Why are brick-and-mortar retailers crumbling under hacker attacks?

Over the weekend, high-end retailer Neiman Marcus admitted that hackers infiltrated its system and stole untold lists of credit and debit card numbers, along with other personal information belonging to its customers.

The breach comes just days after Target said that hackers stole the payment data, addresses, phone numbers, and names of some 70 million customers – a number that may or may not include the roughly 40 million shoppers whose private data landed in hackers’ hands following the post-Thanksgiving spending spree.

The bleeding does not stop there, however; according to Reuters, hackers have successfully breached the systems of “at least three other well-known US retailers.” We don’t yet know the identities of these outlets, but will undoubtedly find out soon.

Cyberattacks are nothing new, of course. What makes the Target and Neiman breaches so frightening for shoppers – at least, for this shopper – is that both attacks only affected customers who made purchases offline.

So why have hackers suddenly turned toward brick-and-mortar retailers? How are they pulling it off? And is it possible that shopping offline is now less safe, or at least as risky, as shopping online?

Low-hanging fruit

Since Amazon.com launched in 1995, consumers have worried about hackers snagging their credit-card data from the Web – and rightly so. Retailers lost roughly $3.5 billion in e-commerce sales during 2012 due to credit card fraud, according to payment processor CyberSource.

“If we measured fraud loss, payment fraud is three times higher online than it is offline,” says Loc Nguyen, vice president of marketing for fraud prevention firm Feedzai, which uses advanced machine-learning techniques to predict payment fraud. “Online has been traditionally thought of as less safe, but online shopping only accounts for 6 percent of spending, which equals $343 billion out of the $4 trillion in retail purchases.”

So while online shopping may be considered less safe, offline retailers represent a far juicier target for cyber-thieves. “Just as bank robbers rob banks (because that’s where the money is at), professional fraud organizations go after offline environments because that’s where the card data are,” Nguyen says.

Historically, offline retailers have enjoyed greater protection from cyberattacks simply because their business transactions were less connected to the online world. But this is changing. Increasingly, the systems you use to buy online and offline are inexorably intertwined. And that’s a problem. 

Rise of the RAM scrapers

In recent years, hackers have begun using a type of malware known as a RAM scraper, which specifically targets brick-and-mortar retailers’ point-of-sale devices – digital cash registers, in other words. Reuters reports that the Target and Neiman Marcus hackers likely used sophisticated RAM scrapers to steal customers’ credit- and debit-card numbers.

RAM scrapers have been around for years, and target a payment security standard known as PCI-DSS, which is predominantly used in the US. While PCI-DSS requires that payment data is encrypted end-to-end, there is a brief moment – milliseconds – after you swipe your card when the number and other data are in plain-text form, meaning anyone could read them during that instant. That’s all hackers need to steal the payment data and copy it to their list.

Using RAM scrapers makes perfect economic sense for hackers; not only can they pilfer far more credit card numbers at a time, but the wealth of data they obtain through a RAM scraper attack is more useful and valuable than what they can potentially take from online transactions.

“Going after point-of-sale gives the attackers an opportunity to collect credit card data in bulk,” says Roel Schouwenberg, Principal Security Researcher at cybersecurity firm Kaspersky Lab. “The attackers will also be hoping to have a higher success rate using cloned, physical cards rather than using cards online.”

Attacking point-of-sale also makes it possible to sell those card numbers to other criminals in a greater variety of forms, Schouwenberg says. “When trying to resell the stolen credit card data online, the attackers may also be able to sell into different underground markets, as the people dealing with cloned cards are not necessarily the same people dealing with online fraud,” he says. 

Bad connection

Twice last year, in April and August, Visa issued security alerts about the rise of RAM scrapers, warning retailers both times to separate their payment systems from other systems to help mitigate the risks of malware infections, and curb the amount of data that attackers could steal. But this isn’t happening – if anything, retailers’ systems are becoming more and more interconnected.

“Brick-and-mortar and online retailers are storing lots of information on consumers to make shopping easier and more personal; therefore, a swipe of a credit card at a store versus an online merchant is the same,” says Eric Chiu, president and co-founder of cloud security firm HyTrust. “Also, because of the density of data in today’s networks, thieves don’t just get some data – they get it all.”

“The recent Target attack was about stealing data,” says Nguyen. “Data has and will continue to be the digital payment industry’s most valuable asset.” And because our offline and online shopping is becoming further entwined, we can only assume that cybercriminals will increasingly target both online and brick-and-mortar payment systems.

Nguyen adds, “As our lives gradually migrate onto the Internet, and consumers continue to embrace omnichannel commerce, so too will the criminals employing increasingly sophisticated attacks that cross channels so the notion of a relatively safer channel is fleeting.”

The big fix

The good news in all this is that credit card fraud has fallen over the past 20 years, “from 6.1 cents to 5.2 cents for every $100 spent,” says Nguyen, “so we can say that, overall, our money [is] safer than it has ever been.” Unfortunately, that’s talking percentages. During the same period, credit card use has increased – and so has the total number of dollars lost, from less than $2 billion annually to more than $11 billion, by Feedzai’s count.

“As the world moves away from cash, there’s just more electronic payment volume to be protected,” says Nguyen. 

Still, $11 billion is a lot of money. And protecting that money in an increasingly connected payment infrastructure likely requires retailers and payment processors to swap out the PCI-DSS standard for a whole new set of tools known as EMV.

Also called “Chip-and-PIN,” the EMV standard – named after its primary developers, Europay, MasterCard, Visa – uses cards with embedded microprocessors that require customers to enter a PIN to authenticate a transaction, rather than simply scribbling their signature on a piece of paper or digital payment pad.

In the same warnings from last year, Visa urged companies to switch away from PCI-DSS to EMV, which has become the standard in the rest of the world. In fact, the US is the last major PCI-DSS holdout, meaning American customers are, according to experts, less safe than their counterparts in Europe and elsewhere on the planet. Why the mass migration to EMV? Because it’s much more secure – nearly four times as secure, according to PNC, which saw fraud loss on just 0.035 percent of EMV transactions in 2008, compared to 0.13 percent on signature-confirmed transactions during the same period.

“In Europe, we’ve witnessed a serious ramping-up of offline attacks over the course of the last few years. It took migrating to an EMV-only infrastructure to significantly curb the amount of incidents,” says Schouwenberg. “It’s plausible we’re going to see a similar pattern over here. With EMV adoption being few and far between in the US, it would likely take us longer to curb the amount of incidents.”

Additionally, security experts say retailers need to begin thinking about their entire payment network as though it could be breached at any time – or possibly already has been breached.

“Given that attackers are getting more sophisticated, all merchants need to re-think their security model and focus on an ‘inside-out’ model of security, which assumes the bad guys are already on the network,” says Chiu.

Last two cents

As cybercriminals wage ever-sophisticated attacks, and US retailers scramble to institute new safeguards on their networks while migrating to an entirely new security standard, we customers must remain vigilant about protecting ourselves from the bad guys by watching our transaction histories like a hawk. The transition to the EMV standard is not going to be easy; it will take a long time to get there, and it still won’t be fool-proof. So if you’re looking for a quick fix, I can offer but one reliable suggestion: Use cash (and keep an eye out for pickpockets).

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…