Why retail data hacks keep happening

Annie Baxter Aug 15, 2016
HTML EMBED:
COPY
The "point of sale" moments like this when you pay, are the root of many data breaches.  Joe Raedle/Getty Images

Why retail data hacks keep happening

Annie Baxter Aug 15, 2016
The "point of sale" moments like this when you pay, are the root of many data breaches.  Joe Raedle/Getty Images
HTML EMBED:
COPY

Another day, another data breach. This time, cyber criminals may have gotten their hands on the payment data of patrons of food and beverage outlets at 20 major hotel chain properties operated by HEI Hotels and Resorts. 

Some of the locations HEI identified include the Boca Raton Marriott, the Sheraton Pentagon City and the Westin Philadelphia. 

Cyber thieves want to get your credit card data any way they can, and the point of sale, where you’re swiping a credit or debit card, can be a point of vulnerability.

 “One of the weakest links is the point of sale because you never know who the merchant is,” said cyber security expert Avivah Litan at Gartner. “The merchant could be bad. The staff that accessed it might be negligent or malicious.”

Litan said a retailer may appear to have a good system that transports your payment information securely.  But some employees or other users—like maintenance staff– have access to the system. 

“And the bad guys are getting in through the user accounts that are able to access the system,” she said. 

Litan said cyber crooks can hack a maintenance person’s credentials and then access anything they want on a system. 

But as we move to chip cards, experts said, many of those problems go away. Chip cards generate a one-time transaction code. The card number itself doesn’t get transmitted, so cyber thieves can’t access it and make counterfeit cards. 

The problem is, we’re not there yet. 

“No doubt you’ve gone to a retailer and seen a piece of tape over the chip portion,” said Brian Dodge with the Retail Industry Leaders Association, a trade group. 

Dodge said major retailers have chip card readers up and running. But some smaller retailers haven’t been able to get their readers certified by the credit card companies yet. 

And Dodge said many problems will persist so long as chip cards still also bear a magnetic stripe, holding open the possibility of fraud. His group also wants users to type in a pin code with chip card transactions, which would provide a further layer of security in the event someone is using a lost or stolen card. Credit card companies say the chips alone thwart fraud. 

Once chip technology is more widely adopted, cyber security experts say point-of-sale transactions will be a lot more secure. But online transactions?  Not so much. And that’s where cyber thieves may then focus their efforts.

As a nonprofit news organization, our future depends on listeners like you who believe in the power of public service journalism.

Your investment in Marketplace helps us remain paywall-free and ensures everyone has access to trustworthy, unbiased news and information, regardless of their ability to pay.

Donate today — in any amount — to become a Marketplace Investor. Now more than ever, your commitment makes a difference.