Cross-channel services like buy online and return to any store—without requiring a receipt—are creating formidable security challenges for retail chains, Wal-Mart’s director of global e-commerce investigations said at a payments security industry conference this week.
The retailer that wants to be all things to all shoppers is trying hard not to extend the welcome mat to cybercriminals, Fred Helm, director of global e-commerce investigations for Wal-Mart Stores Inc., said this week.
Retail chains like Wal-Mart that operate both physical and online stores have “created a perfect fraud culture” by letting shoppers return merchandise to any bricks-and-mortar store, often without a receipt, Helm said during a presentation at the Merchant Risk Council’s 2014 E-Commerce Payments and Risk Conference, held Mar. 17-20 in Las Vegas. At the same time, he added, criminals are increasing their use of counterfeit payment cards to purchase gift cards in stores as well as online, then using them to fund other transactions.
“We’re in an unbelievably risky time,” Helm said.
Criminals for years have found ways to steal merchandise from bricks-and-mortar stores, including by paying with stolen credit cards, then fence it online through e-marketplaces and other web sites, he said. Now more of them are simply returning merchandise to stores for cash or credit to purchase other merchandise.
Helm also noted that some criminals will place bulk orders of gift cards sold through “scrip” organizations, which are legitimate businesses that provide gift cards redeemable at various merchants for use in fundraising efforts. Charities and public institutions like schools, for example, purchase high volumes of gift cards for sale in fundraising campaigns; as people buy the cards and redeem them either online or in stores, the charity gets to keep a percentage of the card value.
But merchants and fundraising organizations usually don’t know if criminals are purchasing large volumes of these gift cards with counterfeit payment cards, Helm said.
To mitigate the losses, Helm directs a team of five data analysts and three investigators who watch for unusual activity and cooperate with law enforcement officials to identify and catch thieves. In one case, he noted, Wal-Mart provided value-loaded gift cards used by law enforcement officers in a campaign to catch thieves.
Dealing with cybercriminals is getting more challenging as criminals assemble “botnets”—large numbers of computers they control by inserting malicious software. They use those computers to automatically place fraudulent online orders much faster than in the recent past, Helm said. Adding to the challenge facing retailers is the proliferation of gangs of cybercriminals in regions such as mid-Africa and Eastern Europe, he said.
But though Helm’s team will work with law enforcement to help track and apprehend criminals, he said his team is focusing more on analyzing the data in fraudulent transactions rather than on locking up the bad guys. “We want good analytics to make data decisions” and help Wal-Mart’s risk manager set the most effective rules for accepting and rejecting transactions online and in stores, he said.