Last night on 60 Minutes there was a segment on credit card fraud in America. The news segment included interviews with some interesting industry professionals. The first interview was with Dave Dewalt, CEO of FireEye. Mr. Dewalt said that 97% of companies experience security breaches. I don’t believe that the security breaches Mr. Dewalt is talking about in this statistic are solely financial in nature. However it does make one stop and think about securing card holder data. Breaches of this variety cary penalties in the millions, and also represents a significant financial burden to card issuing banks as well. Mr. Dewalt also confirms a statement by the interviewer, Bill Whitaker, that the average time between infection and detection of malicious software on company networks is 229 days! FireEye is an interesting cyber security company worth checking out; if even only for the live Cyber Threat Map on their homepage. (www.fireeye.com)
Brian Kerbs was also interviewed for the segment. He writes a cyber security blog read by many professionals within the financial arena. (www.kerbsonsecurity.com) A part of what Mr. Kerbs does is search the dark corners of the internet where batches of credit card data called “dumps" are available for purchase. He often is the first one aware of security breaches and has alerted many companies to breaches that had gone undetected. Using these dumps and some fairly accessible card stock, and printing/encoding hardware, a person with some intermediate computer skills would have all they need to start swiping and signing on a victim's account.
Another interesting contributor to the segment was Mallory Duncan, Sr. VP and General Council, at the National Retail Federation. (www.nrf.com) His comments went right to the heart of the problem for retail merchants and issuing banks. He can be quoted as saying that our current magnetic stripe cards are the “underlying problem,” and that they are “fundamentally fraud prone.” The light at the end of the tunnel for banks and merchants is the EMV chip card. Finally, because of newer cryptography methods, and the inclusion of a more secure card holder verification method; it will be nearly impossible for cyber thieves to breach networks and steal usable data to the extent they are now. The biggest benefit to the bank that issued the card is that updates can be sent to the chip on the card every time it is inserted into a terminal. The ability to update user’s cards in this fashion does away with the financial and logistical hardship of having to send out new magnetic stripe cards every time a possible breach occurs.
We have seen what implementing EMV in other regions of the world has done to fight fraud. This time next year it will be interesting to see how the number of fraudulent transactions and breaches involving stolen credit card data stacks up against 2014’s numbers.
The entire 60 Minutes segment and transcript can be viewed here.