Brian Krebs: An Uncommon Interview
The world first heard about the Target security breach this December because of Brian Krebs. At the height of the Christmas shopping season, his work led to the disclosure that the retailing giant’s POS system had been hacked and had been feeding the payment-card information of millions of Target shoppers to cybercriminals for months. After following up the Target story by breaking the news that luxury retailer Neiman Marcus also had been penetrated, Krebs was named as the source in just about every early story concerning the breaches. He was first on these stories and his ensuing coverage detailing the hows and whys has been comprehensive.
The investigative journalist has been on the Internet- and network-security beat for a decade, with the Washington Post and on his own. Even before his December scoop, his KrebsOnSecurity blog had become an indispensable source for the timeliest and most accurate information on cybercrime and the threats it presents to consumers and businesses.
With interest concerning security—and the role it plays in card-not-present fraud—running extremely hot, securing Krebs as a keynote speaker at the CNP Expo in Orlando, Fla. this May was a coup. As a preview, D.J. Murphy, the editor-in-chief of CardNotPresent.com, sat down with him recently and had him answer some questions instead of asking them. Our conversation ranged from Target and the lessons learned—or not learned—by retailers facing the threat of more breaches, to the differences between being compliant and being secure, and more.
Q&A with Brian Krebs: The First Word in Security
CardNotPresent.com: You occupy an unusual space in journalism. Coming from a mass media outlet, you moved to a very specialized one that provides real intel for security professionals, but that also informs consumers concerned about the security of their personal information. Who benefits more from your writing, consumers or business professionals?
Brian Krebs: It’s a mix of both and I strive to create a balance. Even if I did nothing but these merchant breach stories, these are stories that affect merchants and they affect businesses. But, everybody carries credit cards and everybody shops at retailers. Sometimes the message for consumers seems like a broken record: don’t reuse passwords, try to use your credit card instead of your debit card, keep an eye on your credit report. But, you really can’t talk about it enough.
CardNotPresent.com: I know you’ve broken big stories in the past. But, do you consider the Target breach the most significant story you’ve broken?
BK : It’s not a unique story. We’ve seen these big retail breaches before and we’ve seen the fallout from it. In the past, nothing really changed. Somebody got fined, somebody paid a lot of money. But, I think the Target story has gotten legs for a number of reasons. The biggest is, there are a lot of people in law enforcement, in the response community and in the intelligence community who are getting all kinds of indicators that this is not a single incident. There are multiple groups perpetrating these breaches and they have hit a ridiculous number of merchants.
CardNotPresent.com: In the aftermath of Target and Neiman Marcus, Congress has begun to discuss a national standard for breach disclosure requirements. In the absence of that, and given the patchwork of state disclosure regulations, how many will we really know about?
BK: People think merchants have an obligation to disclose, but I guarantee if these merchants can legally keep it under wraps they will. It’s an open question how many of these are going to actually become public. I’ve reached out to several that I’m pretty sure are breached and they’re pretty much ignoring me. But [the outcry is waning]. I guess people are just feeling fatigued. The rest of the world has moved on, to pushing fraud somewhere else with Chip-and-PIN.
CardNotPresent.com: From the perspective of a publication that focuses on the card-not-present space, that’s a big issue. With the EMV migration ongoing and deadlines coming, our industry is bracing for the wave of e-commerce fraud that follows. How would you describe the state of security around e-commerce, and are companies prepared for when the actual liability shift happens?
BK: After the shift, there’s no question criminals will focus on card-not-present fraud. That’s what happened in Europe. That’s exactly what will happen here. Whether they’re ready for that I have no idea. Most retailers are not organized around security. They’re organized into other units with responsibility for security [fragmented]. In the case of Target, it’s remarkable to see the different silos and the number of people they had in security in each of them. But, it was obvious there was not a lot of cooperation and communication between and among those units. And there didn’t seem to be anyone ultimately in charge of all of that. Look at the leadership page on Target’s Website, do you see a security person on there?
CardNotPresent.com: Given the effect this has had on Target from a PR and sales perspective (customer traffic in January was its lowest in three years), has the retail industry responded appropriately?
BK: They’re not moving nearly fast enough to change their ways. I keep hearing that they are circling the wagons and everybody’s afraid of a phone call from Brian Krebs. In the meantime, what are you doing so this doesn’t happen to you? Prior to the security breach becoming public you heard that [Target] was a company that had spent a lot of money on security. Spending a lot of money on security does not equal security. Whatever the organization tries to accomplish as a whole, security is a part of that.
CardNotPresent.com: Compliance with PCI-DSS standards is supposed to provide baseline security. But, is it a technique that offers any protection whatever?
BK: There’s a whole industry of companies that will give you the PCI stamp of approval. But, do merchants want to get the seal of approval or do they really want to be secure? If they want to be secure, it requires a full security audit. It doesn’t happen in two days. But you have companies that will certify a company PCI-compliant within a short time with a small amount of work. I don’t really see how you can have a robust standard, how PCI can prove anything, until there are standards for companies that can give out PCI checkmarks. There’s a huge amount of variety there.
CardNotPresent.com: Merchants feel it’s something they have to do. You’re PCI compliant until you’re breached. Then you’re not. It’s something they spend money on for no apparent reason.
BK: That’s the problem with compliance. Most organizations spend a ridiculous amount of their security dollars on compliance. Whatever is left over, maybe they’ll actually spend it on security. PCI is an industry-enforced regulation but it might as well be in the law. You can’t do business without it.
CardNotPresent.com: Much of the cybercrime threat is coming out of Eastern Europe and other areas that may not have extradition treaties with us. What is the cooperation between the U.S. and countries like that as far as trying to choke this off at the source?
BK: I wish we had better things to report about cooperation overseas. The individuals responsible for this are in Eastern Europe, specifically Russia and Ukraine. As long as they stay there, they don’t really have a lot to worry about. Maybe, with the change going on in Ukraine, if they continue a more pro-European tilt, maybe that will change things. Law enforcement has a tough job.