No Silver Bullet For Data Protection

August 25, 2014 at 8:56 am

On Friday, the Department of Homeland Security issued an advisory urging organizations, “regardless of size,” to “proactively check” for possible infection of their point of sale technology by a data theft virus which steals debit and credit card information as purchases are being made. The catch is that the computer virus that Homeland Security wants merchants to look for has been compromising purchases since at least October 2013, with the result that an estimated 1,000 businesses have been compromised. Brace for phone calls from concerned members and the expense of replacing cards…again!

The latest developments in the data theft wars mean that Target was just the canary in the coal mine and de facto scapegoat for failing to recognize that its Point Of Sale equipment had been compromised during the holiday rush. Now, let’s hope that policy makers and industry leaders don’t make the mistake of thinking that a single technology can prevent systemic breaches from happening again. But I have my doubts.

A lot of analysts were quoted over the weekend as hoping that the latest disclosures will be the straw that breaks the camel’s back and forces merchants of all sizes to convert to payment processors that accept so-called EMV or chip technology. The basic idea is that chip-enabled cards combined with PIN verification provide dynamic protection of payment information. In contrast, that strip on the back of the credit and debit card contains static information and firewalls. Once it is breached, it can be used over and over again by anyone with the ability to replicate the magnetic strip.

A typical quote I read over the weekend was this one in the Times: “The weakness is the magnetic stripe,” said Avivah Litan, a security analyst for Gartner Research. “I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It’s an antiquated technology from the ’60s.”

To be sure, EMV technology is long overdue, but it is no panacea, in part because it has already been around so long. Magnetic cards have been around since the ’60s, but chip technology has been around since the ’90s. Two decades is like a million dog years when it comes to technology. And the cracks in the wall are beginning to show. As this post for the excellent FICO blog demonstrates, cyber theft is creeping back up in Europe again after dramatically declining with the introduction of EMV technology.

In addition, card theft is just one component of cybercrime. As retail migrates to cyberspace, passwords are becoming as good as gold, as I pointed out in this blog about a huge criminal operation intent on stealing as many passwords as possible.

My point is that there is no silver bullet technology. EMV technology makes sense, but if it comes at the expense of another generation of merchant inaction, it’s not a price worth paying. At the risk of being redundant to my faithful readers, we need a true national commitment to fighting cybercrime, both in terms of increased government spending on a robust security infrastructure and laws that make merchants responsible for using reasonable care to prevent and deter data breaches. This standard will force merchants to change security protocols as the technology does or face the consequences.


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
