Major U.S. retailers at Senate hearing: hackers have upper hand
Target CFO John Mulligan and Neiman Marcus CIO Michael Kingston told a Senate panel on Capitol Hill that hackers had found ways past their best security practices.
"I think what we've learned ... is that just having the tools and technology isn't enough in this day and age," Neiman Marcus CIO Michael Kingston told the panel. "These attackers again are very, very sophisticated and they've figured out ways around that."
Target CFO John Mulligan said his company was "deeply sorry" for a cyber breach over the holiday shopping period in which about 40 million credit and debit card records were stolen, along with 70 million other records with personal customer data.
Neiman Marcus CIO Michael Kingston said: "Despite significant investment in multiple layers of detection that we had in our systems, we did not."
Both suggested an accelerated move to a new type of payment card known as "chip-and-PIN". These cards store customer information on a computer chip and require the user to type in a personal identification number, making further breaches less likely; they have been in use in Europe for a number of years.
They have met with much less enthusiasm in the United States, in part because losses to fraud - 5 cents for every $100 spent via plastic - have been manageable for merchants and their banks. "Anything that strengthens the security of data is a good thing," said the Justice Department's acting assistant attorney general, Mythili Raman.
But she cautioned: "Malware adapts every day, botnets adapt every day, criminal hackers are early adopters of almost every kind of technology and our challenge is to stay ahead of them."
One piece of the puzzle is security awareness training, because 91% of successful data breaches start with a spear-phishing attack. Executives testifying before the House and Senate may help focus more resources on security.
A few observations on this story, though. First, Target was apparently breached because it gave one of its vendors, an HVAC company, full access to its network; the HVAC company was compromised first, and that access let the hackers into the Target network. That's basically a "DUH" and does not require a 100 million overhaul of Target's credit card infrastructure. Second, "chip-and-PIN" is not the panacea it is claimed to be. Does it make fraud harder? Yes. Will it prevent fraud completely? No: in the U.K. last year credit card fraud was still a Billion dollars. Yes, that's a capital B, and that's with "chip-and-PIN" cards.
More at News.Yahoo.com