by Anthony Watson

Cyber security is job number one, says Barclays CIO

Jan 13, 2014 · 10 mins

Financial Services Industry · IT Leadership · IT Strategy

London truly is the most amazing city on the planet to ring in the New Year. I love the fact that hundreds of thousands of people from around the world descend on the British capital to celebrate the dawn of 2014 and new beginnings!

As we enter 2014, I will personally look back on 2013 with great fondness; in a lot of ways 2013 was a great year. However, the same cannot be said for the technology industry as a whole, and the United States technology industry in particular. From the NSA leaks and Orwellian revelations, to Yahoo’s cloud email outages (which are still lingering), to the Target Corporation incident two weeks ago where 40 million credit and debit card identities were compromised and stolen, and then on December 31, when it was reported that hackers stole 4.6 million phone numbers and usernames from Snapchat, 2013 actually was a pretty brutal year for the promise of technology to better our society.

In a recent interview with The New York Times Vinton Cerf and Robert Kahn, arguably the co-creators of the modern internet, described the NSA spying scandal as a “global threat to privacy and the internet itself”.

The actions of the NSA are going to see revitalised demands to change the way the internet is governed, globally. Governments that do not favour the free flow of information, in particular foreign governments – especially if information flows through systems designed by Americans – will, I suspect, call for the internet to be regulated in a way that would Balkanize it. This will significantly curtail free and open access to all; a sad and terrible consequence.

For the most part, I believe that the internet should remain independent of all state control. I am a proponent of the idea of network neutrality — the principle that internet service providers should enable access to all content and applications, regardless of the source.

Whilst global internet governance is obviously more critical in the medium to long term, it will literally take years to reach a global consensus. In the short term however, the Target incident in particular is truly worrying and shows the US has a long way to go in order to catch up with the rest of the western world, in particular Europe, in terms of combating retail credit and debit card fraud.

The Target Corporation, the US’s third largest retailer, revealed in a press release on December 19, 2013, that credit and debit card data from over 40 million customers had been compromised and stolen sometime between November 27 and December 15, 2013.

This is the second largest public breach of personal credit and debit card data in US retail history and could potentially affect one in four Americans. The largest single breach of credit and debit card data in US retail history involved the TJX group of companies (parent company of TJ Maxx, Winners, HomeGoods, HomeSense, TK Maxx and Marshalls), back in July 2005, when the data of nearly 90 million credit and debit cards was compromised and stolen.

Target’s response to its customers? It offered a 10 per cent discount for shopping over the weekend of December 21-22, 2013, and, for those customers whose cards were actually compromised, it offered credit monitoring for a year. A surprisingly weak response, to say the least.

As Target now tries to repair its battered reputation it will be hit by a swell of lawsuits (federal, state, civil and/or criminal) and regulatory fines, all alleging negligence in handling and managing customer data and that, as a result, the retailer should be liable for significant monetary damages. Target is also bracing itself for lawsuits from major banks, which have had to handle claims – and associated costs – from their customers whose cards were compromised. Then there’s also the obvious added cost of assuring that its infrastructure is now secure – a process that will take months to complete fully. I suspect Target’s total liabilities due to this fiasco will be counted not in the millions, but the billions.

So just how big is the fraud? How many were affected? And how did it happen?

First, it is unclear just how many consumers actually had their cards compromised and used before their banks had a chance to cancel them. But you can be sure it is significant. Target confirmed that hackers gained access to customer names, card numbers, expiration dates and CVV security codes. Various news sites and blogs from around the world have been reporting that the credit and debit card accounts stolen in the Target data breach have been flooding underground black card markets, apparently selling in batches of one million cards, and going for asking prices of more than $100 per card.

Back in 2006, following the TJX breach, American Express, Discover Card, JCB, MasterCard and Visa formed the Payment Card Industry Council to oversee the new PCI Data Security Standard.

Disclosure: Barclaycard US – one of the top five issuers of credit cards in the US – is a wholly owned division of Barclays and is a member of the PCI.

In basic terms, the PCI DSS defines how organisations secure and manage cardholder information.

Importantly, it does not assess compliance itself, nor do organisations report their compliance to the PCI. Enforcement of organisation compliance is managed by the individual payment brands such as Visa or MasterCard. Target, like many other retailers, pays to be assessed and accredited annually by hiring one of only a handful of firms in the US that are certified to perform PCI assessments, to ensure the organisation is operating to agreed PCI DSS standards and requirements.

There are lots of theories for how the breach actually happened. Working for Barclays, one of the largest universal banks and credit card issuers in the world, I have significant experience in building, provisioning, supporting and protecting complex and large scale enterprise technology platforms – such as global credit card platforms – that service the needs of tens of millions of customers daily. Even though information is limited at this time (and rightly so), I do have my own theories of how this incident occurred. While the TJX breach was carried out by one lone person who gained access to unsecured back office systems, the Target fraud is, I believe, on a whole different scale.

First, assume that Target is in full compliance with PCI DSS. The standard dictates that Target would be required to encrypt all customer data, in transit and/or at rest, and then segment that data, meaning properly encrypted data would be useless to the thieves.

Secondly, from what we currently know, the breach didn’t affect its e-commerce operations, only its physical stores.

Thirdly, if wireless transmission data was encrypted between the point-of-sale (“POS”) terminal and the wireless router, intercepting the personally identifiable information must have happened elsewhere in the processing chain. This strongly suggests that attackers gained access to information that was snatched directly from the physical POS terminals and not via its back end systems. To my mind this is undoubtedly a “skimming” scam, where thieves capture magnetic stripe data from customers swiping their cards as they complete their purchases at POS terminals. How did they capture the actual data? Well, that’s still conjecture at this point. Most likely the thieves hacked in remotely to the POS terminals located in stores, most probably exploiting vulnerabilities in their built-in web servers, or, less likely, they added a small device – possibly a chip with a transmitter – directly to the POS terminals. Either of these techniques is particularly smart as there would be no need to penetrate and subvert the company’s back end systems. They would then just capture the data in real time, making this one of the most sophisticated and highly coordinated retail frauds ever committed. Not sophisticated in the sense that the technology used by the thieves is new, complex or even impressive, but sophisticated in the sense of the sweeping nature of the fraud across multiple states and in thousands of stores. To carry out an attack of this magnitude during the holiday season is extremely difficult and would require almost laser precision across a whole network of devices and locations. I suspect in the final analysis we will learn that this was an insider job.
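The two preceding points turn on one detail: if cardholder data is encrypted or tokenised everywhere it is stored, logged or transmitted, a skimmer sitting on the terminal has nothing useful to capture. A check a PCI assessor or a store's own operations team would want is therefore a scanner that flags cleartext magnetic-stripe data (track 2 records, or bare card numbers) wherever POS software writes it. The script below is an added example, not code from the column or from Barclays or Target; the log lines are constructed, the test card numbers are industry test values, and the log format is assumed. It validates candidate card numbers with the Luhn check so that timestamps and transaction ids do not trip it, and it masks every number it reports so the scanner's own output does not become another leak.

```python
import re
from dataclasses import dataclass

# Track 2 layout as written on a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
# A bare 13-19 digit run not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out timestamps, ids and other numeric noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str        # "track2" (full stripe record) or "pan" (bare card number)
    masked_pan: str


def scan_lines(lines):
    """Return a Finding for each log line that carries cleartext cardholder data."""
    findings = []
    for n, line in enumerate(lines, start=1):
        t = TRACK2_RE.search(line)
        if t and luhn_ok(t["pan"]):
            findings.append(Finding(n, "track2", mask(t["pan"])))
            continue  # the track record already covers the PAN on this line
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "pan", mask(m.group(1))))
    return findings


# Constructed sample POS log (hypothetical format); PANs are public test numbers.
SAMPLE_LOG = [
    "2013-12-15T10:02:11 pos07 swipe ;5500000000000004=2512101000000000?",        # raw track 2
    "2013-12-15T10:02:12 pos07 auth token=tok_7f3a masked=550000******0004 amt=42.17",  # tokenised: clean
    "2013-12-15T10:02:13 pos07 debug pan=4111111111111112",                          # fails Luhn: ignored
    "2013-12-15T10:02:14 pos07 debug pan=4111111111111111 exp=2512",                 # bare cleartext PAN
]


def scan_sample():
    return scan_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
```

The scanner is meant to run over debug logs, crash dumps and memory snapshots from terminals and store servers as part of regular PCI evidence gathering; any hit is a finding in its own right, because under PCI DSS no such data should be present in cleartext regardless of whether it has been exfiltrated. Luhn filtering removes most numeric noise but not all of it, so hits on long transaction ids should be reviewed rather than auto-escalated.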

But it does not end there – it gets worse. According to reports it took less than 24 hours for fraudsters to try to profit from the confusion caused by the original fraud. Many consumers received an email that looked genuine – in fact the text was identical to the message posted on Target’s own website. The hackers sent an email that mimicked the retailer’s warning to customers about the credit and debit card breach and then directed the recipient to a fake website where the user was encouraged to enter their information. However, upon closer inspection it was a phishing scam designed to steal even more personal information.

Unfortunately, for 2014 the retailer’s “Big Target” logo has a whole new meaning.

Target deserves some slight praise for the speed at which it has acted. When the TJX breach took place in 2005, it took TJX until 2007 – almost two years after the incident – to publicly admit the fraud. Target, by contrast, took just four days. Impressive, by any standards.

However, it’s so easy to pin all the blame on Target. The US card industry, and by extension US retailers and consumers alike, have a much bigger problem. The credit and debit cards used in the US all have magnetic stripes (50-year-old technology, first prototyped by IBM in the early 1960s). These old fashioned and outdated magnetic stripes make fraud so much easier for the bad guys. Data encrypted on microchips has been used here in Europe and other parts of the world for years. We at Barclays created a product called PayTag – an industry first. PayTag is a handy little Near Field Communication-enabled sticker that can turn any mobile phone into a new way to make contactless payments in seconds, so consumers don’t need to fumble with cash or use their card. Unfortunately, the US lags way behind most of the western world when it comes to payments, making it a haven for black market hackers. Encrypted microchips, products like PayTag and other NFC technologies are by no means silver-bullet solutions, or indeed the only solutions on the market, but the US card industry needs to significantly up its game if it is going to protect retailers and consumers against this type of fraud in the future.

With all that said, it’s not all bad news for Target – if you’re an investor. The retailer is trading significantly undervalued, at $39.99B (market capitalisation). It opened on January 1, 2014 at $62.57. During the day’s session, Target traded between $62.50 and $63.80, with the trailing 52-week range being $58.01 to $73.50. This means Target shares are currently priced at 17.30x this year’s forecasted earnings, which makes them relatively inexpensive compared to the industry’s 28.34x earnings multiple for the same period.

Update: On January 10 Target revealed that up to 70 million customers had personal data stolen and not 40 million as first estimated – a full 30 million more. In addition to the 70 million customers, a further 40 million payment card numbers were reported stolen, taking the total figure to a possible 110 million – about a third of the US population. Further, it is now known that these thieves did indeed hack into the physical POS terminals, where they stole customer data in real time, in all 1,797 Target stores, in exactly the manner in which I first described on January 1, 2014.

About the author:

Anthony Watson is Managing Director & Chief Information Officer of Europe Middle East Retail & Business Banking and Global Operations at Barclays Bank PLC. He tweets from @AnthonyWatson

Anthony Watson is currently number 6 in the CIO 100.