Posted by: David Schneier
ATM, Audit, compliance, GLBA, PCI, regulation, regulations, regulatory, Regulatory Compliance, Security
Two weeks ago news broke about a huge, massive leak of credit card information from a processor called Global Payments, and I braced for the firestorm of media coverage that was sure to follow. Two weeks later it’s pretty much a non-event. A few days ago the State of Utah reported a breach of nearly one million social security numbers, and again I waited for this to hit the front page. It was a blurb for about an hour and then disappeared, only to be found by using search engines.
Doesn’t anyone remember the great Heartland breach of 2009? Seriously, anyone?
I’ve never tried to quantify what percentage of the work we do within the regulatory compliance domain is focused on the safeguarding of customer data, but off the top of my head I’m thinking it’s high. And when you factor in that there’s an entire industry focused exclusively on protecting credit card information (PCI), you’d think that not only are breaches getting harder to pull off but that we’re becoming less tolerant as a society in accepting them. But there’s a general lack of outrage exhibited when these incidents occur, the media doesn’t much care to cover them properly, and really in the end they wind up being something of a non-issue. And as I learned recently when my own bank card was compromised, the banking industry seems to simply accept that these things are going to happen. Instead of getting better at preventing breaches, they’ve instead managed to streamline the process whereby they shut down the accounts in question and reissue new ones.
You often hear that any security solution is only as good as its weakest link. It seems to me that financial institutions are no closer to figuring out how to truly lock everything down, and with the constant evolution of technology, where we’re always adjusting to new exposures, new threats and new challenges, we’ll never actually get there. There’s never a point where an infrastructure is truly hardened and where the weakest link is something so obscure as to not even present a credible threat. Despite regulatory and industry requirements and sometimes intense scrutiny, we’ve reached a point where the only thing that’s improved is how quickly we repair the damage. PCI hasn’t stopped things from happening (it hasn’t, and don’t debate me on its merits, because every time there’s an issue with a PCI-certified company there’s an excuse). GLBA hasn’t stopped things from happening (too many moving parts and not enough pressure applied from the enforcement divisions). It’s just not getting better, and I can’t see that improving anytime soon.
I long ago decided that vigilance on my part is my only true defense against identity theft. I’ve written previously on how I check every physical detail of every ATM I ever use to make sure the equipment is legitimate, that there are no hidden cameras recording my PIN, and that I never use the privately leased machines you find all over the place. I also double-check gas pumps to make sure a portable device isn’t scanning my credit card (I get strange looks all the time when I wiggle the card scanner to see if it’s loose). And I’ve turned on every email alert possible to track activity on my checking account (much to my wife’s chagrin). I almost never use a smartphone app or web-based solution to conduct my banking because I don’t completely trust the technologies (or rather the people who can exploit them). And to be clear, none of my concerns stem from what I see while doing my day-to-day fieldwork. It’s all based on what I know happens out in the real world.
Until breaches are treated as a true threat to our personal security and receive the scrutiny they so richly deserve, none of this is going to get better. When a breach of over one million credit card accounts is prefaced with the word “only” and that’s perfectly acceptable to all involved, we’re still obviously a long way off from solving the problem.