Retailers, Shoppers at Risk in 2014 as Online Thieves Seek PINs and Passwords
Luxury department store Neiman Marcus has become the latest victim in a new wave of silent, sophisticated online crime that is likely to continue through 2014, jeopardizing both the retailers and the shoppers they depend on.
In the last year, retailers ranging from luxury brands to mass market online sellers have been targeted by a generation of cyber-criminals who seek only to steal payment information and convert it to cash. As recently as 2012, online crooks focused mainly on mining data for later use by illicit marketers and others. Financial fraud was a secondary consequence.
As part of the trend to quick-buck online theft, Neiman Marcus was notified of unauthorized payments from customers’ credit and debit cards in mid-December. Only weeks earlier, an online security breach at discount retailer Target affected 70 million people.
The new cyber-schemes are silent, low profile and produce cash fast. The Target breach fits this description. Rather than going after each individual credit card owner with a classical banker virus, hackers breached the store’s network and planted backdoor software to steal customer e-mail addresses, user names and credit-card data as well as their encrypted PINs.
“Nowadays, the banking infrastructure is more optimized for shopping than it is for security,” says Bogdan Botezatu, Senior E-Threat Analyst at antivirus provider Bitdefender. “Shopping online or offline is often as simple as entering a series of numbers on the credit card or swiping the magnetic strip and entering the PIN number. If these details get stolen, cyber-criminals can burn them on $ 0.1 blanks and sell them to ATM thieves around the world.”
Previously, hackers exploited the fragile security of US credit and debit cards in more “traditional” skimming operations. Unlike Europe, where chip-and-pin is implemented by default, US cards still rely on magnetic strips to store account information. The outdated technology doesn’t encrypt the owner’s data, leaving it vulnerable to even simple theft tactics.
Hackers can fix a thin pad on top of an ATM’s key pad to capture the credit card number when swiped and the PIN number when typed. The data collected is used to easily clone cards for auction on black markets around the world.