What if someone told you that you could save your organization nearly half a billion dollars and the reputational cost associated with suffering a data breach? And that all you had to do was just recognize, in real time, the abnormal activity that is a cybercriminal at work – and then act on that knowledge using a variety of tools and techniques that could shut down the fraudster much sooner?
Two executives from the technology company Brighterion have some insight on just how to do that. Neil Jones, Director of Sales, and Dr. Thomas Rand-Nash, Director of Operations, joined MPD CEO Karen Webster in a webinar – one that also featured a couple of special guests – to discuss some of the latest and greatest ways to fight fraud on behalf of banks, retailers, acquirers and a host of leading global companies.
CYBERCRIMINALS ARE WINNING
Julie Conroy, a research director for Aite Group, kicked things off by reprising the state of play in cybercrime and some of the cost that organizations suffer for not taking essential actions in a timely enough manner.
Referring to a graphic showing the myriad data breaches that have occurred over the last couple of years, Conroy expressed her point of view that “cybercriminals are winning.”
Merchants are currently at the mercy of “bad guys,” said Conroy, who “don’t need to make a business case to iterate forward their attacks on the financial services value chain.”
Consumers, she added, are also feeling the pain of data breaches.
Even though issuers and merchants absorb a majority of the costs, consumers have to replace their credit cards and deal with a whole new set of numbers. As data compromise begets insecurity, it changes the relationship between consumers and their card issuers, leading to degradation of transactional activity.
“In a card compromise event,” remarked Conroy, “the impacted card goes to back-of-wallet.”
THE DATA BREACH GAME SHOW
Not that cybercrime is a game, but it was an interesting and effective way to make a point.
Webster engaged Jones in a mock game show dealing with the topic of data breaches, following the “Jeopardy!” model by which she provided the answers and he responded with the questions.
Q: What is the total number of data breaches that have been reported to the California Attorney General since 2012?
Webster described that number as “shocking,” especially since we don’t hear about them.
Q: How many data breaches were reported to the California Attorney General in April 2015?
Jones pointed out that number is higher than the average, and that – as far as recent incidents of data breaches go – it has “not been as quiet as everyone thinks.”
Asked by Webster how one reconciles that disconnect between what the public appears to believe and what the facts show, Jones responded that the simple answer is desensitization. But there are “pretty big names,” he said, on the list of affected companies on the California Attorney General’s website that are worth taking a look at.
A: 90 percent
Q: What is the percentage of data breaches that affect small merchants?
Jones described small merchants as being an appealingly “soft target” for data thieves because they lack the obvious security that larger companies possess.
“If you’re a small business,” he said, “a data breach could easily put you out of business.”
A: 71 percent
Q: What is the percentage of merchants that were informed by an outsider of their own data breach?
Adding that these “outsiders” could be merchant networks, their acquirers, or even law enforcement, Jones commented that it is “better to find out about [data breaches] yourself than have the local sheriff or FBI knocking on your door."
Q: What is the average cost per compromised card for the issuer?
Webster and Jones agreed that $7.99 per card is a big hit, no matter the size of the issuer.
LESSONS FROM THE HOME DEPOT BREACH
Jones walked Webster and the webinar listeners through the details of the infamous and massive breach that Home Depot suffered in 2014.
It commenced on April 1 of that year, but was not announced until Sept. 2. That’s a total of 155 days open, which falls into the average that Jones shared of 100-200 days. Once the breach finally was discovered, it was closed 10 days later, on Sept. 12.
Asked what was the event that made it discoverable, Jones replied that it was its publication in The Wall Street Journal.
Prior to that, he said, a lot of issuers “had no clue” that the breach had occurred. The news came so suddenly that, in a couple of cases, issuers weren’t even able to reissue plastic for a couple of months because the resources necessary were not in place.
Webster remarked that The Wall Street Journal is “definitely an outsider you don’t want notifying you of a problem. You don’t want to be in that headline.”
THE 5 STAGES OF A MERCHANT DATA BREACH
Referencing another graphical slide, Jones walked the listeners through the five stages of a merchant data breach:
1. Perimeter security.
As it’s the first opportunity to halt criminals when they’ve gotten into a network, Jones stated: “If you can stop them at that stage, it’s really good.”
2. Intrusion detection.
Asked Jones regarding this stage, “Do you have a solution in place that can actually spot that intrusion into your IT systems, or POS systems of your business?”
3. Endpoint security.
"They’ve gotten over the top; they’ve gotten into the system,” is how Jones described this stage. “Can you actually stop them and spot them as they’re doing bad stuff such as loading malware onto your centralized systems to be dispatched out to all of your POS [systems]?"
4. Exfiltration detection.
“This means they’ve got in,” said Jones. “They’ve got the numbers, Can you stop them extracting those card numbers, that personal information, from your system?”
