As Hackers Hit Customers, Retailers Keep Quiet About Security

As the holiday buying season approaches, retailers remain open to the same attack — called a "point of sale" attack — that hit Target and Home Depot, security experts say. Those analysts say that retailers have their fingers crossed, hoping they're not next.

And leading companies are keeping very tight-lipped about what, if anything, they're doing to protect customers.

Is This Store Hackerproof?

It's easy to spot a scratched face on a watch. It's much harder to tell if the checkout machine that you swipe to pay for that watch is defective.

But Davi Ottenheimer knows how. He's a security researcher at EMC, a Hopkinton, Mass.-based data storage company. He's been auditing retail for a decade. And we're looking at how "hackerproof" stores are this holiday shopping season.

We walk into a Rolex Store in San Francisco, and the diamond-studded watches don't catch Ottenheimer's eye. A tablet that's sitting by the counter, with a little square card reader plugged in, does.

"They're not even looking at us," he says as a sales representative walks away. "We could replace the card reader with our own card reader. I have several of those at home."

Never mind that an armed guard is patrolling the door. This store is ripe for a microscale cyberattack. Sure, it would just get a few dozen customers. But, Ottenheimer says, "they spend a lot of money, so if I want to get high-value cards, this would be a place where I could get them."

Rolex and Tourneau, the company managing the store, did not respond to NPR's request for comment about on-site security.

Over at Macy's, Ottenheimer wanders over to an empty corner and stares at a lonely register. He points to a little green icon that's blinking on the hard drive. "It has a network light on the front," he says.

That means it's speaking to other machines that are grabbing card numbers.

Ottenheimer is concerned that crooks could use this unprotected machine to try to break in. "They came over to help us with the jewelry but not with the fact that we're standing and staring at a PC in the corner," he says.

NPR reached out to Macy's to ask what it's doing to protect the customer information feeding into these machines. Is the retail chain scrambling and encrypting card numbers? Is it cordoning off the financial data, so that people with access to one point of entry can't break into others?

Macy's declined to provide a single detail about the most general security measures it's taking.

'Security By Obscurity'

Orla Cox, a security expert at Symantec, helps retailers behind the scenes. And while she can't name her clients because of nondisclosure agreements, she criticizes companies for acting like they can achieve "security by obscurity."

"A lot of times, a lazy approach to security is just to make information difficult to get," she says. "Just because you're not talking about it isn't actually making you any more protected."

According to a recent Symantec report, hacks have gotten bigger and more frequent. Cox and other security insiders say that just about every retailer remains open to the exact same attack — a point-of-sale attack that lifts information from credit card readers — that got Target and Home Depot.

It's not clear if or when that'll change. NPR contacted two dozen of America's largest retailers — which include Sears, Kohl's, Best Buy, Dollar General, the TJ Maxx company — and none of them would indicate whether their budget for online security has increased in this last year of megabreaches.

"I would think that it's fairly innocuous information anyway," Cox says. "Giving a number out there shows that you're taking it seriously."

A Lack Of Incentives

Visa and MasterCard are nudging retailers to take on a bit more liability. By October 2015, merchants who don't have the more up-to-date EMV chip card readers could have to pay for certain credit and debit card theft in stores.

"There is no silver bullet," says Ellen Richey, Visa's chief risk officer, who's on a national campaign to get retailers to invest.

But, many say, there aren't enough incentives for retailers to address the issue.

Retailers make tiny margins — say 2 percent. They don't want to spend on IT support. When credit card data are stolen, they don't typically have to pay. Even if the retailers' lax network security is at fault, financial institutions typically pick up the bill.

That includes credit unions, like LGE Community Credit Union in Georgia. Its president, Chris Leggett, says he is tired of paying for replacement cards after a hack. "It sure would be nice if the merchants would be willing to share in the cost of cleaning it up due to their lax security," he says. "The issuers are paying the brunt of the expense."

The Credit Union National Association is asking lawmakers to intervene, so that retailers are held to stricter security and disclosure rules.

Card Thefts Become Routine

Among victims, a kind of fatalism has set in. People have come to expect the theft.

Kate Anderson in Minnesota has had to replace her cards five times in the past year. "It always seems to happen on a Friday or a Saturday. So usually that's kind of when I kind of really get like, 'Well, should I really go shopping or not?' " she says.

Now, she and her husband know the drill: "Reset all of our passwords and our PIN numbers and every place that we do auto debits from."

Texas resident Hunter Hargrave has replaced his cards twice following hacks. "I wouldn't be surprised if it happened again," he says.

The 25-year-old is turning away from the world of plastic and using old-school money a lot more. "Whenever I get paid, I take out the vast majority in cash, and then I put the rest on a debit card. But the debit card's only for emergencies," he says.

Even if people ditch their cards, they're not ditching the stores. While the cost of cleaning up a hack is climbing, according to a recent survey by the Ponemon Institute, the cost of doing nothing — and hoping for the best — is not.

Sales at Target and Home Depot have been exceeding expectations. Experts say that as long as we're spending, retailers don't have to spend on protecting us.