Why are brick-and-mortar retailers crumbling under hacker attacks?

target credit card theft warnings ignored exterior

Over the weekend, high-end retailer Neiman Marcus admitted that hackers infiltrated its system and stole untold lists of credit and debit card numbers, along with other personal information belong to its customers.

The breach comes just days after Target said that hackers stole the payment data, addresses, phone numbers, and names of some 70 million customers – a number that may or may not include the roughly 40 million shoppers whose private data landed in hackers’ hands following the post-Thanksgiving spending spree.

“The recent Target attack was about stealing data.”

The bleeding does not stop there, however; according to Reuters, hackers have successfully breached the systems of “at least three other well-known US retailers.” We don’t yet know the identities of these outlets, but will undoubtedly find out soon.

Cyberattacks are nothing new, of course. What makes the Target and Nieman breaches so frightening for shoppers – at least, for this shopper – is that both attacks only affected customers who made purchases offline.

So why have have hackers suddenly turned toward brick-and-mortar retailers? How are they pulling it off? And is it possible that shopping offline is now less safe, or at least as risky, as shopping online?

Low-hanging fruit

Since Amazon.com launched in 1995, consumers have worried about hackers snagging their credit-card data from the Web – and rightly so. Retailers lost roughly $3.5 billion in e-commerce sales during 2012 due to credit card fraud, according payment processor CyberSource.

“If we measured fraud loss, payment fraud is three times higher online than it is offline,” says Loc Nguyen, vice president of marketing for fraud prevention firm Feedzai, which uses advanced machine-learning techniques to predict payment fraud. “Online has been traditionally thought of as less safe, but online shopping only accounts for 6 percent of spending, which equals $343 billion out of the $4 trillion in retail purchases.”

Neiman MarcusSo while online shopping may be considered less safe, offline retailers represent a far juicier target for cyber-thieves. “Just as bank robbers rob banks (because that’s where the money is at), professional fraud organizations go after offline environments because that’s where the card data are,” Nguyen says.

Historically, offline retailers have enjoyed greater protection from cyberattacks simply because their business transactions were less connected to the online world. But this is changing. Increasingly, the systems you use to buy online and offline are inexorably intertwined. And that’s a problem. 

Rise of the RAM scrapers

In recent years, hackers have begun using a type of malware known as a RAM scraper, which specifically targets brick-and-mortar retailers’ point-of-sale devices – digital cash registers, in other words. Reuters reports that the Target and Neiman Marcus hackers likely used sophisticated RAM scrapers to steal customers’ credit- and debit-card numbers.

RAM scrapers have been around for years, and target a payment security standard known as PCI-DSS, which is predominantly used in the US. While PCI-DSS requires that payment data is encrypted end-to-end, there is a brief moment – milliseconds – after you swipe when your card that the number and other data is in plain-text form, meaning anyone could read it during that instant. That’s all hackers need to steal the payment data and copy it to their list. 

“Payment fraud is three times higher online than it is offline.”

Using RAM scrapers makes perfect economic sense for hackers; not only can they pilfer far more credit card numbers at a time, but the wealth of data they obtain through a RAM scraper attack is more useful and valuable than what they can potentially take from online transactions.

“Going after point-of-sale gives the attackers an opportunity to collect credit card data in bulk,” says Roel Schouwenberg, Principal Security Researcher at cybersecurity firm Kaspersky Lab. “The attackers will also be hoping to have a higher success rate using cloned, physical cards rather than using cards online.”

Attacking point-of-sale also makes it possible to sell those card numbers to other criminals in a greater variety of forms, Schouwenberg says. “When trying to resell the stolen credit card data online, the attackers may also be able to sell into different underground markets, as the people dealing with cloned cards are not necessarily the same people dealing with online fraud,” he says. 

Bad connection

Twice last year, in April and August, Visa issued security alerts about the rise of RAM scrapers, warning retailers both times to separate their payment systems from other systems to help mitigate the risks of malware infections, and curb the amount of data that attackers could steal. But this isn’t happening – if anything, retailers’ systems are becoming more and more interconnected.

Target Red Card“Brick-and-mortar and online retailers are storing lots of information on consumers to make shopping easier and more personal; therefore, a swipe of a credit card at a store versus an online merchant is the same,” says Eric Chiu, president and co-founder of cloud security firm HyTrust. “Also, because of the density of data in today’s networks, thieves don’t just get some data – they get it all.” 

“The recent Target attack was about stealing data,” says Nguyen. “Data has and will continue to be the digital payment industry’s most valuable asset.” And because our offline and online shopping is becoming further entwined, we can only assume that cybercriminals will increasingly target both online and brick-and-mortar payment systems.

Nguyen adds, “As our lives gradually migrate onto the Internet, and consumers continue to embrace omnichannel commerce, so too will the criminals employing increasingly sophisticated attacks that cross channels so the notion of a relatively safer channel is fleeting.”

The big fix

The good news in all this is that credit card fraud has fallen over the past 20 years, “from 6.1 cents to 5.2 cents for every $100 spent,” says Nguyen, “so we can say that, overall, our money [is] safer than it has ever been.” Unfortunately, that’s talking percentages. During the same period, credit card use has increased – and so has the total number of dollars lost, from less than $2 billion annually to more than $11 billion, by Feedzai’s count.

“As the world moves away from cash, there’s just more electronic payment volume to be protected,” says Nguyen. 

Still, $11 billion is a lot of money. And protecting that money in an increasingly connected payment infrastructure likely requires retailers and payment processors to swap out the PCI-DSS standard for a whole new set of tools known as EMV.

