Until 2013, the data breach that affected millions of T.J. Maxx and Marshalls shoppers almost a decade ago reigned supreme in the annals of retail hacking.
The holiday-season attack on Target, the nation’s third-largest retailer, made that episode seem almost trifling by comparison. From Thanksgiving week into December, the year’s busiest buying period, personal information of up to 110 million Target customers was stolen — and the repercussions for the company, for consumers, and for the retailing industry are likely to persist for months, if not years.
If Americans had been unaware of the potential perils of buying with credit cards before the Target attack, it and the recently disclosed breach at Nieman Marcus were a wake-up call.
“The Target hacking was an earthquake in comparison with previous ones,” said Eugene Fram, professor emeritus of marketing with Rochester Institute of Technology’s Saunders College of Business.
Villanova School of Business marketing and business law Prof. Ronald Hill says, “It shows that no firm fully controls the data that they store on their customers. It shows how much data they keep that is potentially dangerous for their customers. It shows that they are unable to resolve the problem without inconveniencing and forcing their customers to resolve it on their own.”
And the worst almost certainly is yet to come, the FBI maintains.
In a recent confidential report to retailers, the agency warned of the spread of malicious software — malware — that can clandestinely penetrate so-called point-of-sale systems, the means by which retailers conduct transactions. Credit-card swiping machines, which connect to a company’s computer network, typically through the Internet, are a common POS device.
“We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it,” the FBI wrote in its report “Recent Cyber Intrusion Events Directed Toward Retail Firms.” The Reuters news agency published a story on Jan. 23 after viewing the report.
“The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors,” the FBI said.
Most troubling about the Target breach, said Patrick Peterson, founder and chief executive officer of California-based cybersecurity company Agari, is not data on the estimated 40 million credit and debit card accounts that were stolen.
It’s the personal information — personally identifiable information, or PII in industry jargon — on an additional 70 million customers the criminals also accessed. This includes names, mailing addresses, phone mail or email addresses.
“Cybercriminals just served up a one-two punch on 110 million shoppers at Target’s expense,” Peterson said. “The 40 million credit-card jab hurt — but it’s really the 110 million personal information-record cross that’s going to put us down for the count.”
Peterson noted that card holders are afforded a degree of protection from card companies, payment processors and banks.
“Like it or not, our credit card numbers circulate across the Internet, in restaurants and bars and in taxicabs. The payment industry protects consumers from unauthorized charges and has a massive anti-fraud network. Consumers can always get a new credit card. An unauthorized charge is a bad thing, but a new credit card isn’t the end of the world.”
Personal information, however, is like a glistening gem in the hands of criminals who can leverage it to conduct identity theft, which can be a far worse nightmare than credit-card fraud.
“Criminal possession of [that] has no easy solution,” Peterson said. “Change your home address? Abandon a long-term email address and stop corresponding with the world? Neither are options, and yet criminals will bring a multitude of attacks with the PII — phishing attacks, identity theft, creating bank accounts in your name. These attacks could start now or years from now.”
“There are only two kinds of companies: those who have been breached and those who will be breached.”
So asserts Cynthia James, author of “Stop Cybercrime from Ruining Your Life” and director of business development for Kaspersky Lab, a leading antivirus and Internet security firm, headquartered in Moscow.
In the wake of the Target attack, James says, retailing in general will pay a steep premium.
“The sheer costs of this breach, including the loss of brand and the expected lawsuits, will make retailing more expensive. Companies will spend more on security — at least they should if they are calculating return on investment — because better security is cheaper, to a point, than having this happen. They will have to pass these costs along to customers also, or take lower profits.”
James pointed to the Data Security Act, introduced last month by Senators Tom Carper, D-Delaware, and Republican Roy Blunt of Missouri. The legislation would require retailers, banks, government agencies and others to protect personal information and notify people when there is risk of identity theft or fraud. If a breach affected more than 5,000 consumers, law-enforcement and federal agencies also would have to be notified. The Target breach first came to light when an independent reporter published word of it, not from a company disclosure.
“We cannot allow technology advances to outpace the security measures in place to safeguard the transactions we conduct in person and online,” Carper said in introducing the bill.
Said James: “If it passes, costs will increase for retailers.”
