American poet Taylor Swift noted in her classic work “Shake It Off “The haters gonna hate (hate, hate, hate, hate), and the players gonna play (play, play, play, play).” However, if she was really on top of the trends, she might also have added and the “Cyber thieves gonna steal, steal, steal consumer data, data, data, data.
Admittedly this might have made the song somewhat less catchy. And, unfortunately, unlike the haters and the players, the international cybercriminals are proving a rather difficult group to just shake off.
In the last week, the nation’s second largest health insurer, Anthem Inc, was breached, allegedly by a Chinese cyber crime ring known as “Deep Panda.” Though the full depth and breadth of the breach is unknown, as many as 80 million Americans could have had their social security numbers, email addresses, name and physical addresses compromised in the latest attack.
In the “thankful for small favors category,” no payment card details were compromised – but the errant social security numbers leave open virtual buffet of fraud options. Even if these numbers never go up for sale on the black market, which they likely will since they fetch a lot of money, this latest breach points to a problem that the industry’s foremost security experts have been talking about now for a while – cyber criminals are adaptive, like what they are doing for a living and will find new ways to ply their trade if one avenue gets shut off.
Data Breaches 1.0
The list of retailers that were breached in 2013 – 2014 is so numerous that naming them has become the payments industry equivalent of being asked to list the names of Snow White’s Seven Dwarves: Target, Michaels, P.F.Chang, Dairy Queen, Neiman Marcus, Home Depot, K-Mart – that’s the top seven and there were over 700 others.
While there were variations in exact methods, the MO was generally consistent during the year of the retail hack – cybercriminals found a backdoor method to implant malware that stole unencrypted data stored at the POS – card numbers, customer names etc.
However, if 2014 was the year of the breach, it was also the year of the security solution. Or better to say solutions, since during over the course of the year, we’ve covered any number of experts, who if they agreed on little else in payments, were in complete agreement that there is no silver bullet solution when it comes to keeping payments secure. Instead, a combination of approaches is what mitigates the risks of fraud.
The options: EMV, tokenization 3-D secure, P2PE seem to be the collective favorites within the payments ecosystem and the consensus is evolving about how to mix and match and even sequence the layers of security needed to best combat data fraud in payments. Said simply: through a variety of methods we can make it much harder to hit the POS systems and make any data that is stolen totally useless – thus making cyber attacks harder and less desirable.
But in the words of First Data’s SVP of Cybersecurity Paul Kleinschnitz, who spoke last year at The Innovation Project 2014, “Improving payments data security isn’t going to inspire a generation of cyber criminals to teach math in Belarus. If we lock the front door, they will come in through a window."
Comforting it is not.
Data Breaches 2.0
2015 is getting off to an equally rocky start with this week’s announcement of a massive data breach at Anthem.
“We are working around the clock to determine how many people have been impacted and will notify all Anthem members who are impacted through a written communication,” Anthem said in question and answer page released about the breach. The statement further noted the company had been the victim of a “very sophisticated external cyber-attack."
In statement published on the company’s website Anthem CEO, Joseph Swedish, attempted to re-assure members and clarify exactly what types of data had been breached.
“These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.
In the days since the breach was public, it has been widely speculated that the hack originated in China. Adam Meyers, vice president of intelligence at Crowdstrike, told Bloomberg that this recent breach fits the pattern of a Chinese hacking unit called “Deep Panda,” that has over the last half year or so been targeting both the healthcare industry and defense contractors. Chinese government officials strenuously denies the allegations.
On first glance this might almost look like a reason for payments and retail players to celebrate, as long as they aren’t Anthem customers that is. After all, cyberthieves didn’t get any card information this time. And, it looks like the elite Chinese hackers weren’t even really targeting it, according to Bloomberg.
That’s good, right?
Maybe not. That draft you are feeling is that open window that Kleinschnitz, forecasted at IP 2014 starting to chill the payments ecosystem.