Also called “Chip-and-PIN,” the EMV standard – named after its primary developers, Europay, MasterCard, Visa – uses cards with embedded microprocessors that require customers to enter a PIN to authenticate a transaction, rather than simply scribbling their signature on a piece of paper or digital payment pad.

“Because of the density of data in today’s networks, thieves don’t just get some data – they get it all.”

In the same warnings from last year, Visa urged companies to switch away from PCI-DSS to EMV, which has become the standard in the rest of the world. In fact, the US is the last major PCI-DSS holdout, meaning American customers are, according to experts, less safe than their counterparts in Europe and elsewhere on the planet. Why the mass migration to EMV? Because it’s much more secure – nearly four times as secure, according to PNC, which saw fraud loss on just 0.035 percent of EMV transactions in 2008, compared to 0.13 percent on signature-confirmed transactions during the same period.

“In Europe, we’ve witnessed a serious ramping-up of offline attacks over the course of the last few years. It took migrating to an EMV-only infrastructure to significantly curb the amount of incidents,” says Schouwenberg. “It’s plausible we’re going to see a similar pattern over here. With EMV adoption being few and far between in the US, it would likely take us longer to curb the amount of incidents.”

Additionally, security experts say retailers need to begin thinking about their entire payment network as though it could be breached at anytime – or possibly already has been breached.

“Given that attackers are getting more sophisticated, all merchants need to re-think their security model and focus on an ‘inside-out’ model of security, which assumes the bad guys are already on the network,” says Chiu.

Last two cents

As cybercriminals wage ever-sophisticated attacks, and US retailers scramble to institute new safeguards on their networks while migrating to an entirely new security standard, we customers must remain vigilant about protecting ourselves from the bad guys by watching our transaction histories like a hawk. The transition to the EMV standard not going to be easy, it will take a long time to get there, and still won’t be fool-proof. So if you’re looking for a quick fix, I can offer but one reliable suggestion: Use cash (and keep an eye out for pickpockets).

The views expressed here are solely those of the author and do not reflect the beliefs of Digital Trends.

Home Theater

Budget TVs are finally worth buying, and you can thank Roku

Not all that long ago, budget TVs were only worth looking at if, well, you were on a budget. Thanks to Roku, not only are budget TVs now a viable option for anyone, but they might even be a better buy than more expensive TVs.
Podcasts

'Avengers: Endgame' trailer chills, 'Game of Thrones' teaser, $100M 'Friends'

This week on Between the Streams, we'll talk about the Avengers 4 trailer (aka Avengers: Endgame), the latest nothing of a Game of Thrones teaser, Netflix's $100 million barter to keep Friends, and much more!
Computing

Quora hit by data breach affecting around 100 million users

Question-and-answer website Quora has revealed that hackers may have stolen data belonging to 100 million of its users. The recently discovered security breach is still being investigated, and Quora is contacting affected users.
Mobile

Smartphone makers are vomiting a torrent of new phones, and we’re sick of it

Smartphone manufacturers like Huawei, LG, Sony, and Motorola are releasing far too many similar phones. The update cycle has accelerated, but more choice is not always a good thing.
Opinion

Do we even need 5G at all?

Faster phones, easier access to on-demand video, simpler networking -- on the surface, 5G sounds like a dream. So why is it more of a nightmare?
Computing

Razer’s most basic Blade 15 is the one most gamers should buy

Razer's Blade 15 is an awesome laptop for both gamers, streamers, professionals, and anyone else needing serious go in a slim profile, but its price is out of reach for many games. The new Blade 15 Base solves that problem with few…
Home Theater

The Apple AirPods 2 needed to come out today. Here are four reasons why

Apple announced numerous new products at its October 30 event, a lineup that included a new iPad Pro, a MacBook Air, as well as a new Mac Mini. Here are four reasons we wish a new set of AirPods were on that list.
Gaming

Going to hell, again. The Switch makes 'Diablo 3' feel brand-new

I've played every version of Diablo 3 released since 2012, racking up hundreds of hours in the process. Six years later, I'm playing it yet again on Nintendo Switch. Somehow, it still feels fresh.
Gaming

‘Fallout 76’ may have online multiplayer but it’s still a desolate wasteland

"Is Fallout 76 an MMO?" That depends on who you ask. Critics and players often cite its online multiplayer capabilities as a reason it qualifies. Yet calling the game an MMO only confuses matters, and takes away from what could make…
Digital Trends Live

Microsoft has #*!@ed up to-do lists on an epic scale

Microsoft has mucked up to-do lists on a scale you simply can’t imagine, a failure that spans multiple products and teams, like a lil’ bit of salmonella that contaminates the entire output from a factory.
Opinion

As Amazon turns up the volume on streaming, Spotify should shudder

Multiple players are all looking to capitalize on the popularity of streaming, but it has thus far proved nearly impossible to make a profit. Could major tech companies like Amazon be primed for a streaming take-over?
Gaming

Throw out the sandbox. ‘Red Dead Redemption 2’ is a fully realized western world

Despite featuring around 100 story missions, the real destination in Red Dead Redemption 2 is the journey you make for yourself in the Rockstar's open world, and the game is better for it.
Gaming

‘Diablo Immortal’ is just the beginning. Mobile games are the future

Diablo fans were furious about Diablo Immortal, but in truth, mobile games are the future. From Apple and Samsung to Bethesda and Blizzard, we’re seeing a new incentive for games that fit on your phone.
Movies & TV

He created comics, movies, and superheroes. But Stan Lee lived for joy

Stan Lee was a creator, a celebrity, an icon, and beneath it all, a real-life good guy with all the same human qualities that made his superheroes so relatable. And his greatest joy was sharing his creations with the world.