SAN
JOSE, Calif. — Hold onto your credit cards —
cybercriminals are eager to hack them, and this holiday
shopping season, there is a good chance they will be
successful.
Despite
the massive and high-profile data breach at Target last
year, in which thieves stole credit card or personal
information for up to 110 million people just as the
shopping season kicked into high gear, many large
retailers remain woefully unprepared to defend against a
cyberattack, according to security experts.
Meanwhile,
cyberthieves are smarter and more efficient at breaking
into retailers’ networks and stealing consumer data,
and some credit card companies are ratcheting down fraud
protection to speed transactions during the shopping
rush. That sets up the holidays to potentially be a
whammy of a payday for criminal groups — and puts
consumers at greater risk as they enter the biggest
shopping season of the year.
"It’s
the perfect time to get boatloads of credit cards in one
shot," said John Kipp, chief operating officer for
security firm Sera-Brynn. "The holiday season is a
wonderful time for criminals."
And
consumers can expect to pay — as retailers face
mounting fines from financial regulators for data
breaches, and must invest in pricey new security
systems, some experts expect the costs will be passed on
to consumers in the form of higher prices.
According
to a study by Cambridge, Mass.-based security firm
BitSight Technologies, which analyzed the risk of a
breach at 300 large retail companies, 58 percent of
retailers are less secure than they were a year ago
because more hackers have been getting inside their
firewalls and stealing data, often quicker and more
stealthily than they were before. Retailers — which
just a few years ago weren’t worried about
cybersecurity — are struggling to plug the holes in
their networks and their vendors’ networks. Many
retailers don’t have cybersecurity expertise in their
boardrooms, can’t find the cash to invest in the
protection they need and are too slow to react in the
cat-and-mouse game with cybercriminals, experts say.
"Compared
to two years ago, I would say that not much has changed
except the urgency by the criminals," said Martin
Ferenczi, president of North American operations for
Oberthur Technologies, a digital security company.
The
gaps in security suggest data breaches are as inevitable
during these next few weeks as the ugly Christmas
sweater party and jockeying for parking at the mall.
Experts say holiday season is prime time for criminals,
who see crowded malls and customers armed with credit
cards and shopping lists as easy targets. And this
holiday season is expected to be a lucrative one, with
the National Retail Federation predicting sales in
November and December will grow 4.1 percent over last
year to $617 billion, and shoppers will spend about 5
percent more on gifts than last year.
"Bad
guys know that this is a big shopping season," said
Bob Ackerman, founder and managing director of venture
capital firm Allegis Capital and an expert in
cybersecurity issues. "Bad guys are on the prowl,
they are active, and they know this is a time of year
where there is a lot more fish that their net can
capture."
(EDITORS:
BEGIN OPTIONAL TRIM)
Compounding
the risk is that credit card companies usually relax
fraud rules between Black Friday and Christmas because
they have to process a tremendous volume of purchases in
a short period of time, security experts say, and fraud
detection often slows down transactions.
Since
the start of the year, more than 500 million credit card
records have been stolen, according to cybersecurity
firm TrapX Security. This year, there have been 20
publicly reported data breaches at major retailers.
"It’s
definitely going up," Kipp said. "We’ve
already eclipsed last year in terms of data breaches,
and the holidays haven’t arrived yet. I think it’s
going to get ugly."
(END
OPTIONAL TRIM)
Retailers
have ramped up security plans to protect themselves and
their customers after the Target breach, a sweeping hack
in November 2013 that convinced most retailers that
cyberattacks are a real and unavoidable threat. Still,
most corporations have moved too slowly to keep up with
cybercrime syndicates, which need only a computer and a
savvy hacker to wreak havoc, experts say.
"If
the question is how fast can corporate America adopt
these new technologies, the answer is it’s going to be
too late for this season," said Carl Wright,
general manager and executive vice president of TrapX
Security.
Retail
industry leaders, however, say credit card companies and
banks haven’t taken enough responsibility for
protecting consumer data, at times stymieing retailers’
progress. Recently, about 100 retailers joined together
to share information about bugs and potential threats,
keeping each others’ networks safe, said Mallory
Duncan, senior vice president and general counsel for
the NRF.
"It’s
like having a neighborhood watch so they know the
threats in the vicinity," he said.
There
are signs of progress. The study by BitSight
Technologies found that three-quarters of retailers who
experienced a data breach did improve their security —
a bright spot that shows the breach "woke up boards
and woke up executive management teams," and
Stephen Boyer, BitSight’s co-founder. These retailers
have embraced cybersecurity, not just as a job for the
IT department, he said, but as a new way of doing
business that involves better technology, buying
cyberinsurance, hiring security experts and sometimes
replacing top-level executives. Target ousted its CEO
following the breach and replaced him with Brian
Cornell, known for his data security chops.
These
efforts help minimize the risk, but they also cost the
retailer, who may pass the buck to the consumer.
"It
gets passed on in higher prices," said Venky
Ganesan, managing director and venture capitalist at
Menlo Ventures. "It’s the silent pass. They are
going to try and pass the entire thing on to
consumers."
———
Tips
to protect yourself from retail hacks
—Pay
in cash
—Use
prepaid cards
—Avoid
debit cards
—Don’t
make purchases on public Wi-Fi
—Secure
all your accounts with strong passwords, and change
passwords frequently
—Store
passwords using secure programs such as 1Password or
LastPass
—Use
encrypted websites, which begin with "https"
—Carefully
review credit card bills
—Ask
your financial institutions to set up fraud alerts on
your accounts
—Ask
your bank for a credit card with EMV chip technology
(Wal-Mart and Sam’s Club have EMV chip card readers)
—Update
your computer operating system