With social security numbers, email addresses, name, address, phone numbers, medical ID numbers, birthday, and income data they actually didn’t have to. Those clever thieves have all they need to create new identities and open up brand new accounts that they can use without ever having to get their hands dirty with hacking into the merchant POS. As of right now, there’s no evidence that the data stolen in the Anthem breach has been used in such a way. But that it could be used that way is undeniable.
And problematic since unlike a credit or debit card, or even a stolen mobile phone – a social security number, sort of like a fingerprint, is not changeable, or at least not easily. Once it is compromised it can only be monitored for the rest of its lifetime, not changed or cancelled.
More worrisome, however, than what was taken in the breach, is why that data was so easy to steal in the first place.
According to reporting in The Wall Street Journal, Anthem stored the Social Security numbers of 80 million customers completely unencrypted. This made it readily readable once accessed by cybercriminals, who got into the database by the use of a stolen employee password.
Scrambling the data might have prevented the theft by making simply making it too difficult to be profitable. So why not scramble?
Encryption also makes it harder for Anthem to track health care trends or share data with states and health providers. What’s more, they aren’t required to under the Federal Health Insurance Portability and Accountability Act (HIPAA) to encrypt data. HIPAA only requires that health insurers “address” encryption in their operations, scrambling data is not required if they determine doing so would impose an “unreasonable burden,” the likelihood of disclosure is low and they have implemented “alternative security measures."
Anthem affirmed that though it does encrypt its data when it’s transmitted, it does not encrypt it to store it.
“We use other measures, including elevated user credentials, to limit access to the data when it is residing in a database,” an Anthem spokesperson said.
Unfortunately, it seems, hackers found a way around those “elevated user credentials” by stealing a password. And while it might be easy to pile onto Anthem as the latest data breach victim – particularly when it is unknown exactly how many of the 80 million or so possibly breached social security numbers (~25 percent of the U.S. population) were actually breached, this new breach actually points to a bigger and more serious problem.
“The healthcare environment is in an unfortunate position: It didn’t expect to be a high, heavy target five years ago, so they didn’t prepare,” said Orion Hindawi co-founder and chief technology officer for Tanium Inc., a Berkeley, California-based security firm that is used by banks, healthcare and other companies. “They didn’t expect to have advanced threats from nation-state actors targeting them."
And so presents the eternal problem of the securing any information – payments, personal or otherwise – from persistent thieves: when the front door is locked, a smart burglar finds an unlocked window. It seems that the only choices are to resign oneself to being robbed, or to find a way to make some big changes to how data is secured.
Good news, you don’t have to resign yourself to being robbed.
It’s an issue that’ve we thought about a lot at PYMNTS. Cybercrime is a business and business operators are in it to make money. Tackling fraud at the POS is only a very small part of the much bigger picture that we face as an industry. The Anthem breach is a stark reminder, as is the flag being raised by many over the risks of distributing identity and other consumer credentials across the many devices that represent our future as the Internet of Things evolves and consumer’s identities, not just their card credentials are made more and more distributed.
The question of “what should we do differently” is one of the conversations we are teed up to have at The Innovation Project 2015 this year. We’ve asked the man who had to think deeply about this problem in the aftermath of 9/11 as the Director of NSA and the U.S. Cyber Security Command, General Keith Alexander. He and some of the keenest minds on this topic, including the COO of the company who was quoted in the Wall Street Journal article as being called in to help Anthem – Kevin Mandia from FireEye, will debate how to stay one step ahead in the “From Authentication to Identity” discussion planned for March 19th.
“We had no way to connect the dots,” Alexander famously said told a reporter from The New Yorker last year when he was asked to describe a key failing of the U.S. government’s security efforts in preventing 9/11.
When it comes to cyber security however, the payments ecosystem is getting much sharper at connecting those dots.
At last year’s Innovation Project, we predicted this year’s problem. This year we’d like to think that we can use the collective wisdom of our panel and our delegates and help solve next year’s problem.