3 Reasons That Retail Data Breaches Keep Happening

If you worry about identity theft and credit card fraud, this week's news has been troubling. Target (NYSE: TGT) revised upward the number of customer accounts compromised by hackers from 40 million to 110 million. Neiman Marcus disclosed that some of its in-store customers' credit card data was stolen, and Reuters reported that three as-yet-unnamed mall retailers were hacked in 2013 as well. Even for shoppers whose data hasn't been breached yet, there's that nagging sense that it could happen at just about any time. And it looks like until U.S. retailers make some big changes, consumers should get used to being extra vigilant about their bank statements and credit reports.

The Motley Fool asked security blogger Brian Krebs — who was the first to report the Target and Neiman Marcus breaches — why these thefts keep happening, why the number of affected Target accounts has grown, and what might stop or reduce the attacks. Right now, there are three glaring problems with retail data safety.

Magnetic card stripes are a magnet for data thieves. Photo: US Navy

1. Hacked retailers often don't even know when they've been robbed until someone else clues them in.

"In a shocking number of cases, as with both Target and Neiman Marcus," Krebs said, "the victim organization doesn't discover the breach internally, but is instead notified by an outside party — either law enforcement organizations, security firms, or banks that are seeing fraud on their cards and have traced the common point of purchase on the compromised cards back to the merchant."
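Common point of purchase (CPP) analysis is how the banks Krebs mentions trace fraud back to a merchant: take the cards that later turned up in fraud, look for the merchant they all visited, and compare against how often clean cards shop there. The following is an added example, not from the article and not any bank's tooling. It ranks merchants by how over-represented they are in the histories of cards that went bad and bounds the likely compromise window from the dates; the transaction records, card IDs and merchant names are constructed.

```python
from collections import defaultdict

# Constructed transaction history: (card_id, merchant, date). Not real data.
TRANSACTIONS = [
    ("card1", "MerchantA",  "2013-11-28"),
    ("card1", "GasStation", "2013-11-30"),
    ("card2", "MerchantA",  "2013-12-01"),
    ("card2", "Grocery",    "2013-12-02"),
    ("card3", "MerchantA",  "2013-12-05"),
    ("card3", "GasStation", "2013-12-06"),
    ("card3", "Grocery",    "2013-12-07"),
    ("card4", "Grocery",    "2013-12-03"),
    ("card4", "MerchantA",  "2013-12-10"),
    ("card5", "Grocery",    "2013-12-04"),
    ("card5", "GasStation", "2013-12-04"),
    ("card6", "Grocery",    "2013-12-07"),
    ("card7", "GasStation", "2013-12-08"),
    ("card7", "Grocery",    "2013-12-09"),
    ("card8", "MerchantA",  "2013-12-11"),
]

# Cards on which the bank has since confirmed counterfeit-card fraud (constructed).
FRAUD_CARDS = {"card1", "card2", "card3", "card4"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by lift: P(fraud card shopped here) / P(clean card shopped here).

    A merchant that nearly every compromised card visited, but few clean cards did,
    is the likely breach point. min_fraud_cards suppresses single-card coincidences.
    """
    merchant_cards = defaultdict(set)
    merchant_fraud_dates = defaultdict(list)
    for card, merchant, date in transactions:
        merchant_cards[merchant].add(card)
        if card in fraud_cards:
            merchant_fraud_dates[merchant].append(date)

    all_cards = {card for card, _merchant, _date in transactions}
    clean_cards = all_cards - fraud_cards

    ranked = []
    for merchant, cards in merchant_cards.items():
        fraud_hits = len(cards & fraud_cards)
        if fraud_hits < min_fraud_cards:
            continue
        fraud_rate = fraud_hits / len(fraud_cards)
        clean_rate = len(cards & clean_cards) / len(clean_cards) if clean_cards else 0.0
        lift = fraud_rate / clean_rate if clean_rate else float("inf")
        dates = sorted(merchant_fraud_dates[merchant])
        ranked.append({
            "merchant": merchant,
            "fraud_cards": fraud_hits,
            "fraud_rate": round(fraud_rate, 2),
            "clean_rate": round(clean_rate, 2),
            "lift": round(lift, 2),
            # earliest/latest fraud-card visit bounds when the compromise was active
            "window": (dates[0], dates[-1]),
        })
    ranked.sort(key=lambda r: (r["lift"], r["fraud_cards"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(row)
```

With the constructed data, MerchantA has a lift of 4.0 (every fraud card shopped there, one clean card in four did) while the grocery store sits at 1.0, the baseline for a merchant that is simply popular. In practice the bank also needs a date filter, since fraud cards shared a merchant before the breach too; the window here is only a first estimate to hand to the merchant's investigators.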

2. It takes time to discover the extent of the damage.

Once they know they've been attacked, retailers often want to keep quiet until they understand exactly what happened — but that can take weeks or even months of investigation, while banks, shoppers, and the public may be kept in the dark. That was the case with the three mall merchants whose names haven't been released.

"Companies tend to rely on outside forensics firms, which don't exactly get the entire view of what's going on right away, and very often only gradually discover how far the breach extends and uncover new areas of compromise that weren't immediately obvious," Krebs said. And when information does come out early, revisions are often necessary. "Everyone wants answers yesterday — especially when consumer data is at risk — even when the victim organization doesn't yet know the whole story or see the whole picture. That is part of the reason why victim organizations tend to resist putting out specifics about the attack until much later."

In Target's case, the thefts were first thought to affect only in-store shoppers during the holiday season. But now Target says past customers' data may have been stolen, too. The company is offering a free year of credit monitoring to all its store shoppers as part of its recovery plan.

3. Magnetic stripe cards are cheap but easy to hack.

"Mag stripe data is where this memory-scraping POS [point of sale] malware gets its information from. Until mag stripe is completely gone, unless retailers move to encrypting the card data that's flowing across their internal networks, they will continue to be a target for cybercrooks," Krebs said.

So if data breaches cost companies millions of dollars in security, liability, and lost customer goodwill, why haven't retailers adopted a more secure system? Cost.

The chip and PIN cards that are popular in Europe have cut counterfeit-card fraud at the point of sale dramatically. Instead of the swipe-and-sign process used in the U.S., the card authenticates itself with a chip that computes a unique cryptogram for every transaction, and the cardholder authenticates with a PIN. Data captured at the terminal therefore cannot be replayed to build a working counterfeit card. Most chip cards still carry a magnetic stripe for fallback at older terminals, though, so that stripe data remains worth stealing until merchants stop accepting swipes.

Chip and PIN technology, also called EMV, was developed by Europay, MasterCard (NYSE: MA), and Visa (NYSE: V) and is already used in some 80 countries. After the U.K. adopted the chip and PIN system, bank card fraud fell 23% in the first half of 2009. But chip-embedded cards cost 7 to 10 times as much to make as their magnetic stripe analogs and require merchants to buy and install new point-of-sale terminals.
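To make concrete why stolen chip data is less useful to a counterfeiter than stolen stripe data, here is an added example, not from the article and not the EMV specification itself, modelling the card, terminal and issuer sides of a chip transaction. It is deliberately simplified: the real ARQC is a 3DES-based MAC under a session key derived from a card-unique master key and the transaction counter, over a longer list of fields. HMAC-SHA256 over the PAN, amount, ATC and the terminal's unpredictable number stands in for it, and the class and field names are assumptions of this example.

```python
import hashlib
import hmac
import os


def _mac_input(pan: str, amount: int, atc: int, un: bytes) -> bytes:
    """Data the card MACs: PAN, amount, its own transaction counter, the terminal's nonce."""
    return f"{pan}|{amount}|{atc}|{un.hex()}".encode()


class Card:
    """Chip side. Holds a per-card secret and a monotonically increasing counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key      # never leaves the chip; a stripe has no equivalent
        self.atc = 0         # Application Transaction Counter

    def generate_ac(self, amount: int, un: bytes) -> dict:
        self.atc += 1
        mac = hmac.new(self._key, _mac_input(self.pan, amount, self.atc, un), hashlib.sha256).digest()
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": un, "cryptogram": mac[:8]}


class Issuer:
    """Issuer host. Knows every card's key and the last counter value it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, msg: dict, terminal_un: bytes) -> tuple:
        key = self._keys.get(msg["pan"])
        if key is None:
            return (False, "unknown card")
        if msg["un"] != terminal_un:                      # nonce must be the one this terminal chose
            return (False, "unpredictable number mismatch")
        expected = hmac.new(key, _mac_input(msg["pan"], msg["amount"], msg["atc"], msg["un"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return (False, "bad cryptogram")
        if msg["atc"] <= self._last_atc[msg["pan"]]:      # counter must move forward
            return (False, "replayed ATC")
        self._last_atc[msg["pan"]] = msg["atc"]
        return (True, "approved")


def terminal_session(card: Card, issuer: Issuer, amount: int) -> tuple:
    """Terminal side: fresh nonce, ask the card for a cryptogram, forward it to the issuer."""
    un = os.urandom(4)
    msg = card.generate_ac(amount, un)
    return msg, issuer.authorize(msg, un)


def demo_replay() -> dict:
    key = os.urandom(16)
    card = Card("4111111111111111", key)                  # well-known test PAN
    issuer = Issuer()
    issuer.enroll(card.pan, key)

    captured, genuine = terminal_session(card, issuer, amount=4999)

    # 1. The captured message (what a RAM scraper would see) resubmitted via an honest terminal.
    other_un = bytes(b ^ 0xFF for b in captured["un"])    # guaranteed to differ from the original
    replay_new_terminal = issuer.authorize(captured, other_un)

    # 2. Attacker controls the terminal and reuses the captured nonce too.
    replay_same_terminal = issuer.authorize(captured, captured["un"])

    # 3. Attacker keeps the cryptogram but changes the amount.
    tampered_amount = issuer.authorize(dict(captured, amount=1), captured["un"])

    # The real card is unaffected: its next transaction carries ATC 2 and is approved.
    _, second_genuine = terminal_session(card, issuer, amount=1200)

    return {"genuine": genuine, "replay_new_terminal": replay_new_terminal,
            "replay_same_terminal": replay_same_terminal, "tampered_amount": tampered_amount,
            "second_genuine": second_genuine}


if __name__ == "__main__":
    for name, outcome in demo_replay().items():
        print(f"{name:22s} {outcome}")
```

Every value a scraper could capture from this exchange is either public (PAN, amount, nonce, counter) or single-use (the cryptogram), which is the whole difference from a stripe, whose contents are the credential. Note what the cryptogram does not do: it proves a genuine chip was present, so it stops counterfeit cards, but it says nothing about a purchase typed into a web form, which is why the fraud shifts online as the next section describes.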

One big change that can cut point-of-sale data theft

Chip and PIN is coming to the U.S., although it may take a while before it reduces fraud here.

"Chip and PIN will help, but the benefit will be gradual," Krebs said. "By October 2015, all retailers will need to have hardware to support chip and PIN cards, or else they will assume all responsibility and risk for fraud in which chip and PIN cards are presented. Ideally, those new terminals will only accept chip cards. But probably mag stripe cards will be with us for several more years, and as long as that's the case, we'll continue to see attacks involving POS malware."

And if you're hoping you can relax your credit vigilance once the chip and PIN system is up and running here, think again. While point-of-sale fraud has fallen in countries already using chip and PIN, thieves aren't giving up. According to Wired magazine, during the time that card fraud dropped so dramatically in the U.K., phishing rose 26% and online bank fraud skyrocketed 55%.

What you can do

Right now, even if you had one of the few chip and PIN cards available in the U.S., it wouldn't do you much good here because merchants don't have chip terminals yet. Short of paying for everything with cash, you really need to monitor your bank and credit card statements for unauthorized charges, report any as soon as you find them, and sign up for a credit-monitoring service to alert you if data thieves try to open accounts in your name.


Comments from our Foolish Readers


  • On January 15, 2014, at 11:03 AM, alexf wrote:

    Good and accurate article. I worked in IT at one of the major credit card companies in the early 2000s. We could not get the merchants to switch to chip cards due to cost. The Targets of this world said they were not interested in spending tens of millions in installing new terminals in every store and every point of sale. So for the US, with its huge installed and obsolete base, it was always a no-go. That is unfortunate. Hopefully now they have started seeing the light and realizing that what we told them over and over years ago was important and true.

    Another issue is their lax internal data security rules. I am not in the know in any of the retailers but I can guarantee you many (most) of them do not keep customer information in encrypted form in their databases, and I am not surprised at how easily external hackers can penetrate their networks. Scary.

    Do check your statements, always. Use credit cards, not debit and pin. This gives you insurance against malicious charges. With debit, your bank account can be cleaned out before you say cheese!

    Although widespread use of chip cards, and getting rid of the 1960s technology in use (mag stripes), will improve security, do not think that it will make the system immune. It will do nothing to stop phishing and internet fraud. People are still lax and easy to con.

  • On January 15, 2014, at 12:40 PM, jdmeck wrote:

    The cc companies are still partially to blame. Why should any information be stored on the stripe at all, other than what is needed to contact the companies for verification?

  • On January 15, 2014, at 6:59 PM, neamakri wrote:

    Excellent article and excellent comments.

    (1) Why did Target keep PINs? Besides being unnecessary it was a disaster waiting to happen.

    (2) Is there an anti malware app that can find these bugs? Otherwise that is a new software opportunity.

    (3) I sympathize with alexfsx in IT. So Target would not spend tens of millions. Instead they saddled their customers with a ton of pain plus gave themselves a PR migraine. Being cheap in the short term can cost big in the long term.
