- Posts by Benjamin LambiottePrincipal
Ben has a broad and eclectic practice. Consistent with his wide range of experience in regulatory, transactional, professional responsibility and litigation matters, Ben has a broad and practical perspective on avoiding and ...
Most credit and debit cards in the U.S., and the point of sale terminals and ATMs that read them, still use “magnetic stripe” technology. Magnetic stripes are obsolete and relatively insecure, allowing fraudulent practices such as “skimming” (acquiring cardholder and account data by “reading” the strip, and then making fraudulent transactions or counterfeit cards). Magnetic stripe-based technology also does not support secure data transmission through contact or near-field contactless interfaces, which is seen as impeding the emergence of fully mobile cardless payment modes in the U.S.
Lawyers often say “bad facts make bad law”. Combine that with weak legal arguments and, well, things can get really bad, really fast. That’s precisely what happened to Wyndham yesterday when the Third Circuit affirmed a federal District Court decision that the Federal Trade Commission (“FTC”) has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act. While commentators may disagree on the result from a legal or policy perspective, one thing is for certain, it was a bad result for Wyndham. The decision rejected in no uncertain terms Wyndham's argument that the FTC lacked authority; and not kindly.
Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer’s D.C. office, shares key points from two significant survey reports analyzing trends in data security breaches during 2014 that were released this week; one from Verizon, and the other from IBM and the Poneman Institute. It should come as no surprise to anyone that once again, the hospitality industry is featured prominently in both reports. Thank you, Ben! – Greg
The Verizon report studies in depth the industry sectors most frequently targeted and affected, the nature of current threats, and causes and consequences of actual data breaches. The Poneman report focuses on costs associated with successful attacks. Both are worth a close read. Together, the reports starkly illustrate the increasing pervasiveness, complexity and costs associated with preventing and responding to data breaches. The good news is that they also provide guidance on effective preventive and cost control measures.
Here are some of our key takeaways and observations from these fascinating reports:
No Organization or Business is Immune from Attack, but Some are More Frequent Targets Than Others
- In terms of volume of security incidents by sector, the top ten (in order) were government entities, information, financial services, manufacturing, retail, hospitality, professional services, health care, and other services.
- Actual data breaches (attack succeeds; data lost or compromised) occurred most frequently (in order, by sector) in: government, financial services, manufacturing, hospitality, retail, professional services, health care, information, education, and other services.
- In certain industry sectors, cyber criminals more frequently breach smaller businesses. Smaller hospitality businesses, by far and away, ranked number one, with retail second. Financial services remains the number one large business target, followed by large retail, and health care.
- Certain industry sectors are more frequent targets of certain types of threats. For example, the hospitality industry is particularly susceptible to Point of Sale (POS) intrusions. Verizon reports that 91% of data breaches in that sector were POS intrusions. The POS credit card systems used in that industry have of late been plagued by a new breed of malware (including POSeidon) that burrows deep into the system and “scrapes” card data momentarily stored in RAM. “Insider” threats (errors and abuse of access privileges) are more prevalent in health care than other industries. Financial institutions are particularly vulnerable to “crimeware” and web application hacks. Businesses should calibrate their risk management approaches to the specific types of threats they face.
Dealing With a Data Breach is Expensive -- the More Records Compromised, the More it Costs
- Poneman predicts that the average per record mean cost of a data breach will be $201 per record, an increase over the past two years. Such costs include lost customers, and expenses of dealing with the breach. Relative costs depend on the scale of the breach. Verizon predicts that breaches of 1,000 records will result in losses between $52,000 and $87,000, and that breaches of 10 million records will result in losses of between $2.1 to $5.2 million.
- Certain industries have higher data breach costs than others, with regulated industries having a higher per capita record costs than non-regulated businesses. The highest relative per capita data breach costs (in order) are in the health care, transportation, education, energy and financial sectors.
The Most Frequent Ways Cybercriminals Gain Access is Through Dumb Stuff We Do or Don’t Do
- In order to steal or compromise sensitive data, cybercriminals have to get at it. The most common way they breach the castle continues to be “phishing” and “spearphishing.” “Phishing” involves baiting a system user to respond to an official-looking e-mail asking for a reply “verifying” a password or account number. “Spearphishing” is a variation where the e-mail also resembles a routine communication from a trusted sender, but invites the recipient to click on a web link or open an attachment whose payload is malware The stats are sobering. Fully 23% of e-mail recipients open phishing e-mails, and 11% click on the malware payload. 50% of the time, this happens within an hour after the “seafood” e-mail arrives. A phisher who sends out this kind of chum generally only has to wait 1.22 seconds before some sucker somewhere takes the bait.
