If you worry about identity theft and credit card fraud, this week's news has been troubling. Target (TGT 3.34%) revised upward the number of customer accounts compromised by hackers from 40 million to 110 million. Neiman Marcus disclosed that some of its in-store customers' credit card data was stolen, and Reuters reported that three as-yet-unnamed mall retailers were hacked in 2013 as well. Even for shoppers whose data hasn't been breached — yet — there's that nagging sense that it could happen at just about any time. And it looks like until U.S. retailers make some big changes, consumers should get used to being extra vigilant about their bank statements and credit reports.
The Motley Fool asked security blogger Brian Krebs — who was the first to report the Target and Neiman Marcus breaches — why these thefts keep happening, why the number of affected Target accounts has grown, and what might stop or reduce the attacks. Right now, there are three glaring problems with retail data safety.
1. Hacked retailers often don't even know when they've been robbed until someone else clues them in.
"In a shocking number of cases, as with both Target and Neiman Marcus," Krebs said, "the victim organization doesn't discover the breach internally, but is instead notified by an outside party — either law enforcement organizations, security firms, or banks that are seeing fraud on their cards and have traced the common point of purchase on the compromised cards back to the merchant."
2. It takes time to discover the extent of the damage.
Once they know they've been attacked, retailers often want to keep quiet until they understand exactly what happened — but that can take weeks or even months of investigation, while banks, shoppers, and the public may be kept in the dark. That was the case with the three mall merchants whose names haven't been released.
"Companies tend to rely on outside forensics firms, which don't exactly get the entire view of what's going on right away, and very often only gradually discover how far the breach extends and uncover new areas of compromise that weren't immediately obvious," Krebs said. And when information does come out early, revisions are often necessary. "Everyone wants answers yesterday — especially when consumer data is at risk — even when the victim organization doesn't yet know the whole story or see the whole picture. That is part of the reason why victim organizations tend to resist putting out specifics about the attack until much later."
In Target's case, the thefts were first thought to affect only in-store shoppers during the holiday season. But now Target says past customers' data may have been stolen, too. The company is offering a free year of credit monitoring to all its store shoppers as part of its recovery plan.
3. Magnetic stripe cards are cheap but easy to hack.
"Mag stripe data is where this memory-scraping POS [point of sale] malware gets its information from. Until mag stripe is completely gone, unless retailers move to encrypting the card data that's flowing across their internal networks, they will continue to be a target for cybercrooks," Krebs said.
So if data breaches cost companies millions of dollars in security, liability, and lost customer goodwill, why haven't retailers adopted a more secure system? Cost.
The chip and PIN cards that are popular in Europe have cut point-of-sale fraud dramatically. The cards use a two-step verification process rather than the swipe-and-sign technology we use here. And the cards have no magnetic stripe data to steal.
Chip and PIN technology, also called EMV, was developed by Europay, MasterCard (MA 1.16%), and Visa (V 1.39%) and is already used in some 80 countries. After the U.K. adopted the chip and PIN system, bank card fraud fell 23% in the first half of 2009. But chip-embedded cards cost 7 to 10 times as much to make as their magnetic stripe analogs and require merchants to buy and install new point-of-sale terminals.
One big change that can cut point-of-sale data theft
Chip and PIN is coming to the U.S., although it may take a while before it reduces fraud here.
"Chip and PIN will help, but the benefit will be gradual," Krebs said. "By October 2015, all retailers will need to have hardware to support chip and PIN cards, or else they will assume all responsibility and risk for fraud in which chip and PIN cards are presented. Ideally, those new terminals will only accept chip cards. But probably mag stripe cards will be with us for several more years, and as long as that's the case, we'll continue to see attacks involving POS malware."
And if you're hoping you can relax your credit vigilance once the chip and PIN system is up and running here, think again. While point-of-sale fraud has fallen in countries already using chip and PIN, thieves aren't giving up. According to Wired magazine, during the time that card fraud dropped so dramatically in the U.K., phishing rose 26% and online bank fraud skyrocketed 55%.
What you can do
Right now, even if you had one of the few chip and PIN cards available in the U.S., it wouldn't do you much good here because merchants don't have chip terminals yet. Short of paying for everything with cash, you really need to monitor your bank and credit card statements for unauthorized charges, report any as soon as you find them, and sign up for a credit-monitoring service to alert you if data thieves try to open accounts in your name.