Why reported breaches are the tip of the iceberg

According to the Identity Theft Resource Center (ITRC), 1,244 data breaches were reported in 2018 that compromised over 446 million records containing consumers’ personally identifiable information (PII). The key word in the last sentence is “reported.” Assuming every hacked business reports a breach, like they are supposed to do, we can look at 1,244 breaches as the number of times a hacker got caught…. and believe me, hackers don’t like to get caught.

This means the 1,244 reported breaches are just the tip of the iceberg. Thousands of additional businesses are breached every day, but just don’t know it. Many times, the company is small and doesn’t have a full-time network security administrator, or the number of payment cards they expose daily isn’t significant enough to be flagged by bank networks and breach researchers.

While each small, unreported breach might only have a few hundred cards, taken together the number of total cards breached can be quite staggering.

The dark economy

I invited Stephen W. Orfei, former general manager of the PCI Security Standards Council, to speak at a recent Bluefin Summit. His presentation shined a light on the dark economy, how it mirrors the real economy and how it is proliferating. He cited a direct quote from Dr. Michael McGuire’s alarming study, into the Web of Profit: Understanding the Growth of the Cybercrime Economy:

“Though it constitutes a relatively new criminal economy, cybercrime is already generating at least $1.5 trillion in revenues every year. A conservative estimate based only on data drawn from five of the highest profile and lucrative varieties of revenue-generating cybercrimes.”

To put that in perspective, $1.5 trillion is larger than the 2018 GDP of Spain, Australia or Mexico.

I study ITRC’s breach statistics monthly and the attack vectors hackers employ as published annually by Verizon’s Data Breach Investigations Report (DBIR), and I know about the impact and costs of breaches from studying Ponemon Institute’s annual report. Their data builds a strong picture of what happens when things go wrong and has been very helpful in raising the alarm for many unprepared merchants.

However, the problem is much more severe. I believe that many more businesses than most would guess are breached every day as hackers know how to leak just enough card data from each business to stay under the radar. I also believe the dark economy that is supported by breaches and fraud is alive and well.

As important as it is to understand what happens when things go wrong, it may be even more important to study what happens when we don’t know that things are wrong. The only place we can get a good understanding of that is by looking into the success, size and scope of the dark economy that lives and thrives on stolen data.

Decreasing payment card fraud increases authorizations

I’ve heard that decreasing fraud increases payment authorizations. An authorization, of course, means that a payment transaction is approved and a sale happens. Moreover, any time a sale occurs, everyone is happy: the cardholder, the card issuing bank, and the acquiring bank that processes the transaction.

Fraudsters buy compromised card data from the dark web and attempt to use the information to buy goods or services. Anti-fraud tools abound in the industry to weed out such fraudulent transactions. These anti-fraud tools are often quite sophisticated and include neural network, artificial intelligence (AI), fraud scoring, 3D Secure and many other tools.

Sometimes good transactions are flagged as bad, and a good sale doesn’t happen. This is a frustrating pattern for the cardholder and banks. Also, the card can then be flagged as compromised, meaning that the cardholder can’t use it at all until a new one arrives in the mail, all of which results in a decrease in authorizations and in cardholder satisfaction.

While I support the philosophy that decreasing fraud increases authorizations, focusing on this understanding alone misses a much more significant point. Fighting fraud is like fighting a cold. Viruses will always be lurking around the corner, and there is a vast industry of cold-fighting medicines and supplements. However, what if you could not catch a cold in the first place? Wouldn’t that be better? In other words, fighting symptoms is a never-ending fight. Why not stop the cold at the source?

Preventive care is a growing segment that does just this by building up the immune system, making sure you drink plenty of water, take supplements, and wash your hands often. The truth is that many people are too lazy to take preventive care seriously and would rather deal with a cold when they get one. It’s similar to the relationship between breaches and fraud. Hundreds of fraud-fighting tools help merchants keep the fraudsters from using stolen data at their place of business. What if a technology could stop hackers from compromising the card data in the first place? No compromised data, no fraud.

Decreasing compromises eliminates exposed payment card data

Let’s extend that understanding to better encompass the fraud lifecycle: decreasing compromises decreases fraud, which in turn increases authorizations. Overall, this is great for everyone in the payments ecosystem: cardholders, issuing banks and acquiring banks. If the compromise doesn’t happen in the first place, the hackers don’t get valuable cardholder data so they can’t conduct fraud.

Data devaluation technologies like tokenization and point-to-point encryption (P2PE) do this by devaluing the card data so that in the event of a breach, the card data is not compromised. It is rendered valueless to the hacker and can’t be sold on the dark web to fraudsters. These technologies stop the fraud at the source by removing the raw material fraudsters need to commit fraud: card data.

Small merchants don’t know or often don’t care about data devaluation technologies because they are optional and the merchants see their biggest threat as going out of business, not compromising card data. I think that will change.

Notice that I’m using the word “compromise” instead of “breach.” There is a key difference between these terms, and it goes to the heart of the data devaluation value proposition. If card data is properly devalued with P2PE and tokenization, then even if a breach happens, the data is not compromised. In truth, we should be looking out for compromises more than just breaches. Don’t let hackers breach your defenses, but if they do get in, then you better have devalued the data so they can’t compromise anything of value.

Is EMV an anti-fraud feature or a data security feature?

EMV (Europay, Mastercard, VISA), the chip cards that most of us now have in our wallet, is an anti-fraud feature and not a data security feature. To prove this to myself, I placed a card into a dip reader and watched the full 16-digit card number come out of the device and into our test application. There is no encryption requirement for EMV chip cards. Something called a “cryptogram” acts as a hash of sorts to enforce uniqueness among chip reads, but it is not encrypted card data.

If the card data is not encrypted and transmitted in clear text, I don’t consider EMV a data security feature. It is, however, an excellent anti-counterfeit card feature. Fraudsters can’t practically imitate the chip on the card, so they can’t use the compromised data to conduct card present fraud with hacked chip card data. This makes EMV far superior to the easily imitated magnetic stripe on the back of cards.

The fraudster can use stolen chip card data only to conduct card-not-present fraud such as internet, mail order, telephone order or by asking the merchant to key in the card number in person instead of dipping the card. EMV is great at one thing: thwarting counterfeit chip cards at card-present locations.

If P2PE is not used to encrypt it, then the full 16-digit EMV card number can be hacked from the merchant’s network and sold on the dark web to fraudsters who want to use it for card-not-present e-commerce or telephone order fraud.

As with anything in life, you want to use the right tool for the job. EMV is a great way to stop card-present counterfeit fraud. It wasn’t meant to replace data security tools like tokenization and P2PE.