- Another prevalent way cybercriminals get at sensitive data is an organization’s failure to install “patches” for known security vulnerabilities. The stats here are also depressing. In 2014, half of exploited vulnerabilities were defeated within less than a month after becoming known. But in 99% of the cases where a known vulnerability was exploited, a patch had been available for a year or more! Due to failure to implement available fixes, hackers continue to be able to exploit well-known “oldie but goodie” vulnerabilities.
- Plain old human error is another major inroad for hackers. 60% of incidents were caused by internal staff sending sensitive information to the wrong person, putting sensitive data on publicly accessible servers, or disposing of sensitive medical or personal data in insecure ways. Also, people forget or lose mobile devices containing sensitive data in an insecure environment all too frequently.
- While technological countermeasures are necessary, a focus on human factors – the loose nut behind the keyboard – is at least as important. Training and awareness, and practices designed to mitigate our natural tendencies to make the type of mistakes that frequently give hackers keys to the castle, are a key part of any data breach risk management strategy.
Certain Specific Measures Can Reduce the Cost of a Data Breach When it Occurs
- The Poneman report documents that certain types of expenditures can reduce the overall cost of data breach. Having in place before the breach a strong security posture, a Chief Information Security Officer with responsibility for data protection, and a defined incident response plan all reduce the per capita record cost of a breach. It makes sense that planning and investing resources before an incident occurs can save money when it happens.
How secure is the data on your office copier? Today's post from Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer's D.C. office, outlines the data security risks associated with office machines, as well as the warning signs and steps that you can take to reduce those risks. Thank you, Ben! - Greg
Current generation multifunction printer/scanner/copier devices are convenient, inexpensive, and very popular. Often overlooked is the fact that most modern printers, copiers, and scanners have many of the same attributes of computers, and are just as vulnerable to the same kind of cyber exploits and attacks as computers. A truly comprehensive data security and privacy risk management approach requires that these commonplace devices be viewed as an integral part of an enterprise’s IT systems, and that device-specific measures be taken to secure them. The National Institute of Standards and Technology (“NIST”) last month published a report on risk management practices for “replication devices,” The NIST report identifies risks associated with such devices, and provides guidance on protecting the confidentiality and integrity of information processed, stored, or transmitted on them.
- Default administration/configuration passwords: Many devices have default passwords which can be easily obtained and used to access stored data, or to control the device.
- Data capture: Unless encrypted, data transmitted or stored, including passwords, configuration settings, and data from stored jobs, is vulnerable to interception or modification.
- Spam: Unless properly configured and without proper access control, many devices will process any job submitted, which could waste paper, toner, and ink, and tie up the device.
- Alteration/corruption of data: If passwords or configurations are changed, denials of service for authorized purposes or potential damage to the device could result.
- Outdated and/or unpatched operating systems and firmware: Many devices run an embedded operating system, making them subject to the same threats as any other computer running those operating systems. Also, older devices may have embedded versions of operating systems no longer supported by the manufacturer, which may leave “unpatched” security issues.
- Open ports/protocols: For devices that can connect to local networks or the Internet via wireless or ports, open ports and protocols allow data to flow to and from a device. Through open ports, attackers may gain undetected access, and data tampering, unauthorized access, and denial of service can result.
The Report identified several signs indicating that the security of such a device may be compromised:
- Display malfunctions or shows incorrect information;
- Materials (ink, paper, or other supplies) run out faster than usual;
- Increased number of failed or timed-out jobs;
- Unexplained/unauthorized changes in configuration settings;
- Device completes processes slower than expected;
- Device uses more network time/bandwidth than usual;
- Time stamps do not align or make logical sense;
- Communications with unknown IP or email addresses increase; and
- Markings indicating tampering around key areas of the device (e.g., hard drive or SSD compartment, display area).
