September 2, 2014, 12:03 PM

The war with no end

With criminals constantly searching for weak spots in online merchants' systems, retailers face an impossible challenge when it comes to Internet security—maintain a perfect defense, or else.


Todd Morris, CEO of security and surveillance products retailer BrickHouse Security, has trouble falling asleep every night after he hears about hackers penetrating an online merchant’s defenses.

And lately, he’s been having a lot of sleepless nights.

That’s because criminals are on a relentless hunt to find merchants’ weak spots. The hackers pose a daunting challenge to any retailer selling online—or offline, for that matter. The only way for merchants to fight back, experts say, is to maintain a perfect defense. But being perfect isn’t easy.

Take Target Corp. The retailer was compliant with the Payment Card Industry Data Security Standard (PCI DSS), the set of rules created by the payment card networks to protect cardholder data. It worked with FireEye Inc. to monitor its systems for suspicious activity. And its systems, at least on the surface, were secure, says Jerry Irvine, chief information officer at information technology outsourcer Prescient Solutions Inc. and a member of the National Cyber Security Partnership. Yet criminals still found a way to steal more than 40 million credit and debit card numbers, as well as 70 million names and addresses, in one of the largest data breaches in U.S. history.

While Target is among the most high-profile victims of criminal hackers, it is hardly alone. The number of data breaches jumped 53.6% in 2013 from 2012, and 54.0% of those breaches were targeted at e-commerce web sites, according to a recent report by security firm Trustwave. Among those victims are e-commerce giants like eBay Inc., Adobe Systems Inc., the Neiman Marcus Group Inc., as well as small merchants like Made in Oregon.

These incidents put pressure on retailers because the number of consumers impacted by data theft is on the rise; the percentage of U.S. adults who report they’ve had personal data, such as their credit card account numbers, stolen as a result of their online activities jumped to 18% in January 2014, up from 7% in January 2013, according to the Pew Research Center. The situation leaves retailers with a near-impossible, but unavoidable challenge—wage a never-ending battle against increasingly sophisticated criminals, or else. After all, those who fail might not be around long because the majority of consumers—86.6% in a recent poll by contact center software provider Semafone—say they are not likely to do business with a company that has experienced a data breach that resulted in the loss of payment card data.

To avoid falling prey, retailers have to arm themselves by doing everything they can to secure their systems, say experts. In addition to being PCI compliant, some merchants are using tokenization, which replaces a consumer's card account number with a surrogate value, the token, that only the system that issued it can map back to the real number, so the merchant never has to store the actual number at all. They are also limiting the amount of customer data they hold, and minimizing the number of vendors they grant system access to. The goal, says BrickHouse Security's Morris, is to make a retailer's data not worth the effort, so that hackers move on to an easier target.

“If a hacker wants to get into a retailer’s system, he will because every company is hackable with enough effort,” he says. “But that’s why we have to limit the amount of valuable data we have so that it isn’t worth a hacker’s effort.”
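The following is an added illustration of the tokenization and data-minimization approach described above; it is example code written for this page, not BrickHouse Security's or any payment processor's implementation. The vault class, the order record layout and the sample card number (a well-known Luhn-valid test number, not a real account) are all constructed for the example. The point it makes: once the merchant keeps only a random token and the last four digits, an attacker who dumps the merchant's own database gets nothing that can be charged.

```python
import json
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the standard sanity check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(pan: str) -> str:
    return pan.replace(" ", "").replace("-", "")


class TokenVault:
    """Hypothetical token vault: the only place a token can be turned back into a card number.

    In practice this lives with the payment processor or in a separately hardened
    service, outside the merchant's e-commerce database.
    """

    def __init__(self) -> None:
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = _normalize(pan)
        if not digits.isdigit() or not luhn_ok(digits):
            raise ValueError("not a valid card number")
        if digits in self._pan_to_token:       # same card, same token: lets the
            return self._pan_to_token[digits]  # merchant recognise a repeat customer
        # The token is random, not an encrypted or hashed PAN: nothing about the
        # card can be recovered from it without this vault's lookup table.
        token = "tok_" + secrets.token_hex(16)
        self._pan_to_token[digits] = token
        self._token_to_pan[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def store_order(merchant_db: list, vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps: a token and the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    record = {"card_token": token, "last4": _normalize(pan)[-4:], "amount_cents": amount_cents}
    merchant_db.append(record)
    return record


def full_pan_in(merchant_db: list, pan: str) -> bool:
    """Simulates an attacker who dumps the merchant database: does the full PAN appear anywhere?"""
    return _normalize(pan) in json.dumps(merchant_db)


if __name__ == "__main__":
    # Constructed sample input: a Luhn-valid test card number, not a real account.
    vault = TokenVault()
    orders = []
    rec = store_order(orders, vault, "4111 1111 1111 1111", 4999)
    print("merchant record:", rec)
    print("full PAN present in merchant DB:", full_pan_in(orders, "4111 1111 1111 1111"))
    print("vault can still charge it:", vault.detokenize(rec["card_token"]))
```

The design choice worth noting is that the token is random rather than derived from the card number. A hash or a deterministic encryption of the PAN would let an attacker with the merchant's dump test guesses offline; a random surrogate carries no information at all, so the vault (and its access controls) become the only thing that matters.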

But being secure isn’t easy. Just look at Target. Despite its multipronged defense, criminals still found a way to access its network on Nov. 15. The thieves reportedly stole network credentials from refrigeration, heating and air conditioning subcontractor Fazio Mechanical Services Inc., which didn’t adhere to the retailer’s information security practices. The vendor released a statement acknowledging that it had access to Target’s network, but it did not confirm that it was the source of the breach; Target declined to comment on the incident. From that foothold the thieves moved from less-sensitive areas of Target’s network into the more tightly secured areas containing consumer data, then installed malware on the retailer’s systems to steal it.

While Target’s systems alerted it to suspicious activity on its network, its staff failed to recognize the full extent of the issue and didn’t take action, according to a U.S. Senate analysis of the breach. Nearly a month passed before the U.S. Justice Department warned Target of suspicious activity involving payment cards used at Target stores, and then another three days passed before the retailer discovered the breach. The delay enabled the criminals to steal records from up to 110 million consumers.

Prior to the breach, the retailer was having a good fourth quarter. But immediately after its Dec. 15 statement alerting consumers to the breach, sales turned south and the merchant has yet to recover. In addition to the lost sales, breach-related expenses cost Target $236 million in the first half of its fiscal year and led to the departures of CEO Gregg Steinhafel and chief information officer and executive vice president for technology services Beth Jacob. 

The sheer number of consumers impacted by breaches is mind-boggling.

While Target’s breach affected upward of 110 million consumers—more than one in three U.S. consumers—that’s a mere blip when you consider that a single Russian crime ring amassed 1.2 billion unique records such as usernames and passwords, researchers at security research firm Hold Security LLC announced last month after a seven-month investigation.

The gang gathered those records by buying stolen databases containing consumers’ personal information on the black market. It then used those databases to attack e-mail providers, social media sites and other web sites to distribute spam for a fee.

Then in April the gang began using botnets, large groups of malware-infected computers controlled by a single criminal operator. Whenever an infected user visited a web site, the bot would test the site to see if it was vulnerable to SQL injection, a flaw in which text typed into a web form or URL is pasted directly into a database query, so that a crafted input becomes part of the query itself and lets an attacker read or alter data the site never meant to expose. The technique helped the criminals steal data from more than 420,000 web and FTP sites. (FTP sites are used to post and download computer files.)
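As an added example of the weakness the botnet was probing for (example code written for this page, not anything from Hold Security's report or from the sites involved), the block below builds a small in-memory SQLite customer table with constructed sample rows, shows a lookup that splices user input into the SQL text beside the parameterized form that does not, and runs a crude version of the test a scanning bot performs: send a harmless value, then a tautology payload and a lone quote, and see whether the site's behaviour changes. The table, column names and payloads are all assumptions made for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an e-commerce site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_token) VALUES (?, ?)",
        [
            ("alice@example.com", "tok_3f9c0a"),   # constructed rows, not real customers
            ("bob@example.com", "tok_77d1e2"),
            ("carol@example.com", "tok_b04c9f"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable: the user's input is pasted straight into the SQL text. A quote
    # in the input ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT email, card_token FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened: a parameterized query sends the input as data. The driver never
    # treats it as part of the statement, so quotes in it are just characters.
    return conn.execute(
        "SELECT email, card_token FROM customers WHERE email = ?", (email,)
    ).fetchall()


def probe(conn: sqlite3.Connection, lookup) -> list:
    """Mimics what a scanning bot does: compare a harmless lookup with crafted ones.

    Returns the list of signals observed; an empty list means nothing suspicious.
    """
    signals = []
    baseline = lookup(conn, "nobody@example.com")        # should match no row
    try:
        # Classic tautology: WHERE email = 'x' OR '1'='1' is true for every row.
        if len(lookup(conn, "x' OR '1'='1")) > len(baseline):
            signals.append("tautology returns extra rows")
    except sqlite3.Error:
        signals.append("tautology payload raised a database error")
    try:
        # A lone quote leaves the string literal unterminated in the vulnerable
        # version; the resulting error is another tell-tale sign for a scanner.
        lookup(conn, "x'")
    except sqlite3.Error:
        signals.append("lone quote raised a database error")
    return signals


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup:", probe(conn, lookup_vulnerable))
    print("safe lookup:     ", probe(conn, lookup_safe))
    # What the attacker actually walks away with from the vulnerable endpoint:
    print("dumped by tautology:", lookup_vulnerable(conn, "x' OR '1'='1"))
```

Two things follow from running it. First, the vulnerable endpoint gives a scanner two independent signals (extra rows and a database error), which is exactly why automated probing at scale works: the bot needs no knowledge of the site, only a difference in behaviour. Second, the rows it dumps here contain card tokens rather than card numbers, which is the payoff of the tokenization and data-minimization approach discussed earlier: the injection still succeeds, but what it exposes is not worth much.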
