theatre type operation where they are trying to get maybe PCI approval and being PCI compliant for just the day that they get the approval. They need to keep systems in place and be even more secure then minimum requirements. So it's going to be ongoing battle, and it's a day to day battle, so right now we know that there is a special vulnerability in websites. That is the way that they are getting in. And if they are getting in through the websites, then we need to be looking at your website coding, making sure your payment applications are up to date, and are compliant. That's probably going to be the best way to keep these criminals out at the moment.
FIELD: So in other words, just because you are secure today doesn't mean you're secure tomorrow, and you've got to be vigilant?
MONAHAN: No they are always going to get in a different way. You've got to stay vigilant and always keep all the doors locked.
FIELD: Very good, Mary, I thank you so much for your time and your insights today. It's always a pleasure to hear what you are looking at Javelin.
MONAHAN: Well, thanks a lot Tom. I really appreciate the opportunity to talk to you as well.
FIELD: We've been talking to Mary Monahan, Managing Partner and Research Director with Javelin Strategy and Research. For Information Security Media Group, I'm Tom Field. Thank you very much.