An Appendix to the Report provides a very useful device risk assessment template and checklist. It gives practical guidance on best security practices, across the entire lifecycle of the device. Examples of some countermeasures include:
- At acquisition, or in third party supply and support contracts, ensure that the device meets common data security standards, is capable of operating in a secure mode, and that the OS is actively supported by the OEM;
- At deployment, change vendor default passwords, and configure the device to operate in a secure mode;
- During operation, control device access through PINS and passwords, control physical access to the device itself and its components, such as the SSD or hard drive, and track usage, ensure that stored and transmitted data are encrypted, and timely implement OEM security “patches” and fixes;
- During operation, control network access using standard organization practices, close unused open ports and protocols, disable wireless identifier broadcasting, and configure the device to prevent communications to and from unknown and unwanted addresses (blacklist/whitelist); and
- When taking the device out of service, change all passwords and PINS to vendor defaults, and remove or sanitize all hard drives and SSDs on which data may be stored.
The NIST report is available here.
Thank you to Benjamin Lambiotte, technology and transportation attorney at Garvey Schubert Barer, for providing our readers with the latest and greatest on mobile payment technology and its uses in the travel and tourism industry. - Greg
As e-commerce continues its evolution to mobile or “m-commerce,” the travel and hospitality industry is at the center of a clash of mobile payment titans. Pack leaders in “near field communications” (NFC)-based mobile payment solutions at present include Google Wallet and Isis, a joint venture among major mobile carriers like AT&T, Verizon and T-Mobile. Generally, NFC technology enables the user to store customer and credit card account information and effect wireless monetary transactions and data transfers between two devices, eliminating the need to carry or present a credit card or fill out lengthy forms online. The potential for the travel industry as an alternative or adjunct to physical credit card transactions is clear and obvious. Every mobile device essentially becomes a point of sale and a transaction can be charged to a credit card account with a simple wave of the device.
Amid considerable fanfare, Travelocity announced that it will integrate Google Wallet into its booking application for the Android platform. Google has announced that Alaska Air has integrated Google Wallet Objects API (which permits loyalty and coupon programs to be integrated into a vendor’s mobile commerce app). Both Priceline and Alaska Air participated in demos at Google’s annual developer conference this month. One advantage of the Google solution is that it is integrated into and able to leverage the broader Google “ecosystem,” including maps and Google+.
The travel industry presents distinct challenges along with this tremendous potential. Coupons, loyalty and reward programs are ubiquitous, and most frequent travelers participate in many such programs, often represented by multiple cards or accounts. One problem mobile payment providers are wrestling with at present is “banking in” means of transferring, recording and tracking multiple coupon and loyalty program “credits and debits.”
Another major obstacle is that, at present, Google Wallet will not work on Verizon and T-Mobile devices. Those carriers, along with AT&T, are backing a competing digital wallet technology known as Isis, which is currently available for use only on a pilot basis in two US cities. There have been proceedings at the FCC about the legality of Verizon’s efforts to block Google apps, and these are likely to continue and eventually spill into the courts. In 2012, Verizon agreed not to block downloading of most apps (with some exceptions) in a consent decree with the FCC in a case involving Google Play gaming application. Verizon’s blocking of Google Wallets has been challenged before the FCC as a violation of that consent decree. According to the position Verizon has taken before the FCC, Google Wallet uses the "secure element" on devices to store a user's Google ID which is again, according to Verizon, a secure and proprietary piece of hardware distinct from the device itself. Verizon denies that its participation and support for the Isis solution is the reason why Google Wallet will not work on its devices, but many are skeptical of Verizon’s motives.
Also, the airline industry has been grappling with convenience and security issues presented by certain applications of NFC technology, including payment and boarding passes. The IATA has formed a task force that is expected to complete its review of NFC technology and propose standards to its 240 airline members in October 2013. IATA is examining six major uses for NFC: to enable passengers to tap NFC mobile devices at check-in, security checkpoints and gates; to drop off bags and enter lounges; and to make payments for on-board meals and ground transportation. It issued a joint report with a mobile device industry trade group in 2011 that was viewed as favoring security provided by SIM chips on the devices themselves, as opposed to other means such as dedicated chips, tag reading and peer to peer. The goal is to enable single “tap and go” processing, with no data entry or keystrokes. It remains to be seen whether the final “Fast Travel” task force standards will continue to express a pro-SIM security bias.
Despite technological challenges, some degree of uncertainty and legal wrangling, it is clear that major players in the travel and hospitality industry are positioning themselves to take advantage of the m-commerce environment. Observers continue to debate how transformational m-commerce technology will be in the industry, and who the winners and losers will be, but no one doubts that major changes driven by emerging mobile transaction processing solutions and standards are coming soon.
Greg Duff founded and chairs Foster Garvey’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.