The hackers stealing consumer data from retailers are sophisticated, interconnected—and anonymous. A security expert advises retailers how to defend themselves.
Make no mistake about it, we are at war with a sophisticated and interconnected army of digital ghosts. For the moment, they have the edge: a perfect disguise (online anonymity), unlimited funding and the element of surprise. With the recent Target breach alone, tens of millions of consumers had their payment or identity data exposed. Think about the enormity of that number. In a matter of days, the ghost army was able to erode consumer trust in, and loyalty to, the Target brand. It was an audacious attack, and you can bet that it won't be the last.
Data breaches are nothing new. One of the most concerning issues around breaches like the one at Target is that consumers' digital identities are often based on a single e-mail address or username/password.
This means that a single well-crafted phishing e-mail that compromises a retailer's network administrator can open the door to a goldmine of customer payment and identity data. With stolen identity data in hand, criminals can submit fraudulent credit card applications in the names of thousands of unsuspecting victims; with stolen payment card data, as we have seen in the case of the Target breach, they can produce millions of counterfeit cards for fraudulent in-store or online transactions. Regardless of how the data is used, one thing is certain: breaches pose serious dangers to consumers, retailers and financial institutions. Serious dangers that demand immediate action.
It's no secret that retailers are in the crosshairs of this global threat. They are the richest source for payment and identity data and are also the first place many attackers turn as they look to quickly monetize their data heists. Unfortunately, many organizations have yet to deploy proper defenses. So how do you defend against an unregulated, networked enemy intent on inciting chaos and filling their bank accounts?
Once a breach has occurred, it is critical for organizations to perform a forensic review of the attack to identify and understand all of the potential points of vulnerability, what data was stolen and how that data was transmitted back to the attackers. As happened in the Target breach, the initial scope may quickly expand into something much larger. This makes it essential that retailers rapidly gain complete visibility of their customer data and transactions across channels and keep drilling down until the root cause has been identified and protected against a repeat attack.
For most retailers, unfortunately, this type of deep and consolidated view simply does not exist. Do you really know who is logging into your customers' accounts? Without realizing their data has been compromised, consumers can fall prey to personalized phishing attacks and "give away the keys" to their accounts. How can you be certain a VIP customer is really behind a high-dollar transaction being rushed to an overseas address? No one wants to decline legitimate orders from loyal customers; but with revenue, reputation and brand equity at stake, no one can afford to ignore the potential risk.
Below are several recommendations to help ensure that retailers are protecting themselves and their customers against the danger of data breaches:
- Know your enemy. As attackers grow increasingly sophisticated, it is virtually impossible to identify fraudulent online transactions without being able to accurately identify the device behind the transaction. The anonymity of the Web makes clear visibility into fraudulent attacks difficult, but device identification helps provide greater protection: a device that has never been seen on an account before is a far more useful signal than a username and password that may already be in an attacker's hands.
- Consider increasing operational staffing (at least temporarily). While manually reviewing transactions may seem like a waste of resources, it is often valuable to have fraud investigators review a higher percentage of orders during periods of heightened risk. Unfortunately, with all of the compromised data available, these periods of heightened risk will undoubtedly increase.
- Collaborate. Other retailers who are having success solving breach-related challenges can be an excellent resource for ideas around fraud prevention. Leverage your industry networks, as well as law enforcement resources, where necessary.
- Trust your instinct. In times of increased threat, proactively contact customers if you suspect fraud or when transactions do not fit their typical purchase, payment or delivery patterns. Better safe than sorry.
- Protect your entire online estate. Account creation, profile management and loyalty programs are soft targets for attackers because most fraud prevention controls are focused on transaction systems. Ensure that all points of account access and management are protected as rigorously as checkout is.
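The recommendations above describe a layered screen in the abstract: recognise the device, compare an order against the customer's usual purchase, payment and delivery patterns, contact the customer when it does not fit, and watch account-management events as closely as checkout. The following is an added illustration of how those signals combine into one rule-based score; it is not 41st Parameter's product or code. It assumes an opaque device identifier has already been computed upstream (how that fingerprint is built is out of scope), that the account system exposes whether the profile was edited recently, and the weights and thresholds are arbitrary choices for the example. All customers and orders are constructed sample data.

```python
"""Layered order screening against a customer's own history.

Added illustration, not a vendor's product or code. Assumes an opaque
device_id is computed upstream and that the account system reports recent
profile edits; weights and thresholds are arbitrary. All data is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class Order:
    amount: float
    ship_country: str
    payment_last4: str
    device_id: str
    expedited: bool = False


@dataclass
class Customer:
    history: List[Order]
    # Assumed signal from the account system: e-mail or address edited recently.
    profile_changed_recently: bool = False


def score_order(customer: Customer, order: Order) -> Tuple[int, List[str]]:
    """Return (risk_score, reasons). Each rule checks one pattern the
    customer has established: device, delivery, payment, spend, account."""
    score, reasons = 0, []
    hist = customer.history
    known_devices = {o.device_id for o in hist}
    known_countries = {o.ship_country for o in hist}
    known_cards = {o.payment_last4 for o in hist}

    # Device intelligence: a device never seen on this account is the
    # strongest single signal, since the password alone may be stolen.
    if order.device_id not in known_devices:
        score += 30
        reasons.append("unrecognised device")

    # Delivery pattern: a country the customer has never shipped to,
    # worse when the shipment is being rushed.
    if order.ship_country not in known_countries:
        score += 25
        reasons.append(f"new delivery country {order.ship_country}")
        if order.expedited:
            score += 10
            reasons.append("expedited shipment to an unfamiliar address")

    # Payment pattern: a card the customer has never used here.
    if order.payment_last4 not in known_cards:
        score += 15
        reasons.append("new payment card")

    # Purchase pattern: spend far outside the usual range (z-score against
    # history; skipped when the history is too thin to be meaningful).
    amounts = [o.amount for o in hist]
    if len(amounts) >= 3:
        mu, sd = mean(amounts), pstdev(amounts) or 1.0
        if (order.amount - mu) / sd > 3:
            score += 20
            reasons.append(f"amount {order.amount:.2f} far above usual {mu:.2f}")

    # Account-management signal: profile edits just before a purchase are a
    # common precursor to account takeover.
    if customer.profile_changed_recently:
        score += 15
        reasons.append("recent profile change")

    return score, reasons


def decision(score: int) -> str:
    """Map a score to an action: approve, contact the customer, or hold."""
    if score >= 60:
        return "hold_for_review"
    if score >= 25:
        return "contact_customer"
    return "approve"


# Constructed sample data: a loyal customer with six orders from one device,
# one card and one delivery country.
VIP = Customer(
    history=[Order(a, "US", "4242", "dev-vip-1") for a in (320, 450, 610, 880, 540, 700)],
)
# Legitimate repeat order: everything matches the established pattern.
LEGIT = Order(950, "US", "4242", "dev-vip-1")
# Customer travelling: known device and card, but a new delivery country.
TRAVEL = Order(600, "FR", "4242", "dev-vip-1")
# Post-breach takeover: unknown device, new card, rushed overseas delivery,
# unusual amount, and the profile was just edited.
SUSPICIOUS = Order(2400, "RO", "9876", "dev-unknown-7", expedited=True)
TAKEN_OVER = Customer(history=VIP.history, profile_changed_recently=True)

if __name__ == "__main__":
    for label, cust, order in (("legit", VIP, LEGIT), ("travel", VIP, TRAVEL),
                               ("suspicious", TAKEN_OVER, SUSPICIOUS)):
        score, why = score_order(cust, order)
        print(f"{label}: {decision(score)} (score {score}) {why}")
```

Run as a script, the legitimate repeat order is approved with no reasons, the travelling customer's order is routed to a courtesy call rather than declined outright, and the takeover attempt is held for manual review with every rule firing. The point of the layering is that no single signal decides: a new device alone, or a new country alone, is ordinary customer behaviour, while several at once after a profile edit is the post-breach pattern the article warns about.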
Even after a breach has occurred, the risk can be managed. Arming your organization with a layered security strategy that includes device intelligence will prepare it for the onslaught of compromised card usage, fraudulent enrollments, phishing attacks and attempted account takeovers that follow in the wake of any high-profile breach.
41st Parameter is a provider of fraud-prevention technology and a part of Experian.