Merchants look for new and improved payment technologies.
When Target announced in December that its credit and customer records had been hacked, and news of similar breaches at other retailers followed, it was a pivotal moment for data security.
Merchants jumped to upgrade and protect their systems. Along with data security companies, payment processors and lawmakers on Capitol Hill they joined a growing chorus calling for better standards and technology to safeguard data.
Target, after acknowledging that as many as 110 million customers had personal information and card data stolen, said it would speed up its adoption of more secure payment technology. Suddenly, banks were being pressured to issue customers new cards with microchips, which have been used in Europe for more than 20 years. Congressional committees asked, with urgency, what more could be done.
Though Target’s hack may have been the impetus for the uproar, underlying the conversation is a threat that’s been growing for years: Data hackers increasingly operating like businesses, with sophisticated networks of criminals hawking a lucrative product — our identities.
“What we’ve seen in the last 10 years is a professionalism increase in the hacker community,” said Hugh Thompson, senior vice president and chief security strategist at Blue Coat, a security company whose technology is used by 86% of Fortune 500 companies.
Criminals, he said, are looking at return on investment, asking, “Where do I break into to get the maximum yield of monetizeable data?”
The answer has led hackers to the retail industry, which rings up billions of transactions a year, and collects shoppers’ information and preferences to target them with specific offers that spur more purchases.
Since last July, retailers including Walmart, Walgreens, Nordstrom, Target, Neiman Marcus and Michaels have been hacked, according to a list provided to USA TODAY by Eric Chiu, president and co-founder of security company HyTrust. Chiu compiled his list from public reports of these intrusions.
HACKERS FOCUS ON RETAIL
Crooks, experts say, focus on retailers over banks and other financial institutions with their own treasure troves of consumer info because traditionally the latter more aggressively protect that data.
“The common mentality [has been] do as little around security as they can in order to just get by,” Chiu said of retailers. Why? “Profit,” he said. “Every company is trying to do more with less.”
But retailers are beginning to realize that they can no longer accept fraud as a cost of doing business. Chiu said his company has fielded four times as many inquiries since late December as it had in the prior two months.
Banks and retailers are already in the expensive process of switching to a more secure payment method relying on credit and debit cards that work with a microchip. Payment data is stored in the chip instead of on the magnetic stripe used on current cards. The chip generates a single-use code to process only that one transaction through a merchant’s server. That makes a card nearly impossible to counterfeit because even if the data is hacked, it can’t be used again.
Visa and MasterCard have given banks and retailers an ultimatum of sorts, pushing them to adopt the terminals and cards necessary for chip technology by October 2015. After that, as a condition of using the payment systems run by the big credit card companies, whoever hasn’t adopted the new technology will be responsible for the costs of fraud if a breach occurs on their system.
Some retailers are also pushing for the adoption of personal identification numbers to authenticate transactions instead of relying on signatures, as many credit card payments do now.
“The signature is essentially worthless, because anybody can write (your name) on the back of a card or slip,” said Mallory Duncan, chief legal counsel for the National Retail Federation.
Today, the issuing bank decides whether to give a customer a PIN with their card or allow them to sign for purchases.
The transition to “chip and pin” cards has gotten the most attention, but security experts say that move alone won’t be enough to keep company networks secure and personal data out of the hands of cyber criminals.
“People are treating chip and pin as an ambrosia, and that’s completely ridiculous,” said Daimon Geopfert, national leader for security and privacy consulting at consulting firm McGladrey. “Everybody moves to new technology, and what do you think the attackers do? They just move to the new technology.”
MITIGATING THE DAMAGE
Chiu and Blue Coat’s Thompson say there is too much emphasis on trying to keep hackers out of systems when companies need to assume hackers have already gotten in, and work on mitigating the damage.
“It’s always been an escalation of arms,” Thompson said. “Attackers advance, defenders advance. I think what we’re moving to in the security industry is this idea that, yes, we’re going to continue to advance around prevention, but we’re also going to build a strong competency in being able to recover quickly if an attack does occur.”
Companies also need to closely monitor and limit employee access to company networks and make sure any sensitive data — from patient records to credit card numbers — is encrypted to make it unreadable, which most companies don’t do, Chiu said.
A more immediate step might also be to encrypt credit card data as soon as a card is swiped through a store’s card reader, a process known as point-to-point encryption. It’s an upgrade that wouldn’t cost as much or take as long to start using as chip and pin technology, Geopfert said. Today encryption typically occurs further down the line of payment processing, leaving the data unencrypted for a “nanosecond” and making it easier to steal, he said.
ASLEEP AT THE WHEEL
Some security leaders argue that businesses need to do a better job meeting the security standards they’re already required to follow — and staying on top of them. In order to accept credit and debit cards, businesses have to comply with 12 security standards set by the Payment Card Industry Security Standards Council, an organization founded in 2006 by the major card processors. The standards include changing the default passwords that initially come with security systems, encrypting data that travels across public networks and keeping anti-virus software up to date.
But companies have to report their compliance with PCI standards only once a year, and they may not necessarily remain compliant the rest of the time. In most cases, hackers steal information from companies that haven’t kept up with PCI standards year-round, said Bob Russo, general manager of the standards council.
“Ninety-nine percent of what we’re seeing is attacks with known fixes,” Russo said. “For whatever reason, the ball got dropped.”
A report out this month from Verizon finds that many businesses fail to stay compliant 100% of the time.
“Criminals only need one chink in your company’s armor to get in,” the Verizon report says. “Some companies still treat compliance as a one-off annual scramble. … But if you don’t work at compliance, just one new uncontrolled Wi-Fi access point, unprotected admin account or unencrypted drive could take you out of compliance.”
THE END OF CREDIT CARDS?
The retail federation’s Duncan even suggests that cards as a payment option could become useless if banks and retailers can’t agree on the best way to adopt the chip-based cards and readers.
A group of merchants including Walmart, Target, Gap and Sears are collaborating on a mobile payments network called MCX, for Merchant Customer Exchange, that would rely on mobile phones instead of plastic cards to complete transactions.
“No one is going to spend money on systems that don’t protect their customers,” Duncan said. “Realistically, they’re going to look for other alternatives, like mobile, that will protect their customers and reduce fraud, and the card systems will make themselves irrelevant.”
Some shoppers have cut back on their card use already, opting to pay with cash for smaller purchases, while others have become more diligent in monitoring financial accounts.
Levi Zimmer, 27, wasn’t directly affected by the Target data breach, but had family members who were. Since then, he’s started using cash for groceries, restaurants, bars and drugstore purchases — generally for anything that costs less than $200.
“I know it only takes one breach at one store, but if I can limit the times I use plastic, maybe I can be spared,” said Zimmer, who lives in North Mankato, Minn. “I will probably continue carrying cash until that time I get punched and robbed with $200 in my pocket. One way or another, thieves are going to steal.”