2014 PRIVACY XCHANGE FORUM — Scottsdale, Ariz. — Members of some of the juiciest targets of cybercrime -- financial services, retail, media, and healthcare -- here today shared what they consider the biggest cyberthreats to their industries and how they are fighting back.
Michael Young, vice president and product team manager for financial services firm EverBank, says the biggest threat to his industry is less about direct cyberattacks on banks than it is on customer account theft, identity theft, and payment card fraud. "Account takeover is the number one threat the financial services industry" faces, Young said. "People get in and steal your user ID and password and transfer money out of your account."
Even with the recent news of the attack against JPMorgan Chase, he says, financial services firms are less likely to get hacked directly because they can at least control how they protect their systems and networks. "That seems to be where we have the most control. It's the other three [account theft, identity theft, and payment card theft] where we don't."
Young said JPMorgan's hack didn't result in the typical privacy breach of data. "There was no release of secure data" reported, he said. "Account takeover and ID theft fraud is not by hacking into bank networks."
Financial services firms, Young said, aren't storing their information in the cloud but in their own secured environments where they can control it. "They're not putting it in the cloud, which is the next big thing and the next big and scary thing from a financial perspective" in security, he said.
Young noted that while banks under the FFIEC guidelines must provide multi-factor authentication for online banking, credit unions only recently have begun to do so. The problem with two-factor authentication is that some forms can be -- and have been -- bypassed by cybercriminals: "Some of the ways it's being implemented to help with that is by having something out-of-pocket, out-of-band authentication. Or tokens," he said.
Consumers have basically rebelled against tokens, though, he noted, while tokens have worked for business online banking.
A better bet for protecting payment data and other customer information is tokenization, in which sensitive values such as payment card numbers or Social Security numbers are replaced with substitute tokens that have no value outside the system that issued them. "Apple Pay is one of the first implementations of tokenization," he said.
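To make the tokenization idea concrete, here is an added example (not code from Young, EverBank, or Apple Pay) of a toy token vault: the card number is validated, stored only inside the vault, and replaced outside it by a same-length token that keeps the last four digits for receipts, deliberately fails the Luhn check so it can never be mistaken for a real card number, and can be reversed only by the payment-processing component. The vault, its in-memory maps and the `"payment-processor"` caller name are assumptions for illustration; a production vault would sit in its own PCI-scoped network segment with the mapping in a hardened data store.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy tokenization vault (added illustration, not a product's code).

    The PAN (primary account number) lives only inside this object; every
    other system stores and passes around the token instead.
    """

    def __init__(self):
        self._by_token = {}  # token -> PAN, the only place the PAN is kept
        self._by_pan = {}    # HMAC(PAN) -> token, so one card always maps to one token
        # Assumption: this lookup key is held only by the vault process.
        self._key = secrets.token_bytes(32)

    @staticmethod
    def luhn_ok(number):
        """Standard Luhn check used by card networks for PAN check digits."""
        total = 0
        for i, ch in enumerate(reversed(number)):
            d = int(ch)
            if i % 2 == 1:          # double every second digit from the right
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0

    def tokenize(self, pan):
        """Return the token for a PAN, issuing a fresh one on first sight."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not self.luhn_ok(pan):
            raise ValueError("not a valid PAN")
        # Keyed hash so the index itself does not leak the PAN if the map is dumped.
        idx = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._by_pan:
            return self._by_pan[idx]
        while True:
            # Format-preserving: random digits of the same length, last four kept
            # so staff can still say "card ending in 1111". Reject any candidate
            # that passes Luhn, so a leaked token is never a usable card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._by_token and not self.luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[idx] = token
        return token

    def detokenize(self, token, caller):
        """Reverse a token; only the (assumed) payment processor may do so."""
        if caller != "payment-processor":
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: the well-known Visa test number, Luhn-valid.
    tok = vault.tokenize("4111111111111111")
    print("token handed to the web tier:", tok)
    print("processor sees PAN:", vault.detokenize(tok, "payment-processor"))
```

Note what the token does and does not protect: a thief who steals the token database from the e-commerce tier gets strings that cannot be charged, but the vault itself is now the crown jewel and needs the tightest access control, logging and network isolation in the environment.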
Financial services' call centers employ voice fingerprinting as one level of authentication, akin to caller ID. And online banking is increasingly using device fingerprinting, capturing the type of device and software as another form of authentication for consumers, he said.
"But there's no silver bullet in security for financial services. It's a layered approach," Young said. "We have to make it safe to bank online but not too onerous or difficult for the end user. It's a fine line."
Retailers, meanwhile, suffer both apathy about breaches and a misunderstanding about them, says Arthur Tisi, chief information officer for Natural Markets Food Group. Retailers ask why they were hit. "It doesn't resonate with them that it's an opportunistic approach to breaching systems," he said.
"When you talk to the CEO of a retailer, [he says] 'we're not a bank, why are they coming after us? We're PCI-compliant,'" he said.
The retail industry is nearing the one-year anniversary of the start of what has been dubbed The Year of the Retail Breach, with big-name big-box retailers such as Target, Home Depot, and Neiman Marcus, as well as food chains Dairy Queen and Jimmy John's and others all hit with payment card hacks.
Tisi says a big challenge for retailers is internal coordination pre- and post-attack. Take the legal and communications groups: "Legal is concerned with liability. The communications group is concerned with brand equity," he said. "Typically, the general counsel is going to win. So rather than getting into the middle of managing relationships post-breach, we're finding it's important to coordinate the organizations [in advance] so we get a good balance."
Many retailers now have an incident response plan in place to react quickly after an incident, he said. "The lack of coordination and reaction at Target after its [data breach] event could have been resolved in a much more favorable way," he said.
Tisi said some retailers are running vulnerability assessment scans beyond PCI, as well as forensic scans of data and malware.
"How are we going to coordinate communications to our customers? How are we going to communicate with … the FBI or Secret Service? How quickly can we assess what actually is happening to us while it's happening and determine the impact of what's happening?" he said. "We don't want to run out the door with our hair on fire prematurely."
Most companies, and especially those in retail, don't coordinate that communications well, he said. "What are you going to say? When are you going to say it? Who do you retain to communicate?" Tisi said. "You should already be developing a relationship with your insurance carrier."
On the media side, the business model has changed with online interaction and social media, says Ali Waezzadah, vice president of information security for CBS. "We can target a specific ad to what they watch and how they watch it," he said.
Using big data to correlate viewers' viewing habits with how they interact online is the next big thing, and media firms have to protect that information.
"All breaches happen because you miss the fundamentals. It's never the fancy technology that was implemented," such as SIEM or an IPS, he said.
At CBS, both the privacy and security teams work together closely, he said. "Our privacy organization at CBS looks at us as their front line. We figure out a privacy issue before the privacy group" finds a problem, he said.
For healthcare, the Health Insurance Portability and Accountability Act (HIPAA) is no privacy or security cure-all, Dr. Deborah Peel, founder and chair of Patient Privacy Rights, said.
A patient's health information is accessible to too many users and databases, according to Peel, whose organization has helped map out just where that data travels after a patient visits a hospital, for example.
"HIPAA doesn't protect data privacy or security," Peel said. Most hospitals have multiple contracts with licenses that allow other organizations to "touch" that data, including insurers, pharmacies, and others.
A typical hospital can have thousands of employees with access to patient information. While some have role-based policies over who can access what, many policies are still too broad, Peel said.
"The breaches are inevitable," she said.