As Hackers Hit Customers, Retailers Keep Quiet About Security | KERA News

Nov 24, 2014
Originally published on November 25, 2014 9:15 am

As the holiday buying season approaches, retailers remain open to the same attack — called a "point of sale" attack — that hit Target and Home Depot, security experts say. Those analysts say that retailers have their fingers crossed, hoping they're not next.

And leading companies are keeping very tight-lipped about what, if anything, they're doing to protect customers.

Is This Store Hackerproof?

It's easy to spot a scratched face on a watch. It's much harder to tell if the checkout machine that you swipe to pay for that watch is defective.

But Davi Ottenheimer knows how. He's a security researcher at EMC, a Hopkinton, Mass.-based data storage company. He's been auditing retail for a decade. And we're looking at how "hackerproof" stores are this holiday shopping season.

We walk into a Rolex Store in San Francisco, and the diamond-studded watches don't catch Ottenheimer's eye. A tablet that's sitting by the counter, with a little square card reader plugged in, does.

"They're not even looking at us," he says as a sales representative walks away. "We could replace the card reader with our own card reader. I have several of those at home."

Never mind that an armed guard is patrolling the door. This store is ripe for a microscale cyberattack. Sure, it would just get a few dozen customers. But, Ottenheimer says, "they spend a lot of money, so if I want to get high-value cards, this would be a place where I could get them."

Rolex and Tourneau, the company managing the store, did not respond to NPR's request for comment about on-site security.

Over at Macy's, Ottenheimer wanders over to an empty corner and stares at a lonely register. He points to a little green icon that's blinking on the hard drive. "It has a network light on the front," he says.

That means it's speaking to other machines that are grabbing card numbers.

Ottenheimer is concerned that crooks could use this unprotected machine to try to break in. "They came over to help us with the jewelry but not with the fact that we're standing and staring at a PC in the corner," he says.

NPR reached out to Macy's to ask what it's doing to protect the customer information feeding into these machines. Is the retail chain scrambling and encrypting card numbers? Is it cordoning off the financial data, so that people with access to one point of entry can't break into others?

Macy's declined to provide a single detail about the most general security measures it's taking.

'Security By Obscurity'

Orla Cox, a security expert at Symantec, helps retailers behind the scenes. And while she can't name her clients because of nondisclosure agreements, she criticizes companies for acting like they can achieve "security by obscurity."

"A lot of times, a lazy approach to security is just to make information difficult to get," she says. "Just because you're not talking about it isn't actually making you any more protected."

According to a recent Symantec report, hacks have gotten bigger and more frequent. Cox and other security insiders say that just about every retailer remains open to the exact same attack — a point-of-sale attack that lifts information from credit card readers — that got Target and Home Depot.

It's not clear if or when that'll change. NPR contacted two dozen of America's largest retailers — which include Sears, Kohl's, Best Buy, Dollar General, the TJ Maxx company — and none of them would indicate whether their budget for online security has increased in this last year of megabreaches.

"I would think that it's fairly innocuous information anyway," Cox says. "Giving a number out there shows that you're taking it seriously."

A Lack Of Incentives

Visa and MasterCard are nudging retailers to take on a bit more liability. By October 2015, merchants who don't have the more up-to-date EMV chip card readers could have to pay for certain credit and debit card theft in stores.

"There is no silver bullet," says Ellen Richey, Visa's chief risk officer, who's on a national campaign to get retailers to invest.

But, many say, there aren't enough incentives for retailers to address the issue.

Retailers make tiny margins — say 2 percent. They don't want to spend on IT support. When credit card data are stolen, they don't typically have to pay. Even if the retailers' lax network security is at fault, financial institutions typically pick up the bill.

That includes credit unions, like LGE Community Credit Union in Georgia. Its president, Chris Leggett, says he is tired of paying for replacement cards after a hack. "It sure would be nice if the merchants would be willing to share in the cost of cleaning it up due to their lax security," he says. "The issuers are paying the brunt of the expense."

The Credit Union National Association is asking lawmakers to intervene, so that retailers are held to stricter security and disclosure rules.

Card Thefts Become Routine

Among victims, a kind of fatalism has set in. People have come to expect the theft.

Kate Anderson in Minnesota has had to replace her cards five times in the past year. "It always seems to happen on a Friday or a Saturday. So usually that's kind of when I kind of really get like, 'Well, should I really go shopping or not?' " she says.

Now, she and her husband know the drill: "Reset all of our passwords and our PIN numbers and every place that we do auto debits from."

Texas resident Hunter Hargrave has replaced his cards twice following hacks. "I wouldn't be surprised if it happened again," he says.

The 25-year-old is turning away from the world of plastic and using old-school money a lot more. "Whenever I get paid, I take out the vast majority in cash, and then I put the rest on a debit card. But the debit card's only for emergencies," he says.

