My wife and I got a letter in the mail a couple of weeks ago. It was from Neiman Marcus. It began with these sobering words, “We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores.”
It was all stupidity and silliness from there.
A letter from Neiman Marcus to my wife, Cecily
The store admitted to “a criminal cyber-security intrusion” first discovered January 1. It didn’t admit to much else. It forgot, for example, to mention that the breach lasted from July 16 to October 30 of last year.
Instead, the apology immediately segued into damage control mode. It said “We want you to always feel confident shopping at Neiman Marcus.” And this: “We aim to protect your personal and financial information.” And reassured us, “Your PIN was never at risk.”
Perhaps thinking ahead to a future, more devastating breach, the letter added, “The policies of [the credit cards] provide that you have zero liability.”
Phew, that’s a relief!
No Harm, No Foul: REALLY?
Well, not really. Its message of “no harm, no foul, all’s well that ends well” bordered on the ridiculous.
What was Neiman Marcus really thinking? It took Congress to find out. In sworn testimony, Michael R. Kingston, chief information officer of Neiman Marcus, said the malware used was “exceedingly sophisticated.” He added that it had a “zero percent detection rate” by antivirus software.
Let me repeat that: “zero percent detection rate.” The antivirus software was, quite literally, 100% useless against it.
We got a similar letter from Target. It included a new store card. The Target episode exposed the personal data of as many as 110 million customers. That’s more than a third of the population of the United States!
A New York Times article exposed in chilling detail how these cybercriminals pulled off the heist. It said the coding that snatched customers’ data changed according to the instructions received from its handlers, in real time.
Goliath Wins Again
The testimony Congress heard last week revealed just how dangerous the situation has become. Today’s hackers have developed Goliath-like abilities to access supposedly protected personal information. And the retailers have morphed into helpless Davids against their invasive tactics.
The experts are betting on Goliath. Listen to these snippets of Congressional testimony…
James A. Reuter, on behalf of the American Bankers Association, said “the criminals are often one step ahead as the marketplace searches for consensus.”
Mallory Duncan of the National Retail Federation declared, “Data breaches are a fact of life in the United States.”
And Michael Kingston of Neiman Marcus, the CIO of the store that sent me a letter saying “We want you to always feel confident shopping at Neiman Marcus,” argued that “once standards were made public, criminals would figure out how to get around them.”
The scary thing is, they’re probably understating the problem.
This past January alone, according to another New York Times article, “instances in which data became vulnerable include the University of California, Davis health system, Snapchat, Coca-Cola, the message boards of the Straight Dope website, Skype, the Wichcraft sandwich chain and the federal Veterans Affairs Department…”
Okay, maybe it was just one of those months. But investigators don’t think so. They believe that Target was part of a bigger campaign aimed at another half dozen major retailers. Javelin Strategy & Research says, “We’re expecting this to be a major contributor, if not the primary driver of card fraud for the next 12 months.”
By the way, kudos to the Times for staying on top of this growing epidemic. Perhaps they’re so attuned to the issue because they themselves were hacked by China in 2013.
Is There Anything That Can Be Done?
As a matter of fact, there is.
Adopting EMV chip technology, already widely used in Europe, makes it almost impossible to counterfeit credit cards: the chip computes a unique cryptogram for every transaction, so card data captured at the register can’t be used to make a working clone.
But it’s not nearly enough. For one, the card number and expiry date can still be stolen and used for online purchases, where no chip is involved.
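To make the distinction concrete, here is an added example (not code from the article or from any card network) that models why a chip card resists cloning while its static data still works online. It is a deliberate simplification of EMV: real cards derive 3DES session keys and compute an ISO 9797 MAC (the ARQC), whereas this model uses HMAC-SHA256 as a stand-in; the card number, key and transactions are constructed sample values.

```python
"""Simplified model of magstripe vs. chip (EMV-style) vs. card-not-present authorization.

Added example, not real EMV: HMAC-SHA256 stands in for the card's 3DES MAC, and
the PAN, expiry and key below are constructed sample values, not a real account.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample card data (assumption: not a real account).
PAN = "4111111111111111"
EXPIRY = "2512"  # YYMM
CHIP_KEY = b"sample-issuer-key-for-this-card"  # known only to the chip and the issuer


def track2(pan: str, expiry: str) -> str:
    """Static magstripe track 2 (PAN=expiry+service code). Identical on every swipe,
    which is exactly what RAM-scraping POS malware or a skimmer collects."""
    return f"{pan}={expiry}101"


@dataclass
class ChipCard:
    """Stand-in for an EMV chip: the key never leaves the card and a transaction
    counter (ATC) increments on every use, so each cryptogram is one-time."""
    pan: str
    key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> Tuple[int, bytes]:
        self.atc += 1
        msg = f"{amount_cents}|{self.atc}|".encode() + unpredictable_number
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


@dataclass
class Issuer:
    """The bank's view: holds its copy of the chip key and the last ATC it accepted."""
    pan: str
    expiry: str
    key: bytes
    last_atc: int = 0

    def authorize_magstripe(self, presented_track2: str) -> bool:
        # A swipe is approved if the static data matches; a copied track matches too.
        return hmac.compare_digest(presented_track2, track2(self.pan, self.expiry))

    def authorize_chip(self, amount_cents: int, unpredictable_number: bytes,
                       atc: int, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # counter already used: a replay of a captured transaction
        msg = f"{amount_cents}|{atc}|".encode() + unpredictable_number
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key: cannot be forged from what the terminal saw
        self.last_atc = atc
        return True

    def authorize_card_not_present(self, pan: str, expiry: str) -> bool:
        # Online checkout that asks only for PAN and expiry: the chip plays no part.
        return pan == self.pan and expiry == self.expiry


def run_scenarios() -> Dict[str, bool]:
    """Replay the attacks the article describes against each card technology."""
    issuer = Issuer(PAN, EXPIRY, CHIP_KEY)
    card = ChipCard(PAN, CHIP_KEY)
    results: Dict[str, bool] = {}

    # 1. Magstripe: track 2 scraped at the register, written to a blank card, swiped again.
    skimmed = track2(PAN, EXPIRY)
    results["magstripe_clone"] = issuer.authorize_magstripe(skimmed)

    # 2. Chip: a genuine purchase produces a fresh cryptogram for this amount/counter/nonce.
    un1 = os.urandom(4)
    atc1, arqc1 = card.generate_cryptogram(1999, un1)
    results["chip_genuine"] = issuer.authorize_chip(1999, un1, atc1, arqc1)

    # 3. Attacker captured everything the terminal sent and replays it verbatim.
    results["chip_replay"] = issuer.authorize_chip(1999, un1, atc1, arqc1)

    # 4. Attacker tries a new transaction with a guessed key (the real key never left the chip).
    un2 = os.urandom(4)
    forged = hmac.new(b"guessed-key", f"5000|{atc1 + 1}|".encode() + un2, hashlib.sha256).digest()
    results["chip_forged"] = issuer.authorize_chip(5000, un2, atc1 + 1, forged)

    # 5. The same skimmed PAN/expiry presented to an online merchant that checks nothing else.
    results["online_with_skimmed_data"] = issuer.authorize_card_not_present(PAN, EXPIRY)
    return results


if __name__ == "__main__":
    for scenario, approved in run_scenarios().items():
        print(f"{scenario:26s} approved={approved}")
```

Scenarios 1 and 5 are approved and scenarios 3 and 4 are declined, which is the article's point in miniature: the chip stops the cloned card at the register, but the card number and expiry stolen alongside it are all an online merchant may ask for.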
And it misses a huge hole in retailers’ security efforts to date. It’s not just the credit cards in your wallet that are exposing you to cybercriminals.
It’s also the smartphone in your pocket.
The majority of attacks on mobile devices? Fraudulent banking apps. Once they slip into app stores, it’s almost impossible to tell the fraudulent ones apart from the real apps. In a LinuxInsider report, Jack Walsh, mobility program manager at ICSA Labs, says, “The goal is to get these copycat apps into consumers’ hands. When the user inputs account information, instead of being transmitted to the real bank, they go to fraudulent servers.”
Another gaping vulnerability? Kevin Surace, CEO of Appvance, says it’s in the Cloud. “Every company is rapidly deploying new apps for their customers. They are increasingly hosted in the cloud and made specifically for mobile devices. The problem is, coders have limited knowledge of scalability and security. And most organizations rely on inadequate code analysis tools to reveal security issues lurking in the code and integrations.”
Who Is Stepping Up
Surace’s Appvance uses the cloud to “simulate” millions of users piling into an app simultaneously. Where “white hat” security scans end is where Appvance begins. Nobody, a major investor in the company told me, has done this before.
Appvance is just starting out. I recommended it to readers of my Startup Investor service a few weeks ago. I explained, it’s not often you get to invest in a company that is “first into a big market,” in this case, that market being app vulnerability under stress scenarios.
At The Oxford Club, we think getting in ahead of the crowd is a big deal. It’s about being an industry leader as opposed to a follower. And solidifying your credibility while other companies are solidifying their technology.
The cybercriminals may hold the advantage now. But the demand for solutions is urgent and growing. The market has taken notice. It will fill this gaping need, as software security companies are increasingly drawn into this fast-expanding space.
And, I believe, startups and young tech companies will be leading the charge.
At the moment, our Startup Investor service isn’t taking on new Members. But it will be soon. So, if you’re interested in investing in startups, stay tuned via EarlyInvesting.com. We’ll be sure to let you know when we plan on adding Members again.
View original at: Investment U