Yet another data breach has made national headlines. This time, it involves the payment systems of Saks Fifth Avenue and Lord & Taylor. While the Hudson’s Bay Company – which owns the two department stores – has already confirmed there was a security breach, the true extent has not been divulged. According to reports, however, hackers claim they have 5 million credit and debit card numbers from these retail stores. Gemini Advisory has stated 125,000 cards have been released for sale so far and has estimated the theft of card numbers began as early as May 2017.
At this point, no one should be surprised. These events no longer cause the widespread panic and alarm they used to. For example, if you had announced just a few short years ago that someone may have stolen 5 million card numbers, it would have been reported, analyzed and discussed continuously in national, regional and local news cycles for days. But after the Target breach in late 2013, followed by Home Depot in 2014 and the massive Equifax scandal in 2017, of course you can expect people to be desensitized. Was anyone really surprised when Equifax announced nearly 148 million U.S. consumers had their personal information stolen? These larger instances have been accompanied by a continuous string of other “small” breaches. Every few weeks, there is another revelation to the point where people are asking, “Is this the new normal?”
When you are in the middle of battling fraudulent activities day after day, it can feel like the criminals are always one step ahead and that this pattern really is the new normal. While criminal behavior can never be eliminated, credit unions and their service providers are working tirelessly to mitigate the losses from these events in the future.
First, on the credit and debit card payment side, there is no question that the United States joining the worldwide EMV – or chip card – implementation system led to a significant reduction in counterfeit cards at the point of sale.
Additionally, cyber security is being taken more seriously than ever. Gartner – a leading information technology research and advisory company – expects a significant investment in information security in the coming years, with spending projected to grow to $93 billion in 2018 alone.
Finally, all the technology in the world will not matter if anyone can gain easy admission to your organization – like posting in a break room that “password123” will allow access to your entire processing system, which used to be a common security best practice. It only takes one entry point, through an employee or a vendor with a simple password, to give criminals the keys to your kingdom regardless of your security investments. As such, training and safety processes are being taken much more seriously. There is now awareness at senior levels of organizations that one breach can mean not only millions of dollars in losses but also a reputational hit that is not easy to overcome.
While these are all positive developments, we have a long way to go. With so much personal information now available in the public domain, the threat of identity theft, application fraud and e-commerce fraud is replacing card payment scams at an alarming rate. Just like the old Hans Brinker story about the Dutch boy who saves the country by putting his finger in a leaking dike, we keep plugging the dike. But unfortunately, more leaks still appear, and there are plenty of new areas of concern. Can you say IoT?
So, what can be done now? The answer must be a holistic approach across all channels, supported by technology, good security processes, education and the power of data analytics. This seems like an easy enough statement to make. But in practice, determining the right areas of focus and evaluating the accompanying costs are nowhere near as easy.
When you think about fraud across all channels, one of the weakest links today is authentication. You may have a great security process for your mobile banking experience, but what about your phone channel? It is estimated that one out of every 2,000 calls is a fraudster attempting to gather the additional information needed to authenticate and commit a scam. In every interaction, whether it is phone, web, mobile or in-person, you must think of the next generation of authentication tools that are emerging and continually look to invest in new technology that works across a wide range of channels.
As if these challenges are not difficult enough, consumers expect a friction-free transaction – regardless of whether they are using best practices on their own channels. We could stop many fraudulent activities by simply putting consumers under a spotlight and interrogating them about their security practices until they beg for mercy. You would certainly get less fraud this way but also fewer consumers using your products and services. Introducing more passive technologies into your channels, like biometrics and analytics, can help balance the need to prevent fraud with less friction for consumers.
As you think about your future investments, look to utilize technology and data analytics to create a better authentication experience while protecting all of your channels. Just remember: the fraudsters already know where you were born and that your cat’s name is Luke Skywhisker.
Jack Lynch leads PSCU’s Fraud and Risk Management Operations area. Jack has over 25 years of leadership experience delivering operational services, project management, client implementations, process re-engineering, account management, training and technology services.