Steven Elefant knows a thing or two about data theft.
He was hired in 2009 to pick up the pieces at Heartland Payment Systems after hackers swiped 130 million credit and debit card numbers from the company's computer database. It was the largest data breach in history.
While Heartland is back on firmer footing, data theft around the globe remains rampant, said Elefant, the chief information officer for the nation's fifth-largest payment processor handling 250,000 stores from mom-and-pops to 7-Eleven. Even the 2010 conviction of 28-year-old Miami hacker Albert Gonzalez in connection with the Heartland breach and earlier thefts at TJMaxx, Sweetbay Supermarket and other Florida retailers did little to improve the situation.
A member of the FBI and U.S. Secret Service electronic crimes task forces, Elefant, 52, recently talked with the St. Petersburg Times about how cyber criminals work, card security and what retailers and card-carrying customers should know.
Records lost to data breaches declined in 2009 from 360 million to 143 million, but that was still the third-highest total ever, while the number of reported breaches rose by a third. Most were through retail, hotel and restaurant systems. With hacker Albert Gonzalez in prison, how serious is the threat?
As serious as ever, if not more so. Gonzalez was not the mastermind. He was working with organized criminal rings in Eastern Europe, Ukraine and Russia. They will sell your stolen credit card numbers today over the Internet for $5 to $20 apiece.
U.S. law enforcement knows exactly who they are but cannot get them extradited. Some of these countries have no cyber crime laws, so they cannot arrest them there. We discovered after we were hacked that competitors and law enforcement had specific knowledge about our case before we did.
Gonzalez was also working as a U.S. government informant. (At least now) U.S. law enforcement, card issuers and other payment processors are talking and sharing information about threats.
How does a hacker convert a stolen card and expiration number to cash?
The bad guys sell the numbers to other bad guys who obtain blank cards and an imprinter — used ones are available on eBay or craigslist — and print their own credit cards or make counterfeit gift cards. They use the cards to buy big-ticket items like a $1,000 TV they sell for $500 to people who don't realize it's stolen merchandise.
This is bank robbery in the 21st century, only they are doing it from an easy-boy recliner on their home PC in the Ukraine. The system should never have made small retailers who don't know a firewall from a fire extinguisher responsible for losses. We're seeing more small breaches. I've seen restaurants put out of business by $500,000 penalties from data breaches.
Hackers sitting in vans in store parking lots tapped into the national wireless card database through transmissions emanating from Sweetbay and TJMaxx stores. How did they get in your secure card databank?
After a great many persistent attacks, they were able to find a way in through our corporate website. We picked up the breach of the card database immediately, but didn't realize for months they had inserted malware that compromised millions of card numbers.
People confuse data theft with identity theft. What's the difference?
With identity theft, the bad guys are trying to duplicate a person's identity. Data theft is mostly stealing card numbers and expiration dates to convert them to cash. People are concerned about identity theft from stolen cards, but you cannot get a passport with a credit card number. You need things like a driver's license or a Social Security number.
Heartland paid $141 million in industry-levied fines and settlement costs for the 2009 hack even though your system, like Sweetbay's, was certified to what the industry calls PCI compliance. What does that say about PCI standards?
That you are compliant until you have an issue. Then you aren't.
PCI is a good way to get people thinking about security. But it's a checklist, not security. About 70 percent of the big chains and 20 percent of the small ones today are PCI compliant. We developed a system to regain our PCI compliance in six weeks. We asked former CIA and Mossad experts to break it, and they couldn't. In this day and age, there is no silver bullet, but we're pretty close.
The bad guys are smart and bold. In one Florida supermarket, somebody even installed a phony check stand terminal after the store closed to steal data. So our system automatically wipes out all the security keys if the check stand is tampered with. We're confident enough to guarantee to pay 100 percent of any fines or settlements assessed to a retailer for a breach.
What do retailers, who can be liable for losses from data in their possession, need?
Layers of security. First, end-to-end encryption from the moment a card is scanned in at the check stand to the end user. We call it reverse Rumpelstiltskin: We turn the gold into straw. That makes whatever data the bad guys get unusable.
Next is tokenization. That's assigning random numbers to each transaction … so retailers can retrieve information for refunds or returns. That leaves no real card data in the retailer's possession. Third, you need firewalls and passwords for a more tamper-proof system.
Did your clients bolt after the breach?
We lost very few clients and have been flat since then. So far about 10,000 of our 250,000 merchants have adopted end-to-end encryption. It's the gold standard we think will eventually be adopted by a majority.
To make card checkout faster, some card issuers recently dropped a security step: A clerk no longer looks at the card or signature. Is that wise?
We have to balance speed with security. I think you soon will see the answer in cards with a tiny computer chip embedded to replace the signature card. They're common in the rest of the world.
Has your credit card number been stolen?
Oh, yeah. I was in a meeting at Visa International headquarters in San Francisco when I got a call from my card issuer that someone was trying to use my Visa in Albuquerque, N.M. Of course, consumer losses from a data breach are usually totally covered by a card issuer or limited to $50 on a credit card. But there's a hassle factor to getting a new card, plus I had a lot of automatic payments to notify.
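The tokenization layer Elefant describes in his answer about what retailers need, as an added illustration that is not code from Heartland or from the interview: the processor keeps the only mapping from token to card number, while the retailer stores a random per-transaction token and the last four digits, which is still enough to request a refund. Class and function names are assumptions, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Processor side: the only system that ever holds real card numbers."""
    def __init__(self):
        self._vault = {}  # token -> (pan, expiry); never leaves the processor

    def authorize(self, pan, expiry, amount_cents):
        # The token is random, not derived from the PAN, so two sales on the
        # same card get unrelated tokens and nothing can be reversed from them.
        token = secrets.token_hex(16)
        self._vault[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}

    def refund(self, token, amount_cents):
        # The merchant refers to a sale by token only; the processor resolves it.
        if token not in self._vault:
            return None
        pan, _expiry = self._vault[token]
        return {"refunded_to_last4": pan[-4:], "amount_cents": amount_cents}

class MerchantPOS:
    """Retailer side: its records hold a token and last four digits, no PAN."""
    def __init__(self, processor):
        self.processor = processor
        self.sales = []

    def sale(self, pan, expiry, amount_cents):
        # In deployment the PAN is encrypted at the card reader and decrypted
        # only at the processor; this direct call stands in for that channel.
        receipt = self.processor.authorize(pan, expiry, amount_cents)
        self.sales.append(receipt)
        return receipt

    def refund_sale(self, index, amount_cents):
        return self.processor.refund(self.sales[index]["token"], amount_cents)

    def holds_card_data(self, pan):
        # What a dump of the merchant's own database would expose.
        return any(pan in str(v) for rec in self.sales for v in rec.values())

def demo(pan="4111111111111111", expiry="12/27"):
    # Constructed sample: a standard test-card number, not a real account.
    pos = MerchantPOS(TokenVault())
    r1, r2 = pos.sale(pan, expiry, 100000), pos.sale(pan, expiry, 2599)
    refund = pos.refund_sale(0, 100000)
    return {"tokens_differ": r1["token"] != r2["token"],
            "merchant_holds_pan": pos.holds_card_data(pan),
            "refund_last4": refund["refunded_to_last4"],
            "unknown_token_refund": pos.processor.refund("not-a-token", 1)}
```

Running demo() shows the two sales on the same card receive unrelated tokens, the merchant's records never contain the card number, and a refund still resolves through the processor.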
Mark Albright can be reached at firstname.lastname@example.org or (727) 893-8252.