Heartland Breach -- What it Means to Banking Institutions: James Van Dyke, Javelin Strategy & Research
The Heartland Payment Systems data breach - it's the first major security incident of 2009. But how big is it really? What are the key takeaways for banking institutions left explaining this breach to their customers?
In an exclusive interview, James Van Dyke, Founder and President of Javelin Strategy & Research, discusses the implications of the Heartland case, offering insight on:
Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.
Van Dyke has presented before the US House of Representatives and numerous industry events, and his viewpoints reach over 30 million individuals each year through print and broadcast media around the globe. He has been a thought leader in electronic commerce since 1984.
Van Dyke has held key management assignments in strategic planning, market research, product management, market analysis, product and service launches, communications, technology evaluation, alliance and partner management, and distribution channel development with organizations ranging from start-ups to Fortune 100.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is the Heartland Payment Systems breach and I'm talking with James Van Dyke, Founder and President of Javelin Strategy and Research.
Jim, thanks so much for taking the time to join me today.
JAMES VAN DYKE: Glad to be here Tom.
FIELD: So Heartland Payment Systems, from what you have seen and what you have read, what do you think happened here?
VAN DYKE: Well, you know, the details are still unfolding. It is really hard to know what the pattern is of the data exposure, and the two things we uniquely look at are data exposure and fraud incidents, and of course we still have to wait even longer to determine what pattern of potential fraud or privacy violations will come out of this.
But it looks like, from the scattered pieces of information that are coming out, that this could be an organized attack; it probably is. The largest scale breaches tend to have that component to them. And certainly people are going after data, so that there could be a remote aspect to these as well, but we really just have to wait for more information.
FIELD: Now last week I kind of rolled my eyes a little bit, and you probably did too, because immediately after the news -- it was slow news week outside of the inauguration and everybody picks this up, and they are saying potentially the biggest breach sine TJX, the biggest breach ever, the biggest breach in recorded history. With some perspective, how bad is this really?
VAN DYKE: You know again, the details are just coming out right now, and so we have to wait for those details to emerge. And in the case of TJX, it actually wasn't known for several months. We actually created a timeline on this, one of our researchers, Mary Monahan, did, that showed and connected all the different pieces of information as they came out that were reliable because there is so much speculation that you have to wade through.
Two things: One is the facts are not present yet, and they will take months to come out as people literally do forensics on systems. It is certainly very large, but is it the largest? No one knows that yet. I mean, if anyone says they know -- unless they work for the organization itself, Heartland, they are probably just speculating, so I don't really want to go there.
But we have got to organize the information, and here at Javelin we will probably put that into a timeline just like we did for clients with TJX to try to understand how you can prevent, detect and resolve fraud, and that is just what we are going to do.
FIELD: So, we have already got banks and credit unions that are being made aware that their customers' information might have been a part of this. What would you say are the key takeaways for banking institutions now that are hearing from Visa and MasterCard?
VAN DYKE: Banks, issuers, or even d/b/a groups, have got to step up the process and make sure they are going full steam ahead and in looking for patterns where cards would have been used in the past compared to where they are being used fraudulently now. I mean, they really need to be right on top of this and working doubly overtime on top of looking for common patterns and fraud usage because that is what will help them to know which cards were exposed and things like that. So that is a process that we have got to go through, but we just can't wait, so issuers have to stay on top of that and put in the extra hours.
We also need to make sure we are educating the other victim in these fraud cases. There are always two victims in ID fraud cases, and there are always two crimes. And what those two crimes are: The stealing of the data and the using of the data fraudulently. The two victims are the individual account holder, in this case a card holder, and then generally the financial institution as well as of course the network and the merchant, so companies and individuals.
Simplifying what I just said, we've got to make sure we are educating individuals on what to do. Don't do it so boldly that we scare them, but inform people to monitor their statements, remembering that one out of every two cases of fraudulent transactions are actually detected by the account holder and not an issuer and not a network and not somebody else.
FIELD: Well, that's a good point. Jim, we've got a new administration in right now, and certainly people are talking about new regulatory measures. Is there something on that level you think we can expect to see? Maybe not to prevent such breaches, but maybe to put in more regulatory bite in some of the non-banking institutions that are handling critical data.
VAN DYKE: You know, boy, it's such a tough one, and the major brands, you know Visa and the others, I think they have done a really good job in trying to push forward PCI standards and so forth and where we have seen most of the emphasis, the suggestion by the new administration, the Obama administration talking about regulation, going back to early parts of their campaign efforts, we are really talking more about transparency.
