Global Payments was considered PCI-compliant until hackers stole 1.5 million account numbers from it. So were two other breached processors. Banks may have to assume no third party is secure.
April 2
Consumers still have faith in payment cards, but Global Payments Inc.'s massive data breach will make life tougher for issuers trying to reassure audiences that all is well.
News of the event rippled across mainstream websites over the past weekend, reawakening consumer and industry concerns about the risk to millions when criminals expose sensitive data, says Mike Urban, director of financial crimes solutions at Fiserv.
"It's clear the fraud problem is not going away, and major breaches are not slowing up like we were sort of hoping," he says, referring to a lull in major data breaches that appeared to be setting in during portions of 2010 and 2011.
The payment industry over the past few years has made big strides in protecting data against major breaches after the massive Heartland Payment Systems breach in 2008, Urban notes.
"But after Heartland, last year we had the Sony breach, and now this one, which proves this problem is ongoing."
Moreover, "while really large breaches are still taking place, a lot of little data breaches have continued, and all evidence suggests those too are escalating," he says.
The consumer backlash and general corrosion of trust in payment cards is difficult to estimate, but some observers believe each major breach undermines perceptions of payment systems' integrity, which hurts adoption and use.
"This breach is not an isolated incident and will cement the idea in many consumers' minds that credit cards are, in some sense, untrustworthy," says Terence Spies, chief technology officer at Cupertino, Calif.-based Voltage.
Global Payments' breach is particularly "tragic," Spies says, "because most of the industry has been working hard on building security and encryption [services] that will make these kinds of breaches much, much less frequent. In this case, it looks like an attacker found a point where those measures were not being employed."
What is the risk to cardholders whose data were exposed?
Global Payments on March 31 said criminals accessed only "Track 2" magnetic stripe card data, including cardholder account numbers. Criminals did not get cardholders' names, addresses and Social Security numbers, the processor said.
In the past, "criminals have used such data to purchase (typically high-value) goods online, had them shipped to a third party, who then forwarded the shipment on to the real destination, usually in another country," says Andrew Brandt, director of threat research for Solera Networks Research Labs.
"The third-party shippers usually believe they are engaged in some sort of 'work-at-home' scheme, unaware of the criminal activity. The goods can then be sold, and the criminal pockets the proceeds," he says.
Another way criminals abuse card data is to "sign up the user for some sort of service which incurs a small monthly charge," Brandt says. "The charges are typically low enough to fall under the threshold for fraud detection for some time, but in volumes that can earn the criminals a lot of money. As cardholders begin calling banks to complain about the charges, the fraud investigation then will identify the charges, but sometimes they aren't detected for some time."
"And if physical goods or products exchange hands as a result of the fraud, the losses usually end up in the laps of the business(es) that sold the goods or products. …The retailers are the largest potential victims here," Brandt says.
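The low-value recurring-charge scheme Brandt describes above is one an issuer's fraud team can catch in aggregate even when each charge sits below a per-transaction threshold. The following Python is an added example, not code from the article or from any firm quoted in it; the card tokens, merchant IDs, amounts, review date and merchant first-seen dates are all constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample (hypothetical card tokens and merchant IDs, not real data).
# Each tuple: (card_token, merchant_id, amount_usd, posting_date).
def _monthly(card, merchant, amount, months):
    return [(card, merchant, amount, date(2012, m, 5)) for m in months]

SAMPLE_TXNS = (
    _monthly("card-0001", "NEWSVC-77", 4.99, [1, 2, 3])   # new merchant, same small
    + _monthly("card-0002", "NEWSVC-77", 4.99, [1, 2])    # amount on many cards
    + _monthly("card-0003", "NEWSVC-77", 4.99, [1, 2])
    + _monthly("card-0004", "OLDSUB-01", 9.99, [1, 2])    # long-established
    + _monthly("card-0005", "OLDSUB-01", 9.99, [1, 2])    # subscription service
    + _monthly("card-0006", "OLDSUB-01", 9.99, [1, 2])
    + [("card-0007", "GROCER-12", 61.17, date(2012, 1, 5)),  # ordinary spend
       ("card-0007", "GROCER-12", 48.02, date(2012, 2, 3))]
)
# Hypothetical date each merchant first appeared in this issuer's portfolio.
MERCHANT_FIRST_SEEN = {"NEWSVC-77": date(2012, 1, 5),
                       "OLDSUB-01": date(2009, 3, 12),
                       "GROCER-12": date(2008, 6, 1)}
AS_OF = date(2012, 3, 31)  # hypothetical review date

def per_transaction_alerts(txns, threshold=50.0):
    """Classic single-transaction rule: alert only on charges at or above threshold."""
    return [t for t in txns if t[2] >= threshold]

def recurring_small_charge_merchants(txns, first_seen, as_of, threshold=50.0,
                                     min_cards=3, min_repeats=2, new_days=120):
    """Aggregate rule: merchants new to the portfolio that bill many distinct
    cards the same sub-threshold amount on a repeating basis."""
    by_merchant = defaultdict(lambda: defaultdict(list))  # merchant -> card -> amounts
    for card, merchant, amount, _ in txns:
        if amount < threshold:
            by_merchant[merchant][card].append(amount)
    flagged = {}
    for merchant, cards in by_merchant.items():
        recurring = {c for c, amts in cards.items()
                     if len(amts) >= min_repeats and len(set(amts)) == 1}
        seen = first_seen.get(merchant, as_of)  # unknown merchant counts as new
        if len(recurring) >= min_cards and (as_of - seen).days <= new_days:
            exposure = sum(sum(a) for c, a in cards.items() if c in recurring)
            flagged[merchant] = {"cards": len(recurring), "exposure": round(exposure, 2)}
    return flagged
```

The per-transaction rule fires only on the grocery charge, while the aggregate rule surfaces the new merchant billing three cards the same small amount and leaves the established subscription service alone.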
The possibility also exists that criminals may not take any immediate action with stolen card data.
"The oversaturation of black markets with stolen credit cards has reduced the value of pilfered cards," says Brian Contos, customer security strategist and senior director, Vertical and Emerging Market Solutions, McAfee.
As a result, it is likely that "many cybercrime organizations are sitting on stores of stolen credit card information awaiting the improvement of market conditions before they sell them," Contos suggests.
And if an organization has not yet detected a breach, "in many of these cases, it is likely that nobody is aware that those credit cards have been compromised," he adds.
For issuers, the cost of reassuring customers and responding to potential losses will be an administrative headache, Spies says.
"Most people will be at least thinking of checking recent transactions on their credit cards in the wake of this breach," he says.
Financial institutions "generally take the brunt" of card-fraud losses, Urban notes. "They will make their customers whole, but the very broad publicity about these breaches hurts reputations," he says.