Dyman & Associates Risk Management Projects: Preventing the Next Data Breach
The alarming discovery that hackers stole the credit card and personal information of tens of millions of Americans from Target’s computers is yet another reminder of human vulnerability in the digital age. The more practical and immediate lesson, however, is that retailers, banks and other corporations can do far more than they have done so far to protect customers from identity theft and financial fraud.
At last count, hackers had stolen the credit or debit card information of 40 million Target shoppers, as well as information like the names, addresses and email addresses of 70 million customers. Though the company has said little about how its system might have been compromised, experts say the attackers, who may have been based in Russia, inserted malicious software into Target’s poorly secured systems during the holiday shopping season.
It was the latest in a series of high-profile attacks against retailers like T.J. Maxx and companies that process card payments like Heartland Payment Systems.
Many of the stolen card numbers have been showing up on black markets where such information is traded. Some Target shoppers have had to deal with fraudulent charges. Experts warn that things could get worse when criminals start using the personal information they’ve stolen to try to commit identity theft by taking out loans and opening new credit card accounts in the names of Target customers.
Even as the investigation into the origins of the heist continues, Target and other companies must begin investing in better security measures to keep intruders out and in software that will trigger alarms when it detects unauthorized access. A Verizon report on data breaches found that nearly four-fifths of intrusions in 2012 were of “low difficulty,” meaning hackers found trespass remarkably easy.
Companies also need to think carefully about what data they are collecting and storing. By keeping lots of sensitive information, they place themselves and their customers at considerably greater, and in some cases unnecessary, risk than if they had deleted the data or never collected it. To take one startling example, security experts say there was absolutely no reason for Target to have stored the four-digit personal identification numbers, or PINs, of its customers’ debit cards. (Target says the codes were kept in an encrypted file, but hackers have broken open encrypted documents before.)
Retailers and banks can also reduce risk by moving away from cards that use magnetic strips, which are easily faked. Many countries in Europe, Asia and elsewhere have already replaced magnetic strips with chips, which are harder to duplicate. Chip-based cards also require customers to enter a secure code before they can be used. That’s partly why the United States accounts for nearly half of all global credit card fraud, even though it generates only about a quarter of all credit card spending. American retailers, including Target, have resisted (foolishly, as it turns out) the introduction of chip-based cards because they would have to invest in new equipment to handle them. (Target now says it supports chip-based cards.)
No security measure will ever rid the economy of theft and fraud completely. But there is evidence that companies could do a lot more to protect data.