The complex systems that retailers use to process and protect customer data have vulnerabilities in a number of areas that a cyberattacker might exploit.
The recent attack that exposed millions of Target customers’ credit and debit card information involved malicious software on point-of-sale terminals where customers pay, according to a person familiar with the investigation.
Other big security breaches have been inside jobs. It’s also possible for attackers to access computers that aggregate transaction information and transmit it to outside credit card companies.
“Criminals could intercept the card information in computer memory, even if it’s there for less than a millisecond,” said Avivah Litan, a financial services security analyst at Connecticut-based research firm Gartner.
In recent years, a wide range of companies have fallen victim to cyberattacks. With information on 40 million accounts stolen, the recent Target break-in ranks among the top 20 or so known data breaches recorded by the Open Security Foundation.
In a cyberattack on software company Adobe Systems Inc. a few months ago, hackers compromised an estimated 152 million user records and also took the source code for some popular products.
The retail industry has been a regular victim of major attacks. In 2007, a hack of TJ Maxx parent TJX Cos. Inc. exposed the records of an estimated 94 million credit cards and transaction details, according to the Open Security Foundation’s website www.datalossdb.org.
Target spokeswoman Katie Boylan said that the Minneapolis-based retailer was also affected by an intrusion in 2007, but that it was much smaller and involved a number of retailers.
Joshua Carlson, a Minneapolis computer privacy attorney who formerly worked as a security expert in Best Buy’s information technology department, said a recent terminal upgrade at Target would have offered an opportunity for thieves to infiltrate all of the retailer’s point-of-sale terminals at once.
Such an attack would involve planting skimming software on the terminals through their “firmware,” the low-level software stored directly on the chips that run the terminals.
The skimming software would siphon off a copy of the card data to another location where thieves could retrieve it later.
Even in an age of intense attention to data security, there are other avenues for attackers who want to gain access to a large enterprise’s information.
Transaction information is not supposed to be “stored” on a computer hard drive by a retailer, but Litan said there are ways to capture the information as it moves through the computer network on its way from the point-of-sale terminals to outside credit card processing firms.
Less likely, but also possible, is an attack on one of the payment processor companies with whom retailers work. Brian Krebs, the security expert who first disclosed the Target breach in his blog on Wednesday, said that type of attack could yield data from several retailers at once.
Even harder to defend against are attacks by a company’s own computer experts. Some of the biggest breaches in the past have been perpetrated by company employees who have detailed knowledge of how sensitive information is handled by IT systems.
Litan said breaches could be avoided in the future if U.S. card companies, banks and retailers would agree to convert to smart cards — credit and debit cards that contain a microprocessor chip that is hard to counterfeit.
That technology is scheduled to be phased in nationwide in about two years.
“The whole world has moved to chip-based cards except the U.S. and one country in Africa,” Litan said. “Our payment system with retailers is antiquated because we rely on magnetic stripe card technology from the 1970s and ’80s that is highly insecure.”