3 Reasons That Retail Data Breaches Keep Happening

And one big change that security experts say will help.

Jan 15, 2014 at 10:00AM

If you worry about identity theft and credit card fraud, this week's news has been troubling. Target (NYSE:TGT) revised upward the number of customer accounts compromised by hackers from 40 million to 110 million. Neiman Marcus disclosed that some of its in-store customers' credit card data was stolen, and Reuters reported that three as-yet-unnamed mall retailers were hacked in 2013 as well. Even for shoppers whose data hasn't been breached — yet — there's that nagging sense that it could happen at just about any time. And it looks like until U.S. retailers make some big changes, consumers should get used to being extra vigilant about their bank statements and credit reports.

The Motley Fool asked security blogger Brian Krebs — who was the first to report the Target and Neiman Marcus breaches — why these thefts keep happening, why the number of affected Target accounts has grown, and what might stop or reduce the attacks. Right now, there are three glaring problems with retail data safety.

Magnetic card stripes are a magnet for data thieves. Photo: US Navy

1. Hacked retailers often don't even know when they've been robbed until someone else clues them in.

"In a shocking number of cases, as with both Target and Neiman Marcus," Krebs said, "the victim organization doesn't discover the breach internally, but is instead notified by an outside party — either law enforcement organizations, security firms, or banks that are seeing fraud on their cards and have traced the common point of purchase on the compromised cards back to the merchant."

2. It takes time to discover the extent of the damage.

Once they know they've been attacked, retailers often want to keep quiet until they understand exactly what happened — but that can take weeks or even months of investigation, while banks, shoppers, and the public may be kept in the dark. That was the case with the three mall merchants whose names haven't been released.

"Companies tend to rely on outside forensics firms, which don't exactly get the entire view of what's going on right away, and very often only gradually discover how far the breach extends and uncover new areas of compromise that weren't immediately obvious," Krebs said. And when information does come out early, revisions are often necessary. "Everyone wants answers yesterday — especially when consumer data is at risk — even when the victim organization doesn't yet know the whole story or see the whole picture. That is part of the reason why victim organizations tend to resist putting out specifics about the attack until much later."

In Target's case, the thefts were first thought to affect only in-store shoppers during the holiday season. But now Target says past customers' data may have been stolen, too. The company is offering a free year of credit monitoring to all its store shoppers as part of its recovery plan.

3. Magnetic stripe cards are cheap but easy to hack.

"Mag stripe data is where this memory-scraping POS [point of sale] malware gets its information from. Until mag stripe is completely gone, unless retailers move to encrypting the card data that's flowing across their internal networks, they will continue to be a target for cybercrooks," Krebs said.

So if data breaches cost companies millions of dollars in security, liability, and lost customer goodwill, why haven't retailers adopted a more secure system? Cost.

The chip and PIN cards that are popular in Europe have cut point-of-sale fraud dramatically. The cards use a two-step verification process rather than the swipe-and-sign technology we use here. And the cards have no magnetic stripe data to steal.

Chip and PIN technology, also called EMV, was developed by Europay, MasterCard (NYSE:MA), and Visa (NYSE:V) and is already used in some 80 countries. After the U.K. adopted the chip and PIN system, bank card fraud fell 23% in the first half of 2009. But chip-embedded cards cost 7 to 10 times as much to make as their magnetic stripe analogs and require merchants to buy and install new point-of-sale terminals.

One big change that can cut point-of-sale data theft

Chip and PIN is coming to the U.S., although it may take a while before it reduces fraud here.

"Chip and PIN will help, but the benefit will be gradual," Krebs said. "By October 2015, all retailers will need to have hardware to support chip and PIN cards, or else they will assume all responsibility and risk for fraud in which chip and PIN cards are presented. Ideally, those new terminals will only accept chip cards. But probably mag stripe cards will be with us for several more years, and as long as that's the case, we'll continue to see attacks involving POS malware."

And if you're hoping you can relax your credit vigilance once the chip and PIN system is up and running here, think again. While point-of-sale fraud has fallen in countries already using chip and PIN, thieves aren't giving up. According to Wired magazine, during the time that card fraud dropped so dramatically in the U.K., phishing rose 26% and online bank fraud skyrocketed 55%.

What you can do

Right now, even if you had one of the few chip and PIN cards available in the U.S., it wouldn't do you much good here because merchants don't have chip terminals yet. Short of paying for everything with cash, you really need to monitor your bank and credit card statements for unauthorized charges, report any as soon as you find them, and sign up for a credit-monitoring service to alert you if data thieves try to open accounts in your name.


Fool contributor Casey Kelly Barton has no position in any stocks mentioned. The Motley Fool recommends MasterCard and Visa. The Motley Fool owns shares of MasterCard and Visa. The Motley Fool has a disclosure policy.
