A topical Q&A with Mike Alford, MD of Alaric International
Q. Recently there have been several high-profile data breaches hitting international headlines.
Large and small businesses alike are under pressure to improve their security systems and provide reassurance to their customers. Aside from potentially sensationalist news reports, what actually happens during a breach?
In some of the recent high profile cases, hackers have been able to access millions of customers' debit/credit card details stored on trusted ecommerce merchants' databases.
To do this a hacker will typically exploit weaknesses in the merchant's website and database security to obtain data which should be inaccessible to persons outside the merchant itself.
In such a data breach, a hacker manages to get unauthorised access to, say, an ecommerce merchant's databases – these are the databases that sit "behind" the merchant's website and contain the most valuable information. Breaches of this kind can create a lot of costly mistrust for merchants amongst their consumers.
In other cases, such as the recent Michaels incident in the U.S., point of sale terminals in stores appear to have been tampered with, enabling fraudsters to capture card numbers and PINs in several stores across the U.S.
Q. Why might one organisation be more vulnerable to security breaches than another?
To comply with international PCI-DSS standards a merchant ought to be storing sensitive data in encrypted form so that, if the merchant's website is hacked, the hacker can only see encrypted data and can make no use of it. Typical data in an ecommerce merchant's database might include card number and card holder name and address plus other useful information, e.g. demographics.
However, if such a merchant happens to store sensitive data in unencrypted form then a hacker may easily be able to obtain details such as credit card numbers, names, addresses, which are all used to perpetrate fraud.
So, online merchants that store sensitive information in unencrypted form are most vulnerable in the event of a hacker attack and put their customers' security in jeopardy.
Q. Once a breach has occurred, personal and card data has been stolen, what is the likelihood of the stolen details being successfully used by fraudsters?
Quite often the hackers who breach the systems do not actually make use of the stolen data themselves. Rather they act as 'traffickers' and sell it on to other criminals. A typical cost for a set of card data ranges from £2 (for a valid card number) to £30 (for valid card details plus supplementary information such as name, address, date of birth, PIN).
It often goes unreported by the media that in large scale hacking attacks involving millions of cards, it is likely that only a relatively small number of these compromised cards will actually be used by fraudsters. Furthermore, many card issuers rely on their fraud detection systems to quickly identify and block suspicious or fraudulent transactions as they are attempted by fraudsters - this avoids the cost, and customer disruption, associated with reissuing all of the compromised cards.
Of course, with this approach, some fraudulent transactions on these cards may get through the issuer's fraud screening without being detected but the card issuer would expect such losses to be outweighed by the savings through not re-issuing all compromised cards. It goes without saying that if a cardholder reads about e.g. a hacking incident and thinks that his card details may have been compromised, he/she is free to call his/her card issuer and cancel the card and ask for a new one to be issued.
Q. So, are consumers still protected even after their data has been stolen?
In the case of fraud on compromised cards, consumers are generally protected by their card issuer and will be recompensed for fraud losses. However, if a hacking attack has yielded more than just card details (e.g. name, address, date of birth, social security number, etc) then the fraudster is starting to have enough information to perpetrate identity fraud in one of its many guises. Identity fraud can be costly to resolve, both in time and money, and it may not necessarily be possible for the victim to recover all the associated costs or to get compensation for actual losses.
Q. What can businesses do to improve on their already sophisticated security and fraud prevention systems?
Online merchants and processors need to become bulletproof when it comes to fraud. To do this they must ensure that they comply with the PCI-DSS standards so that only minimal, essential data is retained in their systems and so that sensitive data is always stored in encrypted form. If they do this then, even if a hacker successfully penetrates their systems, the hacker can only see sensitive data in encrypted form, which the hacker cannot make sense of.
Card issuers can greatly improve their fraud detection rate and their customer service by introducing modern fraud detection technologies using intelligent, real time, self learning models which take into account the fact that a card previously may have been compromised in a hacking attack. Using this kind of approach, card issuers can deploy models which detect fraud very rapidly with a high degree of certainty, and which can block fraudulent transactions in real time, before a fraud loss is suffered.
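The two answers above on storing only minimal, essential card data (the PCI-DSS point made both in the "why might one organisation be more vulnerable" answer and in the merchant advice just given) can be made concrete. The following is an added example written for this page, not code from the interview or from Alaric. It assumes a merchant needs (a) a masked number to show the customer and (b) a way to recognise a returning card for velocity checks without holding the PAN; both are met with truncation plus a keyed one-way index token (HMAC-SHA256), so a dump of the table yields nothing a fraudster can spend. The key `TOKEN_KEY` and the field names are hypothetical, and the checkout payload is constructed using the well-known Visa test PAN.

```python
"""Added example (not code from the interview or from Alaric): keeping only the
minimum card data so that a stolen database table is useless to a fraudster.

Assumptions: TOKEN_KEY is a hypothetical constant and would live in an HSM or
KMS in production; ALLOWED_FIELDS is the merchant's own allowlist. Sensitive
authentication data (CVV/CVC, PIN, full track) is never written anywhere.
"""
import hashlib
import hmac
import re

# Hypothetical 32-byte tokenisation key, constant only for this example.
TOKEN_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)

# Fields the merchant actually needs after authorisation; everything else is dropped.
ALLOWED_FIELDS = ("expiry", "name", "billing_postcode")


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111111111111111' match."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects obvious typos before tokenising."""
    total = 0
    for i, ch in enumerate(reversed(normalise_pan(pan))):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-DSS truncation: at most the first six and last four digits stay visible."""
    digits = normalise_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenise_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way index token for lookups and velocity checks.

    A plain SHA-256 of the PAN could be reversed by hashing every PAN in a BIN
    range; with HMAC the attacker also needs the key, which is not in the database.
    """
    digits = normalise_pan(pan).encode()
    return hmac.new(key, digits, hashlib.sha256).hexdigest()


def minimise_record(record: dict) -> dict:
    """Turn a raw checkout payload into the only form that may reach the database."""
    pan = record["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    stored = {"pan_masked": mask_pan(pan), "pan_token": tokenise_pan(pan)}
    # Explicit allowlist: the PAN, CVV and any unexpected key never get copied.
    for field in ALLOWED_FIELDS:
        if field in record:
            stored[field] = record[field]
    return stored


if __name__ == "__main__":
    # Constructed checkout payload using the well-known Visa test PAN.
    raw = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/27",
           "name": "A N Other", "billing_postcode": "EC2A 1AA"}
    print(minimise_record(raw))
```

With the key held outside the database, a breach of the table exposes only a masked number and an HMAC value; the merchant can still link repeat purchases by the same card through the token, which is what a velocity or fraud check needs.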
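The issuer-side point in the answer above, that a model should take into account that a card may previously have been compromised, can be illustrated with a small real-time rule layer. This is an added example, not Alaric's product or the interviewee's model: the rules, weights and the 50-point threshold are illustrative assumptions, the breach list and the transaction stream are constructed here, and a production system would learn its weights from labelled history rather than use fixed values. The example shows why "card was in a breach" is useful as one signal among several rather than as a reason to block or reissue on its own, which matches the earlier answer that only a small fraction of compromised cards are ever used.

```python
"""Added example (not code from the interview or from Alaric): a rule-based
real-time authorisation screen in which prior exposure in a breach raises the
risk score but does not by itself block the card.

Assumptions: weights, threshold and velocity window are illustrative; the
breach list and the sample transactions below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card_token: str  # index token, never the PAN
    amount: float
    country: str
    mcc: str         # merchant category, e.g. "grocery", "electronics"
    ts: int          # seconds since an arbitrary epoch


class FraudScreen:
    HIGH_RISK_MCC = {"electronics", "gift_cards", "money_transfer"}

    def __init__(self, compromised_tokens, home_country="GB", threshold=50,
                 velocity_window=600):
        self.compromised = set(compromised_tokens)
        self.home_country = home_country
        self.threshold = threshold
        self.velocity_window = velocity_window
        self.history = defaultdict(list)  # card_token -> timestamps of attempts

    def score(self, txn):
        """Return (score, reasons) for one authorisation request."""
        score, reasons = 0, []
        if txn.card_token in self.compromised:
            score += 30
            reasons.append("card listed in known breach")
        recent = [t for t in self.history[txn.card_token]
                  if txn.ts - t <= self.velocity_window]
        if len(recent) >= 2:
            score += 25
            reasons.append(f"{len(recent)} prior attempts in window")
        if txn.country != self.home_country:
            score += 20
            reasons.append("cross-border")
        if txn.amount >= 500:
            score += 15
            reasons.append("high value")
        if txn.mcc in self.HIGH_RISK_MCC:
            score += 10
            reasons.append("high-risk merchant category")
        self.history[txn.card_token].append(txn.ts)  # declined attempts count too
        return score, reasons

    def decide(self, txn):
        score, reasons = self.score(txn)
        return ("BLOCK" if score >= self.threshold else "APPROVE"), score, reasons


def run_stream(txns, compromised):
    """Screen a stream of authorisations in order, keeping per-card history."""
    screen = FraudScreen(compromised)
    return [screen.decide(t) for t in txns]


# Constructed stream: tok_breach was exposed in a breach; tok_a and tok_b were not.
SAMPLE_TXNS = [
    Txn("tok_a",       20.0, "GB", "grocery",      0),
    Txn("tok_breach",  15.0, "GB", "grocery",     10),  # exposed card, normal use
    Txn("tok_breach", 450.0, "US", "electronics", 20),  # exposed + foreign + risky MCC
    Txn("tok_breach",  30.0, "GB", "grocery",     30),  # exposed + rapid repeat
    Txn("tok_b",      600.0, "US", "electronics", 40),  # same pattern, not exposed
]

if __name__ == "__main__":
    for txn, (decision, score, reasons) in zip(
            SAMPLE_TXNS, run_stream(SAMPLE_TXNS, {"tok_breach"})):
        print(f"{decision:7} {score:3} {txn.card_token:10} {reasons}")
```

Run on the constructed stream, the exposed card's routine grocery purchase is approved, while its foreign electronics purchase and its third attempt in under a minute are blocked; the non-exposed card making the same foreign electronics purchase is approved, so the breach flag is what tips the decision.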
Mike Alford is CEO at Alaric Systems, having joined at the time of the company's first VC funding round in 2000. He has subsequently participated in multiple successful funding rounds for Alaric. Mike is a respected Chief Executive in the software industry and has diverse international market experience, principally in the U.S. and Benelux. Prior to joining Alaric, Mike was appointed Managing Director at Debis IT Services, after serving as Financial Services Director since 1998. Between 1990 and 1998 Mike was Managing Director at Helix Software Consultants Ltd, a City-based financial software subsidiary of Cray Systems Ltd (now Anite Systems). In 1995, he was also appointed Managing Director of Cray's publishing division. Earlier positions include Managing Director of the Finance Division at Software Sciences Ltd from 1984 to 1988, before becoming Managing Director of Software Sciences Inc in New York. Mike has a 1st class BSc (Hons) and D.Phil in Mathematics from Sussex University.