The Rise of a New and Dangerous Breed of Hackers
My wife and I got a letter in the mail a couple of weeks ago. It was from Neiman Marcus. It began with these sobering words, “We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores.”
It was all stupidity and silliness from there.
A letter from Neiman Marcus to my wife, Cecily
The store admitted to “a criminal cyber-security intrusion” first discovered January 1. It didn’t admit to much else. It forgot, for example, to mention that the breach lasted from July 16 to October 30 of last year.
Instead, the apology immediately segued into damage control mode. It said “We want you to always feel confident shopping at Neiman Marcus.” And this: “We aim to protect your personal and financial information.” And reassured us, “Your PIN was never at risk.”
Perhaps thinking ahead of a future and more devastating breach, the letter added, “The policies of [the credit cards] provide that you have zero liability.”
Phew, that’s a relief!
No Harm, No Foul: REALLY?
Well, not really. Its message of “no harm, no foul, all’s well that ends well” bordered on the ridiculous.
What was Neiman Marcus really thinking? It took Congress to find out. In sworn testimony, Michael R. Kingston, chief information officer of Neiman Marcus, said the malware used was “exceedingly sophisticated.” He added that it had a “zero percent detection rate” by antivirus software.
Let me repeat that: “Zero percent detection rate.” The antivirus software was, quite literally, 100% useless against it.
We got a similar letter from Target. It included a new store card. The Target episode exposed the personal data of as many as 110 million customers. That’s more than a third of the population of the United States!
A New York Times article exposed in chilling detail how these cybercriminals pulled off the heist. It said the coding that snatched customers’ data changed according to the instructions received from its handlers, in real time.
Goliath Wins Again
The testimony Congress heard last week revealed just how dangerous the situation has become. Today’s hackers have developed Goliath-like abilities to access supposedly protected personal information. And the retailers have morphed into helpless Davids against their invasive tactics.
The experts are betting on Goliath. Listen to these snippets of Congressional testimony…
James A. Reuter, on behalf of the American Bankers Association, said “the criminals are often one step ahead as the marketplace searches for consensus.”
Mallory Duncan of the National Retail Federation declared, “Data breaches are a fact of life in the United States.”
And Michael Kingston of Neiman Marcus, the CIO of the store that sent me a letter saying “We want you to always feel confident shopping at Neiman Marcus,” argued that “once standards were made public, criminals would figure out how to get around them.”
The scary thing is, they’re probably understating the problem.
This past January alone, according to another New York Times article, “instances in which data became vulnerable include the University of California, Davis health system, Snapchat, Coca-Cola, the message boards of the Straight Dope website, Skype, the Wichcraft sandwich chain and the federal Veterans Affairs Department…”
Okay, maybe it was just one of those months. But investigators don’t think so. They believe that Target was part of a bigger campaign aimed at another half dozen major retailers. Javelin Strategy & Research says, “We’re expecting this to be a major contributor, if not the primary driver of card fraud for the next 12 months.”
By the way, kudos to the Times for staying on top of this growing epidemic. Perhaps they’re so attuned to the issue because they themselves were hacked by China in 2013.
Is There Anything That Can Be Done?
As a matter of fact, there is.
Adopting Europe’s widely used EMV technology, which is a small chip embedded in each card, makes it almost impossible to counterfeit credit cards.
But it’s not nearly enough. For one, the card data itself can still be stolen and used for online purchases, where the chip is never read.
And it leaves a huge hole in retailers’ security efforts to date. It’s not just the credit cards in your wallet that are exposing you to cybercriminals.
It’s also the smartphone in your pocket.
The majority of attacks on mobile devices? Fraudulent banking apps. Once they slip into app stores, it’s almost impossible to tell the fraudulent ones apart from the real apps. In a LinuxInsider report, Jack Walsh, mobility program manager at ICSA Labs, says, “The goal is to get these copycat apps into consumers’ hands. When the user inputs account information, instead of being transmitted to the real bank, they go to fraudulent servers.”
Another gaping vulnerability? Kevin Surace, CEO of Appvance, says it’s in the Cloud. “Every company is rapidly deploying new apps for their customers. They are increasingly hosted in the cloud and made specifically for mobile devices. The problem is, coders have limited knowledge of scalability and security. And most organizations rely on inadequate code analysis tools to reveal security issues lurking in the code and integrations.”
Who Is Stepping Up
Surace’s Appvance uses the cloud to “simulate” millions of users piling into an app simultaneously. Where “white hat” security scans end is where Appvance begins. Nobody, a major investor in the company told me, has done this before.
Appvance is just starting out. But it’s not often you get to invest in a company that is “first into a big market,” in this case, that market being app vulnerability under stress scenarios.
At Investment U, we think getting in ahead of the crowd is a big deal. It’s about being an industry leader as opposed to a follower. And solidifying your credibility while other companies are solidifying their technology.
The cybercriminals may hold the advantage now. But the demand for solutions is urgent and growing. The market has taken notice. It will fill this gaping need, as software security companies are increasingly drawn into this fast-expanding space.
And, I believe, startups and young tech companies will be leading the charge.
About Andy Gordon
Andy has three decades of experience in the private and public sectors as an entrepreneur and advisor. The CIA, former Maryland Governor William Donald Schaefer, and Fortune 500 companies such as Lockheed Martin and Dow Chemical have all trusted his advice. Andy founded and ran an international trade and finance company based in Asia. Upon returning to the U.S., he joined a Florida investment advisory service that quickly gained a reputation for recommending companies with outstanding value and fundamentals. Andy has taught marketing and finance courses at local Maryland universities and has written a half-dozen books on global business, published by McGraw-Hill, Frost & Sullivan and others. He now regularly shares his worldly knowledge about investing in startups, cryptocurrency and cannabis with everyday investors in the free daily e-letter, Early Investing.