A Secret Service witness told a congressional committee Monday that a lack of local cooperation, especially with foreign authorities, delays the apprehension of criminals responsible for data security breaches.
The “Safeguarding Consumers’ Financial Data” hearing was the first data security hearing in Congress since the Target security breach.
“Due to the inherent challenges in investigating transnational crime, particularly the lack of cooperation of some countries with law enforcement investigations, occasionally it takes years to finally apprehend the top tier criminals responsible,” said William Noonan, deputy special agent in charge at the Secret Service, in written testimony before the Senate Subcommittee on National Security and International Trade and Finance.
As an example, Noonan pointed to Dmitriy Smilianets and Vladimir Drinkman, who were arrested in June 2012 as part of a multi-year Secret Service investigation. The Secret Service was able to nab the criminals while they were traveling in the Netherlands thanks to the assistance of Dutch law enforcement, he said.
“The alleged total fraud loss from their cyber crimes exceeded $105 million,” Noonan said.
If law enforcement in a foreign country does not cooperate with the U.S., he said, some foreigners who steal Americans' information are never brought to justice.
According to Noonan’s testimony, the Secret Service currently devotes significant resources to improving investigative techniques, training law enforcement partners and raising public awareness.
“The Secret Service will continue to be innovative in its approach to cyber crime and cyber security and is pleased that the Committee recognizes the magnitude of these issues and the evolving nature of these crimes,” he added.
Under questioning from Senator Jon Tester (D-Mont.), Noonan would not give any details of the Target data breach since it is an ongoing investigation.
However, Noonan said there is currently no federal requirement for a retailer to notify law enforcement about a potential security breach.
Jessica Rich, director of the Bureau of Consumer Protection at the Federal Trade Commission, told the committee that a notification requirement is necessary.
Troy Leach, chief technology officer at the PCI Security Standards Council, said in his testimony that small merchants often do not change passwords on point of sale applications and devices. He said the council has updated requirements to stress that default passwords should never be used.
“All passwords must be regularly changed and not continually repeated, should never be shared, and must always be of appropriate strength. Beyond promulgating appropriate standards, we have taken steps through training and public outreach to educate the merchant community on the importance of following proper password protocols,” wrote Leach in his testimony.
“Recognizing the need for a multilayer approach, in addition to the PCI DSS, the Council and community have developed standards that cover payment applications and point of sale devices,” he added.
The PCI Security Standards Council is also currently developing standards and guidance on tokenization and point-to-point encryption, which remove payment card information from merchant systems or render it useless to cyber criminals, he said.
Both technologies “work in concert with other PCI Standards to offer additional protection to payment card data,” said Leach.