Executives from Target and Neiman Marcus were among those who testified before the Senate Judiciary Committee on Tuesday, speaking on the growing threat that hackers pose in the wake of several recent point-of-sale (POS) attacks against U.S. retailers.
Although Target CEO Gregg Steinhafel said in a mid-January CNBC interview that Dec. 15, 2013, was spent eliminating the malware from POS devices so customers could shop safely in all Target stores the following day, the testimony of John Mulligan, executive vice president and chief financial officer with Target, revealed that the malware still existed on more than two dozen POS machines after that date.
“On December 18 we disabled malware on about 25 additional registers which were disconnected from our system when we completed the initial malware removal on December 15,” Mulligan said. “As a result, we determined that fewer than 150 additional guest accounts were affected.”
Neiman Marcus initially revealed that as many as 1.1 million customer accounts may have been impacted, but Michael Kingston, senior vice president and chief information officer with Neiman Marcus, revealed in his testimony that the breach probably affected fewer individuals.
Kingston said that card-scraping malware was active on Neiman Marcus POS devices from July 16, 2013, to Oct. 30, 2013, but explained that the malware was likely not operating every day during that period and that there is no evidence that it was operating in all Neiman Marcus stores.
“Thus, the number of payment cards that were potentially exposed during this period appears to be lower than 1,100,000, although we have not determined how much lower,” Kingston said, adding the investigation is ongoing.
For Target, the ease of credit card theft and point-of-sale compromise these days underscores the need for the U.S. to shift to a chip card alternative. Mulligan announced on Monday that Target would be accelerating implementation of smart card technology for its customers.
In an email correspondence, Steve Durbin, global vice president of the Information Security Forum, told SCMagazine.com that the introduction of the EMV standard for chip cards in the UK and France has had a measurable impact on in-store credit card fraud, but explained that cost is likely the biggest factor holding back adoption in the U.S.
“Cost of new card readers, cost of replacing card machines and cost of cards themselves,” Durbin said. “More importantly, it is about who should pay for these costs when the United States has already rolled out the magnetic stripe system requiring a signature for verification. Should it be the card issuers or the retailers who foot the bill?”
In a statement emailed to SCMagazine.com, Mark Bower, vice president of product management for Voltage Security, said that EMV is not an automatic win and emphasized how the U.S. needs to learn from experiences in the UK that show how stolen data from these systems can be repurposed for fraud, particularly with online transactions.
“With EMV, the sensitive credit card number is still not encrypted from chip to the POS or beyond,” Bower said. “Transactions are authenticated, but not encrypted. So, mass data breaches need to be mitigated by the combination of EMV with end-to-end encryption and tokenization from the reading device using data-centric security technologies that are already here and proving their worth in the fight to make attacks harder and unattractive to criminals.”
Bill Hardin, director of the disputes and investigations practice with Navigant, told SCMagazine.com in an email correspondence that he agrees. “You have to take fraud into account; moving to chip and PIN does not prevent fraud, it makes it more expensive for criminals to fabricate the card as opposed to the magnetic stripe cards,” he said.
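As an added illustration of Bower's and Hardin's point (example code written for this page, not from the article or any vendor): an EMV-style authorization is modeled as a cryptogram over the transaction data with the PAN sitting beside it in clear, and the reader then swaps the PAN for a vault token before the record reaches the register or store network, while the processor can still restore it so the issuer verifies the cryptogram. The key, the test card number, the simplified cryptogram and the direct reader-to-vault call are constructed simplifications (a real reader sends the PAN encrypted to the processor and receives the token back).

```python
import hmac
import hashlib
import secrets

ISSUER_KEY = b"constructed-issuer-key"  # placeholder; real EMV uses issuer-derived keys


def chip_cryptogram(pan, expiry, amount, atc):
    """Simplified ARQC: a MAC over the transaction data. It proves the card and
    transaction are genuine but does nothing to hide the PAN beside it."""
    data = f"{pan}|{expiry}|{amount}|{atc}".encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()[:16]


def emv_authorization(pan, expiry, amount, atc):
    """EMV online authorization without tokenization: authenticated, PAN in clear."""
    return {"pan": pan, "expiry": expiry, "amount": amount, "atc": atc,
            "arqc": chip_cryptogram(pan, expiry, amount, atc)}


class TokenVault:
    """Held at the processor, not in the store: a breach of POS or back-office
    systems yields tokens that cannot be mapped back to card numbers."""

    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenize(self, pan):
        if pan in self._token_by_pan:          # same card -> same token (loyalty, refunds)
            return self._token_by_pan[pan]
        while True:                            # random digits; last four kept for receipts
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token], self._token_by_pan[pan] = pan, token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def tokenized_authorization(vault, pan, expiry, amount, atc):
    """Reader computes the cryptogram, then replaces the PAN with a token before
    the record ever reaches the register, store network or back office."""
    auth = emv_authorization(pan, expiry, amount, atc)
    auth["pan"] = vault.tokenize(pan)
    return auth


def issuer_verify(vault, record):
    """Processor restores the PAN from the vault; the issuer recomputes the
    cryptogram, so authentication still works end to end over tokenized data."""
    pan = vault.detokenize(record["pan"])
    expected = chip_cryptogram(pan, record["expiry"], record["amount"], record["atc"])
    return hmac.compare_digest(expected, record["arqc"])
```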