Friday, September 12, 2014

Break on Through to the Other Side

This month’s blog pertains to hacking. The most recent victim of the Russian-Ukrainian consortium of hackers, the ‘American Sanctions’ (presumably so named in retribution for U.S. sanctions against Russia), is Home Depot. With 2,200 stores as opposed to Target’s 1,800, analysts now fear that the scope of damage from the Home Depot attack may exceed that of the attack on Target last year. P.F. Chang’s has been a recent victim, as has JPMorgan Chase. The Wall Street Journal, the Business Student’s Bible, reports that Healthcare.gov, the Federal Government’s massive Affordable Care Act site, was also hacked. We appear to be powerless to guard against these attacks. Are we?

Cyber-attacks fall on a spectrum, with DDoS (Distributed Denial of Service) attacks at one pole and the wholesale pilferage of data via cyber break-ins at the other. A DDoS attack is designed to overwhelm the target’s servers: the perpetrator commandeers remote computers, sometimes thousands of them, and at a given date and time they all begin flooding the target’s servers with traffic at once, until the target is overwhelmed and the site is said to ‘go down.’ While this can be very disruptive to e-commerce websites such as eBay, Google, and Amazon (companies that interface with retail consumers on the Internet and/or have a high volume of traffic), such attacks are not as dangerous as the outright pilferage of consumer or credit-card data. The two poles also mark a chronological timeline: DDoS appeared on the cyber landscape a decade or so before the now ubiquitous theft of consumer and credit-card data. Where do we go from here?

Cyber-security experts have attributed some credit-card data theft to point-of-sale (POS) vulnerabilities stemming from the use of magnetic-stripe credit cards. Credit cards in the USA have lagged their European counterparts, where embedded chips are more commonplace. The stripe holds a static copy of the account data, and whatever a skimmer reads can be written to a blank card and swiped again. The chip works differently: it holds a secret key that cannot be read out, and for each transaction the POS terminal sends it the transaction details and receives back a cryptogram computed with that key, which the bank verifies; the transaction is additionally authenticated by an externally entered PIN (personal identification number) known only to the consumer and the bank. Therefore, there is no static data that can be copied off the card with black-market readers and writers to forge a working duplicate. France is said to have reduced credit-card theft and forgery by up to 80% since the introduction of chip-and-PIN technology back in 1992.
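To make the difference concrete, here is an added example written for this page (not code from the original post, and not any card network’s implementation). It models the stripe as static track data that an issuer can only compare against its records, and the chip as the holder of a secret key that signs each transaction. The field names (ARQC, ATC, unpredictable number) are EMV’s; the HMAC-SHA256 construction, the test card number 4111111111111111 and the card key are stand-ins chosen for the example, where real EMV derives a session key and uses a block-cipher MAC.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Sample card data, constructed for this example (a test PAN, not a real account).
PAN = "4111111111111111"
EXPIRY = "2509"          # YYMM
SERVICE_CODE = "101"
# Issuer-provisioned card secret. On a real chip it is written at personalisation
# and cannot be read back, so a skimmer or cloner never sees it. Assumed value.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


# ---- magnetic stripe: everything the issuer checks is static and readable ----
def track2(pan: str, expiry: str, service_code: str) -> str:
    """Simplified track-2 layout: PAN, field separator, expiry, service code."""
    return f"{pan}={expiry}{service_code}"


class StripeIssuer:
    def __init__(self, pan: str, expiry: str, service_code: str) -> None:
        self.on_file = track2(pan, expiry, service_code)

    def authorize(self, presented_track2: str, amount: int) -> bool:
        # Nothing on the stripe changes from one swipe to the next, so a copy
        # written to a blank card is indistinguishable from the original.
        return presented_track2 == self.on_file


# ---- chip: the card proves possession of a key by signing this transaction ----
def cryptogram_input(pan: str, amount: int, atc: int, unpredictable: bytes) -> bytes:
    return pan.encode() + amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + unpredictable


@dataclass
class Chip:
    pan: str
    key: bytes
    atc: int = 0  # Application Transaction Counter, increments per transaction

    def generate_arqc(self, amount: int, unpredictable: bytes) -> dict:
        """Authorization Request Cryptogram bound to amount, ATC and the
        terminal's nonce (HMAC-SHA256 stands in for EMV's session-key MAC)."""
        self.atc += 1
        msg = cryptogram_input(self.pan, amount, self.atc, unpredictable)
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount, "atc": self.atc,
                "un": unpredictable, "arqc": mac}


class ChipIssuer:
    def __init__(self, pan: str, key: bytes) -> None:
        self.keys = {pan: key}
        self.last_atc = {pan: 0}

    def authorize(self, req: dict, terminal_nonce: bytes) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        if req["un"] != terminal_nonce:               # not the nonce this terminal just issued
            return False
        if req["atc"] <= self.last_atc[req["pan"]]:   # counter did not advance: replay
            return False
        msg = cryptogram_input(req["pan"], req["amount"], req["atc"], req["un"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["arqc"]):
            return False
        self.last_atc[req["pan"]] = req["atc"]
        return True


def terminal_transaction(chip: Chip, issuer: ChipIssuer, amount: int):
    """An honest terminal: fresh nonce, ask the chip for an ARQC, forward it.
    Returns (approved, request) so the request can be 'captured' below."""
    nonce = os.urandom(4)
    req = chip.generate_arqc(amount, nonce)
    return issuer.authorize(req, nonce), req


# ---- scenarios -------------------------------------------------------------
def stripe_clone_succeeds() -> bool:
    skimmed = track2(PAN, EXPIRY, SERVICE_CODE)       # read by a skimmer, written to a blank card
    return StripeIssuer(PAN, EXPIRY, SERVICE_CODE).authorize(skimmed, 4999)


def chip_genuine_succeeds() -> bool:
    approved, _ = terminal_transaction(Chip(PAN, CARD_KEY), ChipIssuer(PAN, CARD_KEY), 4999)
    return approved


def chip_replay_rejected() -> bool:
    issuer = ChipIssuer(PAN, CARD_KEY)
    approved, captured = terminal_transaction(Chip(PAN, CARD_KEY), issuer, 4999)
    # The attacker recorded the whole exchange and replays it through an honest
    # terminal (which issues its own nonce) and through a rogue one (same nonce).
    honest_replay = issuer.authorize(captured, os.urandom(4))
    rogue_replay = issuer.authorize(captured, captured["un"])
    return approved and not honest_replay and not rogue_replay


def chip_clone_without_key_rejected() -> bool:
    # The cloner copied everything readable from the card, but not CARD_KEY.
    clone = Chip(PAN, key=bytes(16))
    approved, _ = terminal_transaction(clone, ChipIssuer(PAN, CARD_KEY), 4999)
    return not approved
```

The four scenario functions return True in turn: the skimmed stripe is accepted, the genuine chip is accepted, the recorded chip transaction is refused on replay (wrong nonce, or a transaction counter that did not advance), and the cloned chip is refused because it cannot compute the cryptogram without the key.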

Why have we been laggards? Because upgrading POS terminals costs money, and credit-card companies and their clients have kicked the can back and forth on the question of who pays for the upgrades. Both credit-card companies and their clients have also undertaken cost-benefit analyses weighing the cost of upgrades against the financial and reputational liability that POS data theft may bring. One has to wonder whether it would have been cheaper for the likes of Target and Home Depot to have upgraded their POS terminals to chip-and-PIN technology, in light of the operational and reputational damage incurred from the well-publicized hacks of their systems. More importantly, would that have been enough?

It is important to note that not all credit-card data pilferage occurs at the POS location. In a time of big data and companies’ quests to learn molecular details about their consumers, their preferences, and their purchasing patterns, companies are collecting and mining more data points in greater volume, making their data repositories attractive targets for hackers. Thus, while the new Apple Watch and iPhones may well facilitate more secure retail transactions via Apple Pay, which relies on the same per-transaction cryptogram approach as the chip (with a device-specific token standing in for the card number), Apple and others remain vulnerable to hacks of iCloud and server data. Hence the recent hacks of celebrity nude photographs, of Chase and Home Depot data, and the aforementioned attack on the Federal Government’s HHS site. “The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million,” according to a joint study last May published by the Ponemon Institute, an independent research group, and IBM (quoted in Nicole Perlroth and David Gelles, “Russian Hackers Amass Over a Billion Internet Passwords,” New York Times, Aug. 5, 2014). We always seem a step behind the Sisyphean tenacity of hackers, be they local, Chinese, or East European. How can we combat this epidemic?

Part of the solution lies in unleashing technology against technology. Hence, credit-card companies in the USA are at long last beginning to roll out chip-and-PIN cards and the related terminal technology. 2015 will see a full host of such cards enter the retail US economy, and POS hacks will probably see an immediate drop from there on. Technologies such as Apple Pay will also help combat POS theft of consumer data. CNP (card-not-present) vulnerabilities, which characterize telephone, internet, and mail-order transactions, are also finding relief through multi-factor techniques. Hence, password-reset requests today are more commonly handled via a one-time challenge issued by the bank or credit-card company and sent to the consumer’s mobile phone or email address. The consumer is then asked to respond by entering the unique code the bank issued before being allowed to change the password or initiate the transaction. Such a code is only as safe as the channel that carries it, and it should be short-lived and usable once. Many sites do not allow the reuse of old passwords, and passwords themselves are required to be more complex, with combinations of letters, numbers, and symbols. Data repository servers, whether proprietary or commercial in-the-cloud, are layering firewalls and deploying ‘honeypots’ both to distract attackers and to generate audit trails leading back to them. But hackers tend to be sophisticated and well-versed in the art of covering their trails. So the attacks have kept coming. What more can we do?
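One way to implement the one-time challenge described above, as an added example written for this page (not code from the original post, and not any bank’s implementation): the service stores only a keyed hash of the code, binds the code to one user and one action, lets it expire, lets it be redeemed once, and stops checking after a handful of wrong guesses. The user names, the server secret, and the five-minute and five-attempt limits are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300     # a code is good for five minutes (assumed policy)
MAX_ATTEMPTS = 5           # 6 digits give 10^6 guesses; cap how many a caller gets

# Server-side secret for hashing codes; constructed for this example.
SERVER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclass
class Challenge:
    code_hash: bytes        # only an HMAC of the code is stored, never the code
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class ChallengeService:
    """Issue and redeem one-time codes for a named user and action."""

    def __init__(self, server_secret: bytes, clock=time.time) -> None:
        self._secret = server_secret
        self._clock = clock
        self._pending: dict[tuple[str, str], Challenge] = {}

    def _digest(self, user: str, action: str, code: str) -> bytes:
        # Binding user and action into the HMAC means a code issued for a login
        # cannot be redeemed for a password reset, and a hash leaked from the
        # database cannot be turned back into the six digits without the secret.
        msg = f"{user}|{action}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user: str, action: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[(user, action)] = Challenge(
            self._digest(user, action, code), self._clock() + CODE_TTL_SECONDS)
        # Returned here only so the example can hand it to the out-of-band channel;
        # a real service passes it to the SMS/e-mail sender, never back to the client.
        return code

    def verify(self, user: str, action: str, code: str) -> bool:
        key = (user, action)
        ch = self._pending.get(key)
        if ch is None:
            return False
        if self._clock() > ch.expires_at:
            del self._pending[key]
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.code_hash, self._digest(user, action, code))
        if ok or ch.attempts_left <= 0:
            del self._pending[key]   # single use; also discard a code guessed at too often
        return ok


class FakeClock:
    """Deterministic clock so the expiry path can be exercised without sleeping."""
    def __init__(self, now: float = 1_410_500_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo_single_use() -> tuple:
    svc = ChallengeService(SERVER_SECRET, FakeClock())
    code = svc.issue("alice", "password_reset")
    first = svc.verify("alice", "password_reset", code)
    second = svc.verify("alice", "password_reset", code)    # same code presented again
    return first, second                                     # (True, False)


def demo_wrong_action() -> bool:
    svc = ChallengeService(SERVER_SECRET, FakeClock())
    code = svc.issue("alice", "login")
    return svc.verify("alice", "password_reset", code)       # False: issued for a different action


def demo_expired() -> bool:
    clock = FakeClock()
    svc = ChallengeService(SERVER_SECRET, clock)
    code = svc.issue("alice", "password_reset")
    clock.now += CODE_TTL_SECONDS + 1
    return svc.verify("alice", "password_reset", code)       # False: past its lifetime


def demo_guessing_locked_out() -> bool:
    svc = ChallengeService(SERVER_SECRET, FakeClock())
    code = svc.issue("alice", "password_reset")
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", "password_reset", wrong)
    return svc.verify("alice", "password_reset", code)       # False: window closed by guessing
```

Delivery is deliberately out of scope: `issue` returns the code only so the example can hand it to the caller, whereas a production service passes it to the SMS or e-mail sender and never back to the web session that requested it. The attempt cap matters as much as the hash: without it, a six-digit code issued for five minutes can be enumerated by a script.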

This is where training and education enter the frame. Black Hat and DEF CON recently concluded their annual conferences in Las Vegas. Two insights from the venues: companies do not like public disclosure of their systems’ vulnerabilities, and there is a need for training in the art of ethical hacking. In other words, pay an ethical hacker to hack into your system before an unethical one gets hold of it. A third lesson: stop treating the system as if it were a black box. To date most of us monitor what we input into the system and what the system outputs to us, but we remain blissfully unaware of what happens inside the ‘black box’ of the system itself, and therefore vulnerable to it. Sancta simplicitas! That needs to change. And some of it is already beginning to happen. This year DEF CON ran a DEF CON Kids camp that challenged children in the art of lock-picking and ethical hacking. Universities too are getting into the act. Cleveland State University and Case Western are among the first in the nation to explore curricula in the art of ethical hacking (see: http://lakeshorepublicmedia.org/stories/want-to-learn-cybersecurity-head-to-def-con/).

We, at STU, should position ourselves to explore a joint program in CIS, computer science, and criminal justice to develop a unique undergraduate major that addresses the complex issues of cyber-security. This program will train students to enter the so-called ‘black box’ of systems to explore their strengths and vulnerabilities. It will be yet another component of the School of Business’s, and the University’s, efforts to graduate students who are immediately employable. Cyber-security concentrations in our MBA/MSM programs will help imbue graduate students with skills that are in demand (see the Beacon Council’s One Community – One Goal initiative on Information Technology).

It is time that we address cyber-security from the inside. We need to examine the very entrails of the increasingly ubiquitous systems that surround us. Ethical hacking, anyone? With apologies to the Doors, and misquoting deliberately and in a totally different context, it is time for us to Break On Through to the Other Side.

Let me know your thoughts. Post below. Post often. And post copiously.

Thank you.

Som Bhattacharya
Dean & Professor of Accounting
School of Business
St. Thomas University.