Data Assurance - A Question of Best Practices In the Wake of TJX Companies Intrusion Event

In May, the American Banking Association will hold its Information Security conference in Arizona. Security officers from every bank of consequence will gather under the warming desert sun eager to share, discuss and examine their security concerns for the coming year. What do you suppose the hot topic will be? We are willing to bet that the TJX Companies database breach debacle will be center stage in their discussions and provide the fodder for intense scrutiny of a security plan gone terribly wrong.

If you haven t heard about the TJX cybercrime, search the archives of Forbes, The Wall Street Journal, or InformationWeek. There is plenty to read and discuss. The attackers were in this case

were gutsy, organized and technologically savvy. They perpetrated the perfect cybercrime a grape attack. Much like the shopper who steals a couple grapes off the fruit stand at the market, no one notices until the stalk is bare. In this case, no one noticed until an untold number of credit card accounts were stolen and pilfered for a few hundred dollars each. Most of the transactions were in relatively small amounts, so to fly under the alerting radar. When and if these perpetrators are caught they probably should be rewarded for once again shaking the cybersecurity tree and waking up the occupants.

The ramifications of this cybercrime will be discussed and felt for

several years to come. The discussion will move from What happened? to How bad was it? to What in the world do we do now? It is the last question that should concern us most. The Us in this case refers to consumers, banks, and retailers. Should we be concerned? Yes. Who is to blame? It doesn t matter. Despite whoever is to blame this time, it will be someone else next time. What we need to do is eliminate the NEXT time.

Keep in mind, these criminals are smart. Their success confirms what many of us in the information security industry know a complete

cyber security solution does not exist. Anyone who claims otherwise should be jailed with these hackers for misleading the general public. That being said, certain actions can be taken to protect individuals and make the prospect of cybercrime so arduous and so unrewarding that the risk may outweigh the return.

Eliminate the storage of credit/banking information

Smart retailers, virtual or brick and mortar, should adopt one policy immediately. Do NOT save credit card information. There is no need for it. If someone can come up with a good explanation as to why this information has to be retained, we would like to hear it. We all would.

We understand that retailers are looking for ways to make our

shopping experience easy (read impulsive) but it just got a little too easy. The only way to absolutely insure that this proprietary information is not stolen is to not store it in the first place. In reality, there is no good reason why any retailer should store full credit information pertaining to anyone other than holders of the company s own credit cards. Moreover it would behoove retailers to look into personal identification number (PIN) based systems and the split storage of account number, consumer information and PINs. The compromise of one database system should not yield a complete dataset.

Consumers should cringe when a website asks to keep credit card information online and immediately reply in

the negative. One can only hope every other retailer who is storing credit card information immediately instructs their staff to delete it all!

Note to Congress: Please make the storage of credit information for non-retailer accounts illegal and be done with this issue once and for all.

Adopt widespread use of alias accounts

Repeat after us, PayPal got it right.

Much like the necessity to store credit card information, the need to actually use any credit card linked to a bank account is essentially flawed. The whole idea of a credit card was to have a source of funding that did NOT rely on a bank balance. Debit cards, and the ability to use them

like a credit card (i.e. without a PIN) should have been seen as having a very high probability of risk but instead it was embraced. The allure of increased buying power and the resulting transaction fees clearly outweighed the clear possibility of fraud. The monster that has been created is a current buying culture that can t live without them and one that places the onus of fraud responsibility on the fiscal institutions.

Industry, at every level, needs to take the next step into alias accounts with consumer controlled funding. By giving every consumer a card without a number but rather with an alias, perhaps an alphanumeric, and a PIN/Password the direct link to personal accounts and data

is obviated. This type of card is not linked to a bank account but a holding account, an account that a bank customer can transfer money into ONLY. In order to use the card, funds must be transferred into the holding account by either physical or electronic transfer. These transfers would not be allowed without the direct input of the customers unique PIN/password.

Why an alias? An alias account will protect more than a consumer s money, it will protect their identity.

If this is too much effort, we recommend a visit to your local drugstore. Buy a prepaid and rechargeable Master Card or VISA and use it as much as you wish.

Banks, Blue Dye & Your

Data

File this under the heading of long-term deterrence. How do banks and credit companies stop the widespread looting of electronic data while still allowing normal transactions to continue and without causing their customers any inconvenience? By taking preemptive measures directly focused at making these cyber-thieves the target can financial institutions turn the tide. If banks and credit card companies were to include false and traceable account information within customer data, hacker intrusions would not only be exposed sooner but direct paths could be followed to capture the hackers, Akin to blue dye packs in bank bags, as word of this successful deterrence spreads, data thieves would be more wary of stealing this information.

From a hacker s

standpoint, they would be unable to know whether the data they were using and the money they had stolen would result in a knock on the door or not. This type of data marking would also allow financial institutions to track the source before attackers realized leading to a greater chance of catching them in the act. Word spreads quickly through hacker channels. It would only take a few arrests to turn the tide.

Full Cycle Purchase Authorization

One of the biggest problems with credit cards, in any form, is the ability to use it both remotely and in person. With in-person transactions the issue of fraud is somewhat lessened as other forms of identification may be requested

to verify the user and owner. The real problem however lies in the use of credit remotely. If credit card information is stolen and used to make electronic purchases, how does the vendor, owner or credit card company really know? Today, they do not. All remote transactions are approved based upon the history of the card-owner and the notation of a transaction record. These transactions unfortunately mirror in-person purchases but do not require additional security verifications.

In order to provide a real and consistent level of security, the buyer must be virtually present. This can be achieved by requiring that any purchases made remotely be authorized by the original owner via phone or email

before the transaction is approved and completed. If a credit card owner were to get an inquiry about a purchase they did not make, then that purchase would be cancelled. All remote transactions would remain pending until authorized by the owner. This approach will clearly protect the establishment, the buyer, and the credit company.

Closure

Ultimately consumers and institutions can only hope that at the ABA security meetings in Arizona, the credit and banking industry will act quickly and through a variety of means to more steadfastly safeguard the financial and personal data of us all. Unfortunately none of these suggested approaches are easy to implement without significant work, validation, and consumer training. Efforts ALL worthwhile for our

financial security.

The good news is there is plenty of incentive to make these changes. Banks, credit card companies, and insurers have plenty of reasons to quickly adopt new measures. Not to act would be ruinous as they would surely endure more theft, incur diminished customer confidence and face escalating insurance rates. For financial institutions the prime motivator for change is the bottom-line. Decreases in profit margins are always prime movers. For consumers the prime motivator should be in protection their finances and their identities from misuse and fraud. The only remaining question is whether consumers will see the truth of it and be willing to change their habits in order to protect their bank accounts and

their ability to consume.

Savant Protection is the industry pioneer in preemptive malware spread mitigation and containment technology for all business environments.

Ken Steinberg is the founder and CEO of Savant Protection. He brings a track record of over two decades in computing and high technology. As founder of the company in 2004, Steinberg has responsibility for its day-to-day operations, overall direction, as well as its technological and business strategies. Prior to Savant, he held senior positions with DEC, Hughes, Hitachi, Softbank and at the John Von Neumann Super Computing Center for the National Science Foundation.

James Hickey is Vice President & General Manager for Savant Protection. He is responsible for the company s marketing and strategic partnering strategies. With over 25

years in sales, marketing, and business development, Hickey is directly responsible for the global introduction and launch of Savant technology.