In the massive Christmas-season card-processing data breach at Target, the culprits used a service provider’s credentials to gain access to the retailer’s point-of-sale network, officials have said. We were not told whether the service provider in question was a bank, but an earlier statement from Target seems to imply that. It is also not known whether the password was guessed, stolen, or leaked, but regulators are asking banks and other businesses to check for similar vulnerabilities. If the loss of any one password can allow intruders access to unlimited transaction data, then a bank or a transaction processing system is not secure enough.
The most obvious difficulties in this connection would be server operations staff and business continuity providers. Both need broad access to the machines in a network — for server operations, you need access to all server file systems, and for business continuity, you need to be able to copy all data in near real time to a geographically distant location — but this still has to have limitations, especially considering that the people providing these services are rarely company employees. Based on the need-to-know rules of security, neither should have general access to unencrypted transaction data, yet my suspicion is that at many banks and retailers these workers and others have unlimited access to all data. The problem, of course, is that if these workers have so much access, then anyone who steals their credentials has the same access. That is something banks will need to fix immediately if they discover such a vulnerability on their networks, yet it is not the easiest thing to fix.
A related issue is access monitoring. If someone has broken into your system and is getting away with the store, this should be noticed relatively quickly, but how? Intrusions are easier to notice if accounts have limited patterns of access and someone is looking regularly at the patterns of exceptions. At many banks, most I hope, this kind of monitoring is all in a day’s work, but at some it is only an afterthought. The Target episode is a warning of the scale of damage that can be done when an intrusion goes undetected for more than a few business days.
Target customers are reminded not to rely on email messages that appear to come from Target, since customer email addresses were stolen along with other transaction information. Any such message should be verified on the Target web site.
The large number of compromised payment card accounts has banks especially skittish this month, and billions of dollars in legitimate online and in-store purchases have been blocked because of banks’ fraud concerns. Some consumers, I have heard, were able to make their purchases after a series of phone calls to the merchant and the bank, but others surely did not go to the trouble, and there must be some who reacted badly to the blocked transactions and stopped using their cards entirely. When you consider the number of cards affected by the three latest card transaction breaches — Target alone counted almost half of Americans as its customers — the scale of this month’s card clampdown is large enough to put a dent in the banking business as a whole, and possibly even in U.S. retail aggregates. Imagine the economic consequences one day when, under pressure from criminal groups, the card processing network shuts down entirely, even if just for a few days.
There were two high-level banking suicides in London early this week, both Americans, one working at JPMorgan Chase and the other recently employed at Deutsche Bank. Separately, it was revealed that the former CEO of the Co-Op Bank, which needed a hedge fund bailout last year, got his job because he scored especially well on a psychometric test. He then went on to use drugs and make a series of ill-advised decisions as bank CEO. More needs to be known about the role of drug use, job stress, and other psychological factors and how they affect the experience of banking and the way banks make decisions. It’s a subject that will be hard to find out about — the executives and senior managers who know the most have a powerful incentive not to tell what they know.
There was a bank failure in Idaho tonight. State regulators closed Syringa Bank, based in Boise, with 6 branches and $145 million in deposits. Sunwest Bank, a large regional bank, is purchasing the assets and paying a 0.75 percent premium for the assets. It is the fifth failed bank acquisition for Sunwest Bank.
Last week there were two actions on credit unions. Bagumbayan Credit Union of Chicago was liquidated. It had 44 members. Parsons Pittsburg Credit Union, in Kansas, was placed in conservatorship. It has around 1,500 members.