Friday, January 17, 2014

Real Advice for Retailers

The media is now very focused on Target, and the names of the criminals behind the breach. And while that's interesting, I have a great deal of confidence in Federal law enforcement in these cases, and believe that over time the criminals will be caught, the code name for the malware will become a verb, and then the media will lose interest and move on to the next story. Sometimes, the media is doing more harm than good with this story, with continued misinformation, bad advice, and incorrect focus (along with some really bad analogies and comparisons).

At the same time, shoppers are wondering who to trust (and voting with their feet), and merchants are wondering if they are next. That's what I've been focused on, giving a 30-minute on-camera interview to CBS News that was edited down to 30 seconds. So I will reprint that advice here.

There needs to be much more informed public discussion, focusing on the three key things every retailer must do now to avoid being next, and the two things every customer should be doing now to prevent losing even more to this theft.

For retailers:
1) Proactive Incident Response: As Target and Neiman Marcus just found out (along with every victim before them), the time to plan your response is not the second after you get the call, but in the time before the attack. That way, you can build a plan, involve all the right people (tech, security, privacy, legal, comms, exec, compliance, board, business, partners, supply chain, etc.), and craft your response properly. By doing this advance planning, you also get to line up your response team, and get them trained and ready to go, so they are responding within two hours of your call. Advance planning and having access to the trained team where and when you need them are the two critical success factors in every incident response I've been part of over the past 20 years.

2) Layer End-to-End (E2E) encryption and tokenization into your existing payment processing systems now. Avoid recommendations from vendors that say "just add encryption", "get PCI compliant", or "wait for EMV chip cards", as they are too simplistic and won't solve your problem today. With true E2E encryption (meaning the reader head itself encrypts the moment the mag stripe is swiped), the payment card track data is never in your possession, so it's not yours to lose. You can have all the memory-scraping malware you want, but you can't lose what you don't have. But E2E on its own won't work in most retail stores, due to their heavy reliance on back-office data analytics engines that use that track data for their analysis. That's why it's critical to also add tokenization, which converts the encrypted track data into forms and formats that have all the characteristics of card data but no value at all outside of your analytics engines. That way, retailers can have their cake and eat it too: never have the data to lose, still get paid, and still perform all the analytics they need. And as opposed to waiting for EMV, retailers can implement this today, for a tiny fraction of the cost of EMV, and without waiting for the entire population to get new cards and for every other store and processor to agree to pay for it.
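An added example (not from this post, and not any vendor's product) of the tokenization half of that design: a processor-side vault issues format-preserving, Luhn-valid tokens that keep the BIN and last four, so the store's analytics still correlate purchases by card while a memory scrape of the store's own records yields no real card number. The swipe-to-processor hop is assumed to be the E2E-encrypted leg and is not modelled; the card numbers used are the constructed, well-known test PANs.

```python
import secrets

def luhn_valid(digits: str) -> bool:  # standard Luhn check, so tokens pass legacy PAN validators
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def format_preserving_token(pan: str) -> str:
    """Keep BIN (first 6) and last 4, randomise the middle, then pick one digit so Luhn holds."""
    middle = [secrets.choice("0123456789") for _ in range(len(pan) - 10)]
    for fix in "0123456789":  # any single free position can reach every Luhn residue
        middle[0] = fix
        token = pan[:6] + "".join(middle) + pan[-4:]
        if luhn_valid(token):
            return token
    raise AssertionError("unreachable: some digit always satisfies Luhn")

class TokenVault:
    """Processor-side vault (constructed here): the only place a token maps back to a PAN."""
    def __init__(self) -> None:
        self._pan_to_token = {}
        self._token_to_pan = {}
    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same card -> same token, so the store can still correlate
            return self._pan_to_token[pan]
        while True:
            token = format_preserving_token(pan)
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

def merchant_checkout(vault: TokenVault, swiped_pan: str, amount: float) -> dict:
    """All the store's POS and back office ever record: a token plus metadata, never the PAN."""
    token = vault.tokenize(swiped_pan)  # assumed: PAN reaches the vault over the E2E-encrypted leg
    return {"card_token": token, "last4": token[-4:], "amount": amount}

def pans_exposed(records: list, real_pans: set) -> bool:  # would a scrape of store records yield a PAN?
    return any(pan in repr(r) for r in records for pan in real_pans)

def repeat_customers(records: list) -> dict:  # analytics on tokens: spend per card, no card number held
    totals = {}
    for r in records:
        totals[r["card_token"]] = totals.get(r["card_token"], 0.0) + r["amount"]
    return totals
```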

3) Targeted Sweeps: While Advanced Persistent Threats are new to the retail sector, they are not all that new. I've been dealing with them for over 5 years now, at Government, Defense contractor, and financial services clients. In fact, while most commercial products won't find this type of advanced malware, it is possible using tools, techniques, and talent that have been there and done just that; with those, we can usually find the tell-tale signs of an advanced threat well before it does its damage. And, since we know how the bad guys think, we are able to aim the sweep at specific targeted parts of your enterprise, thus getting the results you need in days instead of months.

For shoppers:
1) Call your bank, and get a new credit/debit card right now. Do not wait for your free credit report; go directly to your bank and get a new card. Your old card is being offered for sale on hundreds of 'TOR' boards right now, and crooks around the world are buying them like hotcakes. There are boards that sell them for Bitcoins, and others that will trade nefarious services in return for your card. Even terrorists are buying them to buy their weapons. So the sooner you call your bank and order a new card, the better off you and the planet will be. Run, do not walk, to your bank and get this done now.

2) Beware the scams. They are coming. While the information that was taken can be found in the phone book (or Google) and embossed on the front of your credit card (which by now you've replaced!), you will now be on what is known as the 'suckers list' for years to come. That means you've got to amp up your bull meter and suspect everything you get in email. Remember, email scams no longer look like misspelled hodge-podges from Nigerian princes; they will look and feel like the real thing. So don't do what they say. It's not really from the FBI/USSS/Police asking you to do something... it's scammers that bought your name off the suckers list. It's not really the store that needs you to enter your info into this 'special' victims website... it's scammers that bought your name off the suckers list. If you really feel like you must comply, remember never to click on any link in the email. Instead, open a fresh browser window and type in the URL for the store or agency that you think sent you the email. If it's legit, there will be a message on their site that is more trustworthy.

So retailers: find out if you're next and put a stop to it. Shoppers: change your cards and raise your guards. Oh, and major media: focus some time on helping solve the problem. You can learn a lot from Brian Krebs!