The weakest link

Mary Kirwan

Special to Globe and Mail Update

It seems that Humpty Dumpty has finally had his great fall. And putting him back together again will be a costly and confidence-draining exercise.

His hard landing will also inevitably result in the passing of U.S. federal legislation to mandate the reporting of data security breaches to consumers. Several bipartisan U.S. senators have been increasingly outspoken in recent days, indicating that industry's efforts to self-regulate have demonstrably failed, and that they are determined to take decisive action.

What is all the fuss about?

In what may be the biggest data security breach to date, MasterCard International has revealed that up to 40 million credit card accounts, from several of the major card companies, have been exposed to hackers. There is confusion as to when the breach occurred, and when the card companies and banks were notified. However, reports indicate that Australian Finance Minister Nick Minchin recently told Australia's parliament that several banks in the region had alerted Visa and MasterCard about the fraud in the fall of 2004, and identified the perpetrator as early as January 2005.

MasterCard has confirmed that fraudulent activity has been spotted on MasterCard accounts. It was at pains, however, to emphasize that cardholders will not be out of pocket due to zero-liability rules.

Visa has not identified any anomalies to date, but it is too early to be overly confident on that front. Visitors to the U.S. who made purchases on their credit cards over the relevant timeframe (as yet unclear) may feel the impact of the colossal breach, and would be well advised to keep a close eye on their banking statements.

As soon as the bad news broke, phishing attacks (mass e-mails purporting to be from the card companies, eliciting personal data) were launched by miscreants trying to exploit the situation.

What went wrong?

CardSystems Solutions Inc., a Tucson-based company that processes card payments on behalf of financial institutions and merchants, has been identified by MasterCard as the weak link that broke the mighty chain. MasterCard is working to remediate the security vulnerabilities in the processor's systems that allowed an unauthorized individual to infiltrate its network and access the cardholder data. Sources indicate that the attack may have involved code written specifically to send transaction details back to the attackers.

CardSystems apparently passed a Visa security audit in December 2003, and was certified by Visa in June 2004 as compliant with its security rules. The card companies did not spot serious shortcomings until an independent audit was conducted at CardSystems in mid-May. The credit card companies maintain that the banks are primarily responsible for supervision of third-party payment processors. However, regardless of where the responsibility for oversight lies, it seems entirely plausible at this juncture that a company that processes $15-billion in transactions each year simply fell between the cracks.

CardSystems is, however, only one of numerous private companies that process billions of dollars in payments for U.S. financial institutions each year. The birth of e-commerce saw the emergence of numerous non-bank payment processors. Although they play a significant role in maintaining the integrity of the banking infrastructure, many are unregulated, falling outside the remit of federal and even state banking regulators.

In an official MasterCard statement about the latest breach, the company urged Congress to expand existing U.S. laws that protect consumer data in the financial services sector to entities, such as third-party processors, that are currently excluded.

This plea for help from the mighty card company is unlikely to fall on deaf ears.

Indeed, the mere suggestion that 40 million consumers may be fodder for international criminal gangs must send shudders down the spines of U.S. banking regulators. Incidents of this magnitude clearly have the potential to undermine public confidence in the safety and soundness of the financial services sector as a whole. The financial ramifications of the incident could also be enormous, if credit cards have to be cancelled en masse and if merchants, already suing the card companies over access fees, incur huge chargebacks from the credit card companies.

The New York Times has reported that U.S. federal banking regulators have started an investigation and are speaking to all the players, including the credit card companies and banks that may be involved. International banking regulators are by no means naïve about the risks from e-banking and reliance on third-party service providers, and over the years they have issued numerous prescient warnings about the medium.

Lack of risk mitigation

Although it remains in the realm of conjecture as to how the attackers got access to CardSystems' networks, it seems clear that once in, they found a treasure trove of unencrypted data, ripe for the picking. It included sensitive credit card data that the company should not have retained in the first instance, such as data from the magnetic stripe, and the three-digit numbers on the back of cards — in clear breach of credit card company rules. These latter numbers fetch a high price on the black market, as they facilitate card-cloning operations.
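The retention failure described above is detectable in a processor's own stored records. The following audit and sanitization routine is an added example, not code from the article or from CardSystems; the field names, the sample records, and the masking policy (first six and last four digits) are constructed assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed sample records. The first one retains exactly what card rules
# forbid keeping after authorization: an unmasked card number, the
# three-digit verification code, and full magnetic-stripe track-2 data.
SAMPLE_RECORDS = [
    {"txn_id": "T1001", "pan": "4111111111111111", "cvv2": "123",
     "track2": ";4111111111111111=27121011000012345678?", "amount": "42.10"},
    {"txn_id": "T1002", "pan": "411111******1111", "amount": "9.99"},
]

# Track-2 data begins with the PAN, an '=' separator and a YYMM expiry.
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}")
# An unmasked primary account number is 13 to 19 bare digits.
FULL_PAN_RE = re.compile(r"^\d{13,19}$")
# Field names (assumed) under which verification codes or track data land.
CODE_FIELDS = ("cvv2", "cvc2", "cid")
TRACK_FIELDS = ("track1", "track2")


def audit_record(rec: Dict[str, Any]) -> List[str]:
    """Return one finding per prohibited item retained in a stored record."""
    findings: List[str] = []
    for key, value in rec.items():
        if not isinstance(value, str):
            continue
        if key in CODE_FIELDS:
            findings.append(f"{key}: card verification code retained")
        elif TRACK2_RE.match(value):
            findings.append(f"{key}: full track-2 data retained")
        elif FULL_PAN_RE.match(value):
            findings.append(f"{key}: unmasked PAN retained")
    return findings


def sanitize_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Drop verification codes and track data; mask the PAN to first 6 / last 4."""
    out = {k: v for k, v in rec.items() if k not in CODE_FIELDS + TRACK_FIELDS}
    pan = out.get("pan")
    if isinstance(pan, str) and FULL_PAN_RE.match(pan):
        out["pan"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return out


def audit_store(records: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each offending transaction id to its findings; clean records are omitted."""
    return {r["txn_id"]: f for r in records if (f := audit_record(r))}
```

Running the audit before and after sanitization shows the first record flagged three times and then clean, while the already-masked second record is never flagged.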

However, this is not the first time that credit card company rules on data retention have been breached, and the card companies seem to have been slow in putting a stop to it. In March 2004, a credit card database was stolen from BJ's Wholesale Club on the U.S. East Coast (BJ's is the third-largest membership warehouse club, after Costco and Sam's Club). Approximately three million customer cards were exposed to international crime gangs, who produced counterfeit cards and made millions of dollars in fraudulent purchases.

Numerous East Coast banks had to replace cards and increase account monitoring as a result, at an estimated cost of $10-million. BJ's has recently settled with the U.S. Federal Trade Commission on charges that it failed to provide adequate security for its customer data; that it failed to encrypt consumer information in transit or in storage; that it kept data for up to 30 days in violation of bank security rules; and that it retained data in files that could be accessed using 'commonly known default user IDs and passwords'.

But BJ's woes are far from over. It has been sued by everyone. In August 2004, Reuters reported that Pennsylvania State Employees Credit Union had sued BJ's and its merchant bank, Fifth Third Bank, for in excess of $98,000 in costs for cancelling and reissuing over 20,000 cards. One of the charges against BJ's is that the company retained the credit cards' secret three-digit code, in violation of Visa's merchant rules. The credit card companies are also seeking reimbursement for huge losses.

BJ's is defending the various claims and has sued its technology supplier, IBM, in the hope of mitigating its losses. The Wall Street Journal has reported that retailers were unaware that their software retained the three-digit secret credit card code, and that a wide-scale retailer purge of customer credit card data is under way. It also reported that Visa has met with software suppliers to express its concern. In SEC filings as of May 2005, BJ's has reserved approximately $13-million against outstanding claims relating to the security breach.

However, even more recently, Polo Ralph Lauren was allegedly responsible for a breach that exposed the data of as many as 180,000 customers of HSBC North America holding General Motors-branded MasterCards. HSBC has advised possible victims to replace cards, a costly undertaking. Ralph Lauren is also alleged to have stored the three-digit secret code at checkout counters at 180 stores, but it maintains that this data was retained without its knowledge. The Wall Street Journal reported that it has taken a $6.2-million charge for possible losses relating to the breach.

In light of all of the above, I anticipate a renewed appetite amongst the legal community to chase the software vendors in such scenarios. I predict that their traditional immunity from suit will start to come apart at the seams. Blue chip businesses will simply refuse to be left holding the baby, if other parties exist that conceivably contributed to their losses.

An unhappy epiphany

This latest incident also suggests the unthinkable: that despite their own commitment to sound risk management principles, the banks and regulators do not have a handle on vulnerabilities that arise from complex interdependencies, and that threaten to undermine the security of the entire infrastructure.

And let us reflect on the fact that the banks are at the top of the food chain, and then ask a simple question: What lies beneath them?

As it becomes clear that even the software giants such as Cisco and Microsoft cannot protect their own crown jewels from 16-year-old Swedes (in the case of the Cisco source code theft), I can guarantee you one thing: it isn't pretty.
