Banks, state working to limit cyberattacks

SECURITY BLANKET: Navigant Credit Union Chief Security Officer Steve Ormerod speaks with, from left: Emily Stewart, Renee Remillard and Donna Truppi. / PBN PHOTO/MICHAEL SALERNO

Retailers’ data breaches constitute some of the most frustrating cyberattacks – but not the only ones – financial institutions experience, bank and credit union representatives in Rhode Island say.
At Middletown-based People’s Credit Union, replacement costs for compromised credit or debit cards range from $5 to $9 per card, and losses associated with them can be hundreds of dollars, said Amy Martel, the credit union’s executive vice president and chief operating officer. As many as 2,200 cards were potentially breached at People’s in the September Home Depot breach, she said, as some 56 million cards were compromised nationwide.
“It seems almost every week there’s another large merchant data breach,” said Martel. “And we as financial institutions are on the hook for every dollar of fraud loss and … replacement costs for the cards. The expense is enormous, and really, for us, it’s about the inconvenience to our members. We are the ones who have to have the conversation and reassure them, when it’s not us that’s been hacked.”
Data breaches and denial-of-service attacks are just some of the cybercrimes for which a “collective defense” might be the best defense, said Paul McGreevy, director of the R.I. Department of Business Regulation. In response to a call from Gov. Lincoln D. Chafee a year and a half ago, DBR, Rhode Island’s state police and the R.I. Emergency Management Agency formed a working group to address the potential for cyberattacks on the state’s financial institutions.
A handful of the 20 different banks and credit unions involved with the group have taken part in monthly meetings, along with the state’s banking and credit union associations, McGreevy said. A table-top exercise on cybercrime and how to respond to it will be taking place Dec. 17, he added.
“One of the lessons we hope we’ll get out of the exercise is how we’re communicating and get out the message: is it getting to the right people and flowing efficiently?” McGreevy said.
Point-of-sale data breaches are not the only ones that must be addressed, he added, declining to elaborate on the type of cyberattack the exercise will address. Preventative actions “can’t just be chasing after the most recent problem,” he said. “We have to develop a strategy that looks at the totality of the problem and mitigate all of those threats.”
Jamia McDonald, executive director of the R.I. Emergency Management Agency, agreed that information sharing among financial institutions and state agencies is key, particularly when done safely, securely and appropriately.
“Our goal is to have a business climate in Rhode Island that they feel secure in,” McDonald said. “The only way we’re going to be able to do that is working with them on solutions. I don’t know that we can anticipate where and how the attacks are going to come because it’s evolutionary. So, our goal is to make sure we are constantly working with each other in addressing the threats as they present themselves.”
Paul Gentile, president and CEO of the Credit Union Association of Rhode Island, said that of the three states his agency covers – Massachusetts, New Hampshire and Rhode Island – the Ocean State is the only one that has established a working group on cybersecurity.
“Communication’s a big part of this,” Gentile said, “knowing what the challenges are. I give a lot of credit to the Rhode Island regulators for establishing the working group early on. They’re ahead of the curve.”
William A. Farrell, administrator and legal counsel for the Rhode Island Bankers Association, says that participants in the working group are looking forward to sharing contact information with one another and the state agencies and state police in an effort to be better prepared, should a breach or incident occur. Individual contingency plans are necessary and important, but sharing in that planning may be another way to thwart a future bad act or at least mitigate it, he said.
R.I. State Police Sgt. John Alfred, who also leads a more broadly based State Police Cybersecurity Disruption Team that includes educational institutions and hospitals, says that banks experience denial-of-service threats “nearly every single day but have gotten good at protecting against them.” Other challenges, added John P. Sullivan, chief information officer at the Westerly-based The Washington Trust Company, include malware, social-engineering attacks, phishing schemes, vendor access to nonpublic personal data and corporate-account takeover.
“The threats are dynamic and can occur at any time,” he said in an email. “Businesses as well as customers need to maintain a vigilant mindset to protect data at all times.”
Like Target before it and Staples after, Home Depot has taken well-publicized steps to counter and curtail data breaches, including “enhanced encryption of payment data in all U.S. stores,” according to a recent press release.
“The new security protection locks down payment-card data, taking raw payment-card information and scrambling it to make it unreadable and virtually useless to hackers,” said the company, which could not be reached for additional comment.
But Stephen Ormerod, chief security officer at the Smithfield-based Navigant Credit Union, believes along with Gentile, Farrell and Martel that more should be done to make the retailers liable.
“We share what we’re seeing and talk to other financial institutions … and typically we can identify these things before merchants come out and say that these things have occurred,” said Ormerod. “That helps us to be able to move to protect our debit cards from any further losses.”
Martel would like to see EMV chip-and-PIN technology in place at retailers. The embedded chip creates a unique token every time the card is swiped, authenticating the identity securely, and is already used in Canada and Europe. As of Oct. 1, 2015, merchants will be required to have terminals enabled to handle these EMV sales, she said, “so, if the merchant doesn’t have the terminal and there’s fraud the retailer will be on the hook.”
Home Depot deployed the EMV chip in Canadian stores in 2011 and launched a project for U.S. stores in January 2013.
“The project will be completed ahead of the payment industry’s deadline,” the company said.
