Avivah Litan
VP Distinguished Analyst, Gartner Research (12 years at Gartner, 30 years in the IT industry)
A member of the Gartner Blog Network

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, and fraud detection and prevention applications.

Retailers Brace for the Holiday Breach Season

by Avivah Litan  |  November 19, 2014

Holiday shopping season is upon us, and it is the busiest season of the year for hackers and shoppers alike. 2014 will be no exception, and we should brace ourselves for more high-profile cyber-attacks, although this time they are likely to get much less public attention. Consumers have rightfully learned that they suffer little harm from payment card hacks.

So who does suffer?

Home Depot and Target, two big-box retailers that suffered two of the largest card breaches ever, just released rosy third-quarter financial results, which shows that consumers value attractively priced merchandise more than they do payment card security. Sales were up 2.8% at Target, Home Depot's U.S. same-store sales rose 5.8%, and neither breach seems to have had any noticeable effect on shoppers. This is a replay of what happened after the massive 2006 card data breach at TJX stores, first disclosed in January 2007: TJX reported an increase in revenue of approximately 7% for the six months ending 28 July 2007, compared with the same period in 2006.

This is a totally rational reaction for consumers, who are well protected under U.S. law and the card brands' rules from unauthorized use of their credit and debit cards. They almost always get all of their stolen money back. (The statutory protection is stronger for credit cards than for debit cards, where the cardholder's liability depends on how quickly the loss is reported, but the networks' zero-liability policies close most of that gap in practice.)

Moreover, I believe that there is relatively little fraud committed using cards stolen during these massive breaches. I imagine the crooks are only able to make illicit charges against less than 5% of the stolen cards, because the credit card companies are well prepared to cut off stolen card use once they become aware of which cards were compromised, and this happens relatively quickly once the breach is discovered. (This isn't the case with theft of other types of data, such as identity, tax or health records, which cannot be reissued.)

I estimate that the Home Depot and Target heists resulted in less than $10 million of direct fraud costs although total breach costs incurred by these companies were significantly higher. Target spent about $153 million on breach related expenses and Home Depot so far shelled out a net $34 million in 2014 for its breach. These much higher costs include the money the breached retailers have to pay for customer service, communications, lawyers, and reimbursements to card issuers for card reissuances.

Who pays the most for these breaches?

Clearly the retailers. They already pay in advance for fraud costs as part of their payment card interchange fees. U.S. retailers have also shelled out some $6 billion to secure their payment acceptance systems (sometimes not so successfully) in accordance with the PCI (Payment Card Industry) rules they are bound by. They also pay hefty fines and fees if and when they are breached. Although consumer sales do not suffer, the costs of a data breach are still much higher than the costs of securing the data in the first place.

What measures should retailers take?

Gartner recommends retailers use strategic data protection technologies, which are garnering tremendous interest among our retailer clients, including:

a) Point-to-point encryption (P2PE), which encrypts card data at the moment it is presented (ideally inside a tamper-resistant card reader) and keeps it encrypted until it is decrypted by the merchant's acquiring processor or another central service designated by the retailer. The security win depends on the merchant's own systems never holding the decryption keys. Not all P2PE solutions and implementations are created equal, and it is not a slam-dunk security win unless it is implemented properly.

b) Tokenization of card data, so that the card number is replaced by a surrogate value that is useless to thieves. Again, tokenization is not a panacea and must be implemented properly, and as soon as the card data is presented, so as to avoid holes in the security program. (One of the retailers recently breached had in fact implemented tokenization, but the breach happened before the data was tokenized.) Merchants also need to be aware that merchant-based tokenization schemes collide with the Visa and MasterCard tokenization schemes first implemented by Apple Pay (see http://blogs.gartner.com/avivah-litan/2014/11/07/token-collision-and-point-to-point-encryption-confusion-ala-applepay/). Merchants therefore need to make sure their token service providers can retrieve the credit card number from an Apple Pay token, so that the merchant can then tokenize that card number in its own system. Otherwise merchants can end up with multiple token numbers for one card.

Until and unless these strategic data protection measures can be taken, Gartner also recommends retailers focus on key tactical measures, including:

a) Prevent malware and hackers from entering enterprise networks in the first place

For example, keep POS systems single-purpose, and segment the cardholder data environment from the rest of the network.

b) Prevent malware installation and operation, assuming the malware manages to get inside the network

Such steps include restricting outbound connections from POS and back office systems, keeping auto-login passwords unique on each POS machine, and using whitelisting techniques on POS endpoints.

c) Rapid detection of active malware, assuming preventative steps fail.

For example, monitor logs, especially from file integrity monitoring systems on POS hosts; implement processes for physical and logical detection of USB drives, which are often used to introduce malware and exfiltrate data; and sample store system memory for signs of malware (memory-scraping POS malware reads card data from RAM, the one place it sits unencrypted on a terminal without P2PE).
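The three tactical layers above are easier to see as detection rules than as a list. The following is an added example, not code from the post or from any Gartner research note: it applies a per-role outbound allowlist, an "executables never change on a POS host" rule, and a USB mass-storage rule to a handful of constructed syslog-style lines. The log format, host names, addresses, allowlists and every line of sample input are assumptions made for the illustration.

```python
"""Tactical POS monitoring: outbound allowlist, executable drops, USB storage.

Added example, not code from the post. The log format, host names, networks,
addresses and the allowlists are constructed for this illustration; a real
deployment would feed its firewall, FIM and endpoint logs through the same rules.
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "host rule detail")

# Constructed sample lines: "<timestamp> <host> <source>: key=value ...".
SAMPLE_LOG = r"""
2014-11-19T10:01:02 pos-017 fw: action=allow proto=tcp src=10.20.17.5 dst=198.51.100.10 dport=443
2014-11-19T10:01:09 pos-017 fw: action=allow proto=tcp src=10.20.17.5 dst=203.0.113.77 dport=8080
2014-11-19T10:02:30 pos-017 fim: event=create path=C:\Windows\System32\mscsvc.exe
2014-11-19T10:03:11 pos-042 usb: event=attach class=mass_storage vid=0781 pid=5581
2014-11-19T10:04:00 bo-srv-01 fw: action=allow proto=tcp src=10.20.0.8 dst=203.0.113.77 dport=8080
2014-11-19T10:05:00 pos-017 fim: event=modify path=C:\POS\config\settings.ini
2014-11-19T10:06:00 bo-srv-01 fw: action=allow proto=tcp src=10.20.0.8 dst=198.51.100.20 dport=443
"""

# Outbound allowlists per host role (constructed). Anything else a POS or
# back-office host talks to is a finding, whether the firewall allowed it or not.
ALLOWED_OUTBOUND = {
    "pos": {("198.51.100.10", 443)},                                  # payment gateway only
    "backoffice": {("198.51.100.10", 443), ("198.51.100.20", 443)},  # gateway + patch server
}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def host_role(host: str) -> str:
    if host.startswith("pos-"):
        return "pos"
    if host.startswith("bo-"):
        return "backoffice"
    return "other"


def parse_line(line: str):
    """Split one line into (host, source, {key: value}); None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("host"), m.group("source"), dict(KV_RE.findall(m.group("rest")))


def analyze(log_text: str) -> list:
    """Apply the three tactical checks to every log line; return the findings."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, source, f = parsed
        role = host_role(host)

        # (b) restrict outbound connections: the allowlist is the control; the
        #     firewall log is just where violations become visible.
        if source == "fw" and role in ALLOWED_OUTBOUND:
            dest = (f.get("dst"), int(f.get("dport", 0)))
            if dest not in ALLOWED_OUTBOUND[role]:
                alerts.append(Alert(host, "outbound-not-allowlisted", f"{dest[0]}:{dest[1]}"))

        # (b)/(c) whitelisting assumption: a POS endpoint never gains a new or
        #     changed executable outside a controlled change window.
        if source == "fim" and role == "pos" and f.get("event") in ("create", "modify"):
            path = f.get("path", "")
            if path.lower().endswith(EXECUTABLE_SUFFIXES):
                alerts.append(Alert(host, "new-executable-on-pos", path))

        # (c) USB mass storage is the classic way malware arrives and data leaves.
        if source == "usb" and f.get("event") == "attach" and f.get("class") == "mass_storage":
            alerts.append(Alert(host, "usb-mass-storage", f"vid={f.get('vid')} pid={f.get('pid')}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.host:10} {a.rule:26} {a.detail}")
```

On the sample input this flags both connections to the unknown 203.0.113.77 host (one from a register, one from a back-office server), the new executable dropped into System32 on a register, and the USB stick on another register, while the configuration-file edit and the permitted gateway and patch-server traffic pass silently. The point is that the allowlist, not the firewall's allow/deny verdict, defines what is normal.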

We outline a more complete list of the measures involved in these three tactical steps in our research note “How to Avoid Becoming the Next Target Retail Breach Victim”. But these tasks can be overwhelming in number and ongoing hyper-vigilance is required to ensure the security controls are maintained. In many cases, this will be too much for most retailers to take on.

To breathe more easily, we recommend moving towards point to point encryption and tokenization technologies, while recognizing those measures are no panacea either and most assuredly will be compromised if improperly implemented. We are already hearing reports about poor implementations in the field.

But focusing on a couple of strategic technologies is far easier and more effective than juggling dozens of point solutions whose plethora of alerts is bound to blind even the sharpest shooters amongst us.

The other alternative? Use cash.


Token Collision and Point to Point Encryption Confusion ala ApplePay

by Avivah Litan  |  November 7, 2014

With all the excitement about ApplePay, big systemic problems are starting to surface on the retailer side. Here they are:

a) Point-to-point encryption confusion. Some vendors who certified their payment card applications for point-to-point encryption left out certification of contactless payments, since there was very little contactless volume in the past and they just didn't get around to it.

What this means is that any contactless payment presented to their NFC readers is ignored by the point-to-point encryption process, so the card data from those transactions is not encrypted at the reader, and the transactions go into their own 'suspense' bucket handled under the merchant's ordinary, non-P2PE controls. Retailers need to be aware of this and work with their service providers to implement a compensating payment process flow accordingly.

b) Token collision. Apple Pay uses a tokenization scheme supported by Visa and MasterCard, which have not released the numbering scheme they use. (Essentially their tokens are pseudo card numbers with pseudo-BINs (bank identification numbers) at the front, so the network knows which card issuer to route the data to when it comes into the network.)

But this system collides with the merchant or acquirer based tokenization systems the merchants have spent so much money on over the past years in order to secure card data and limit the scope of their PCI audits.

Here's why the tokenization systems collide: an Apple Pay token will be presented to a merchant tokenization system. The merchant tokenization system will simply tokenize the Apple token and store that tokenized token for future use, since there is no way for the system to tell that it is an Apple Pay token rather than a credit or debit card number: it has the same length, passes the same check-digit test, and its BIN range is not published.

What are the consequences?

a) Merchants could end up with two tokens for one card number

b) But more importantly, merchants now have an ApplePay token and no process to get back to the card number. They have no interfaces with the ApplePay token/detokenization system. The whole reason merchants tokenize card data is because they need to get back to the card number at some future point, usually for chargeback and dispute purposes or for recurring billing.

What’s the solution? Big token mapping tables in the sky? Seriously. And Messy. Someone– likely the acquiring processor or even the card brands — is going to have to provide merchants with a table that maps their token numbers to the card issuers’ token numbers (first brought to market by ApplePay). This doesn’t bode well for on premise solutions unless they can be tied directly somehow into these monstrous mapping tables.
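The collision is easier to see with a toy version of both sides. The following is an added example, not code from the post and not any vendor's or card network's implementation: a merchant vault that issues random surrogate tokens, a stand-in network token service that mints Luhn-valid card-shaped tokens under a made-up pseudo-BIN, and the "mapping table" the post describes, reduced to a set of BINs the merchant is allowed to know. The PAN is the widely used 4111 test number; the pseudo-BIN, token formats and class names are assumptions. It serves both the "multiple token numbers for one card" warning in the November 19 post and the walkthrough above.

```python
"""Merchant tokenization vault vs. network tokens: the 'token collision'.

Added illustration, not code from the post or from any vendor. The merchant
vault, the stand-in network token service, its pseudo-BIN and the token formats
are constructed for the example.
"""
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test; PANs pass it, and network tokens are built to pass it too."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_complete(body: str) -> str:
    """Append the check digit that makes `body` Luhn-valid."""
    for d in "0123456789":
        if luhn_ok(body + d):
            return body + d
    raise RuntimeError("unreachable: some digit always satisfies Luhn")


class MerchantVault:
    """Merchant-side tokenization: random surrogates; card data lives only in the vault."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_value: dict[str, str] = {}

    def tokenize(self, presented: str) -> str:
        # The vault cannot tell a PAN from a network token: both are 13-19 digits
        # and Luhn-valid, and the token BIN ranges are not published to merchants.
        if not (presented.isdigit() and 13 <= len(presented) <= 19 and luhn_ok(presented)):
            raise ValueError("not a card-shaped value")
        if presented not in self._by_value:
            token = "MT" + secrets.token_hex(8)     # carries no card data at all
            self._by_token[token] = presented
            self._by_value[presented] = token
        return self._by_value[presented]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


class NetworkTokenService:
    """Hypothetical issuer/network token vault (Apple Pay's real one is not public)."""

    TOKEN_BIN = "999900"   # constructed pseudo-BIN; not a real Visa/MasterCard range

    def __init__(self) -> None:
        self._pan_by_dpan: dict[str, str] = {}

    def provision(self, pan: str) -> str:
        body = self.TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        dpan = luhn_complete(body)          # 16 digits, looks exactly like a card number
        self._pan_by_dpan[dpan] = pan
        return dpan

    def lookup_pan(self, dpan: str) -> str:
        return self._pan_by_dpan[dpan]


def recover_pan(vault: MerchantVault, network: NetworkTokenService,
                merchant_token: str, known_token_bins: set) -> str:
    """What a merchant gets back from its own token.

    Only if it knows which BINs are network tokens (the 'mapping table' the post
    asks for) can it take the extra hop through the network's vault to the PAN.
    """
    value = vault.detokenize(merchant_token)
    if any(value.startswith(b) for b in known_token_bins):
        return network.lookup_pan(value)
    return value


def demo() -> dict:
    pan = "4111111111111111"                # widely used test PAN, Luhn-valid
    vault, network = MerchantVault(), NetworkTokenService()
    swipe_token = vault.tokenize(pan)       # customer pays with the plastic card
    dpan = network.provision(pan)           # same card provisioned into a wallet
    wallet_token = vault.tokenize(dpan)     # the vault tokenizes the token: collision
    return {
        "two_tokens_for_one_card": swipe_token != wallet_token,
        "detokenized_wallet_token": vault.detokenize(wallet_token),   # the DPAN, not the PAN
        "without_mapping": recover_pan(vault, network, wallet_token, set()),
        "with_mapping": recover_pan(vault, network, wallet_token, {NetworkTokenService.TOKEN_BIN}),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the merchant holds two unrelated tokens for one card, and detokenizing the wallet-side one yields the network token rather than the card number; only with the BIN mapping does the lookup reach the PAN. Note that nothing in the merchant's own vault can be fixed to avoid this: the distinguishing information sits entirely with the network.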

More Security Problems: One other interesting piece of information I came across regarding Apple Pay is that the one-time codes that are part of the security scheme are not being accepted or read by terminals and their payment acceptance protocols, at least not yet and not universally. This means that if an Apple Pay token is stolen from a merchant, it can be used at another merchant accepting Apple Pay, assuming the consumer doesn't have to use the Touch ID biometric to confirm the payment instruction and a hacker somehow steals the consumer's password. Apple Pay token numbers are the same across merchants, since they are issuer based; stripped of its one-time code, the token degrades to just another static card number.

Retailer Vs. Card Networks – Interests Continue to Collide: What all this says to me is that retailer interests and card issuer interests continue to collide. It would have been nice if all this had been thought through at the beginning of PCI planning and rollouts and if tokenization standards were developed and implemented years ago so that we didn’t have to face this collision going forward. It’s only going to get more confusing and messy in the years to come before it straightens out.


Apple Pay vs. CurrentC; will Merchants lose out again to Visa and MasterCard?

by Avivah Litan  |  November 3, 2014

The recent ruckus in the media about Wal-Mart, CVS, Rite Aid and other national retailers refusing Apple Pay has created bad PR for the fragmented retail sector. News commentators have been ranting on about how these merchants need to give consumers free choice and turn Apple Pay acceptance back on.

These comments reflect the great job Visa and MasterCard have done winning consumers over with superior service and payment protections (i.e. zero liability) and the outstanding job Apple does creating sleek and seamless user interfaces.

In stark contrast, the commentaries also show the horrendous job the big-box retailers who are part of MCX (Merchant Customer Exchange), e.g. Wal-Mart, Target and CVS, have done telling their side of the story and producing an alternative mobile payment system, more than three long years after they announced one.

The market doesn’t realize that all these solid payment protections and frequent flyer points that we have come to love from using our credit cards come at a great cost to the retailers who bear the financial burden for these programs. In other words, the retailers are paying for our protections, zero liability programs, and our frequent flyer points as part of the interchange fees they pay to the card companies. The average consumer and journalist is unaware of this important point.

The burden of securing an inherently insecure magnetic stripe card instrument has also fallen largely on the retailers, and they have had to become security specialists in order to compensate for a painfully insecure payment system that they are basically forced to participate in. (Which retailer can afford to NOT accept credit or debit cards and still run a big business)?

Unfortunately for the retailers they are probably going to lose again. They have had more than three years to produce an alternative mobile payment system – now called CurrentC- but have failed to leverage the new form factor (mobile phones) that could level the playing field and let them finally take on the card companies.

MCX memberships have about a four-year term, and many of their member retailer contracts are coming up for renewal soon. It will be interesting to see if the MCX members hang in there or abandon ship and give up the fight against the credit card companies, now indirectly spearheaded by Apple Pay. Even if they do stay in the fight, it is virtually impossible for MCX to produce a system as sleek and easy to use as Apple Pay, especially if they continue to base their system on QR codes and shut off NFC so that Apple Pay can never work at their stores.

There is no way for merchants to distinguish Apple Pay payments coming through their NFC-enabled terminals, since Visa and MasterCard are not releasing the numbering scheme these payments use. This means they cannot be rejected through software filters. It also means merchants have to reject ALL NFC payments, so they can never use this form factor for CurrentC while rejecting Apple Pay at the same time.

In the meantime, the big Visa and MasterCard machines continue to profit while retailers continue to pay high fees for credit/debit card acceptance – or generally 1-3% of every transaction. (These fees can go up to 7% or more for smaller merchants with less credit worthiness).

Rates have not gone down despite the important fact that volume continues to grow, so much so that Visa and MasterCard had record earnings, causing their stocks to soar around 10% last week. Each of these card brands has seen its stock price rise handsomely, beating the S&P 500 over the last few years. Likewise, card issuers announced record profits this year, the biggest rise seen since 2008 (see http://blogs.gartner.com/avivah-litan/2014/10/14/2014-the-year-of-the-worst-data-breaches-and-highest-profits-at-u-s-credit-card-issuers/).

Moreover, countless lawsuits, typically led by Wal-Mart, against the card companies for usurious business practices have also largely failed; even when a battle or two is won, the retailers continue to lose the war.

Too bad. I think competition is good for the market and would like to see alternatives win out so that prices can come down and overall security can increase. It would have been nice if Apple had announced a Bitcoin or PayPal interface, for example, but they didn’t – at least not yet. The retailers need to hire a startup with the innovation, flexibility, speed and technological prowess that they lack. Otherwise, CurrentC will end up being toast and consumers won’t even get a toaster back in return.


Can Credit Report Monitoring become more useful?

by Avivah Litan  |  November 3, 2014

For years, companies whose troves of credit cards have been breached have been offering potential fraud victims credit report monitoring as relief. I always cringe when I hear about this, because I view it largely as a PR move on behalf of the breached entity that does virtually nothing to protect a cardholder from unauthorized use of their stolen credit or debit cards. Plus it costs the breached company lots of money it could more wisely spend elsewhere, and puts it in the pockets of the big credit bureaus and data aggregators, who are happy to capitalize on this distortion in public perception.

Still this offering looks good in the media, earns the breached company brownie points, and consoles congressional representatives who have never taken the time to understand the difference between credit report monitoring and credit card monitoring.

Nonetheless, free credit report monitoring for potential breach victims has been a standard offering following credit and debit card data breaches. Unfortunately, the entities benefiting the most from this are not the potential consumer victims but rather are the companies selling credit report monitoring to breached entities who in turn offer it for free to potential victims whose data has been compromised.

Consumers are basically smart and surely have come to realize that credit report monitoring does nothing to protect them from use of their stolen cards. Moreover, they can get their credit reports for free, one from each of the three bureaus every year, through the federally mandated site www.annualcreditreport.com. A consumer survey Gartner conducted three years ago found that of the roughly 45% who had credit report monitoring at the time or in the past, only about 8% were currently paying for it. Another 10% had previously paid for it but discontinued their subscription. The rest got it for free from a breached company that offered it as part of breach follow-up and compensation. More paying customers were dropping the service than were signing up. I have to believe that is still the case.

The credit bureaus must be finally seeing that they can’t expand their theft protection services without making them more meaningful so that they truly do protect breached victims whose cards have been stolen. So it is reassuring to see one of the three main credit bureaus partner with a startup (BillGuard) which analyzes consumers’ card statements for anomalous charges that consumers likely wouldn’t otherwise spot – either because they don’t take the time to comb through their statements or because they look legitimate (e.g. a charge under $5 for a seemingly legitimate telco service). It’s reassuring to see that market demand drives innovation and that in this case, consumers can finally get what they need and deserve.


2014: The year of the worst data breaches and highest profits at U.S. credit card issuers

by Avivah Litan  |  October 14, 2014

It looks like the credit card companies keep winning and the retailers keep losing when it comes to making money on credit cards.

R.K. Hammer, a consulting firm in Thousand Oaks, Calif., estimates that U.S. card issuers will generate $158.6 billion in 2014 revenue, a 9% jump over the $146 billion they earned in 2013. It would be the first annual gain since 2008, according to the firm.

This in a year of record data breaches, including breaches at mega-retailers Target and Home Depot – over 100 million card records breached just across these two retailers.

So what does this tell us? That the data breaches certainly aren’t hurting the card companies. They have done a super job at managing fraud, customer retention and risk mitigation for themselves and their cardholders.

I’d like to see the commensurate numbers for the breached retailers who have taken the hits and paid the fines that contributed to the card issuers’ bottom line profit numbers.

All told data breaches can’t be good for the economy, but on the surface, they haven’t been bad for the banks that issue the cards. I guess the economic equation totally depends on which side of the payment chain you sit on. We already saw the data breach damage Target’s bottom line. I’ve got to assume that’s the same for every major retailer who has been breached this year. All things being equal, these breaches have got to keep retail prices higher than they would be otherwise. But at least we still get our loyalty points and frequent flyer miles on our credit cards. I certainly can’t complain.


Lessons from the Israeli CyberFront

by Avivah Litan  |  September 22, 2014

I just returned from a week in Israel, which always seems to me to be Ground Zero for CyberSecurity.

Here are some of the takeaways I came back with from my visit:

a) Life goes on – and the security community continues to innovate

I attended and spoke at one of the major Israel cyber-tech events of the year at Tel Aviv University (see www.sectech.tau.ac.il). You would never know this community had just emerged from a two month long onslaught of Hamas Missile attacks. I realize it’s an entirely different discussion on the political ramifications and issues but from a tech perspective, the resiliency had at least something to do with Iron Dome and the fact that the community didn’t take too many physical hits.

I was fortunate to spend a half hour with the founder of the Iron Dome project, Danny Gold, who described this three year development effort that started after his 2004 idea and difficult yet persistent efforts with the Israeli Ministry of Defense to raise the requisite funds. His contract was finally signed in one lucky week in 2007 and was followed by an intense three year development effort of a project team of 300-400 staff that worked 24/7 and had no other life until they finished the job. The interdisciplinary team was composed of engineers in multiple disciplines, including; software, cybersecurity, mechanical engineering, chemistry, metal logistics, genetic algorithms, aeronautics, neuroscience and more.

The most interesting panel I listened to at the conference was about ‘hacking the brain’ and reading and influencing people’s thoughts. A panel of SMEs involved in this subject concluded that these capabilities would have the most impact on fraud – by enhancing fraudsters’ cognitive abilities, ability to grow limbs and body parts and sequence DNA. Great, just what we need!

b) CyberTerror is alive and well

Maybe I'm naïve, but I was surprised to learn how active cyberterrorists are in attacking Israel's critical infrastructure. I'm not sure who backs these cyberterrorists and who writes their code, but some are technically sophisticated enough to create a real nuisance and damaging malware that must be dealt with. These players are not nation states like Iran or Syria, nor are they cybercriminals from Russia out to steal money, hacktivists out to make political statements through service disruptions, or Chinese cyberspies out to steal intellectual property. They are their own category, i.e. terrorists using cyberwar techniques to disable civilian operations. I would imagine these terrorists don't limit their targets to Israel. I just haven't yet heard about them operating anywhere else.

c) Insiders continue to be some of our worst enemies

I met with a vendor that services most of the largest wireless telcos in the world. This provider has its own security research division that goes into the Dark Web via Tor to look for threats against its clients. What do they find? Lots of customer data and other company secrets (e.g. how to hack a PBX switch or which codes to use for free phone service) for sale on multiple Dark Web forums. And who were the purveyors of such goods? The carriers' employees themselves. I know this may not sound like news to some of us, but I was floored to learn of the extent of this activity.

d) Paranoia about Google and Facebook

OK, paranoia may be an extreme term here but Israel takes these companies seriously when it comes to their users’ abilities to affect national security. A former Israeli government official told me about an academic study (that many others know about) in which a control group of about 700,000 Facebook or Google users were influenced via various messages that influenced users’ behavior in predictable ways. The concern is that only the U.S. government presumably has legal access and influence over these mega U.S. based companies and is therefore at a great advantage from a national security standpoint. (I realize this is a very contentious area).

e) People People People

We all know that people are the weakest link in any security program but I heard a lot more about good old fashioned people screening in Israel than I have heard in any discussions with security folks in other countries. Israelis put a tremendous amount of effort into perpetual screening of their employees and partners etc. and take a risk based approach whereby those with greater privileges are screened more deeply and more often. I realize other countries and players may find such screening offensive to civil rights but it makes perfect security sense to me.

f) Parting thoughts

After speaking at a CISO forum, one of the attendees and I had a good chat afterwards and he summed up good security practices in three bullet points that I will definitely remember:

1. Forget about prevention and focus on rapid detection and containment. Criminals can easily see, figure out and therefore beat the prevention methods we put out there so why waste time on those?

2. Constantly change your environment. The hackers can only succeed if they know how your environment works. If you keep changing it, they can’t penetrate and perpetrate their crimes.

3. Focus on the people. Raise security awareness among employees and make sure you really know who is on your team and in your virtual circles.

Well informed practical advice coming from a practitioner who’s been through more real-world security training than most folks I run into.


Will Apple Pay Save Merchants from Data Breaches?

by Avivah Litan  |  September 9, 2014

Apple has finally gotten into the payments business with its Apple Pay announcement. While details on Apple Pay security features are still scarce, it sounds like they are working with Visa, MasterCard, the other card brands and the major issuing banks behind them to use a payment card tokenization scheme that these financial services companies endorse and recognize.

That means that consumers don't have to store their payment card data in their mobile wallets. Instead, they set up Apple Pay with a credit card (either the one linked to their iTunes account or a separate one), and the card's issuer provisions a token number onto the device in place of the card number. Each payment then carries that token plus a one-time code that initiates the payment process, and the token has policies governing its use, i.e. how long a period it can be used in, where it can be used, how much it can be used for, etc.
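A small model makes the two halves of that design visible: the policy attached to the token, and the one-time code that stops a captured token from being replayed. The following is an added example, not code from this post, and not Apple Pay's or EMV's actual scheme; the one-time code here is a plain HMAC over the transaction fields with a counter, which is enough to show the property. It also illustrates the weakness raised in the November 7 post above, where terminals that do not forward the one-time code leave the token replayable at another merchant. Token format, key handling, merchant IDs and the `require_cryptogram` switch are assumptions made for the illustration.

```python
"""Network tokens with domain controls and a per-transaction cryptogram.

Added example, not code from the post and not Apple Pay's or EMV's actual
scheme: the cryptogram here is an HMAC over the transaction fields plus a
counter, chosen to show why a token presented without its one-time code is
replayable. Token format, keys and merchant IDs are constructed.
"""
import hashlib
import hmac
import secrets


def make_cryptogram(key: bytes, dpan: str, merchant_id: str, amount_cents: int, counter: int) -> str:
    """Wallet side: bind this use of the token to merchant, amount and a fresh counter."""
    msg = f"{dpan}|{merchant_id}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Issuer/network-side vault: maps the token to the PAN and enforces its policy."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def provision(self, pan: str, *, allowed_merchants=None, max_amount_cents=None, expires_at=None):
        """Issue a device token for `pan`; the key is shared only with the wallet."""
        dpan = "999900" + "".join(secrets.choice("0123456789") for _ in range(10))
        key = secrets.token_bytes(32)
        self._tokens[dpan] = {
            "pan": pan, "key": key, "last_counter": 0,
            "allowed_merchants": allowed_merchants,   # None = any merchant
            "max_amount_cents": max_amount_cents,     # None = no cap
            "expires_at": expires_at,                 # None = no expiry
        }
        return dpan, key

    def authorize(self, dpan: str, merchant_id: str, amount_cents: int,
                  counter=None, cryptogram=None, *, now: int = 0, require_cryptogram: bool = True):
        """Return (approved, reason). Policy first, then freshness, then the MAC."""
        rec = self._tokens.get(dpan)
        if rec is None:
            return False, "unknown token"
        if rec["expires_at"] is not None and now > rec["expires_at"]:
            return False, "token expired"
        if rec["allowed_merchants"] is not None and merchant_id not in rec["allowed_merchants"]:
            return False, "merchant not allowed for this token"
        if rec["max_amount_cents"] is not None and amount_cents > rec["max_amount_cents"]:
            return False, "amount over limit"
        if counter is None or cryptogram is None:
            # A terminal or gateway that drops the one-time code reduces the token
            # to a static number; accepting it here is the weakness the post describes.
            if require_cryptogram:
                return False, "cryptogram missing"
            return True, "approved without cryptogram (replayable)"
        if counter <= rec["last_counter"]:
            return False, "replayed counter"
        expected = make_cryptogram(rec["key"], dpan, merchant_id, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        rec["last_counter"] = counter
        return True, "approved"


class Wallet:
    """Device side: holds the token and key, never the PAN."""

    def __init__(self, dpan: str, key: bytes) -> None:
        self.dpan, self._key, self._counter = dpan, key, 0

    def pay(self, merchant_id: str, amount_cents: int) -> dict:
        self._counter += 1
        return {"dpan": self.dpan, "merchant": merchant_id, "amount": amount_cents,
                "counter": self._counter,
                "cryptogram": make_cryptogram(self._key, self.dpan, merchant_id,
                                              amount_cents, self._counter)}


def demo() -> dict:
    ts = TokenService()
    dpan, key = ts.provision("4111111111111111", max_amount_cents=50_000)  # widely used test PAN
    wallet = Wallet(dpan, key)
    p = wallet.pay("MERCHANT-A", 1_999)
    return {
        "genuine": ts.authorize(dpan, "MERCHANT-A", 1_999, p["counter"], p["cryptogram"]),
        # Merchant A's stored token, counter and cryptogram replayed at merchant B...
        "replay_elsewhere": ts.authorize(dpan, "MERCHANT-B", 1_999, p["counter"], p["cryptogram"]),
        # ...or at merchant A again: both fail on the counter.
        "replay_same": ts.authorize(dpan, "MERCHANT-A", 1_999, p["counter"], p["cryptogram"]),
        # A thief who bumps the counter still lacks the key.
        "forged": ts.authorize(dpan, "MERCHANT-B", 1_999, p["counter"] + 5, p["cryptogram"]),
        # The bare token at a terminal that never forwards the one-time code:
        "static_lenient": ts.authorize(dpan, "MERCHANT-B", 1_999, require_cryptogram=False),
        "static_strict": ts.authorize(dpan, "MERCHANT-B", 1_999),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16} {'APPROVED' if ok else 'DECLINED':8} {why}")
```

The only case that gets a stolen token approved is the one where the acquiring side never forwards the one-time code and the token service is willing to authorize on the bare token; that is precisely the gap the post reports in early terminal deployments. The policy fields (merchant set, amount cap, expiry) are checked before the cryptogram, so even the lenient path is bounded by whatever restrictions the issuer attached when it provisioned the token.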

Token numbers are not considered credit card numbers and there are lots of security benefits to merchants when they DO NOT accept, store or transmit actual credit card numbers; i.e.

a) The scope of their PCI compliance audit is greatly reduced

b) They will avoid payment card data breaches and their systems will be more secure since criminals can’t reuse token numbers so they are not going to bother stealing them.

I firmly believe that merchant acceptance is what drives adoption of new payment systems, much more so than consumer acceptance does. For Apple Pay to succeed, merchants are going to have to want to accept it. So are the security features enough to incent merchants to adopt Apple Pay?

a) Probably not for most of the 30-some million merchants that accept credit cards. Unless ALL their shoppers use Apple Pay, merchants still have to spend money on all the onerous security functions required to be PCI compliant.

b) Merchants are already spending money on upgrading to EMV terminals (chip) and have to get ready for that upgrade and liability shift in October 2015 when they will start eating more fraud if they can’t accept an EMV chip card payment.

Granted, EMV-ready terminals typically come with NFC acceptance capability, and merchants have to be able to accept contactless NFC-based EMV payments as well. But Apple didn't say anything I heard about support for the EMV standard, at least not yet. (They likely will support it.)

c) Many large merchants Gartner talks with are upgrading their point-of-sale terminals to support point-to-point encryption (P2PE) of the card data, because they are sick and tired of hearing about the data breaches and don't want to be the next retailer victim. P2PE affords the quickest and strongest protection to payment card data used at brick-and-mortar stores, hence the strong interest in a technology the card companies have yet to standardize on.

Chip (EMV) cards will take at least 5-7 years to become more or less ubiquitous in the U.S. and merchants can’t wait that long to protect themselves and their card data. P2PE is effective as soon as the merchants implement it. They don’t have to wait for card issuers and consumers to start using chip cards.

So what does Apple need to do to foster wider acceptance of Apple Pay?

a) Lower merchant fees, just like Square and other payment aggregators do. Apple already has experience and expertise with payment aggregation for iTunes payments, which it needs in order to keep iTunes transaction costs down. If it did the same payment aggregation for merchants, it could conceivably offer lower rates than the existing payment processors and banks do today, assuming Visa and MasterCard don't stop it from doing so.

b) Build in revenue generating and loyalty features into the Apple Pay Wallet to foster merchant sales. Apple could conceivably do this as well but this is less important than lowering the fees when it comes to building merchant acceptance.

Bottom Line – This is very exciting news and has the potential to change the payment landscape, at least in the U.S. where merchants are being breached every other day and are up to their eyeballs in security issues and expenses. Apple can certainly ride the security wave and offer merchants and consumers more secure payments. But they are still just a fraction of the shopper base and the other fraction still has to be protected. So Apple will need to offer more than just security features to gain all-important acceptance. IMHO, lower fees are key to Apple Pay success.

Google is likely to copy Apple on the security features and then will have to enlist their handset manufacturer partners to link NFC chips to the Google Wallet. Apple has it easier in this regard since they have a closed system – i.e. they manufacture the handsets and the software that runs on them. But once Google gets in the game and Android phones are enabled with more secure payments, we may actually see mobile NFC payments catch on. Better yet, we may actually see the criminals and payment card data breaches start to go away – or at least migrate to something else.


Big Banks hit by CyberAttacks – Alarming but not Surprising

by Avivah Litan  |  August 28, 2014

Today’s headlines report that big banks have been hit by cyberattacks, according to the FBI. While this news is alarming, it certainly is not surprising.

Hackers are always probing bank systems, and a year or so ago law enforcement authorities and regulators put out an advisory to banks about criminals hacking into bank employee accounts to infiltrate their computer networks and, in some selected cases, to steal funds.

Frankly, this isn’t new news – it’s just the culmination of old news. I imagine that the authorities and security staff never were able to eliminate the hackers from their systems. They have probably been in there for years, and there have probably been multiple actors, ranging from financial hackers to state sponsored cyberspies.

Wake Up Call

But this should serve as a loud wakeup call for bank Boards to elevate security to the top of their agenda, and to make sure their security staff (e.g. the CISO) are doing everything they can to secure the business. They also need to make sure the CISO and IT staff have the business support they need to make it all happen.

Organizational issues – as opposed to the technology issues – are generally the main impediments to successful defense of the bank’s assets. Organizations need to be aligned in order to properly defend themselves from cyber-attacks. Senior and board-level management need to support security initiatives directly by getting involved, and not just leaving it to the CIO or CISO to figure out. These IT and IS executives can’t do their jobs without business support. And that has to come from the board level, given the siloed nature of these large bank organizations.

What’s the Damage?

While this is cause for alarm, in a sense we should all be prepared for this. When it comes to financial assets being stolen, the banks have strong safeguards in place and can shut down wire and money transfer systems if they need to before too much damage is done. So, for example, some unauthorized money transfers could certainly take place, but they would be limited in number if the criminals attempted a mass attack against the money transfer systems. (Of course the stock market would have an extreme negative reaction if this occurred – hopefully that would be short-lived).

As far as the data – it’s safe to say we must assume all our financial information is subject to theft, as are simple credentials such as passwords. That certainly is not a good situation and banks, intel agencies and other enterprises must do a better job at protecting sensitive data. But I see a lot more money spent on preventing the USE of stolen data than I do on preventing the theft of the data itself – for simple economic reasons, i.e. the use of stolen data directly affects the company’s bottom line. The theft of data generally doesn’t have that impact unless it’s disclosed to the public since the stolen data is generally used at another enterprise.

Most large financial institutions have spent considerable sums on fraud detection systems that prevent the use of stolen data. They are certainly not perfect, but they do catch the majority of fraud attempts. It’s the small financial institutions and their third party processors that we should be worried about because they are not securing their systems as well as they should be.

So while it makes me nervous that this is happening, I do believe the large financial services companies can protect their and our financial assets such that a massive robbery cannot take place. And as noted it’s safe to assume information is no longer confidential and we just have to compensate for that by preventing the use of stolen information for illicit purposes. It’s just the new world order.


Russian Gang Password heist is so much worse than Target

by Avivah Litan  |  August 6, 2014  |  3 Comments

I’m finally going to change my passwords. Frankly, I haven’t been motivated until now – even after Heartbleed and all the other heists – since I just do a quick mental calculation of my risk vs. my inconvenience. And I decided against the inconvenience.

But now the threat to me and you as consumers is real and strong. We’ve all been speaking about these phenomena for years, i.e. the criminals amassing millions of records on users, including credentials/passwords, bank account numbers, personal data and more. And it’s finally a reality – not just conjecture anymore.

The interesting thing is that most consumers think the Target breach was more serious than this one. The Target breach pales compared to this revelation. With Target and stolen cards, consumers are protected financially and the banks can stop the stolen cards from being used relatively quickly. All the card payment systems around the world interconnect virtually in real time so fixes can be applied immediately.

With the theft of passwords and other sensitive data, the criminals have access to many of our accounts where our protections are much less and where systems are much more fragmented. For example, if someone steals money from my online retirement account, I have to go through a lot of very time-consuming hoops to get my money back and may not get it back in the end if my retirement company doesn’t want to give it back to me. They can tell me it’s my fault my password was stolen. The same rules apply to many other types of bank and investment accounts.

In the meantime, there’s a lot of chatter about the motivations of the company who told the NY Times about this story. Frankly, no matter what the motivations were or are, the story is still true and it’s still ominous.

Bottom Line – change your passwords and monitor your accounts closely. And try to put your money with providers that don’t just rely on passwords for security.


$200 Million credit card heist reminds us how overrated Social Security Numbers are

by Avivah Litan  |  May 15, 2014  |  4 Comments

A man convicted of a $200 Million credit card bust-out scheme pleaded guilty Monday in one of the largest credit card fraud schemes ever charged by the Justice Department. (See: http://www.fbi.gov/newark/press-releases/2014/new-york-man-admits-role-in-international-200-million-credit-card-fraud-conspiracy).

The scam was executed by using fake identities to take credit cards out, and incur expenses that were never paid back to the banks.

In fact this scam probably inflicted more than four times the direct fraud damage on the financial services industry than Target did. Consumers were not damaged directly, but losses for banks eventually translate into costlier financial services.

It should also remind us how overrated our Social Security Numbers are. Criminals like the ones arrested in this scam have little problem making up fictitious identities, often using unassigned SSNs, or they may choose to use an existing SSN but tie it to a new identity. There are plenty of SSNs with different names attached to them in the U.S. credit bureaus, for example. A few years ago I was told that around 20 million SSNs were in this latter category. I’m not sure it’s all because of identity theft, but it’s most assuredly not a good thing.

In some sense, it’s easier for the crooks to make up an identity than it is to steal one when it comes to defrauding bank lending and credit systems. (There’s no individual that’s going to report being harmed in the case of a fictitious identity). Some estimates are that almost half of new credit account fraud is incurred by extending credit to fictitious identities but there are no good official records on it.

Bottom Line – I personally don’t get that worked up about my SSN. Sure I’d hate to have my identity stolen and the criminal would need my SSN to hijack my identity. But I also look at the odds of that happening and factor in the point that the bad guys can just as easily fabricate an identity. They know the SSN numbering scheme and how to make one up that works for a particular Date of Birth and State – so why would they bother stealing mine? (Famous last words…)
