How the Global Payments Data Breach Affects Banks
With yet another high-profile attack against a third party, banks are reminded that security vigilance extends well past their own walls. By Bryan Yurcan April 04, 2012 URL:
With the recent news that Atlanta-based credit card processing company Global Payments Inc. suffered a massive data breach, fraud and security concerns are back in the headlines -- never a good thing for financial institutions.
Initial reports said that 10 million MasterCard and Visa accounts could have been affected in the breach. However, this week Global Payments said the "unauthorized access to its processing system," which occurred in early March, affected no more than 1.5 million card accounts. The company said it believes that the affected portion of its processing system is confined to North America and that only Track 2 card data -- which includes account numbers -- was compromised, but that cardholder names, addresses and social security numbers were not obtained by the fraudsters.
While this particular data breach was not directed at a bank itself, experts say there are many lessons banks can learn from this and similar attacks.
One thing banks have been forced to become increasingly aware of in recent years is cyber attacks against third-party entities that aren't financial institutions but store account data, says Ben Knieff, senior director, head of fraud product management for New York-based NICE Actimize. Data attacks such as the recent Global Payments one, or last year's data breach of Sony PlayStation's online network, "is certainly not something confined to the traditional financial services ecosystem," he notes.
Knieff notes that there are increasingly less attacks directly perpetrated against financial institutions, with fraudsters instead targeting these third parties that are perceived to less-stringent security measures.
"Financial institutions tend to have extremely robust network intrusion security," Knieff notes.
Though fraudsters have been targeting third-party vendors with increasing alacrity, Knieff notes that banks have made a concerted effort to work with vendor partners to stem attacks. "Financial institutions have gotten very good at extending their controls and protections to vendors and auditing them," he says.
However, the problem is that "in the U.S. in particular, the chain of payments is substantially more complex and there are more parties involved," Knieff notes. Though initiatives like PCI compliance help somewhat, it is not a cure-all.
And though financial institutions and their partners have become more sophisticated in repelling attacks, criminals have in turn become more sophisticated in perpetrating them, says Mike Urban, director of financial crime solutions at Fiserv.
"The level of cybercrime going on is very high," he says. "All of these organizations are getting hit by attacks constantly and most are repelled. But every day there are automated attacks criminals have going out just pinging to see where a weakness is or if a defense mechanism has adjusted or changed."
Another problem banks face in fighting fraud is attacks against merchants, Urban notes. Unlike the vendors banks work with, merchants, especially small business, may be easier to hack. For this reason, most financial institutions deploy "around-the-clock" monitoring for potential point of sale fraud and are often successful using tactics such as employing data analytics to identify transaction risk based on a person's past purchasing behavior.
But banks can only do so much, says Urban. "They have people constantly monitoring and identifying any kind of breach so they can take action on those accounts as quickly as possible," he says. "But it's sort of like trying to find a needle in a haystack."
EMV the Key?
Both Urban and Knieff agree that point-of-sale fraud and cases where criminals make counterfeit cards from stolen information could be nearly eliminated when or if the U.S. adopts EMV-based cards and terminals. EMV, the global standard for credit and debit card payments named after its original developers -- Europay, MasterCard and Visa -- features cards with embedded microprocessor chips that store and protect encrypted account user data.
Knieff says that after the U.K. adopted EMV cards there was an "incredibly dramatic reduction" in POS fraud there. "EMV is inherently more secure," he adds.
Both Visa and MasterCard had announced separate roadmaps to institute EMV fully in the U.S. by 2015. Knieff admits the cost to not only card issuers but merchants who have to replace their old terminals may be a hindrance to adoption, but in the long run he believes business will be better off.
"It depends on who you talk to, but some people say the ROI from a common good perspective could be 12 to 18 months or as high as 5 to 8 years," he says. "But even on the high side, 5-8 years is really not all that bad considering we'd be making a massive change to our payments infrastructure."