Buyers Beware: The Latest Wave of Retail Cyber Scams
When it comes to cybersecurity, consumers want to trust that retailers are protecting them in some way, shape or form. But with high-profile breaches at Target, Home Depot and Neiman Marcus, among others, it behooves buyers themselves to know what to watch for, what scams can happen and what retailers can do.
“Retailing involves more and more digital technology, and as consumers we leave more data footprints, both online and offline,” says Denise Dahlhoff, research director at Wharton’s Baker Retailing Center. “Data is collected at all stages of the shopping process — from browsing and buying online, opting into mobile ads at a store, posting store check-ins and reviews on social media to paying with a credit card or mobile wallet. More technology and data have many benefits for consumers and retailers, but they also increase the risk of security breaches.”
“Generally it’s not a question of ‘if,’ it’s a question of ‘when,’” adds Christopher Yoo, professor of law, communication, and computer and information science at the University of Pennsylvania Law School, and founding director of the Center for Technology, Innovation, and Competition. No matter how many protections are put in place by retailers, consumers and banks, there are constant threats from hackers and fraudsters coming from all over the world at all hours of the day. The so-called “black hats,” or cybercriminals, need just one weakness, one way to get in, and they can turn any type of customer information (credit card numbers, debit card numbers, passwords, email addresses and Social Security numbers) into lucrative, illegal income streams.
A couple of years ago, major retailers like Target, Home Depot, Neiman Marcus and Michaels Stores were making headlines for major cybersecurity breaches. Fortunately, “there have been no major security breaches in retail recently” in the headlines, says Dahlhoff. Retailers have learned hard lessons from the past, but understanding what happened helps prevent it from occurring again.
With nearly 1,800 stores in the United States, Target was a victim of one of the most widespread data breaches in history. More than 40 million Target customers had their debit and credit card records stolen, along with 70 million people who had their email and mailing addresses taken. The New York Times reported that quarterly profits dropped by 46% as the hit happened during the busy holiday shopping period. Target’s CEO resigned and later the retailer had to pay $10 million to settle a lawsuit from Target shoppers.
The culprit was malware, which made its way through the laptop of an HVAC contractor onto Target’s main computer network. Through the third-party vendor, hackers were able to access Target’s database, according to a report from the Ponemon Institute. “The greatest vulnerabilities for retailers are attacks from third-party vendors,” Yoo says. “The attack on Target put a spotlight on the fact that retailers have to do more than just secure their own network. They should be negotiating terms in the contracts with vendors obligating them to have strong security measures, as well as agreeing to a compliance audit. They can’t take their word for it. It’s a pretty onerous task to be on top of vendors.”
“Retailers have been caught out by bad data architecture. You should never store sensitive information on a network that third-party vendors have access to. Create a systematic classification categorizing what’s sensitive and what’s not,” suggests Yoo.
Daniel Garrie, CEO of consulting firm Law & Forensics and senior advisor at Risk Assistance Network and Exchange (RANE), advises his retail clients to go as far as providing cybersecurity to the vendors themselves. “I tell my clients you need to secure them. Spending any amount of money is worth it if these are vendors you can’t live without.”
In the case of Home Depot, the breach occurred at the point-of-sale terminal system. Yoo explains that a cybercriminal was able to insert a memory stick and inject custom-built malware into the system. The cyberattacks compromised 56 million payment cards in the United States and Canada over a period of several months, costing the home improvement store $62 million in expenses ranging from credit monitoring to extra staffing at call centers, according to The New York Times. “The irony was the point-of-sale terminal system was 30-year-old technology. If you [personally] were using a 30-year-old computer, you would be replacing it,” Yoo points out. Companies are used to the idea of replacing computers in their capital replacement cycle, but they haven’t regarded point-of-sale terminals as equally important and have avoided spending the money. “That’s a problem for larger retailers, and even a bigger problem for small and medium enterprises,” adds Yoo.
As a result, Home Depot “upgraded its security to make sure it was state of the art,” says Yoo. Recently, Home Depot has filed an antitrust lawsuit against Visa and MasterCard for allegedly blocking the adoption of chip-and-PIN technology on credit-card transactions, a more secure system for transactions, according to ZDNet. Walmart also filed a similar lawsuit against Visa, reports Fortune.
Dahlhoff explains that the way chip-and-PIN technology works is that the chip creates a unique identity number with each transaction. You can use that identity number for one transaction only and it can’t be used again for another transaction. “In its current antitrust lawsuit against Visa and MasterCard, Home Depot is saying [to the credit card companies] that they’re not doing the best job with security that they could do,” says Dahlhoff. The retailers argue that they have put in all the hardware to make their stores safe, but the credit card companies and banks are providing payment systems that mostly require signature verification instead of PIN verification, which in turn means higher transaction fees for retailers.
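To make the one-time-number idea concrete, here is an added example that is not part of the original article: a simplified Python model in which the card and the bank share a key and each code covers a counter plus the purchase details. The class names, key and merchant ID are constructed, and HMAC-SHA256 stands in for the payment networks' actual cryptogram algorithm.

```python
import hashlib
import hmac

def _code(key: bytes, counter: int, amount_cents: int, merchant: str) -> str:
    """One-time code: keyed MAC over the counter and the transaction details."""
    msg = f"{counter}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Constructed model of a chip: a secret key plus a counter that never repeats."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def pay(self, amount_cents: int, merchant: str) -> dict:
        self._counter += 1  # a new counter value gives a new code every time
        return {"counter": self._counter, "amount_cents": amount_cents,
                "merchant": merchant,
                "code": _code(self._key, self._counter, amount_cents, merchant)}

class Issuer:
    """Constructed model of the bank, which shares the card's key."""
    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def verify(self, txn: dict) -> str:
        expected = _code(self._key, txn["counter"], txn["amount_cents"], txn["merchant"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: code does not match transaction"
        if txn["counter"] <= self._last_counter:
            return "declined: code already used"
        self._last_counter = txn["counter"]
        return "approved"

def run_demo() -> list:
    key = b"constructed-demo-key-not-a-real-card-key"
    card, bank = ChipCard(key), Issuer(key)
    first = card.pay(2599, "HARDWARE-STORE-0001")
    results = [bank.verify(first)]             # genuine purchase
    results.append(bank.verify(dict(first)))   # same record replayed from a breach
    altered = dict(first, amount_cents=99999)  # stolen code on a different amount
    results.append(bank.verify(altered))
    second = card.pay(2599, "HARDWARE-STORE-0001")
    results.append(bank.verify(second))        # next genuine purchase
    results.append(first["code"] != second["code"])
    return results

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

A record copied out of a breached point-of-sale system is declined on reuse, which is why stolen chip transaction data is worth far less than a copied magnetic stripe.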
Types of Scams
Companies have learned from the weaknesses that have already been exposed in their systems, but there are a large number and variety of scams happening all the time, says Robert Meyer, Wharton marketing professor and co-director of Wharton’s Risk Management and Decision Processes Center. “It’s almost like a game of Whack-a-Mole,” he adds.
David Lawrence, founder of RANE and a former federal prosecutor, explains, “In order to understand why the retail space has been particularly attractive to hackers, it is necessary to understand that this is a low-risk, high-reward crime. Attacks can be launched easily, cheaply, remotely, and the risk of prosecution is extremely low. Stolen consumer data is highly valuable and marketable in the commission of identity theft and financial fraud.”
Historically, one of the original scams was almost like a “sleight-of-hand” when credit card companies “gave your credit card information to an affiliate marketer as a ‘personal convenience’ to you” as you checked out of a retail website, explains Meyer. Since then, Congress has enacted legislation to prevent that type of fraud. However, people might still find themselves enrolled in something like a shopper’s club for something they don’t need. “As a consumer, there’s a tendency to be trusting. The first line of defense is really to be very distrusting