04 May 2018

Breach Don’t Kill My Vibe: Weathering Breach Fatigue


April breaches bring May fraud…Traditionally, it’s the flowers that bloom in Spring, however, lately it’s been the season of breaches. Companies like Under Armour, Panera Bread, and Hudson’s Bay have all fallen victim to data breaches. With their personal and financial data sitting comfortably in nefarious hands, consumers must be rioting in the streets…or at the very least violently tweeting, right? Not exactly. Interestingly, consumers seem to have undergone a phenomenon known as “data breach fatigue”. After so many reported breaches, digital security failures, and companies’ inability to protect data, affected consumers respond apathetically… Due to the sheer number of successful criminal hacking attacks that have been reported as of late, it makes sense that consumers and security teams alike feel helpless in fighting this relentless burrage.

Okay, so no vocal outrage or protest from consumers, but what of share prices? According to Bloomberg, Hudson’s Bay stock fell roughly .45% the day after its breach but has since bounced back; similarly, Under Armour’s shares fell slightly but have bounced back to pre-breach prices. Are companies at all incentivized to ensure data security? Do consumers understand the gravity of their personal data being compromised? Let’s explore what happened (and is happening) with Hudson’s Bay.

Hudson's Bay office buildingThis past April 1st, while the rest of us were playing harmless pranks on one another, Hudson’s Bay revealed the very real breach they experienced, in which 5 million customer credit and debit cards were compromised. Hudson’s Bay houses some of the most recognized brands in retail today: Saks Fifth Avenue, Lord & Taylor, and Gilt Groupe to name a few. Specifically, the compromised divisions were Saks Fifth Avenue, Lord & Taylor, and Saks OFF 5th stores.

This does not mean that 5 million cards are readily available to prey upon, quite the opposite.– So far, in fact, only 125,000 records have been sold on the dark web. Why? It’s smart. The smaller number of records available, the more difficult it is for financial institutions to detect, meaning that any fraudulent activity comes off as innocent individual transactions instead of suspicious bulk transactions. This Legaltech News article puts it best: “Unfortunately, the more sophisticated the actor is, the harder they are to detect. It doesn’t necessarily reflect back on the company. It may reflect more about the sophistication of the attack.”

Attackers We’ve Prepared for Vs Attackers We Face

Once an attacker identifies vulnerabilities and breaks into a system, he doesn’t stop at the first sign of value: like a singular data set or one way to manipulate a credit card transaction. A creative hacker looks for ways to expand his reach within the organization after the initial entrance into a system, all while creating backdoors in order to wipe his footprints and conceal that he was there.

Most security systems are designed to handle the following type of attacker:

  • Tool-centric
  • Process Oriented
  • Static, Fixed Methodology

When in fact, these are the type of attackers we face:

  • Creative and diverse
  • Persistent
  • Evolving, adapting
  • Anti-Attribution

According to this Forbes article, the Saks and Lord & Taylor stores were using EMV standard (“chip and signature”) – a compliance standard in the world of payments. However, with the rapid rate of innovation, even advancements only a few years old (EMV standard) are now seen as legacy solutions, especially now more than ever with the advent of newer payment security measures such as P2P encryption and tokenization. It is worth noting that it is unclear if Hudson’s Bay implemented either of these two.

Hudson’s Bay didn’t find this vulnerability simply because it wasn’t looking for it. The adversary was. For companies to get ahead of attackers, they need to think like a hacker. While most business and technology leaders have been trained to build, hackers have a different mindset – they think about how to break. Getting an adversarial perspective on your attack surface is critical to finding unknown vulnerabilities before an attacker can exploit them.

Take a look at the graphic below – a perfect example illustrating the creative damage a malicious hacker can cause during a simple cart checkout process, exposing perhaps otherwise obscure vulnerabilities by treating your digital systems as their own personal sandbox. Again, these types of exploitations cannot be captured via textbook compliance security measures nor any other fixed methodologies, but wearing the hat of a hacker can help retail businesses (and any industry for that matter) be more proactive in identifying security gaps.

eCommerce breach - Cart checkout vulnerabilities

This example speaks to the diversity of attacks a malicious hacker is capable of, extending beyond the simple act of stealing credit card info to include pulse-wave DDoS attacks (leading to website downtime), stealing account data (leading to refund/return fraud), and installation of POS malware (leading to stolen financial data – similar to Hudson’s Bay).

It Takes a Village…Or Better Yet, A Crowd

Now I am pretty sure the Hudson’s Bay security teams didn’t make a conscious decision to be vulnerable. They didn’t decide not to look for vulnerabilities, but they were probably challenged with lean resources and overwhelmed with relentless competing priorities. One of the greatest challenges the cybersecurity industry faces today is the lack of a competent and sufficient talent pool to defend against the growing number of attacks in recent years. Crowdsourcing these highly skilled hackers greatly offsets the talent shortage, giving every company access to the highest caliber in security researcher talent. And it can be easy to do.

So we’ve covered how crowdsourcing solves for the talent crisis, but what else does it have to offer? The answers are creativity, diversity, and scale. The different backgrounds of talented, ethical crowdsourced hackers ensures more angles, outliers, and edge cases captured while mimicking criminal attacks on your systems – all of which provide great insights into development and security priorities that can strengthen your business’s level of security preparedness. Another key advantage is the human element – getting real feedback from a hacker perspective, insights that would never come to light with legacy testing solutions. Mikhail Sosonkin, a member of our Synack Red Team, enlightened us with his thoughts on what is targeted, “Even if developers are writing good code, if there is bad communication within the company or within an industry, it can result in vulnerabilities. A few years ago, there was a thing with Amazon and Apple where they considered different parts of a credit card as personal identifiable information. As a result, it was possible to take over accounts.”

Retail, Stay Vigilant

Perhaps most frightening of all in the case of Hudson’s Bay is that we don’t know fully what to make of it – what of the remaining credit and debit card records? How will the company and the consumers be affected in the long run? Taking a breach only at face value is dangerous – Take Equifax, for example. The company is expected not only to pay over $430 million in breach-related “cleanup” costs, but they’ve lost about a quarter of their value since their September breach.

At some point, once a company or a specific product proves to be incapable at protecting consumer data, consumers and the market in general will begin to lose confidence in it. It’s time to start enforcing the idea that product security is product quality. We can’t let Breach Fatigue spread its influence. In order to offer quality products and excellent customer experiences, effective cybersecurity practices need to be woven into the core of the business. By embracing the hacker perspective and leveraging the creativity and diversity of a crowd of skilled, ethical hackers, the retail and financial industries can defend against relentless cyber attacks in a scalable and practical way.