On the day of the phone interview with IBM’s Josyula R. (JR) Rao, Director of Security Research at the Thomas J. Watson Research Center in Yorktown Heights, NY, the Target retail chain announced it had been hacked: the information of 40 million consumer credit cards was stolen over a three-week period.
The ‘Black Friday’ attack was a sophisticated, pervasive form of credit card skimming. It was also widespread, sweeping up consumer details across Target’s 2,000 stores in North America. The point-of-sale breach, likely the result of an email phishing attack on Target’s back-end system, was a big blow to the store’s holiday sales and to its goal of increasing its online presence, which has stagnated at 2 percent of gross sales.
Collateral damage of the Target attack includes JP Morgan Chase, which had 2 million customers—10 percent—affected by the data breach. As an extra layer of security, Chase has limited customer debit cards to $100 per day in ATM withdrawals and $300 in debit purchases. All of Target’s bad news and Chase’s consumer restrictions come in the last week of holiday shopping. Chase isn’t the only bank involved.
Public sentiment has ranged from downright negative to “I will never shop at Target again.”
Let’s see what Chase customers think of $100 daily limits. Try going out on the town for two on that money. So who can consumers trust with their credit cards and personal information?
It appears no one.
Target’s ripple effect will go beyond the three class action lawsuits, lost revenue, and any potential regulatory fines, while the breach and the negative public opinion will definitely be reflected in its stock price going into next year.
Are we losing the cyberattack, malware, and advanced persistent threat war? Yes.
Then what can be done as we march inexorably toward a greater digital surface area, with more endpoints to defend against attacks? How will consumers and businesses be able to communicate in a seamless, secure, and private manner going forward? Trust is broken.
For those answers, the conversation with IBM’s JR Rao on security and privacy was timely.
IBM’s Digital Guardian Prediction
First thing I learned—there’s hope. IBM has twelve research labs around the world, including facilities in Africa, Brazil, and Australia, with 3,500 researchers, analysts, engineers, and scientists dedicated to carrying out a wide range of security research projects across many industries.
“We have 100 researchers doing cutting edge research on security and privacy problems,” JR Rao, Ph.D., said. “They are professionals who have built systems, products, and services with government agencies, corporations of all sizes, and institutions in academics.”
I asked, “In IBM’s year-end release of 5 in 5—five predictions in five years about technology innovation—what is the Digital Guardian all about?”
“There are domain challenges to serve consumers. Security is an unwieldy craft. It needs a refined approach with balanced services, rich tools and techniques,” Dr. Rao began to explain. “When we go shopping we are profiled by our credit cards with the likes of Visa, Amex, and Master Card holding our information. They have records on my shopping habits when I travel locally. But when I go overseas, say, to the Mid-East, the first time I use my credit card for dinner the charge is denied. That’s until I get on the phone and speak to the card company directly to verify my identity. It’s a real pain and headache for the consumer.”
The pain and headache go deeper for those whose card data was stolen in the Target breach.
“The Digital Guardian will work differently. It will learn and inform as we travel. It will see that we bought an airline ticket online, see that we purchased items at an airport in the duty free shop, pick up travel agency information we used, while knowing our destination using both a system of records and login transactions. When that happens, credit cards will become much more usable when we travel,” Dr. Rao said.
“Credit cards embedded with smart systems would follow our breadcrumbs?” I suggested.
“Yes, it will be a system of engagement and aggregate the user profile,” he replied. “Such a system will increase consumer confidence by connecting the dots and gaining insights.”
With IBM developing cognitive, machine-learning tools, software, and cloud analytics, a Digital Guardian in the vein Dr. Rao described and IBM predicts could very well be commercialized in five years.
From IBM’s press release:
A Digital Guardian will protect you online: Security systems will acquire a 360-degree view of an individual’s data, devices and applications. By learning about you, your context and behavior on various devices, a digital guardian will spot patterns that could be precursors to a cyber attack or a stolen identity and intervene on your behalf while maintaining the privacy of your personal information.
Behavioral Analytics as Your Go
“The service will be opt-in for the end user, with certain details kept private, with user controls, and Digital Guardian alerts,” Dr. Rao said. “It will be a system that uses your credentials, your profile, and will be enabled with the deep power of data analytics, hosted on services like the cloud.”
“What’s critical to make such a system work?” I asked.
“Security and privacy will have to be done right,” he pointed out. “The security age of rules-based systems has limitations; breaches occur. Hackers circumvent, get around the rules. A new model will blend a biometrics-based system delivered in a much more contextual and adaptive way.”
“Can you elaborate?”
“The Digital Guardian will be historical, situational context with behavioral analytics. There will be mobile sensors to pick up your voice, recognize it; the biometrics will authenticate you. It will be much more useful than entering a PIN or password,” Dr. Rao said.
“As we migrate away from rules-based systems, which will still be in use, but only as a first line of defense, the Digital Guardian will take adaptive responses, reading attachments, limiting access to sensitive documents. It will be location with more credentials. Are users at home or at the workplace?” he said.
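Dr. Rao’s description above (static rules kept only as a first line of defense, then an adaptive decision drawn from travel breadcrumbs such as an airline ticket, a duty-free purchase and the known destination) can be sketched in code. The Python below is an illustration added for this article; it is not IBM’s Digital Guardian or any IBM code. The Transaction and Profile records, the evidence weights, the 14-day context window and the allow/step-up thresholds are all constructed assumptions, and the scenarios at the bottom use made-up card data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample records: not real card, customer or merchant data.


@dataclass
class Transaction:
    card_id: str
    amount: float
    merchant_category: str           # e.g. "restaurant", "airline", "duty_free"
    country: str                     # country code of the merchant, e.g. "AE"
    timestamp: datetime
    destination: Optional[str] = None  # for airline tickets: booked destination country


@dataclass
class Profile:
    card_id: str
    home_country: str
    reported_stolen: bool = False
    per_txn_hard_limit: float = 5000.0
    history: List[Transaction] = field(default_factory=list)  # past approved transactions


def first_line_rules(txn: Transaction, profile: Profile) -> Optional[str]:
    """Static rules, the conventional first line of defense. Returns a deny reason or None."""
    if profile.reported_stolen:
        return "card reported stolen"
    if txn.amount > profile.per_txn_hard_limit:
        return "amount exceeds hard per-transaction limit"
    # Impossible travel: an approved charge in another country within the last two hours
    for past in profile.history:
        if past.country != txn.country and timedelta(0) <= txn.timestamp - past.timestamp <= timedelta(hours=2):
            return "impossible travel: charge in %s %s ago" % (past.country, txn.timestamp - past.timestamp)
    return None


def travel_context_score(txn: Transaction, profile: Profile, window_days: int = 14) -> float:
    """Contextual layer: does recent history explain a charge abroad? Lower score = more plausible."""
    if txn.country == profile.home_country:
        return 0.1
    since = txn.timestamp - timedelta(days=window_days)
    recent = [h for h in profile.history if since <= h.timestamp <= txn.timestamp]
    evidence = 0
    for h in recent:
        if h.merchant_category == "airline":
            # A ticket whose destination matches the merchant country is the strongest signal
            evidence += 3 if h.destination == txn.country else 1
        elif h.merchant_category == "duty_free":
            evidence += 1          # the holder was physically at an airport
        elif h.country == txn.country:
            evidence += 2          # an earlier approved charge in the same foreign country
    return max(0.0, 0.9 - 0.2 * evidence)


def decide(txn: Transaction, profile: Profile) -> Tuple[str, str]:
    """Rules first; if they pass, the contextual score chooses allow or a step-up verification."""
    reason = first_line_rules(txn, profile)
    if reason:
        return ("deny", reason)
    score = travel_context_score(txn, profile)
    if score < 0.4:
        return ("allow", "context score %.2f" % score)
    return ("step_up", "context score %.2f: ask the holder to verify" % score)


def run_scenarios() -> dict:
    """Replays the travel situation from the interview on constructed data."""
    t0 = datetime(2013, 12, 18, 20, 0)
    dinner_abroad = Transaction("card-1", 120.0, "restaurant", "AE", t0)
    dinner_home = Transaction("card-1", 120.0, "restaurant", "US", t0)
    no_context = Profile("card-1", "US")
    with_context = Profile("card-1", "US", history=[
        Transaction("card-1", 900.0, "airline", "US", t0 - timedelta(days=5), destination="AE"),
        Transaction("card-1", 60.0, "duty_free", "US", t0 - timedelta(days=1)),
    ])
    stolen = Profile("card-1", "US", reported_stolen=True)
    same_hour = Profile("card-1", "US", history=[
        Transaction("card-1", 15.0, "restaurant", "US", t0 - timedelta(hours=1)),
    ])
    return {
        "home_dinner": decide(dinner_home, no_context)[0],          # allow
        "abroad_no_context": decide(dinner_abroad, no_context)[0],  # step_up (today's phone call)
        "abroad_with_context": decide(dinner_abroad, with_context)[0],  # allow
        "stolen_card": decide(dinner_abroad, stolen)[0],            # deny
        "impossible_travel": decide(dinner_abroad, same_hour)[0],   # deny
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-20s %s" % (name, outcome))
```

The point of the split is the one Dr. Rao makes: the static rules still catch the cases they always caught (a stolen card, a hard limit, two countries within an hour), but a foreign charge that the rules alone would bounce is instead explained by the holder’s own breadcrumbs, so the traveler is verified or simply allowed rather than left on the phone.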
Dr. Rao added that security’s current reactive model—or, in Target’s case, trying to get ahead of a negative story—will shift to a contextual form that respects consumers’ rights to privacy.
“Privacy is a fundamental given. We take it for granted. But there are laws on privacy,” he said, referring to tough European privacy regulations and to the privacy laws being debated today in the U.S. in light of the NSA sweeps.
This shopping season Target and Chase could have used a Digital Guardian. Consumer confidence could have used it, too.
We can hope that such a seamless, natural, usable data security and privacy guardian will come to realization in less than five years.