What data breach? Are you talking about the one that happened at Heartland in 2009? Or, maybe the Fidelity one from 2011? Again, no?
Oh, you’re referring to the latest one that led to the arrests in New York of several people who fraudulently withdrew $45M from several ATMs.
By now, it should be obvious what’s different about the latest breach. If not, read on.
High-profile breaches in the past, like the ones that hit Heartland Payment Systems and Fidelity National Information Services, involved theft of payment card information. The current one has gone further and has actually resulted in the loss of money. It’s accordingly known as “$45M ATM heist” than data breach.
Like other past breaches into payment information, this one also began as breaking and entering into the databases of several payment processors – including ElectraCard Services and EnStage – who hold sensitive card information of banking customers. The first B&E into ElectraCard Services happened in December 2012 and the second one involving EnStage, in February 2013. At the time, there was little publicity about these breaches, at least nothing that caught my eye. The real media frenzy began only when the scamsters who used the stolen information to withdraw money from ATMs were apprehended in NYC two weeks ago. In other words, this is one of the rare cases of a high-profile data breach that is directly linked to financial losses.
Like an onion peel, details of the present incident are unraveling day by day. I hope we’ll eventually get answers to the following questions:
- Where were the PIN and magstripe data stolen from? (According to its statement, it was not from ElectraCard Services)
- Was the data stolen from inhouse data centers of the payment processors? Or was it located on a “cloud” provided by some third party cloud services companies? Although this might seem irrelevant for a common man, it’s necessary to get into these details so that security professionals can plug the right holes.
- Between the time the security breaches reportedly happened in December 2012 / February 2013 and the ATM heists occurred earlier this month, did the banks involved – National Bank of Ras Al-Khaimah PSC and Bank of Muscat – reach out to all the affected cardholders and ask them to change their ATM PIN numbers?
- How soon were the withdrawal frequencies and limits reset to their original – and correct – values?
I also hope this incident makes it amply clear to regulators that large scale frauds happen as a result of breaches into payment processors’ systems, and not when individual cardholders are shopping online and putting through one-off transactions. Keeping this in mind, they should revisit their present approach of trying to prevent fraud by insisting on cumbersome two-factor authentication for all values of online and mobile payment transactions. Such a procedure adds friction and causes heavy shopping cart abandonment (more on that here) while proving futile when payment information comes under an attack where it’s found in bulk. Instead, regulators should shift their focus to ensuring that payment card information is encrypted and stored absolutely safely. In this context, the CEO of Heartland Payment Systems set the tone by accepting that, when it comes to security levels to be maintained by payment processors, PCI certification is necessary but not sufficient.