Even if people ditch their cards, they're not ditching the stores. While the cost of cleaning up a hack is climbing, according to a recent survey by the Ponemon Institute, the cost of doing nothing — and hoping for the best — is not.

Sales at Target and Home Depot have been exceeding expectations. Experts say that as long as we're spending, retailers don't have to spend on protecting us.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

AUDIE CORNISH, HOST:

As the holiday shopping season ramps up, we were curious what retailers are doing to protect you from hackers.

ARI SHAPIRO, HOST:

You could say 2014 has been the year of the credit card hack. Home Depot, Staples, PF Chang's - those are just some of the companies that have been hit.

CORNISH: As we hear from NPR's Aarti Shahani, they're staying tightlipped about what, if anything, they're doing to protect customers.

AARTI SHAHANI, BYLINE: It's that time of year and I'm at the Rolex store. Davi Ottenheimer is with me, and we’re not looking at diamond-studded watches.

DAVI OTTENHEIMER: Yeah, so that’s a pad, right? So it’s a typical pad. It has a USB-attached card reader.

SHAHANI: Our eyes are fixed on a tablet that's just sitting by the counter with a little square card reader plugged in, totally unattended.

OTTENHEIMER: They're not even looking at us. We could replace their card reader with our own card reader. I have several of those at home.

SHAHANI: Never mind that an armed guard is patrolling the door, this store is ripe for a micro-scale cyber-attack. Sure, it would just get a few dozen customers.

OTTENHEIMER: But they spend a lot of money. So if I wanted to get high-value cards, this would be a place where I could get them.

SHAHANI: Ottenheimer is not here to rob Rolex. He’s a security expert who’s been auditing retail for well over a decade. And we're checking out how hacker-proof stores are this holiday shopping season. Over at Macy's, we stand in an empty corner and stare at a lonely register.

OTTENHEIMER: So I can see, for example, it has a network light on the front.

SHAHANI: Which means it's not lonely. It's on a network, speaking to other machines that are grabbing card numbers. Ottenheimer is concerned - no one is watching us, and we could use this machine to try to break in.

OTTENHEIMER: They came over to help us with the jewelry but not with the fact that we’re standing and staring at a PC in the corner.

SHAHANI: NPR reached out to Macy’s to ask what it's doing to protect the customer information feeding into these machines. Are they scrambling and encrypting card numbers? Are they cordoning off the financial data, so that people with access to one point of entry can’t break in to others? Macy's declined to provide a single detail about the most general security measures it’s taking.

ORLA COX: A lot of times a lazy approach to security is just to make information difficult to get.

SHAHANI: Orla Cox is a security expert at Symantec who helps retailers after they've been hacked.

COX: Just because you’re not talking about it isn't actually making you any more protected.

SHAHANI: Cox and other security insiders say that just about every retailer remains open to the exact same attack - a point-of-sale attack that got Target and Home Depot. And it's not clear if or when that’ll change. NPR contacted two dozen of America’s largest retailers, which include Sears, Kohl's, Best Buy, Dollar, the T.J. Maxx Company, and none of them would indicate if their budget for online security has increased in this last year of mega-breaches.

COX: I would think that it's fairly innocuous information anyway, and that's, you know, giving a number out there, you know, shows that you’re taking it seriously.

SHAHANI: Visa and Mastercard are on a national campaign to nudge retailers into taking on a bit more liability. But many say the incentives are off. Retailers make tiny margins - say 2 percent. They don't want to spend on IT support. And when credit card data gets stolen, they don't have to pay. Even if they're at fault, financial institutions pick up the bill. Among victims, a kind of fatalism has set in.

HUNTER HARGRAVE: I guess since the second time in past year and a half or so, I wouldn’t be surprised if it happened again.

KATE ANDERSON: And it always seems to happen on a Friday or a Saturday. So usually that’s kind of when I kind of really get like, well, should I really go shopping or not?

SHAHANI: Hunter Hargrave in Texas and Kate Anderson in Minnesota have come to expect the theft. Anderson's cards have been cancelled five times in the last year. Now, she knows the drill.

ANDERSON: Oh, now we have to reset all of our passwords and our PIN numbers and every place that we do auto debits from.

SHAHANI: Hargrave, who is 25 years old, says he's using old school money a lot more.

HARGRAVE: Whenever I get paid, I take out the vast majority in cash, and then I put the rest on a debit card. But the debit card is only for emergencies.

SHAHANI: Even if people ditch their cards, they're not ditching the stores. Sales at Target and Home Depot have been exceeding expectations. Experts say that as long as we're spending, retailers don’t have to spend on protecting us. Aarti Shahani, NPR News. Transcript provided by NPR, Copyright NPR.