Retailers like Home Depot, which recently suffered a major data breach, have known for years about vulnerabilities in payment systems, but have chosen to ignore them, experts say.
Home Depot decided only in January to buy technology that fully encrypts payment card data the moment a card is swiped, The Wall Street Journal reported Monday. The home improvement retailer launched the project in order to avoid a breach on the scale of Target's.
The breach at Target in December compromised 40 million credit-card accounts and contributed to the ouster of its chief executive officer.
Following several months of testing, Home Depot signed a multimillion-dollar contract with a security vendor in April, but by then, hackers may have already cracked the retailer's payment systems, the Journal reported. The company said it discovered it had been hacked in September.
While Home Depot has not said how many credit-card accounts were affected, experts speculate that, given the size of its business, the number of compromised accounts could be in the tens of millions.
Hackers stole card numbers from Target and Home Depot using malware that scraped unencrypted data from the memory of their payment systems.
The vulnerability exploited has been known for years, but retailers have chosen not to upgrade their so-called point-of-sale (POS) systems because of the cost.
"We have been recommending for years and years and years that people encrypt and tokenize at the swipe, and for years and years and years, they haven't done it," John Kindervag, analyst for Forrester Research, said. "The fact that the attackers are really good and fast is not an excuse."
In data security, tokenizing is the process of substituting card data with a random number that is useless to the hacker. The token often comes from an embedded chip found in new cards.
Apple plans to use such a system in the iPhone 6, so the smartphone can be used instead of a credit card.
Most of the card readers currently used by U.S. retailers take the card number in plain text from the magnetic stripe found on most debit and credit cards.
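The point of the paragraphs above (RAM-scraping malware only needs a pattern match to pull plaintext track data out of POS memory, and tokenizing at the swipe leaves it nothing to steal) as an added Python example. This is not code from the article, from Home Depot, or from any payment vendor: the Track 2 layout is the standard magnetic-stripe format, the card numbers are published test PANs, and the in-memory token vault, the scraper regex and the POS memory buffer are constructed for illustration. In a real deployment the vault sits with the payment processor, never on the POS.

```python
"""Why "tokenize at the swipe" defeats RAM-scraping POS malware.

Added example, not from the original article. All card data below is
constructed test data (published test PANs), not real accounts.
"""
import re
import secrets

# Track 2 record as read from a magnetic stripe:  ;PAN=YYMM<service code><discretionary>?
# PAN is 13-19 digits; this is the pattern a memory scraper searches for.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]*\?")

# Constructed Track 2 records built from published test PANs.
TRACK2_RECORDS = [
    b";4111111111111111=2512101123456789?",
    b";5500000000000004=2612101?",
]
# Looks like a card record but fails the Luhn check; scrapers discard these.
LUHN_DECOY = b";4111111111111112=2512101?"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by scrapers to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """What RAM-scraping malware does: regex for Track 2, keep Luhn-valid PANs."""
    found = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append(pan)
    return found


class TokenVault:
    """Stand-in for the processor-side vault (hypothetical, constructed for the example).

    Maps PAN -> random token. The POS only ever sees the token; the
    reverse mapping exists only here, not on the retailer's network.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        tok = self._pan_to_token.get(pan)
        if tok is None:
            tok = secrets.token_hex(8)          # random, carries no card data
            while tok in self._token_to_pan:     # collision guard
                tok = secrets.token_hex(8)
            self._pan_to_token[pan] = tok
            self._token_to_pan[tok] = pan
        return tok

    def detokenize(self, tok: str) -> str:
        return self._token_to_pan[tok]


def swipe_plaintext(track2: bytes) -> bytes:
    """Legacy reader: the raw Track 2 record lands in POS memory unchanged."""
    return track2


def swipe_tokenized(track2: bytes, vault: TokenVault) -> bytes:
    """Reader that tokenizes at the swipe: only a token and expiry reach the POS."""
    m = TRACK2_RE.fullmatch(track2)
    if m is None:
        raise ValueError("not a Track 2 record")
    pan, expiry = m.group(1).decode(), m.group(2)
    return b"TOK:" + vault.tokenize(pan).encode() + b"|EXP=" + expiry


def pos_memory(records: list) -> bytes:
    """Constructed POS process memory: card records scattered among other data."""
    filler = b"\x00" * 16 + b"receipt printer ready" + b"\x00" * 8
    return filler + filler.join(records) + filler + LUHN_DECOY + filler


def legacy_demo() -> list:
    """Plaintext swipes: the scraper recovers every real PAN."""
    return scrape(pos_memory([swipe_plaintext(r) for r in TRACK2_RECORDS]))


def tokenized_demo(vault: TokenVault) -> list:
    """Tokenized swipes: the same scraper finds nothing usable."""
    return scrape(pos_memory([swipe_tokenized(r, vault) for r in TRACK2_RECORDS]))


if __name__ == "__main__":
    vault = TokenVault()
    print("legacy POS memory  ->", legacy_demo())
    print("tokenized POS memory ->", tokenized_demo(vault))
```

The scraper is the same in both runs; only what the reader hands to the POS changes. That is the whole argument for encrypting or tokenizing at the swipe: the POS software, and anything that has compromised it, simply never holds a card number.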
Eric Cole, a cyber-defense lead at the SANS Institute, said retailers have to approach security with the assumption that they will be targeted.
"Security has to be designed into the network, not just added on as a component," Cole said.
For example, networks should be designed so that POS systems cannot be reached if a hacker breaks into another system on the network that is connected to the Internet.
In the case of Target, malware was planted in POS systems after the hackers stole the login credentials of a supplier that used another portion of the retailer's network.
"(The network) should be segmented, so if a compromise does occur, the amount of damage is contained and controlled," Cole said.
Also, retailers have to stop the practice of using credit-card data for more than just completing a transaction, Kindervag said. Card data is often fed into analytic systems used by marketers to track customer buying habits.
"There's a long held culture of using the credit card number as a way of analyzing the buying habits of consumers and projecting what they might be in the future," Kindervag said.
Retailers and the marketing people who work for them have to recognize that some data is "just too dangerous to have," he said.
Overall, retailers have to approach the avoidance of data breaches the same way energy companies view oil spills, Kindervag said. "It's the most costly thing that could happen to your business."
This story, "Why retailers like Home Depot get hacked," was originally published by CSO.