But without it, she said, the prospects for industry-wide reform are questionable.
“It’s very unlikely that any retailer is a ‘model citizen’ in this regard,” she says. “They are especially challenged because they are very attractive targets to cybercriminals — but they work hard to keep their costs down. And good security costs money.”
James has joined the growing call for American businesses to adopt a system in use in Europe that has replaced the half-century-old magnetic-strip technology that leaves American cards especially vulnerable to breach. The “smart cards” favored across the Atlantic include a microchip and require PIN authentication, features that make hacking more difficult.
In a letter to Congress last month, the president and CEO of the National Retail Federation, America’s largest such group, accused U.S. financial institutions of failing American consumers — and of acting hypocritically in the domestic market.
“For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and Chip card technology for customers in Europe and dozens of other markets,” said Matthew Shay, head of the National Retail Federation.
“The retail industry is eager to work with banks and card companies to fight cyber attacks and reduce fraud,” Shay said. “These efforts include installation of sophisticated new PIN-enabled point-of-sale-systems and readiness to adopt cards with more secure microchip technology, but the fact remains that retailers cannot do this alone.”
Harvard economist Edward L. Glaeser, who wrote recently about the issue in The Boston Globe, also endorses the change:
“The steady outbreak of credit card thefts reminds us that the swipecard system is fundamentally insecure — the cards are easy to make and signatures afford no protection whatsoever. Chip and pin is not a panacea and it isn’t free — conversion costs will certainly be in the billions. But as data thefts become even more spectacular, the case for upgrading to the global standard seems ever more urgent.”
Still, a chip-and-PIN system cannot be seen as a panacea, says Yan (Lindsay) Sun, associate professor with the University of Rhode Island’s department of electrical, computer and biomedical engineering.
“I personally like the chip-and-PIN system,” she said. “It has successfully reduced the credit card fraud in Europe. On the other side, please be aware that technologies often do not provide the complete solution. Security level is determined by the weakest link, which can involve polices, incentives, and ourselves — i.e. human, errors and negligence.”
It did not take long for the Target criminals to capitalize on their stolen information. Sold on the Internet’s Dark Web, it has already been used in the manufacture of fraudulent credit cards now available on the black market. Reports of identity theft connected to the hacking have surfaced. The Secret Service, FBI and other government agencies are investigating. The trail seems to lead to young men in Eastern Europe, perhaps Russia, as masterminds of the attack.
Rhode Island Attorney General Peter F. Kilmartin has joined other attorneys general in their own investigation. Kilmartin urges consumers who may have been affected by the Target breach to take advantage of the company’s offer of free credit monitoring, details at creditmonitoring.target.com
“Being pro-active in protecting your credit and identity may prevent future problems,” Kilmartin said.
Beyond that, security experts recommend several measures.
“One of the best options is to go ahead and sign up for one of those credit protection services which monitors our accounts and reports on all new activity,” said Kaspersky’s James. She also recommends checking credit-card accounts and bank balances regularly, and immediately reporting any suspicious activity.
Scott A. Merritt, author of “Identity Theft Do’s and Don’ts,” suggests learning about how cybercrime can occur. “Understand how and where it happens,” he said. “Identity theft is like being robbed when you are away from home: most thefts occur in places where you do business every day.” He also recommends changing passwords regularly.
“Of course, you can greatly reduce being a victim of such recent hacks that occurred at the major retailers by using cash more often,” Merritt said. “But if you’re going to use credit, use a card from a national bank or a national credit union and never a debit card, no exceptions.”
Some consumers may indeed turn — or return — to using cash, but currency is susceptible to theft of the old-fashioned sort. Hiding your assets under the mattress was never a wise strategy to begin with.
In any event, says Rochester Institute of Technology’s Fram, purchasing with plastic is an entrenched consumer behavior.
“The genie is out of the bottle,” Fram says. “Consumers are totally married to their credit cards.”
In the end, there may be no end. For most of us, life in the digital age is inextricably interwoven with the data bits that provide us convenience, entertainment and a window to the world — and which can be stolen by people with the appropriate motivation and skills.
“With the Target attack,” said Agari’s Peterson, “we are witnessing the unveiling of the next weapon in the never-ending arms race between the good guys and cybercriminals.”
No comments:
Post a Comment