With Target stores under attack late last year, other large retailers began taking action to counter additional hacks.
Like most criminals, hackers have significant tactical advantages that overwhelm their target: surprise and a complete absence of accountability. Let’s look at the most recent large retailer hack attack that struck Home Depot.
Large companies – especially publicly traded companies – move slowly compared to the hackers. Home Depot has over two thousand stores whose payment terminals – as opposed to desktop computer networks or central servers – were the focus of the hack.
New software or new systems in a headquarters building can be accomplished quickly. But implementing such a sweeping change to 80,000 credit card payment terminals is several orders of magnitude more complicated. Even a relatively minor upgrading of these terminals requires substantial evaluation and testing to ensure a smooth transition. Executives are accountable and have a fiduciary duty; hackers have no such limitations.
Like an escaping bank robber recklessly shooting at the police, hackers care nothing about the damage they cause. And like the police pursing the bank robbers who have a duty to avoid harming bystanders, corporate executives can’t just pull the plug on payment systems until the problem is identified, analyzed, and fixed months later. The company has a business to preserve while the criminals do not. This, plus the element of surprise, gives an enormous advantage to the hackers.
Concerning Trends
There is new trend with criminal hackers as well – the level of sophistication for these large breaches is increasingly high. Exercising discipline and patience, taking measured steps to avoid detection so their attacks can last months before being discovered. In fact, it seems that Home Depot was only aware of the hack after it was under attack for several months.
It isn’t just money that is at stake. Two years ago Saudi Arabia’s oil company, Saudi Aramco, was attacked with a computer virus that affected its computer systems. While that attack did not result in an oil production disruption, the next one could.
Blocking a major producer like Saudi Aramco from producing would have an immediate impact rivaling that of a naval skirmish in the Persian Gulf.
Noted cyber expert Chris Bronk asserts that this attack did not appear to be done by hacktivists, which typically employ a Distributed Denial of Service attack. Rather, he argues, the signs of such a coordinated attack point to the Iranian regime.
Combine these elements with a natural reluctance of companies to cooperate with law enforcement when they have been hacked and you have a recipe for disaster.
Most companies do not have millions of retail customers, and can often avoid public disclosure regardless of how significant the breach. They want to solve the problem at hand and get back to their business – an understandable desire when arresting the hackers and financial recovery are remote.
Another reason corporate victims of attacks shy away from involving the government is the attention that can generate, and not just a concern over bad public relations. Witness the attorneys general from several states announcing that they are opening up an investigation in the Home Depot attack. Since attributing, arresting, and convicting those responsible for the massive theft is very hard to do, these politicians are focused on the much easier target of Home Depot.
All of these factors create a climate where victims are reluctant to come forward and the perpetrators are unlikely to ever be caught or punished.
An Issue of Tradeoffs
When a retailer says they don’t need your signature for credit card purchases under $50 they are making a simple tradeoff: the amount lost to fraudulent charges in face-to-face transactions under $50 is less than the efficiency gained by speeding up the checkout lines. Such tradeoffs are typical when running a business: an assessment of risk compared to other factors.
One thing common in the cyber security discussions are security experts who claim that this policy or that technology is obviously what an industry should be doing, often criticizing leaders in the industry of “dragging their feet” due to worries about costs. Easy for them to say – it isn’t their money. While it might be nice to eagerly embrace costly new technologies to prevent hacks, companies also have a payroll to make, a board to report to, and regulators to satisfy.
However, with reports that the Target breach has cost that company at least $150 million, look for tradeoffs to begin favoring security. That – as well as the firing of the executives due to a breach – seems to be getting cyber security the attention it requires.