The revelation of another data breach in the banking and financial services sector should come as no surprise. That this newest breach — courtesy of Heartland Payment Systems — is potentially the largest such incident to date is definitely troublesome. But in reading about the breach, there are two other nuggets of information that I found to be even more of a concern.
1. The plain and simple truth is that hackers are usually one step ahead of their targets. With the Heartland breach, however, hackers may have taken a quantum leap forward. The software used by the hackers to steal credit card numbers, expiration dates, and other data stored on magnetic stripes is “light years more sophisticated” than what was previously available, Robert Baldwin, Heartland’s president and chief financial officer, told the Wall Street Journal. Always playing from behind is never a good rule of thumb. But now it seems as though the banking industry is playing the role of Charlie Brown, never to get an opportunity to kick the football. Good grief, indeed.
2. During the majority of the payment transaction process, all the data is encrypted, making it harder to misuse if stolen. But, according to Baldwin, there are still points in the process where the data must be unencrypted. How is this still possible in 2009? (I’ll save the question of why I’m still using a magnetic stripe card for another day.)
The cold, hard truth is that hackers will always target banks and financial services companies. That’s where the money is. That some brilliant hacker or group of hackers devised a new and innovative means of intercepting data is allowable. Transmitting unencrypted data, however, seems inexcusable. How is that still allowed? How many hundreds of millions of records have to be compromised before something is done? Granted, the banking industry is in the midst of a credit and liquidity crisis. That crisis has eroded much of the inherent trust placed with banks by their customers. Breaches like these only make banks’ jobs harder.
The one conclusion I walk away with after reading several articles about the breach is that hackers are working to continue improving their techniques. The same cannot be said for the banking industry.