Over the weekend, high-end retailer Neiman Marcus admitted that hackers infiltrated its systems and stole an undisclosed number of credit and debit card numbers, along with other personal information belonging to its customers.
The breach comes just days after Target said that hackers stole the payment data, addresses, phone numbers, and names of some 70 million customers – a number that may or may not include the roughly 40 million shoppers whose private data landed in hackers’ hands following the post-Thanksgiving spending spree.
Cyberattacks are nothing new, of course. What makes the Target and Neiman Marcus breaches so frightening for shoppers – at least, for this shopper – is that both attacks only affected customers who made purchases offline.
So why have hackers suddenly turned toward brick-and-mortar retailers? How are they pulling it off? And is it possible that shopping offline is now less safe, or at least as risky, as shopping online?
Low-hanging fruit
Since Amazon.com launched in 1995, consumers have worried about hackers snagging their credit-card data from the Web – and rightly so. Retailers lost roughly $3.5 billion in e-commerce sales during 2012 due to credit card fraud, according to payment processor CyberSource.
“If we measured fraud loss, payment fraud is three times higher online than it is offline,” says Loc Nguyen, vice president of marketing for fraud prevention firm Feedzai, which uses advanced machine-learning techniques to predict payment fraud. “Online has been traditionally thought of as less safe, but online shopping only accounts for 6 percent of spending, which equals $343 billion out of the $4 trillion in retail purchases.”
So while online shopping may be considered less safe, offline retailers represent a far juicier target for cyber-thieves. “Just as bank robbers rob banks (because that’s where the money is at), professional fraud organizations go after offline environments because that’s where the card data are,” Nguyen says.
Historically, offline retailers have enjoyed greater protection from cyberattacks simply because their business transactions were less connected to the online world. But this is changing. Increasingly, the systems you use to buy online and offline are inexorably intertwined. And that’s a problem.
Rise of the RAM scrapers
In recent years, hackers have begun using a type of malware known as a RAM scraper, which specifically targets brick-and-mortar retailers’ point-of-sale devices – digital cash registers, in other words. Reuters reports that the Target and Neiman Marcus hackers likely used sophisticated RAM scrapers to steal customers’ credit- and debit-card numbers.
RAM scrapers have been around for years and target a payment security standard known as PCI-DSS, which is predominantly used in the US. While PCI-DSS requires that payment data be encrypted end-to-end, there is a brief moment – milliseconds – after you swipe your card when the number and other data sit in plain-text form in the register’s memory, meaning anything with access to that memory could read them during that instant. That’s all hackers need to steal the payment data and copy it to their list.
“Going after point-of-sale gives the attackers an opportunity to collect credit card data in bulk,” says Roel Schouwenberg, Principal Security Researcher at cybersecurity firm Kaspersky Lab. “The attackers will also be hoping to have a higher success rate using cloned, physical cards rather than using cards online.”
Attacking point-of-sale also makes it possible to sell those card numbers to other criminals in a greater variety of forms, Schouwenberg says. “When trying to resell the stolen credit card data online, the attackers may also be able to sell into different underground markets, as the people dealing with cloned cards are not necessarily the same people dealing with online fraud,” he says.
Bad connection
Twice last year, in April and August, Visa issued security alerts about the rise of RAM scrapers, warning retailers both times to separate their payment systems from other systems to help mitigate the risks of malware infections, and curb the amount of data that attackers could steal. But this isn’t happening – if anything, retailers’ systems are becoming more and more interconnected.
“Brick-and-mortar and online retailers are storing lots of information on consumers to make shopping easier and more personal; therefore, a swipe of a credit card at a store versus an online merchant is the same,” says Eric Chiu, president and co-founder of cloud security firm HyTrust. “Also, because of the density of data in today’s networks, thieves don’t just get some data – they get it all.”
“The recent Target attack was about stealing data,” says Nguyen. “Data has and will continue to be the digital payment industry’s most valuable asset.” And because our offline and online shopping is becoming further entwined, we can only assume that cybercriminals will increasingly target both online and brick-and-mortar payment systems.
Nguyen adds, “As our lives gradually migrate onto the Internet, and consumers continue to embrace omnichannel commerce, so too will the criminals employing increasingly sophisticated attacks that cross channels so the notion of a relatively safer channel is fleeting.”
The big fix
The good news in all this is that credit card fraud has fallen over the past 20 years, “from 6.1 cents to 5.2 cents for every $100 spent,” says Nguyen, “so we can say that, overall, our money [is] safer than it has ever been.” Unfortunately, that’s talking percentages. During the same period, credit card use has increased – and so has the total number of dollars lost, from less than $2 billion annually to more than $11 billion, by Feedzai’s count.
“As the world moves away from cash, there’s just more electronic payment volume to be protected,” says Nguyen.
Still, $11 billion is a lot of money. And protecting that money in an increasingly connected payment infrastructure likely requires retailers and payment processors to swap out the PCI-DSS standard for a whole new set of tools known as EMV.
Also called “Chip-and-PIN,” the EMV standard – named after its primary developers, Europay, MasterCard, Visa – uses cards with embedded microprocessors that require customers to enter a PIN to authenticate a transaction, rather than simply scribbling their signature on a piece of paper or digital payment pad.
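To make concrete why the chip changes the picture, here is an added example that is not from the article or from any of the firms quoted in it. It models the contrast the article draws: a magnetic stripe emits the same static data on every swipe, so a copy captured from a register’s memory works on a cloned card, whereas an EMV-style chip signs each transaction with a key that never leaves the card, a per-card transaction counter and a number chosen by the terminal, so a captured transaction cannot be reused. It is deliberately simplified: HMAC-SHA256 stands in for the EMV cryptogram MAC, the PAN is the standard “4111…” test number, the key and terminal numbers are constructed placeholders, and the issuer logic is a sketch rather than the EMV specification.

```python
"""Simplified model: static magstripe data replays, EMV-style cryptograms do not.

Added example with constructed values only. HMAC-SHA256 is a stand-in for the
EMV application cryptogram; nothing here is real card data or a real issuer key.
"""
import hashlib
import hmac

TEST_PAN = "4111111111111111"      # well-known Luhn-valid test PAN (constructed)
TEST_CARD_KEY = bytes(range(16))   # placeholder per-card key; real keys are issuer-derived


class MagstripeCard:
    """Every swipe emits identical track data, so a captured copy equals the card."""

    def __init__(self, pan: str, expiry: str = "2512", service_code: str = "101"):
        self.track2 = f"{pan}={expiry}{service_code}0000000000"

    def swipe(self) -> str:
        return self.track2


class ChipCard:
    """EMV-style card (simplified): a fresh MAC over amount, application
    transaction counter (ATC) and the terminal's unpredictable number (UN)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key          # never leaves the chip
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: int) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{self.atc}|{unpredictable_number}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number, "cryptogram": mac}


class Issuer:
    """The issuer's authorization host, holding card secrets and replay state."""

    def __init__(self):
        self.magstripe_on_file = {}   # pan -> expected track2
        self.chip_keys = {}           # pan -> card key
        self.last_atc = {}            # pan -> highest ATC already accepted

    def enroll_magstripe(self, card: MagstripeCard) -> None:
        self.magstripe_on_file[card.track2.split("=")[0]] = card.track2

    def enroll_chip(self, card: ChipCard) -> None:
        self.chip_keys[card.pan] = card._key

    def authorize_magstripe(self, track2: str) -> bool:
        # Static comparison: the issuer cannot tell a copy from the original.
        pan = track2.split("=")[0]
        return self.magstripe_on_file.get(pan) == track2

    def authorize_chip(self, req: dict, terminal_un: int) -> bool:
        key = self.chip_keys.get(req["pan"])
        if key is None:
            return False
        if req["un"] != terminal_un:
            return False            # not produced for this terminal session
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False            # counter reuse: replay of an earlier transaction
        msg = f"{req['pan']}|{req['amount']}|{req['atc']}|{req['un']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False
        self.last_atc[req["pan"]] = req["atc"]
        return True


def simulate() -> dict:
    """Run one genuine purchase per card type, then attempt to reuse the captured data."""
    issuer = Issuer()
    mag, chip = MagstripeCard(TEST_PAN), ChipCard(TEST_PAN, TEST_CARD_KEY)
    issuer.enroll_magstripe(mag)
    issuer.enroll_chip(chip)
    un_store_a, un_store_b = 0x1A2B3C4D, 0x5E6F7081   # fixed here; real terminals pick random UNs

    captured_track2 = mag.swipe()                       # what a RAM scraper would see
    captured_chip = chip.generate_cryptogram(4999, un_store_a)
    results = {
        "magstripe_genuine_accepted": issuer.authorize_magstripe(captured_track2),
        "chip_genuine_accepted": issuer.authorize_chip(captured_chip, un_store_a),
        # Reuse of the captured data elsewhere: the static stripe still authorizes,
        # the captured cryptogram fails on UN mismatch and on the stale counter.
        "magstripe_replay_accepted": issuer.authorize_magstripe(captured_track2),
        "chip_replay_new_terminal_accepted": issuer.authorize_chip(captured_chip, un_store_b),
        "chip_replay_same_terminal_accepted": issuer.authorize_chip(captured_chip, un_store_a),
    }
    # The legitimate card keeps working: its counter simply moves on.
    second = chip.generate_cryptogram(1250, un_store_b)
    results["chip_second_genuine_accepted"] = issuer.authorize_chip(second, un_store_b)
    return results


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'declined'}")
```

The interesting lines are the three checks in `authorize_chip`: the terminal’s unpredictable number ties the cryptogram to one session, the counter rejects anything already seen, and the key check means a cloned card without the chip’s secret cannot mint a new cryptogram at all. None of those defenses exists for the stripe, which is why the plain-text window the article describes matters so much for magstripe transactions and so much less once a chip is involved.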
“In Europe, we’ve witnessed a serious ramping-up of offline attacks over the course of the last few years. It took migrating to an EMV-only infrastructure to significantly curb the amount of incidents,” says Schouwenberg. “It’s plausible we’re going to see a similar pattern over here. With EMV adoption being few and far between in the US, it would likely take us longer to curb the amount of incidents.”
Additionally, security experts say retailers need to begin thinking about their entire payment network as though it could be breached at any time – or possibly already has been breached.
“Given that attackers are getting more sophisticated, all merchants need to re-think their security model and focus on an ‘inside-out’ model of security, which assumes the bad guys are already on the network,” says Chiu.
Last two cents
As cybercriminals wage ever more sophisticated attacks, and US retailers scramble to institute new safeguards on their networks while migrating to an entirely new security standard, we customers must remain vigilant about protecting ourselves from the bad guys by watching our transaction histories like a hawk. The transition to the EMV standard is not going to be easy, it will take a long time to get there, and it still won’t be foolproof. So if you’re looking for a quick fix, I can offer but one reliable suggestion: Use cash (and keep an eye out for pickpockets).