James: It seems like online fraud is increasing. Is it safe to say that once EMV becomes commonplace in the U.S., fraud will just shift to digital?
But that's a good example of usability/security. CVV codes can be used for online transactions but many (most?) online retailers do not ask for that as it increases abandonment rates.
Robert: I think what you're talking about is multi-factor auth at the point of sale. So, your phone acts as a second credential for a transaction. The thought being that both the phone and the card have to be present in order to make a purchase.
That's right, Robert. Digital transactions (with exceptions) still mostly rely on the 16-digit number on the front of your card.
Would need consumers to have EMV PoS tech with their computers to verify the card is present in the transaction.
One key thing about EMV, however, is that it probably would not have prevented what happened at Target. It would prevent someone from cloning a card from stolen data.
While EMV may offer some consumer protections for Card Present transactions at PoS (the chip is hard to clone), it doesn't solve the online commerce problem.
That... And EMV alone wouldn't have stopped the Target breach... That has more to do with the security inside retailer's systems...
Did we go over what POS means? I might have missed it.
EMV is the chip-card technology used basically everywhere but the U.S. Consumers insert their chip card into the POS reader and it validates the card is authentic. The U.S. is in the process of switching over, but it will take new POS terminals at merchants, new cards from issuers and a change to the way consumers buy at stores. So it's going to take some time.
James' comment about alerts is a great example of how a balance between security and customer value (annoyance) is constantly evaluated. In the golden age of spam, email alerts were largely seen as an annoyance. That feeling still prevails, limiting some proactive outreach to customers except in the most obvious of circumstances.
James: Talk about EMV... What is it? And why will it help? And why isn't it a complete answer to transaction fraud?
That's why we're now seeing a hybrid opt-in approach. Facebook, Google, Twitter, World of Warcraft, etc., all allow for Multi-Factor Authentication, but do not require it.
That's a great question, Sean, and will be important for the next round after EMV is implemented: online fraud. We talk ad nauseam about "eliminating friction" online, but sometimes friction is good. It's ok if that extra step of putting in your CVV code (the 3-digit code on the back of your credit card) protects you. Informing consumers that sometimes the extra step is for their protection might be a good idea.
So they were allowing their users to go unprotected, because protecting them may negatively affect their business.
There are many good-guy "white hat hackers" (versus the "black hat" bad guys) who do a lot of good trying to proactively discover vulnerabilities, or quickly investigate new ones. Knowing the threats is a key component to protecting against them.
Most public facing companies (banks, especially) are first and foremost vehicles of customer service ...
For consumers who are concerned about their private data, I'd reiterate that there are a lot of tools that banks provide to consumers that alert them to when their accounts are being used. Use those tools. Sign up for text or app alerts. And if Target offers you credit monitoring, take them up on it.
Jason, James, Robert... Talk about that, the balance between usability and security...
Do you have any direct examples? :)
Good point, DBDude, many companies skimp on security in order to offer a better customer experience... Dangerous.
And to Robert's point, there is a growing sense that the US move to EMV (and hopefully other technologies) is going to make that a harder business to be in....
Jason: Re: your response on a reactive stance... Aren't some companies trying to hack back and buy exploits?
They treat it as a real business, and are out flanking the corporate security controls.
Another contributing factor is the players who are monetizing the breach. It's now a professional career track to be involved with this sort of organized crime.
Regarding company responses: most companies are realizing that a reactive stance is almost always more expensive and less effective than a proactive one, or at least a process and structure that facilitates investigation. If someone can't answer at least "what happened, to whom, where and how much" quickly after discovering an issue, it's going to be a difficult road.
That's a great point, Jason... The fact is that these companies (banks, hospitals, etc...) are under constant siege.
On the frequency, it's easy to perceive the breaches as increasing. After all, how often do you hear that an intrusion was prevented?
Because of this, consumers now care when a company is breached.
But the vulnerabilities have remained the same, correct?
I'm not sure that we are seeing more breaches, especially given the shift we've seen to electronic payments. Across all electronic payment types, we still measure fraud in basis points. It's something around $7 billion even though we have $17 trillion spent.
There are more companies offering online services to consumers.
Robert, Jason, James... Feel free... I don't think the incidences of breaches have increased, just the number of people they impact. That's a result of the way these companies store data, and the fact that we are now increasingly living our lives online.
So... At this point, I think it might be good to clarify the perception that these breaches are in some way increasing... Anyone feel free to sound off...
Robert: To be clear, your last response is aimed at the number of vendors (processors, payment networks and service providers) that businesses work with in order to sell or be online, right?
Yes. And these incidents could affect their privacy directly, security indirectly. In the case of the initial compromise, all the data shared with that site is compromised. If the username/password database is compromised, and the user uses the same password at other sites, then their security on the other sites is also compromised.
This is to anyone who is interested in answering this question: "What is the protocol that most companies follow after a breach? There had to be a sense of the vulnerability, or someone is not paying attention to penetration test results, etc. And how do companies ignore vulnerabilities at high-volume periods such as the holidays?"
Let's take some time and just examine the number of vendors any one company deals with to do business online... If any one of those vendors has a weakness, that company runs the risk of losing customer data. Do you agree (Robert, James, Jason)?
Any site you share your PII with could potentially be compromised. It just so happens that healthcare.gov in particular has not had a great track record with secure coding/implementation.
Robert: That's an excellent point. Every system is vulnerable to exploits.
Potentially yes; but that's not unique to healthcare.gov