So it is our expectation at Javelin that we are probably going to--whatever regulation we see, we believe will be mostly about transparency and what you do with selective and complicated application of interest rate charges so that we keep individuals whole and that, therefore, there won't be much left over regulatory interest in the area of data breaches. Because as soon as that conversation comes up, if it does come up on Capitol Hill, wise regulators will probably say 'Well, let's first explore the connection between data breaches and actual cases of fraud.'
And the thing is that it is not that strong of a correlation. There certainly were breakout cases of fraud coming out of TJX, but that was because people didn't know that a breach had happened for so long. This one is now known.
FIELD: You make a good point. Jim, let me ask you about PCI because that has come up a lot in the conversations, and I guess I that I counter with PCI is a standard, but it is not necessarily a regulation, so is it going to be effective?
VAN DYKE: Yes, it's a really interesting question about that. It is a standard and not a regulation, and I add on to that something more about the trend. One thing we saw Visa do followed by MasterCard and then American Express and I believe Discover, if I am not mistaken in that order, was that when there was the Card Services breach we saw interesting self-regulation, building on your question, where essentially Visa regulated Card Services out of business.
I had a couple of regulators take exception to me saying that, and I think that is because they might see that as a threatening comment, like hey, by you calling this effective self-regulation you are going to put us out of a job. But that is the point. That all of this is so complicated, and "this" meaning the connection between data and exposure and fraudulent transactions, those two separate crimes doing system forensics and the rapidly changing nature of fraud mitigation technology where we have to stay one step ahead of criminals.
It is kind of like a Check 21 and other new emerging payments regulations. They are probably going to be at their best when they are pretty darn big, therefore it is really up to the industry to solve this one.
FIELD: Now interestingly, I got your reports at the start of the year. You and your team put together really I thought a fine set of predictions for what might happen in banking and in finance in 2009, and interestingly enough this breach sort of makes you look like Nostradamus.
VAN DYKE: Well, we would like to thank you for the compliment. The only thing we do differently is work with lots of quantitative data, and there is not a whole lot of research going on to connect the pattern of data exposure and fraudulent data usage, and I wish we could take credit for being really smart. We just work with a whole lot of data that looks at that, and we are going to have some upcoming results fairly soon because of some of the latest fraud numbers and I think there will be some surprises in there as well.
FIELD: Jim, what do you think are some of the biggest fraud threats that banking institutions need to look out for now?
VAN DYKE: Boy, it's getting more multi-channel all the time, fraud, and that is what makes it so difficult. So therefore you, you know, last year for example in the ID fraud report that came out in the spring, what was really interesting there was that the degree to which criminals were going after a then relatively unprotected channel of the telephone. It was crazy. I mean, through all measures of looking at phone-based crimes, wireless, landline or whatever, new phone applications, phone crime was up left and right, and we were so busy protecting the new channels that criminals were going out after the old channel. And I think that the account holders themselves, or the identity holders in the case of new account fraud, weren't thinking to protect the old-fashioned channels.
So our message is very much a multi-channel message and will continue to be that because criminals don't have a bias to either new technology or old technology. They are happy to use them all and they are just waiting to see where the gaps are.
So for individuals, what we have got to do better, both individuals as risk and fraud experts and account holders or identity holders, on both sides we have got to get those individuals to be viewing fraud more as a multi-channel problem. And one in which they study the data on the trends between, and I sound like a broken record, but the connection between data exposure and fraudulent data usage and then engage the customer in the crime. There is just no excuse for a big data breach, period. And it's when you get that dramatic event, when you get that letter in the mail--I got one a couple of months ago myself--saying your data has been exposed, there is no excuse for that kind of thing these days, and generally there is just some sloppy practices that lead to it. However, unfortunately they are going to keep happening, and the sooner we can engage accountholders and multi-channel focus risk and fraud specialists in the crime, the sooner we will bring some of these crimes to a halt.
FIELD: Jim, great insight. I appreciate your time today, and I look forward to speaking to you both when we learn more about the Heartland Payment Systems breach and when you've got some new research coming out.
VAN DYKE: Sounds great, Tom. I'm looking forward to it. Thank you.
FIELD: We've been talking with James Van Dyke, Founder and President of Javelin Strategy and Research. For Information Security Media Group, I'm Tom Field. Thank you very much.