3 Reasons That Retail Data Breaches Keep Happening

And one big change that security experts say will help.

Jan 15, 2014 at 10:00AM

If you worry about identity theft and credit card fraud, this week's news has been troubling. Target (NYSE:TGT) revised upward the number of customer accounts compromised by hackers from 40 million to 110 million. Neiman Marcus disclosed that some of its in-store customers' credit card data was stolen, and Reuters reported that three as-yet-unnamed mall retailers were hacked in 2013 as well. Even for shoppers whose data hasn't been breached — yet — there's that nagging sense that it could happen at just about any time. And it looks like until U.S. retailers make some big changes, consumers should get used to being extra vigilant about their bank statements and credit reports.

The Motley Fool asked security blogger Brian Krebs — who was the first to report the Target and Neiman Marcus breaches — why these thefts keep happening, why the number of affected Target accounts has grown, and what might stop or reduce the attacks. Right now, there are three glaring problems with retail data safety.

Magnetic card stripes are a magnet for data thieves. Photo: US Navy

1. Hacked retailers often don't even know when they've been robbed until someone else clues them in.

"In a shocking number of cases, as with both Target and Neiman Marcus," Krebs said, "the victim organization doesn't discover the breach internally, but is instead notified by an outside party — either law enforcement organizations, security firms, or banks that are seeing fraud on their cards and have traced the common point of purchase on the compromised cards back to the merchant."

2. It takes time to discover the extent of the damage.

Once they know they've been attacked, retailers often want to keep quiet until they understand exactly what happened — but that can take weeks or even months of investigation, while banks, shoppers, and the public may be kept in the dark. That was the case with the three mall merchants whose names haven't been released.

"Companies tend to rely on outside forensics firms, which don't exactly get the entire view of what's going on right away, and very often only gradually discover how far the breach extends and uncover new areas of compromise that weren't immediately obvious," Krebs said. And when information does come out early, revisions are often necessary. "Everyone wants answers yesterday — especially when consumer data is at risk — even when the victim organization doesn't yet know the whole story or see the whole picture. That is part of the reason why victim organizations tend to resist putting out specifics about the attack until much later."

In Target's case, the thefts were first thought to affect only in-store shoppers during the holiday season. But now Target says past customers' data may have been stolen, too. The company is offering a free year of credit monitoring to all its store shoppers as part of its recovery plan.

3. Magnetic stripe cards are cheap but easy to hack.

"Mag stripe data is where this memory-scraping POS [point of sale] malware gets its information from. Until mag stripe is completely gone, unless retailers move to encrypting the card data that's flowing across their internal networks, they will continue to be a target for cybercrooks," Krebs said.

So if data breaches cost companies millions of dollars in security, liability, and lost customer goodwill, why haven't retailers adopted a more secure system? Cost.

The chip and PIN cards that are popular in Europe have cut point-of-sale fraud dramatically. The cards use a two-step verification process rather than the swipe-and-sign technology we use here. And the cards have no magnetic stripe data to steal.

Chip and PIN technology, also called EMV, was developed by Europay, MasterCard (NYSE:MA), and Visa (NYSE:V) and is already used in some 80 countries. After the U.K. adopted the chip and PIN system, bank card fraud fell 23% in the first half of 2009. But chip-embedded cards cost 7 to 10 times as much to make as their magnetic stripe analogs and require merchants to buy and install new point-of-sale terminals.

One big change that can cut point-of-sale data theft

Chip and PIN is coming to the U.S., although it may take a while before it reduces fraud here.

"Chip and PIN will help, but the benefit will be gradual," Krebs said. "By October 2015, all retailers will need to have hardware to support chip and PIN cards, or else they will assume all responsibility and risk for fraud in which chip and PIN cards are presented. Ideally, those new terminals will only accept chip cards. But probably mag stripe cards will be with us for several more years, and as long as that's the case, we'll continue to see attacks involving POS malware."

And if you're hoping you can relax your credit vigilance once the chip and PIN system is up and running here, think again. While point-of-sale fraud has fallen in countries already using chip and PIN, thieves aren't giving up. According to Wired magazine, during the time that card fraud dropped so dramatically in the U.K., phishing rose 26% and online bank fraud skyrocketed 55%.

What you can do

Right now, even if you had one of the few chip and PIN cards available in the U.S., it wouldn't do you much good here because merchants don't have chip terminals yet. Short of paying for everything with cash, you really need to monitor your bank and credit card statements for unauthorized charges, report any as soon as you find them, and sign up for a credit-monitoring service to alert you if data thieves try to open accounts in your name.

Fool contributor Casey Kelly Barton has no position in any stocks mentioned. The Motley Fool recommends MasterCard and Visa. The Motley Fool owns shares of MasterCard and Visa.
