By Ian Bush
PHILADELPHIA (CBS) – Target and Neiman Marcus aren’t the only ones.
There’s word this week that other retailers recently have fallen victim to data breaches that have put more personal information in the wrong hands: Reuters is reporting at least three as-yet unnamed chains are affected. A local lawmaker is one of those on Capitol Hill leading the charge for stronger cybersecurity, but can the law really outsmart the hackers?
It appears the method of attack is a constant across these recent breaches. Criminals have deployed what’s called a RAM scraper. That’s malicious software that steals personal and payment data as it zips — unencrypted, in plain text — through a computer’s memory.
Rep. Patrick Meehan (R-Pa. 7th District) says he’s meeting this week with representatives from Target who are still working to assess the damage from the theft of sensitive information of up to 110 million customers.
“It is symptomatic of what is a tremendous vulnerability that we face as a nation and, in fact, what these systems face all across the world,” says Meehan, who’s also set to meet with members of the Secret Service on their investigation into the breach. “Target is not unique in this regard. We have watched on a daily basis the kinds of cyber threats that are facing big banks and other institutions. People are just beginning now to see it can have a devastating impact on the economy, on businesses, and on the individual who’s concerned about the safety of their own identity.”
The Republican, who chairs the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, has introduced — along with several other members of Congress from both parties — the National Cybersecurity and Critical Infrastructure Protection Act, which he says is “critical” to the fight to bolster our digital defenses.
“The cyber bill is one of the things that can be of significant assistance in terms of enabling us to work collaboratively when we identify information,” Meehan explains. “Being able to get that information to the kind of people that can, in effect, put a tourniquet on problems as they’re occurring and significantly reduce them.”
The bill, introduced last month, is scheduled to be taken up this week by the subcommittee for markup — a procedural step in preparation for consideration by the full House.
Meehan says it would organize and unite the top resources from the government and private sector in efforts to blunt the damage from cyber attacks.
Preventing one in the first place is, as Meehan says, “an ongoing battle.” Lawmakers leery about more regulation in the private sector may not be swayed even by the scope of the recent breaches, but security experts say damaging strikes will only be limited by major changes at banks, retailers, and for cardholders.
Brian Krebs, the investigative journalist who first reported breaches at Target, Neiman Marcus, and Adobe, has called for the magnetic stripe on a credit card to be replaced by the encrypted chip-and-PIN system, popular in Europe.
“The data that’s stored on the magstripe is transmitted in the clear,” says Krebs. “As long as that’s OK, and as long as retailers are allowed to do that, these breaches are going to continue.”
Shifting to chip-and-PIN would help thwart credit card counterfeiters, but it’s not a panacea — and it likely wouldn’t have helped during these most recent RAM scraper attacks.
“It doesn’t prevent the bad guys from breaking into the retailer’s network and installing some piece of malicious software either on the point-of-sale device or somewhere on the network that handles payment transactions,” Krebs explains, “and then just sniffing all the transactions that go through because they’re in plain text.”
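The distinction Krebs draws above, a static magnetic stripe versus a chip that signs each transaction but still hands the card number to the terminal in the clear, is easy to see in a small simulation. The following is an added example written for this page, not code from Krebs, Target, or any card network, and it is a deliberately simplified hypothetical model (an HMAC over a transaction counter standing in for a real EMV cryptogram; the `MagstripeCard`, `ChipCard`, and `Issuer` classes and the sample card values are all constructed for illustration):

```python
import hashlib
import hmac
import os

# Constructed sample values; not real card data and not the real EMV protocol.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "2512"


class MagstripeCard:
    """Magstripe model: the track data is static, so every swipe
    hands the terminal exactly the same bytes."""

    def __init__(self, pan, expiry):
        # Constructed track-2-style string: PAN, separator, expiry, service code
        self.track2 = f"{pan}={expiry}101"

    def swipe(self, amount):
        # This record sits in the terminal's memory in the clear
        return {"track2": self.track2, "amount": amount}


class ChipCard:
    """Chip-and-PIN model (simplified, hypothetical): the card keeps a secret
    key that never leaves it and signs each transaction with a fresh counter."""

    def __init__(self, pan, expiry, key):
        self.pan, self.expiry = pan, expiry
        self._key = key
        self.atc = 0  # application transaction counter

    def transact(self, amount):
        self.atc += 1
        msg = f"{self.pan}|{self.expiry}|{self.atc}|{amount}".encode()
        cryptogram = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # The PAN still reaches the terminal unencrypted
        return {"pan": self.pan, "expiry": self.expiry, "atc": self.atc,
                "amount": amount, "cryptogram": cryptogram}


class Issuer:
    """Hypothetical issuer back end that authorizes both card types."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll_chip(self, card):
        self._keys[card.pan] = card._key
        self._last_atc[card.pan] = 0

    def authorize_magstripe(self, record):
        # Nothing in a static track record proves the genuine card is present:
        # any well-formed track data is accepted, however it was obtained.
        pan, _, rest = record["track2"].partition("=")
        return len(pan) == 16 and pan.isdigit() and len(rest) == 7

    def authorize_chip(self, record):
        key = self._keys.get(record["pan"])
        if key is None:
            return False
        if record["atc"] <= self._last_atc[record["pan"]]:
            return False  # counter already used: a replayed capture
        msg = (f"{record['pan']}|{record['expiry']}|"
               f"{record['atc']}|{record['amount']}").encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["cryptogram"]):
            return False  # cryptogram not made with the card's key
        self._last_atc[record["pan"]] = record["atc"]
        return True


def demo():
    """Run both card models against the issuer and report what a record
    captured from terminal memory is worth in each case."""
    issuer = Issuer()
    results = {}

    # Magstripe: a record copied from terminal memory is a complete clone.
    mag = MagstripeCard(SAMPLE_PAN, SAMPLE_EXPIRY)
    captured = mag.swipe(amount=20)
    results["magstripe_legit"] = issuer.authorize_magstripe(captured)
    cloned = {"track2": captured["track2"], "amount": 500}
    results["magstripe_clone_accepted"] = issuer.authorize_magstripe(cloned)

    # Chip: the captured record can be neither replayed nor reused.
    chip = ChipCard(SAMPLE_PAN, SAMPLE_EXPIRY, os.urandom(16))
    issuer.enroll_chip(chip)
    captured = chip.transact(amount=20)
    results["chip_legit"] = issuer.authorize_chip(captured)
    results["chip_replay_accepted"] = issuer.authorize_chip(dict(captured))
    reused = dict(captured, atc=captured["atc"] + 1, amount=500)
    results["chip_reuse_accepted"] = issuer.authorize_chip(reused)

    # But the card number itself was in the terminal's memory in plain text,
    # which is exactly what a memory-resident scraper collects.
    results["pan_in_chip_record"] = captured["pan"] == SAMPLE_PAN
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The magstripe clone is accepted because the issuer has nothing to check beyond the static data; the chip records are refused because the counter was already spent and the cryptogram cannot be recomputed without the card's key. The last result is the caveat in Krebs' second quote: both records still expose the card number to whatever reads the terminal's memory, so chip-and-PIN reduces counterfeiting but does not by itself stop data theft from an infected point-of-sale system.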
Some credit card companies and retailers also have balked at the cost to convert the US system to chip-and-PIN, from the expense of replacing card-reading equipment to the billion-plus cards themselves.