Target’s data breach: The cyber-security takeaway

The security breach that affected millions of Black Friday customers at Target in the U.S. is a terrible tragedy. Not just because of the money it potentially involves, but because it has denied the IT security industry the opportunity to give the usual lecture.

When these kinds of incidents occur, all the anti-virus companies and managed security vendors love to come out of the woodwork and pontificate about the need to use the kinds of products and services they offer. In this case, however, that sort of “I told you so” analysis seems largely out of place.

Target’s systems are reportedly compliant with the Payment Card Industry (PCI) security standards. There’s no evidence so far of sophisticated hackers. The kind of theft involved allowed the perpetrators to create phony credit cards, not necessarily use PIN numbers for debit purchases. So far, the whole thing seems to be a strictly offline affair, with the e-commerce side of Target’s operation looking much more secure than its in-store experience.

“Given that Target has instituted so many security controls, I’d be very surprised if the breach occurred because malware was installed on POS devices (like cash registers) or in local store systems,” wrote Avivah Litan, an analyst with Stamford, Conn.-based research firm Gartner Inc., in a note immediately following the news. “My guess is that the data was stolen from Target’s switching system for authorization and settlement.” This is something that might be as easy as putting information on a USB key and walking out the door.

These are the kinds of criminal activities that make it increasingly challenging for legal authorities to catch up. A few weeks ago I listened to a presentation by Ritesh Kotak, who works in a program called Operation Reboot with the Toronto Police Service. His group is part of a service-wide initiative addressing social media, open source, technology procurement and cyber-related threats and opportunities. It’s a broad area -- maybe too broad.

“One of the things we’re looking at is a common definition of cybercrime,” he said. “We had someone walk into the front desk at a division and say that a neighbour hacked into his Wi-Fi. For him, that was a cybercrime, akin to a traditional break-and-enter. For some people, they’ll equate cybercrime with child exploitation. If you move to the financial industry, cybercrime is about a transaction. We need a consensus on what it is.”

I’d suggest cybercrime is about data, whereas traditional crime is largely about physical interactions of some kind. The Target breach involves a little of both, which is part of what makes it so difficult to investigate. You could argue that this sort of thing could largely be avoided if more U.S. banks got on board with the whole chip card thing, but there’s more to it than that. The only financial transaction that doesn’t involve data is cash, and our move to an increasingly cashless society will only open up the risk.

On the flip side, I remember covering the early days of e-commerce, when the biggest barrier was the fear of handing over credit card numbers online. When you see what happened at Target, that kind of attitude seems ridiculous.

Although transactions involving data create risks, they at least offer a sort of digital paper trail that doesn’t exist if cash gets taken from your wallet. Strange as it sounds, incidents like the Target breach may one day lead us to trust in e-commerce over anything else.