With the recent news that Atlanta-based credit card processing company Global Payments Inc. suffered a massive data breach, fraud and security concerns are back in the headlines -- never a good thing for financial institutions.
Initial reports said that 10 million MasterCard and Visa accounts could have been affected in the breach. However, this week Global Payments said the "unauthorized access to its processing system," which occurred in early March, affected no more than 1.5 million card accounts. The company said it believes that the affected portion of its processing system is confined to North America and that only Track 2 card data -- which includes account numbers -- was compromised, but that cardholder names, addresses and social security numbers were not obtained by the fraudsters.
While this particular data breach was not directed at a bank itself, experts say there are many lessons banks can learn from this and similar attacks.
One thing banks have been forced to become increasingly aware of in recent years is cyber attacks against third-party entities that aren't financial institutions but store account data, says Ben Knieff, senior director, head of fraud product management for New York-based NICE Actimize. A data attack such as the recent Global Payments one, or last year's data breach of Sony PlayStation's online network, "is certainly not something confined to the traditional financial services ecosystem," he notes.
Knieff notes that there are increasingly fewer attacks directly perpetrated against financial institutions, with fraudsters instead targeting these third parties that are perceived to have less-stringent security measures.
"Financial institutions tend to have extremely robust network intrusion security," Knieff notes.
Though fraudsters have been targeting third-party vendors with increasing alacrity, Knieff notes that banks have made a concerted effort to work with vendor partners to stem attacks. "Financial institutions have gotten very good at extending their controls and protections to vendors and auditing them," he says.
However, the problem is that "in the U.S. in particular, the chain of payments is substantially more complex and there are more parties involved," Knieff notes. Though initiatives like PCI compliance help somewhat, they are not a cure-all.
And though financial institutions and their partners have become more sophisticated in repelling attacks, criminals have in turn become more sophisticated in perpetrating them, says Mike Urban, director of financial crime solutions at Fiserv.
"The level of cybercrime going on is very high," he says. "All of these organizations are getting hit by attacks constantly and most are repelled. But every day there are automated attacks criminals have going out just pinging to see where a weakness is or if a defense mechanism has adjusted or changed."
Another problem banks face in fighting fraud is attacks against merchants, Urban notes. Unlike the vendors banks work with, merchants, especially small businesses, may be easier to hack. For this reason, most financial institutions deploy "around-the-clock" monitoring for potential point-of-sale fraud and are often successful using tactics such as employing data analytics to identify transaction risk based on a person's past purchasing behavior.
But banks can only do so much, says Urban. "They have people constantly monitoring and identifying any kind of breach so they can take action on those accounts as quickly as possible," he says. "But it's sort of like trying to find a needle in a haystack."