“If all of those solutions fail,” lastly, there is:
5. Fraud prevention.
Said Jones, “They’ve exfiltrated numbers; they are now selling them on the dark Web to folks that can turn them into plastic cards.”
This, he revealed, is where Brighterion’s iDetect technology fits in.
THE TECHNOLOGY OF iDETECT
At this point, Rand-Nash took over, outlining the workings of the Brighterion iDetect system, which operates with two components: a real-time risk-scoring engine and real-time merchant profiling engine.
After reviewing the technical details (all available on slides as part of the presentation), Rand-Nash stated that the ultimate goal “is to take all those transactions that we’ve scored from the scoring engine and then identify which particular branches – which merchant locations – those individual transactions correspond to, and then we’re able to identify which branches we think…the breach took place in."
Webster shared her perception that iDetect seems to exist based on the assumption that “cybercriminals are going to be smart enough to find their way into the system no matter what we do to try to keep them out."
Responded Rand-Nash: “It’s our position that it’s not a matter of if, it’s a matter of when.”
The impetus for iDetect, he said, “is to try to shorten the exposure as much as possible.”
Asked by Webster to provide details on how scoring engines and profiling engines get smarter as more transaction activity is acquired, Rand-Nash described the process of “adaptive learning."
Adaptive learning takes place in two different dimensions: one is the ability to identify behavior as soon as it starts to deviate from baseline, and the second is the ability to “learn from mistakes.” In that scenario, explained Rand-Nash, false positives are fed back into incremental learning algorithms and models get updated in real time.
THE “SHOW ME THE MONEY” MOMENT
Webster prompted Jones to show what would happen if iDetect had been in place for Home Depot when it suffered the aforementioned breach.
In the simulation study that Jones presented, the 155 days during which the breach was open became 5 days. This average, noted Jones, fits into the median range of 4-10 days that Brighterion has determined in its testing of iDetect.
He explained that iDetect is able to achieve such a drastically smaller number because it catches fraudsters during the period that they are using stolen cards to run small test transactions.
LISTENER QUESTION #1
Drawing from the listener questions coming in, Webster posed the following one to her guests:
If [iDetect] creates such a dramatic change, and reduces the cost so dramatically of a breach, why isn’t a required piece of technology or a process on the part of the merchant and the payments ecosystem?
According to Jones, Brighterion is “having discussions with acquirers and merchants about bringing the solution on board, and making some pretty rapid progress with some of each type,” as well as with issuing banks.
"If an issuer can spot that there’s a data breach at merchant X very, very early, they can do two things,” continued Jones. “Firstly, they can perhaps contact the merchant and say, ‘Hey, I think you’ve got an issue,’ and that helps everybody. The second aspect is until that breach is closed…increased sensitivity can be applied."
SPECIAL GUEST STAR
To answer Webster’s question of whether or not Brighterion is currently in discussions with merchants about making a system like iDetect a requirement, Rand-Thomas introduced a “special guest star” to the proceedings: Ian Belsham, Head of Operational Risk at Worldpay UK.
Belsham told Webster that his company is indeed currently looking into the technology. Worldpay, he said, is working with Brighterion to understand how they could implement iDetect and “push it out across [their] portfolio of merchants."
WHAT HOME DEPOT WOULD HAVE SAVED
As a follow-up to his “show me the money” moment, Jones presented further details about the results of the iDetect simulation.
It led to a 95 percent reduction in total number of cards compromised, a 98 percent reduction in estimated issuer losses (which Jones noted “absolutely destroys” the value for criminals), and a 98 percent reduction in insurer losses.
These percentages mete out the hard numbers on what Home Depot would have saved by using a system like iDetect: 53.2 million cards, $438 million for issuers, $29.4 million of the chain’s own money in Q4.
WHAT ABOUT EMV?
While acknowledging that the numbers from the iDetect simulation are impressive, Webster challenged her guests to explain the long-term value of such a system when EMV is already in place to keep cardholder credentials secure.
In response, Jones pointed out that EMV breaches have occurred – he shared an anecdote about a merchant who experienced such fraud – and stated that he expects to see a “huge spike” of similar instances following the EMV mandate deadline in October.
Additionally, Conroy pointed out that “EMV does nothing to encrypt the data after it’s been read.”
LISTENER QUESTION #2
If I’m a merchant, and iDetect is something I’m interested in, is there a requirement to provide all customer card numbers as input to the analysis engine? How does that work?
Jones fielded this question, explaining that “all we need to know is their merchant IDs,” so customer card numbers are not shared.
WRAP UP SLIDE
Wrapping up the webcast, Jones summarized the key points of iDetect.
With regards to the compression of open-breach time to 5 days, he noted that the “closest competitor is about 9 to 10 times slower.”
iDetect, said Jones, saves issuers, merchants and insurers over 90 percent of their total losses from data breaches, in addition to preventing brand damage from negative media attention and, lastly, increasing revenues for acquirers who resell the technology to merchants.
To listen to the full discussion, view the video below.