
Several dozen small and medium-sized retailers in the United States, Australia, the U.K., Canada and Russia also appear to have been attacked in the year-end POS breaches. Although the malware used was less sophisticated than the malware that hit Target, Ukrainian hackers were able to steal 25 million records starting Oct. 25. The raids on the smaller retailers used a malicious software program dubbed ChewBacca.

RSA Security LLC discovered the theft when it found a large cache of stolen data, according to an analysis posted on the company website on Jan. 30. Thankfully, only about 50,000 customers were affected because the majority of the data records were either duplicates or unusable. The FBI has been notified.

The hacking attacks highlight the vulnerability of point-of-sale, or POS, systems. According to The Nilson Report, these systems process more than $3 trillion in U.S. transactions a year.

“Hopefully we’re learning the lesson that it is literally not possible to fully secure systems like these given how massively complex they are,” said Paul Henninger, global product director for BAE Systems Applied Intelligence, a security division of the U.K.-based defense company. “Over and over again, the bad guys keep finding a hole in the network.”

On Feb. 3 Congress will begin hearings about the recent POS breaches. You can expect specific, lengthy questions of company IT security experts and inquiries into ways to avoid the problem in the future.

In the past, some retailers have pushed for the adoption of the chip-based smart card technology used in Europe for credit and banking cards. The Retail Industry Leaders Association will again try to get support from the banking industry for the change. PIN and chip cards are also known as EMV cards (Europay, Mastercard, Visa) and do not use magnetic stripes and signature security. The PIN in smart cards can be encrypted so that card information is more secure even if hacked. The U.K. has decreased fraud by 70 percent after implementing this card system.

Merchants paid $2.79 for each dollar of fraud losses in 2013, a 3.7 percent increase from 2012. Yet many retailers are reluctant to change to PIN and chip due to the cost of setting up the smart card system. Javelin Strategy estimated that the cost of implementing the EMV system might run $8.6 billion, about $400 to $600 per POS terminal.

The cost of creating and issuing new cards would fall on card issuers and the banking industry and could well exceed $1.4 billion. However, it might prove a good long-term investment if hackers continue to attack card payment systems. Large card networks like Visa and Mastercard have set a deadline of Oct. 2015 for retailers to change to the PIN/chip system.

It took Canada more than seven years to change, and the transition will be significantly more complex in the U.S. David Hogan, executive technology advisor for the National Retail Federation, predicts it could take 10 or more years to transition to the EMV system.