Sharing the burden of online credit card fraud – part one

Given the recent CISCO Canada study, I thought I’d move in the direction of what both companies and customers need to do to protect their data. For this two part series I will talk about retailers, given the recent penetrations and malware installation.

Retailers hoping to reduce face-to-face based transactions and increase online sales using credit card numbers are facing two problems.

The first is how to duplicate the online trust often envisioned between client and employee at the check out counter, and the second, equally a difficult task and rapidly emerging as a top priority security concern, is to ensure full proof protection of client credit card data.

Card not present fraud (CNP) is costly to retailers storing your data, but could have devastating consequences for you. The recent news over major security breaches has left more doubt in an already fickle consumer mind.

What’s not to be fickle about?

In late 2013, the giant American retailer Target, which operates 1,784 stores in the U.S, and 124 stores and expanding in Canada, reported in November of 2013 that it had suffered a malware-installed attack at its point of sale system. The concealed and vicious malware grabbed credit card data, including PINs, of 70 million of its U.S. customers. That number was pushed to 100 million by early January 2014, which included Canadian customers.

Target reported its stock dipped 1.7 per cent in U.S. trading. The retailer predicted that with the widely publicized breach sales that would be down from two to six percent in the fourth quarter of 2013 compared to a year earlier and would be at least 2.5 percent lower than previously forecast. This projection, according to the company, was directly related to consumers traditionally slow to forgive the data breach.

Not that target was the only mega-retailer affected.

Dallas-based Neiman Marcus, a luxury specialty department store, also suffered a malware-installed attack at its point of sale system reporting that 1.1 million customers may have had their information compromised during the a 2013 November Black Friday hack.

Just how large is this problem?

The global price tag of consumer cybercrime is now topping US$113 billion annually according to a large-scale 2013 report commissioned by Symantec. The cost per cybercrime victim has shot up to $298, a whopping 50 percent increase over 2012. The number of victims of these crimes is 378 million per year, or an average of 1 million plus per day, or a stunning 12 victims per second.

In Canada, incidents of credit card crime continue to climb. In 2011, fraudsters towed in $436.6 million from Canadian credit card accounts, up more than 19 percent from a year earlier.

Dispelling a myth

The likelihood of someone intercepting card numbers during an online sales transaction is extremely small. Most companies that sell online use secure communication channels (SSL) when sensitive data is transmitted between the consumer and the web site. The greatest risk, as we discussed, is theft of credit card data and information – your information – from storage points on a company’s website. Why this is happening is simple. These breaches occur when company sites employ weak security measures that in the hands of experienced hackers is easy to penetrate. Once in, they can be lurking and hiding in the system for years looking for holes until one morning a company CEO wakes up to the dreaded phone call that the network has been breached.

What organizations can do?

Organizations need to take a holistic approach. This means data and identity protection and in the event of a breach, disaster recovery.

One step is to hold true to the Payment Card Industry (PCI) compliance standards. Most card companies demand that retailers pass rigid security audits before they can utilize their cards at point-of-sale. I say, “hold true” because companies who have been hacked often point out they were in compliance.

Along with Target and Neiman Marcus, Hannaford Brothers WorldPay and Heartland Payment Systems made the grade, but were hacked months later. While PCI sets the standard, it isn’t a panacea nor does it guarantee network security.

Security begins behind the desk.

Employees need to be educated on what to look for when dealing with networks. Social engineering scams, fake emails, downloading pirated software and non-stop clicking through pop up windows, may all seem harmless, but a network breach could be one click away. Once a fraudster is in the network he will let loose but conceal malware that will weave its way through the network finding holes and then, one day, the phone call comes.

Budgets

The top priority remains, as it was in the past, is adequate allocation of company budgets to data protection. CEOs traditionally are not willing to budget accordingly when it comes to data protection. They believe the threat is real or they think their systems cannot be penetrated.

But the numbers tell a different story.

The cost of the average data breach per lost record is $136 according to a 2013 Global Data Breach report by Symantec Corp. and the Ponemon Institute. With the average number of records lost per breach reported at $23,647, the average cost of each breach crests over $3.2 million, more than just an annoying dent in small and medium size companies. The problems continue. The damage to brand reputation can sink a company if disaster recovery isn’t immediate, an ad-hoc reaction that could costs millions.

(parts of this article appeared in Money Mag, October 2014)