Chances are good that U.S. consumers will feel at least somewhat more secure about their personal credit information as millions of chip-enabled credit cards begin arriving in the mail in the new year.
At the same time, chances are their fears of losing confidential information will be reignited, as they’re reminded of the porous nature of the digital universe and growing risks posed by their increased reliance on smartphones and tablets.
This story first appeared in the December 19, 2014 issue of WWD. Subscribe Today.
Security concerns grew in late 2013 as security breaches against Target Corp. and Neiman Marcus Group resulted in the loss, respectively, of an estimated 40 million and 1.1 million customer records.
Target suffered through lower holiday sales in the aftermath of the breach, contributing to the departure of chief executive officer Gregg Steinhafel, and a string of quarters of same-store sales declines that only ended during this year’s third quarter. Target appointed a veteran of the Department of Homeland Security, Bob DeRodes, as its chief information officer and, at a cost of about $100 million, accelerated both the conversion of its RedCard portfolio of credit and debit cards to chip-enabled cards and the activation of chip-reading terminals at point of sale.
While the move to chip-enabled cards will make the duplication of cards far more difficult than it’s been in the era of magnetic-stripe cards, the imminent conversion will do nothing to safeguard information residing on banks’, stores’ and payment networks’ mainframes that’s coveted by a worldwide network of cyber thieves, who continue to be pursued by a growing legion of imperturbable cyber cops.
While less dramatic than the massive hack on Sony Pictures or the disclosures of nude celebrity photos, the cyber thieves hardly have overlooked retail, which, according to the National Retail Federation, accounts for about one in nine hacking incidents. They’ve recently succeeded in stealing an estimated 56 million records from Home Depot Inc., the largest retail heist since the 2007 security breach at The TJX Cos. Inc., which resulted in the loss of approximately 94 million records. This month, Bebe Stores Inc. acknowledged that it also had been a victim of hackers who made off with an undisclosed number of customers’ records in the 19 days leading up to Thanksgiving. Its stores in Canada, already on chip-and-PIN cards, were spared.
With its continued dependence on magnetic-stripe cards, the U.S. has long been the soft target in the global digital battlefield. The U.S. accounted for 47.3 percent of the $11.27 billion in global credit, debit and prepaid card fraud losses in 2012, despite generating just 23.5 percent of global volume, according to data from The Nilson Report, a publication focused on the payment industry.
The criminal network might begin with tech-savvy hackers, but it ultimately makes its way to the street.
Consumers looking for less-than-honest bargains can buy the cards online or from street criminals who peddle them much the way they might illicit drugs. Other cards are used to buy merchandise, which can then be sold on the black market.
New York City Police Commissioner William Bratton said post 9/11, the city’s police force was moved into the information and technology age, “an era that continues to define us as it does [retail] business, all the changes in terms of how people shop online and the changes in how they charge the items they buy from you. With policing, we’re also going into technology in a very big way.
“Gangs have moved away from fighting over drugs,” Bratton said. “They are now fighting much more frequently over larceny type crimes, credit card theft. They’re becoming more sophisticated in where they’re trying to make their money.”
“What a lot of people are forgetting is that chips do nothing to protect online transactions and only protect the user at one point of entry — the store transaction,” said Wil Klusovsky, manager of North American pre-sales for NTT Com Security, a global information security and risk management firm. “It doesn’t make networks more secure, and we’re facing increasingly sophisticated technology and better-funded organizations, including some that appear to be state-sponsored, as we try to make our clients into ‘hard targets.’”
He found it “unfathomable” that, in a recent survey by his firm of U.S. companies, just 42 percent thought their data was completely secure and bemoaned what he felt was a sense of complacency on the part of many executives.
“It’s really not a matter of if you’ll be hit by a breach, it’s a matter of when,” Klusovsky said. “The important thing is to stop it quickly, recover quickly and help your customers recover quickly, too. Every time you enter into new technology, someone is working on a way of getting around it.”
The pace of hacking — the number of attacks, their point of origin and their destination — is tracked by cybersecurity firm FireEye at its Web site, fireeye.com. On one recent day, it recorded more than 26,000 attacks in 14 hours, with most coming from Russia and Asia, but a fair share from Germany and the U.S. as well.
Another security specialist, Gary Miliefsky, founder and ceo of SnoopWall, noted that the hackers have come a long way since they rode in cars outside parking lots burgling TJX data with a Pringles can used as an amplifying antenna. He worries that smart devices will lull consumers into a false sense of security and leave them vulnerable in new ways, especially as the popularity of mobile commerce grows.
“On Cyber Monday, you had people buying tablets for $100 and thinking that they were safe,” he told WWD. “What they don’t realize is there are apps in these devices that are loaded with creepware that’s spying on us. You can buy a vest stuffed with proximity hacking devices that can effectively access credit card and contact information from the apps running in the background on your smart devices, and more and more commerce is moving to e-commerce.”
He advises consumers to look for apps that don’t require location access or to disable location settings whenever possible.
Meanwhile, in what will be the last holiday season of magnetic-stripe card dominance, retailers and banks continue to lock horns on the protocol to be employed — chip-and-PIN or the relatively less secure chip-and-signature. The National Retail Federation and the Retail Industry Leaders Association are opting for chip-and-PIN as their members and other retailers spend an estimated $25 billion to $30 billion gearing up for the technology while the banks, anxious to shift the liability for losses off their own shoulders and onto those of stores with less up-to-date, stringent security at point of sale, favor a chip-and-signature protocol that would be less onerous for them to establish.
Mallory Duncan, senior vice president and general counsel of NRF, likens chip-and-signature to “closing the front door while leaving the back door open. The chip will help but it makes no sense to spend billions of dollars for a conversion like this and not go as far as possible to safeguard the system.”