To security professionals in the financial services industry, every new data breach—with the high-profile coverage it generates—must seem like another knife in the back. All those resources dedicated to the area, all that time spent securing the infrastructure, never seem to be enough. Despite all the effort, some anonymous hackers somewhere are able to brazenly infiltrate the system and steal the account information of potentially millions of holiday shoppers. The Grinch was never this bad.
With the most recent debacle, the company squarely taking the hit in the court of public opinion is Target. But of course, it’s not just the retailer that’s going to suffer. The most recent information we have is that between November 27 and December 15, all consumers who swiped their credit cards at a Target store in the U.S.—perhaps as many as 40 million—had their information compromised. That includes names, both debit and credit card numbers, expiration dates and even the three-digit security codes on the back. As hacks go, this one is big, and of course it took more than just some petty thieves to get the job done. Reports indicate that a sophisticated network of cyber criminals coordinated their activities to uncover the treasure trove of private information. While no one can be sure how big the network is, it seems their haul could be in the hundreds of millions. As a result, it will end up affecting not just Target and its customers but also the credit card providers, IT companies and industry security specialists.
But there are other repercussions too. While the industry has every right to be proud of the progress made in the adoption of many new technologies, each bringing about major changes in user behavior, the painful truth is that we could be doing much better. One big reason why we haven’t is security, and each high-profile data breach like this one sets back the conversation.
Take mobile banking. The speed with which this field has progressed is nothing short of astonishing—it’s gone from fantasy outlier to mainstream adoption virtually overnight, with thousands of custom apps emerging and finding an audience in record time. But most of the action is on the consumer side; corporations are still taking it slow.
We all know how mobile capabilities have obliterated the line between personal and business data—sensitive information now resides next to video games and personal calendars on every knowledge worker’s phone and tablet. But with banking, it’s a different story. To be sure, there are many other factors to consider. For example, the average CFO has a lot more information to deal with than the average user, and the tiny screens we love on our smartphones can be a problem.
Yet the biggest issue by far is security. New research from Capital One shines a spotlight on this unfortunate issue. In its survey of financial services professionals, only a small number of the firms that haven’t yet implemented corporate mobile banking plan to do so anytime soon. Fully 66% cited security challenges as the main concern.
On a very different, unrelated front, news emerged recently that the two-factor authentication feature designed to protect online bank accounts has been greatly compromised. The practice, which entails sending an SMS message with a code that quickly expires, has been threatened by new malicious software for Android devices. In fact, there are already numerous malware suites to defeat one-time passcodes, and experts urge institutions and individuals alike not to rely on them.
On the face of it, swiping a credit card while buying a Christmas gift, implementing mobile banking at large corporations and getting a text message with a code don’t have much to do with each other. But underlying each technological advance and the behavioral change it induces is the need for security.
The reality is that people will continue to use credit cards while shopping, just as corporations will inevitably overcome their justifiable skittishness and implement mobile banking—the benefits are just too great. But how fast those practices evolve depends on how secure we can make them. Looking ahead to 2014, it would be nice to end the year without having the Christmas spirit spoiled by concerns about financial information being compromised.