How Banks Are Reacting In the Wake of the Home Depot Disaster. How Breaches Affect Consumers. And What Was Learned from Target’s Response?
Natural disasters such as tornadoes, hurricanes and earthquakes or man-made disasters like major data breaches share one thing. When they’re over, somebody has to clean up the mess and attempt to put things right. In her thoughtful and far-ranging piece on forbes.com, Paula Rosenblum explores how it’s believed the Home Depot breach was carried out, what was learned from the Target breach experience that might be applied to this latest breach, how banks and consumers are reacting and much more. The following has been excerpted from Rosenblum’s article and edited to fit our format. You may find the complete story by clicking on this link.
The technique [the cybercriminals] used to grab the data was similar to, but not identical to, the one used at Target. It’s called “skimming,” and can take several forms. In earlier days, thieves would place a hardware chip inside payment terminals and capture the keystrokes entered during every transaction. Now, they’ve written software to grab the data as it comes in. We know how the thieves got into Target’s main systems in the first place. Thus far, the technique they used to get into Home Depot’s network has not been exposed, nor have the techniques they used to exfiltrate (remove) the data from Home Depot’s systems been revealed.
The bad guys got there first
Sadly, Home Depot had already started taking steps to mask (or encrypt) the data as it passed through these credit card terminals, but the crooks beat them to the punch. This is a familiar story…institutions improve security methods, but criminals evolve faster.
Target — not a good role model
The question being asked now is “What will consumer response be?” By all accounts, Target handled its data breach badly. Rather than replace potentially compromised co-branded “Red” debit and credit cards, it opted to put dollar limits on suspect debit cards in the middle of the shopping season. Shoppers often learned this as they were checking out of another store, preparing to pay for holiday gifts.
This was the worst possible response given the time of year. The enmity against Target can still be seen in the comments section of any piece that discusses data security, or even mentions the word “Target.” So what’s the right approach?
A better approach
I spoke with Jon Delano, a reporter for …CBS affiliate KDKA [who said] a small regional bank, Dollar Bank, acted quickly to replace all the potentially affected customer cards. The [Wall Street Journal] reports that J.P. Morgan Chase and Capital One have already started replacing cards as well.
Pick your poison
In truth, in times like these, a consumer and a bank have to pick their poisons. It costs banks money to replace cards. And when you’re talking about 36 MILLION cards, you’re talking about a lot of money. And it’s not all that much fun for consumers to replace their cards either.
Mr. Delano observed how inconvenient it is for consumers when their credit card numbers are changed. One of the ironies of today’s “omni-channel world” is that consumers have credit numbers on file at all kinds of institutions, for all kinds of payments. From electric companies, to retailers like Amazon.com, consumers are exhorted to “go paperless,” “pay electronically,” anything that will ensure payments come in on time and that they won’t have to look up credit card information every time they make a purchase.
While Dollar Bank has opted to pick the inconvenience, Mr. Delano reports the PNC Bank…is taking a “wait and see” approach….
This is the decision banks have to make now: issue new cards which will be costly and create an inconvenience for customers, or wait and see, and risk serious consumer backlash.
Uh-oh, are we talking conspiracy theory?
Meanwhile, the timing of this breach is interesting, because it comes just after the introduction of Apple Pay. Suddenly, with this breach, the notion of not exposing credit card information to individual retailers, regardless of how large, starts to seem appealing to shoppers.
Banks are certainly lining up behind the initiative. Since roll-out, Chase, Bank of America, Citi and others have all thrown their full support behind Apple Pay. While banks may be ambivalent about their response to credit card theft, they’re very un-ambivalent about Apple Pay. After all, just like the use of debit cards has eliminated a boatload of paper check processing, the use of mobile payment technologies has the potential to eliminate a lot of plastic. A cardless world seems more interesting by the day.
But that’s the future. Today, we’re dealing with a real data security problem. At the end of the day, the consumer will cast the final vote. Some banks are taking calculated risks. Others are just paying the money, replacing cards and carrying on.