With many questions surrounding the early March breach at Global Payments, what steps should card issuers take now to ensure they protect their brand images and don't injure their customers' and members' trust?
The breach, which is believed to have exposed card data on about 1.5 million debit and credit accounts, has put card-issuing institutions on alert, and now those institutions should be taking steps to help their customers and members mitigate fraud risks.
ID theft expert Neal O'Farrell, founder of the ID Theft Council, says all banking institutions, even those that don't issue cards, need to warn retail and commercial accountholders about phishing and other socially engineered attacks that could emerge as a result of the breach.
"A data breach like this is a good reminder to kick your awareness into high gear again," O'Farrell says in an interview with BankInfoSecurity's Tracy Kitten (transcript below).
"The only good really to come out of this is that it's just a wake-up call that you really do have a role to play in protecting your own identity, no matter what other people are doing," O'Farrell adds.
The Global Payments breach will no doubt erode consumer confidence, but it offers an opportunity for consumers to think more about their ID theft protection and account security. "Are they taking precautions?" O'Farrell asks. "Are they monitoring their credit reports? And are they being careful about who they share their information with?"
During this interview, O'Farrell discusses:
- Steps banks and credit unions can take now to limit ID theft risks;
- Why PCI compliance is not a cure-all;
- The positive educational steps that can come out of a breach.
Once described as one of the world's top 20 security experts, O'Farrell was the driving force behind a number of national security awareness initiatives, including Think Security First, a non-profit partnership between Chambers of Commerce and cities across the country to improve cybersecurity education at a community level. Over his 25-year security career, O'Farrell has worked as a security advisor to financial organizations, governments, the military and Fortune 500 firms around the world. O'Farrell is a board member of the Center for Information Security Awareness and recently created the first course and certificate program to be endorsed by the FBI/InfraGard to provide free security awareness training to the nation's 26 small-business owners and their employees. He also was the first security expert to train an entire police department in identity-theft awareness. The program has since been used by more than 200 police departments and police academies, as well as the FBI, the Department of Motor Vehicles and U.S. Attorney's Office.
Global Payments Breach
TRACY KITTEN: Before we get started, I'd like for you to give our audience a little background about the breach. We've just found out about this breach so information is still a bit sketchy at this point, but what do you know about the breach and the resulting financial fraud?
NEAL O'FARRELL: From what we can tell so far, this could be a big breach. Although no one's really saying too much so far, we're hearing reports that as many as 10 million cards could be involved, and we're also hearing that it may primarily be focused on commercial credit and debit cards, as opposed to consumer personal cards, which may kind of sway the attack a little bit.
KITTEN: What does this tell us about the lack of PCI compliance?
O'FARRELL: I think it tells us what we've known all along about PCI. PCI is a great first step, but it's not an absolute. It really doesn't guarantee much except that your security is probably better than it was before PCI. But we know from these attacks and these attackers that there are so many vulnerabilities to be exploited that PCI is absolutely no guarantee that you're going to be able to keep them out.
What to Tell Customers
KITTEN: What should banking institutions be telling their customers now?
O'FARRELL: I think the first thing they should do - and I'm always counseling this - is get in ahead of it. Don't wait until a couple of days or a couple of weeks before you announce it, because consumers are going to start reading about it already. Get out there in front of the story, let them know exactly what the facts are, that their cards are not affected or, if they are affected, what they can expect. In particular, start warning about phishing and social engineering attempts, because we know from previous attacks that even if a consumer's card is not affected by this breach, scammers will still use the story to launch phishing scams and social engineering scams to trick consumers with an e-mail, for example, into responding in some way believing that they were actually affected by it.
KITTEN: That's a great point and it's a nice segue to my next question, which is, what actions should consumers be taking?
O'FARRELL: Well, I always try to find the positive in data breaches, and although there's not an awful lot, except it keeps the data breach response industry in business, it's a great learning tool. It's a great learning exercise. It's a great clarity call that you're supposed to be vigilant, in a way, all the time. A data breach like this is a good reminder to kick your awareness into high gear again. Check your statements, even if you don't think you're affected by this breach. It's a good excuse to check your own statements. Check your credit reports. Just be very, very aware of any e-mails or phone calls that you get in connection with this or any other breach that may ask you for information you really shouldn't be providing.
KITTEN: Based on the sketchy details that we have at this point about this particular breach, what could you tell us about the warning signs and what should we be heeding?
O'FARRELL: For the consumer, probably the first sign that they're going to detect is that there's something unusual on the card, their payments or transactions that are not theirs. Unfortunately, most consumers only find those out a little bit too late at the end of the month, if they even bother checking their statement. As far as the scams around it, if they start receiving e-mails from credit card companies or from any other organization in relation to the breach asking them to click on anything or respond to anything, that is always a tell-tale sign that they're being played. No reputable financial institution will or should be asking consumers to respond by providing any kind of information. If you receive anything other than an e-mail warning you that it has happened and that further information will follow, I would be very suspicious. If you also get an 800 number to call, I would say call the 800 number on the website of that financial institution first. Don't rely on any information that you're going to get from an e-mail.
As far as the credit card process is concerned, who knows what the early warning signs are. I mean obviously the transaction behavior is going to be the first thing that they will spot, and normally at that time it's far too late because in this hack it appears, as with many hacks, it's an outsider taking advantage of poor administrative controls, particularly weak passwords. If you have administrative controls, you can hide your behavior for a lot longer than an external hack.
ID Theft Concerns
KITTEN: In closing, Neal, what are the ID theft protections and concerns?
O'FARRELL: The most obvious again is the impact on consumer confidence and small business confidence too, if it turns out these were primarily commercial cards. We've had an average of one data breach every single day for the last five years, and that's just the reported breaches; who knows how many more are not reported or not detected. But every single breach, and especially the massive, highly publicized ones, they erode consumer confidence. They make people wonder, "Well, if the biggest organizations can't hang on to their information, who can?" That just harms e-commerce and banking generally, but as I mentioned earlier, this is a great opportunity for consumers to think more about their identity. Are they taking precautions? Are they monitoring their credit reports? And are they being careful about who they share their information with? The only good really to come out of this is that it's just a wake-up call that you really do have a role to play in protecting your own identity, no matter what other people are doing.