Major attacks on retailers cast spotlight on higher-security cards

Network breaches that occurred at Target, Neiman Marcus and other popular U.S. retailers over the holiday shopping season have turned the spotlight on the use of higher-security debit and credit cards.

Over the weekend, Target Chief Executive Gregg Steinhafel confirmed security experts' suspicions that the company's point-of-sale systems had been infected with malware, which led to the theft of 40 million credit and debit card accounts and personally identifiable information for 70 million people. The data stolen did not include social security numbers.

On Friday, luxury retailer Neiman Marcus confirmed its network also had been hacked, but has yet to provide details on the amount and type of customer data stolen. Reuters reported Sunday that breaches smaller than Target's had occurred in at least three other well-known U.S. retailers. The names of the retailers or details of the attacks were not available.

The high-profile attacks have brought to the forefront the banking and retail industries' efforts to migrate away from current cards that use a magnetic stripe on the back to store customer data. In their place would be cards that use a computer chip and require a personal identification number (PIN).

Banks in 80 countries in Europe and Asia use so-called "chip-and-pin" cards. U.S. banks have been much slower to adopt the technology because losses from fraud were much lower than the cost of issuing new cards, as well as the expense of having retailers upgrade POS hardware and software to use the cards.

However, the size and frequency of card number thefts, starting in 2007 with the compromise of 94 million accounts from retailer TJX, have made the case for higher-security cards more compelling.

The media attention on such cases is starting to shake consumer confidence, which could lead to less credit card use and significantly add to the direct losses from fraud.

"The benefits are now there for the consumers, the banks and the retailers," Mary Ann Miller, managing director of fraud consulting and industry relations at NICE Actimize, said. "I doubt that card losses alone would ever direct the business case in the U.S., but I think it's definitely consumer confidence that's driving the business case now."

Banks plan to require retailers to accept chip-carrying cards sometime in 2015, Miller said. Gas stations will have until 2017 to outfit pumps for the new cards.

Retailers say they support the move, but need to see more commitment on the part of the banks.

"Retailers are encouraging a move to adopt the new technologies, and indeed some have already begun to do so," Mallory Duncan, general counsel for the National Retail Federation, said. "But frankly, it's a useless investment until the banks upgrade from their fraud-prone cards to PIN and chip."

The more advanced cards would not have helped prevent the Target hack, which experts say likely involved malware known as a "RAM scraper." Such malware steals transaction data from the POS terminal's random access memory (RAM), which could also contain the customer information and PIN from a chip-based card.

"The chip card prevents me from taking your card and using it at the store," Ron Gula, chief executive at Tenable Network Security, said.

The cards also make it much more difficult for criminals to make counterfeit cards after they have stolen card data, Miller said.

"They certainly could use the (stolen) information for card-not-present transactions on the Internet or mobile, but it would definitely limit their options at the point of sale," Miller said.

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts