
A holiday without data breaches? Not likely, experts say

Here’s something to consider as you do your holiday shopping: Is it safe to swipe your credit or debit card at the register?

It was almost a year ago that we learned about the massive breach at Target stores. On December 13, 2013, cyber security journalist Brian Krebs broke the story on his blog, KrebsOnSecurity. He reported that hackers had infiltrated Target’s computer network before the Black Friday shopping rush and stolen millions of customer debit and credit card account numbers.

Photo caption (Damian Dovarganes / Today): Is it safe to swipe your credit or debit card at the register this holiday season? Retailers say it's getting safer; security experts say more data breaches are coming.

At the time, no one realized this would be the first in a series of major hack attacks on the nation’s retailers – Michaels, Dairy Queen, P.F. Chang’s, Staples and The Home Depot, just to name a few – that would involve hundreds of millions of account numbers and other personal information.

The constant news coverage of these breaches may have you asking: Has anything been done since then to deal with this threat? Are retailers taking it seriously enough? Will this data theft ever stop?

“We are going to continue hearing about nationwide retail chain breaches at a pretty constant drumbeat for the next year, year-and-a-half, maybe two years,” Krebs said.

The nation’s retailers say they realize they’re under attack and they’re working on ways to fight back – installing more secure card readers at checkout and encrypting card numbers in their computer systems. But the work has just started and there’s a long way to go.

“And that means consumers are no more secure this year than they were last year,” said Alphonse Pascual, director of fraud and security at Javelin Strategy & Research.

Security experts contacted by TODAY all say they expect another breach similar in size to Target or Home Depot by early next year.

“If a retailer is compromised this holiday season, that announcement will probably be delayed until January,” Pascual said. “For the consumer that means stepping in line at checkout or even shopping online is still tantamount to Russian roulette when it comes to using their credit and debit cards.”

Retailers disagree.

“I think consumers are more secure this year than last, but they’re still not fully secure,” said Mallory Duncan, senior vice president and general counsel at the National Retail Federation (NRF). “There is a concerted effort to make the payment system more secure. This has begun in earnest, but we are a long way from accomplishing that.”

For example, Duncan says the NRF created an IT Security Council – made up of 130 experts in retail security technology – to make it easier for large retailers to collaborate and exchange information about ongoing threats.

Target would not talk to TODAY for this story. In an email, public relations manager Molly Snyder wrote that providing customers “with a safe and secure shopping experience will continue to be a top priority.” Snyder said Target has taken “significant steps” to enhance security and it will continue to invest in this area going forward.


What about those new chip-enabled credit cards?

Everyone agrees it’s ludicrous to store account information on a magnetic strip on the back of the card. It’s 1960s technology that makes these cards easy to counterfeit.

“You cannot secure a house of straw,” Duncan said. “If the cards are fundamentally flawed, there’s only so much we can do downstream to patch the holes.”

The next generation of payment cards, slowly rolling out to consumers, should make it much harder for criminals to use stolen credit or debit card numbers to create counterfeit cards. Chip cards use an embedded microchip to store and encrypt the account information, making them nearly impossible to copy.

Chip cards are also referred to as EMV cards – that’s what they’re called in Europe, where they were introduced about a decade ago.

In the U.S., financial institutions have been slow to replace their old cards with new chip cards. Bankers said they didn’t see the need to do this until payment terminals that could accept EMV cards were in stores.

Until the Target breach, retailers weren’t in a rush to install these costly new point-of-sale machines because very few customers have EMV cards.

It was the proverbial chicken and egg standoff.

The recent string of high-profile breaches seems to have gotten everyone’s attention and pushed things along.

“The tipping point has been reached,” said Adam Levin, chairman of IDentity Theft 911. “It’s clear that we have to do it. Everybody’s calling for it and people are working hard to get it done.”

But again, it’s going to take time.

Target said it’s moving quickly and is on track to roll out chip technology to all of its stores beginning early next year.

About 60 million Americans have an EMV payment card now, according to Javelin Strategy & Research. With one billion credit and debit cards currently in circulation in the U.S., that’s a drop in the bucket.

Bob Sullivan has two EMV cards in his wallet and he can’t find a store where he can use them. He still has to swipe the magnetic strip on the back to pay. Sullivan is a journalist who covers technology and security on his blog, BobSullivan.net. He knows the changeover isn’t easy, but he’s discouraged by the slow pace.

“Until every retailer gets these EMV card readers and activates them, the crime will be the same,” he said.

And that’s going to take years. Javelin estimates that it will take until 2018 for 90 percent of the U.S. merchants to be ready to handle EMV payments.

Sullivan is so sure more retailers will be breached that he no longer uses his debit card to buy things. He only uses it to withdraw money from ATMs – a transaction which requires a PIN. He’s encouraged his readers to do the same.

“Using credit is much safer than using debit and it’s so much easier to recover when your credit card number is stolen than when your debit card number is stolen,” Sullivan said.

The fight will never end

Krebs, who has covered all the major retail security breaches since Target, says retailers must realize there is no way to keep the criminal hackers out of their systems and plan accordingly.

“If you can’t keep them out, then you’d better make darn sure that you are able to protect your crown jewels – credit and debit card data and customer contact information – when they do get in,” Krebs said. “The message from Target and Home Depot is that if you’re not encrypting this data, these crown jewels, then you are painting a target on your back.”

Security experts warn that as soon as chip technology stops fraudsters from making counterfeit cards, they’ll simply go online where physical cards are not needed. This happened in Europe as countries switched over to EMV cards. Once credit cards could not be counterfeited, point-of-sale fraud dropped dramatically, but Internet payment fraud skyrocketed.

The same thing is expected to happen here, so figuring out ways to deal with this migration of crime to the Internet needs to start now.

“There’s no silver bullet,” noted Adam Levin at IDentity Theft 911. “Every time we develop a solution, the bad guys come up with an override. But, we’ve got to keep doing better.”

Herb Weisbaum is The ConsumerMan. Follow him on Facebook and Twitter or visit The ConsumerMan website.
