Ahead of a huge influx of in-store and online transactions expected on Valentine’s day, retailers and restaurants need to be especially vigilant when it comes to protecting consumer data.
Delving into this topic, Ruston Miles, chief strategy officer at Bluefin, explains ecommerce firms and retailers in general can avoid a Valentine’s data breach with tactics like de-identifying consumer payments information. Miles has over 20 years of payment security expertise, including point-to-point encryption, end-to-end encryption, tokenization and EMV.
Digital Journal: How significant are cyber-threats and data privacy issues for the typical Internet user?
Ruston Miles: Large-scale breaches are constantly making headlines in the news, and have been for the past decade. And reported breaches are just the tip of the iceberg. For every large company that makes the headlines with a breach, there are thousands that go uncovered or worse, undiscovered. Personally identifiable information (PII), personal health information (PHI) and payment card information (PCI) are very valuable to hackers because the data can be sold on the dark web to fraudsters who go on to perform identify theft or to use the information to make purchases, take out loans or conduct all manner of fraud. This can be very costly and disruptive for breached consumers.
DJ: Where do most of these threats come from?
Miles: Most of these threats are coming from places around the world like Russia, China, Africa, and South America. And once the data is compromised, it is being sold on the dark web internationally. The Internet is a global connector, which is one of its greatest strengths. However, the web makes it that much easier for hackers to access users and computers around the world as well.
DJ: What are hackers trying to target the most?
Miles: In the dark economy, the hackers are the suppliers and the fraudsters are the buyers. Hackers want to monetize the data they compromise as quickly and as easily as possible. Not only does it mean they get to the money faster, but it also lowers their own risk of getting caught with the data. For this reason, hackers often go for credit and debit card information, also known as payment card information. This is because card data can be easily sold on the dark web to fraudsters. This compromised card data is generally sold for between $40 and $80 per record. With this information, a fraudster can purchase goods on the web with average price points of $500 to $1,000.
There are, however, fraudsters that specialize in going well beyond buying card numbers and making large purchases. Specialized fraudsters will buy personal health information and personal financial information to steal the identity of an unsuspecting victim. These records can sell for $350 or more on the dark web and the fraudsters use them to make extremely large sums of money.
DJ: What types of tactics are hackers using?
Miles: Hackers will use man-in-the-middle attacks (MITM), Malware attacks and the recently popular Magecart or card-skimming attacks to take data from unsuspecting consumers directly. However, most of the large-scale breaches of consumer data have come not from directly attacking consumers, but from attacking a company that has a great deal of this information aggregated in one spot. Aggregators include financial and healthcare institutions, universities, retailers, merchants, hotels, restaurant chains, and even federal, state and city governments.
DJ: What technologies can businesses use to help protect consumers?
Miles: At a very minimum, businesses should protect sensitive consumer data with encryption as they move the data around their systems to support the purchasing process and tokenization if they have a business need to store it after the sale is complete. Specifically, the encryption I’m talking about here is PCI-validated P2PE (point-to-point encryption) or data level encryption. P2PE encrypts payment card data in firmware at the point of entry. This protects that data from any apps, networks or systems it comes in contact with along its journey that may be compromised by a hacker.
Many businesses think it’s enough to simply encrypt the communication with TLS/SSL and digital certificates. However, hackers often compromise the data before it reaches the network communication level or after it has been communicated on the receiving side. I would bet that 95% of all of the major breaches that have occurred over the past 10 years had communication encryption like TLS/SSL in place. However, I can also bet that absolutely none of them had PCI P2PE in place to encrypt the data in firmware. After breaches, there are many expert websites out there that profile what and how the breach took place. It is a recurring theme in both the articles and the comments that P2PE should have been in place but wasn’t.
DJ: What can consumers do in terms of seeking better online safety?
Miles: The power to make online transactions secure lies more so with merchants than consumers. This is because most of the breaches happen to the businesses that provide the consumers online and in-person services. There have been industry guidelines and compliance standards in place for more than a decade. For example, the PCI SSC (Security Standards Council) has had a major impact in increasing the security for businesses that accept credit cards and their customers.
In order to better protect consumers, the EU has enacted the GDPR. This provides a very big stick to push businesses to a higher level of security and protection. That stick is, of course, fines. Under GDPR, Marriott faces a $123 million fine, British Airways’ fine comes in at $230 million and Google got slapped with a $57 million fine.
The US is now creating data protection regulations, the first of which is coming in the form of the CCPA. In February, CCPA posted a class action lawsuit against Salesforce and Hanna Andersson company for a recent data breach.
What comes of this, we will see. However, through a combination of industry compliance standards and government regulations, businesses are being forced to adopt a stronger data security stance in the protection of consumer privacy and personal information.
