Is PCI Non-Compliance Legally Wrong?
What is Reasonable Computer Security for Credit Card Data?
The Federal Trade Commission should rethink the law of credit card data security applicable to merchants like TJX. As a consequence of the data security breach TJX disclosed in 2007, TJX and the FTC entered a settlement requiring TJX for the next 20 years to engage in an expensive, government-supervised data security program. The program entails the maintenance of controls and extensive paperwork reporting about those controls to the FTC.
According to FTC, the grounds for its action against the retailer were that TJX had engaged in "unfair practices" in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).
The "unfairness," according to the FTC, was that TJX collected private credit card information from consumers, but failed to use adequate security procedures to protect it. This resulted in compromise of tens of millions of credit card accounts. By declaring that TJX was "unfair," FTC
TJX Was Not Deceptive or Utterly Inattentive to Security
Note what the FTC did not allege about TJX. The FTC did not allege TJX engaged in a "deceptive trade practice" in violation of Section 5(a) of the FTC Act. An example of deception is for an enterprise (like ChoicePoint) to tell individuals it will secure their data, and then fail to do so.
Further, the FTC did not allege TJX was utterly inattentive to security. The FTC essentially said TJX was unfair because it was not secure enough . . . not secure enough to defeat the sophisticated criminal organization that broke into it. And the FTC said the remedy for this unfairness is that TJX should implement security controls, more or less like the PCI-DSS (Payment Card Industry Data Security Standard). The implication: if a merchant follows the PCI, then it has achieved "fairness."
FTC's Remedy Does Not Achieve Its Goal
Compare what FTC just said to TJX, with what happened at retailer Hannaford. Hannaford announced that 4.2 million credit card numbers were stolen from it, but Hannaford says it was PCI compliant during the time in question! Apparently the hackers tapped fiber-optic cable that "security experts had believed was secure."
Further, Okemo Mountain Resort, a Vermont merchant, says it complied with PCI, but was still broken into. Pereira, "Credit Card Security Falters," WSJ, Apr 29, 08.
The Hannaford and Okemo experiences suggest PCI compliance is not enough to defeat the talented criminal gangs assaulting the credit card system today. In other words, compliance with controls like those FTC imposed on TJX is not enough to protect credit card data.
The reality may be that it is impractical for merchants to protect credit card data from the criminals who broke into TJX and Hannaford and Okemo. If that is true, then TJX did not engage in unfairness. It was a victim of criminals who are swiftly becoming more powerful.
Why Does the FTC Ignore the Heart of the Credit Card Security Problem?
In essence FTC said TJX was an unfair bad guy because it could not keep up with the hackers. But by that standard, is not the entire credit card system "unfair?" Instead of picking on particular players like TJX, why doesn't FTC investigate the credit card systems as a whole (Visa, Mastercard, American Express et al.) and probe whether credit cards are inherently "unfair" to consumers because criminals can defeat the systems? Why doesn't FTC require each of the systems to devise better designs and controls so consumers are no longer subjected to the "unfairness" of the systems as presently designed? (See this post on alternative ways to authenticate credit card users and transactions.)
My point is that TJX was not "unfair." It was unlucky. Its defenses were similar to those of many (most) of its peers at the time. They too would have fallen had they been subjected to the same criminal blitzkrieg. And during the time in question, the PCI was vague, relatively new and subject to wide interpretation and debate. (It still is.) The same is true for the controls FTC just imposed on TJX.
FTC Is Confused
FTC is well-meaning here, but it is misdirected. By singling out TJX and chastising it with the "unfairness" "bad guy" rhetoric, FTC distracts the necessary public conversation. It implies that if we can just punish these lazy merchants enough (and force them to comply with PCI and similar controls), then credit cards will be safe. That's wrong.
The criminal warfare directed at the credit card system is more powerful than the theory behind PCI. The whole credit card system needs to change. As a society we need to focus on beating the criminals, and stop flogging victims like TJX as unfair privacy infringers.
--Benjamin Wright
(I have posted more remarks on TJX and FTC.)
Update: I explain how August 2008 indictments of TJX hackers put FTC's treatment of TJX into perspective.
Update: Many of TJX's peers did, apparently, fall victim to the same blitzkrieg as TJX. Prosecutors say the gang that broke into TJX also broke into 8 other large retailers, though some of those retailers cannot confirm their defenses were breached. Pereira et al., "Some Stores Quiet Over Card Breach," WSJ, Aug 11, 08, B1.
Further Update: September 2008 prosecutors say the TJX hackers broke into "numerous other businesses" in addition to the 8 previously disclosed. Ross Kerber, "Hacker pleads guilty in breach," Boston Globe, Sept. 12, 2008. Therefore, TJX was not unusual; TJX was no weaker at the time in question than was standard and common in the retail industry. Query whether FTC will open investigations of all these other retailers and claim they were "unfair" also.
Update March 2009: Heartland Payment Systems maintains that an auditor confirmed it was PCI compliant a mere month before hackers broke into the company and stole credit card data. Visa investigated after the fact, and Visa has tried to say that Heartland was not PCI compliant. But PCI expert David Taylor observes that if the goal of an investigation is to determine that an organization is not in compliance, then the goal is easy to achieve. Perfect data security never exists in practice.
Side comment. I'd have a hard time putting Hannaford and TJX in the same boat. TJX problems began by continued use of an encryption scheme that was known to be broken since 2001. They knew they had issues.
Believing a physical fiber channel link is secure is a lot higher on the reasonableness scale.
>>I'd have a hard time putting Hannaford and TJX in the same boat.<<
They were both subjected to highly organized, state-of-the-art attacks. By 20th Century standards, those two attacks would have qualified as paramilitary bank heists.
>>TJX problems began by continued use of an encryption scheme that was known to be broken since 2001. They knew they had issues.<<
Show me a retail merchant that is not going to have "issues" and mistakes come to light when it is the target of a paramilitary bank heist.
>>Believing a physical fiber channel link is secure is a lot higher on the reasonableness scale.<<
But it was known that fiber and lots of other aspects of Hannaford's defenses could have been breached.
Inevitably, when the experts look back at Hannaford, they'll say, "Oh, it's obvious Hannaford should have done this and should have done that." 20/20 hindsight is easy.
There is one big difference between the TJX incident and the Hannaford incident. TJX happened 2005-2006, whereas Hannaford happened 2008. Those are two different times in technology history. First, the standard industry practice among retailers in 2008 is to have invested a lot more in security than was standard practice in 2005. Second, the criminals are stronger (more technologically advanced and, thanks to better communications, better organized and better able to tap talent around the world) today than they were three years ago.
When state-of-the-art criminals attack mere merchants, the criminals are going to win sometimes. It is a fact. It is a fact given the present design and mechanics of the credit card system.
Both TJX and Hannaford were informed, aware, thinking and making good-faith judgment calls using the technology of the day. FTC is wrong to label good-faith judgments as "unfair". At least, it is wrong unless FTC is willing to hold all aspects of credit card design and mechanics to the same standard.
Also to the first commenter above: I appreciate the thoughtful and relevant input! Thank you. --Ben
And concerning the FTC: The FTC clearly desires to advance the public's best interests. The agency is working hard in this new information age and should be commended. But I believe FTC would be wise to re-evaluate its approach to credit cards. --Ben
Ben,
I'm glad I ran into this article. We are seeing a phenomenon where we spend more time punishing one of the victims and ignoring the increasingly sophisticated criminals behind the problem.
We need to look at the problem as a whole, which would entail looking at the entire payment card industry. I'm all for an outside entity doing this instead of the industry, itself.
As long as everybody keeps going after each other instead of the criminals, the costs are going to rack up and we will all pay for it in the end.
It never ceases to amaze me that just about any security we come up with can be defeated if someone is motivated enough to do it.
Thanks for the great read and forward thinking!
Assuming a copper or fiber wired network connection is secure is a mistake. Although intuitively an optical fiber connection seems secure from intrusion, physically tapping and capturing information is quite simple with inexpensive, off-the-shelf hardware. Here is a link to a $400 Netoptics fiber tap on ebay - http://cgi.ebay.com/NEW-NetOptics-Gigabit-Fiber-Tap-96042-G-20-62-5um_W0QQitemZ270179293290QQihZ017QQcategoryZ11175QQrdZ1QQssPageNameZWD1VQQ_trksidZp1638.m118.l1247QQcmdZViewItem. Copper equivalents are even less expensive and usually built into telecom equipment.
Fiber taps are often advertised as "passive" and "unobtrusive". Passive means no power is required so it can be placed anywhere there is a fiber interconnect - a patch panel or splice for example. Unobtrusive means there is virtually no impact on the signal level on the fiber itself so that the tap can be detected only with extremely sensitive equipment that is too expensive for the vast majority of telecom budgets to support.
Once the tap is installed anything traversing that piece of fiber also goes out another set of fiber ports on the tap. Capturing the network traffic is the next step. The cheapest way to do that is to use freeware on a PC, maybe a cheap laptop with a decent battery, and spool the data to disk. You won't get all the traffic on a busy network but most network connections are not fully utilized so you can easily get enough to do damage. Let's take it one more simple step and remotely control the laptop connected to the tap from another laptop in the bad guy's car in the parking lot. Now the captured data can be copied to the laptop in the car and wiped off the laptop inside the building so it takes more time to conduct the forensics to figure out exactly what was stolen.
This is an unsophisticated but very feasible scenario executable for under $2,000. Double or triple that investment and you could either tap multiple connections the same way or use purpose-built technology that does a better job of capturing more of the network traffic. The only way to be certain you are preventing this kind of theft is either to encrypt the network traffic or encrypt the stored data before sending it through an unencrypted network. Either solution is less expensive than getting your name in the paper after a breach.
- Steve
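Steve's conclusion that the only sure defence against a passive tap is to encrypt the traffic, or encrypt the stored data before it crosses an unencrypted link, can be shown directly. The Go program below is an added example, not code from the post or from any retailer; the record format, the pre-shared key and the "payment host" role are assumptions. It runs the same coarse card-number check a DLP monitor applies to captured bytes against a cleartext authorization record and against the same record sealed with AES-GCM, then shows that the receiver still recovers the record while a record altered in transit is rejected rather than trusted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// sampleRequest is a constructed stand-in for an authorization record a store
// sends to its payment host; the PAN is a standard test number, not real data.
var sampleRequest = []byte("pan=4111111111111111;exp=12/09;amount_cents=4999")

// panPattern is the coarse digit-run check a DLP monitor uses to spot card
// numbers in cleartext traffic; luhnValid weeds out random digit runs.
var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// luhnValid reports whether a digit string passes the Luhn checksum.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// exposedPANs scans bytes exactly as a passive tap would capture them and
// returns every Luhn-valid card number readable in cleartext.
func exposedPANs(wire []byte) []string {
	var found []string
	for _, m := range panPattern.FindAll(wire, -1) {
		if luhnValid(string(m)) {
			found = append(found, string(m))
		}
	}
	return found
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRequest encrypts and authenticates msg under key before it leaves the
// store; the random nonce is prefixed so the receiver can recover it.
func sealRequest(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// openRequest is the payment host's side: it checks the authentication tag
// and decrypts, so a tampered or mis-keyed record is rejected, not trusted.
func openRequest(key, wire []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(wire) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short to hold a nonce")
	}
	return gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], nil)
}

func main() {
	// Hypothetical pre-shared key; a real deployment would draw it from a KMS or HSM.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("cleartext on the wire exposes:", exposedPANs(sampleRequest))
	sealed, err := sealRequest(key, sampleRequest)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted on the wire exposes:", exposedPANs(sealed))
	msg, err := openRequest(key, sealed)
	fmt.Printf("payment host recovered %q (err=%v)\n", msg, err)
}
```

The point of the AEAD choice is that the tap scenario is passive today but need not stay that way: GCM's authentication tag means an attacker who later moves from reading the fiber to altering what crosses it is detected by the receiver, whereas a bare stream cipher would hide the PAN yet still let modified records through.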
TJX was negligent in using a wireless protocol that could be hacked by a 6 year old child - hardly a "state of the art" attack. And, their internal IT department had reported that it was insecure and nothing was done. This falls way outside the realm of "due diligence" and is actionable both by regulatory and judicial entities. I do agree that A) the credit card industry needs to be monitored better, as it is so critical to the American economy and B) the FTC is not equipped to do it. To implicate that the FTC is doing a good job, to me (as a person who has worked in IT security for a long time, and in light of the number of security breaches that continue to occur daily) is naive. I have never read the real report of what happened at Hannaford - but the last I heard was that malware was placed on internal servers - I heard nothing about a fiber optic tap. Again, this falls outside the realm of due diligence, as there are many ways now to detect malware as long as your sysadmins & security professionals are alert, not overworked and allowed to do their jobs.
Nellwal's on track.
WEP was cracked in 2001. The store was still running WEP in 2005. By 2005, WEP was not considered a valid form of encryption by anyone, anywhere.
If a retailer was running WEP on point of sales terminals in 2005, they clearly and obviously were negligent, if not in a legal sense, then for certain in a moral sense. If a retailer, in 2005, had designed a network such that a POS hack could propagate up stream, unchecked, to the core of the corporate network, the retailer clearly and obviously was either negligent or incompetent.
That's not a 'paramilitary bank heist'. That's only slightly above script kiddie skills.
They (TJX) took personal and financial information of mine, they stored it far longer than necessary to complete my transactions, they did barely trivial security, they allowed criminals access to the data for 18 months, and during the 18 months they had absolutely no clue it was happening.
TJX should have suffered some form of severe penalty for that level of incompetence (or negligence). Whether or not the FTC is where that should happen or not I don't know (or care). If capitalism worked, they'd be long gone. The market would have 'corrected' them. That probably would have been more appropriate than a minor fine.
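Michael's two tests of negligence, WEP still protecting the store wireless and a POS network laid out so that a compromised terminal can reach the corporate core unchecked, are both things a retailer can audit from its own configuration before anyone else does. The Go program below is an added example, not code from the post or from any retailer; the zone names, the first-match firewall policies and the SSID list are constructed. It evaluates a flat policy and a segmented policy against the same set of low-trust-to-protected flows and lists any that are still permitted, and separately flags wireless profiles whose mode is open or WEP.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed store network model: zones and a first-match firewall policy.
// Nothing here is any retailer's real configuration.
type rule struct {
	src, dst string // zone names; "*" matches any zone
	port     int    // TCP port; 0 matches any port
	allow    bool
}

type flow struct {
	src, dst string
	port     int
}

func match(r rule, f flow) bool {
	return (r.src == "*" || r.src == f.src) &&
		(r.dst == "*" || r.dst == f.dst) &&
		(r.port == 0 || r.port == f.port)
}

// permitted applies first-match semantics with an implicit final deny.
func permitted(policy []rule, f flow) bool {
	for _, r := range policy {
		if match(r, f) {
			return r.allow
		}
	}
	return false
}

// upstreamPaths lists every flow from a low-trust zone into a protected zone
// that the policy still lets through; each one is a route a compromised POS
// host could take toward the core, which is the design Michael calls negligent.
func upstreamPaths(policy []rule, lowTrust, protected []string, ports []int) []flow {
	var open []flow
	for _, s := range lowTrust {
		for _, d := range protected {
			for _, p := range ports {
				f := flow{s, d, p}
				if permitted(policy, f) {
					open = append(open, f)
				}
			}
		}
	}
	return open
}

// weakWireless returns, sorted, the SSIDs whose security mode is open or WEP.
func weakWireless(profiles map[string]string) []string {
	var weak []string
	for ssid, mode := range profiles {
		switch strings.ToUpper(mode) {
		case "", "NONE", "OPEN", "WEP":
			weak = append(weak, ssid)
		}
	}
	sort.Strings(weak)
	return weak
}

// Management and database ports that should never be reachable from the POS zone.
var probedPorts = []int{22, 445, 1433, 3389}

// flatPolicy: POS hosts may talk anywhere, so a POS compromise propagates upstream unchecked.
var flatPolicy = []rule{
	{src: "pos", dst: "*", port: 0, allow: true},
}

// segmentedPolicy: POS hosts reach only the payment gateway on 443; everything else is denied.
var segmentedPolicy = []rule{
	{src: "pos", dst: "payment-gateway", port: 443, allow: true},
	{src: "pos", dst: "*", port: 0, allow: false},
	{src: "corporate", dst: "pos", port: 22, allow: true}, // admins may reach POS, not the reverse
}

func main() {
	lowTrust := []string{"pos", "store-wifi"}
	protected := []string{"corporate", "card-database"}
	fmt.Println("flat policy exposes:", upstreamPaths(flatPolicy, lowTrust, protected, probedPorts))
	fmt.Println("segmented policy exposes:", upstreamPaths(segmentedPolicy, lowTrust, protected, probedPorts))
	// Constructed SSID inventory for the check on wireless encryption modes.
	fmt.Println("weak wireless:", weakWireless(map[string]string{
		"STORE-POS": "WEP", "STORE-CORP": "WPA2-Enterprise", "GUEST": "open"}))
}
```

The implicit final deny is what makes the segmented policy hold: a zone the rules never mention (here `store-wifi`) gets nothing, and the explicit `pos -> *` deny keeps a later, broader allow rule from quietly reopening the path.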
Michael and I expand this good discussion in comments on his blog. See http://lastinfirstout.blogspot.com/2008/06/verizon-2008-data-breach-investigations.html#comments
helpful