by Ralph Eck | Sep 17, 2014
Retailers around the globe have known for quite some time that their payment system security is grossly insufficient, yet they have been slow to act. This lethargy has led to hack after hack, with tens of millions of customers' credit card credentials exposed, stolen and abused. The annual financial damage from these and other online hacks, phishing, spam and fraud is estimated to be approaching 20 billion dollars. The latest reported hack, at Home Depot, was once again due to loose security surrounding in-store credit card purchases at over 2,200 USA and Canadian stores. The theft of over 40 million credit card holders' information could easily make this hack even larger than the one reported last year by Target, and even more expensive. What is unique in the Home Depot case is that the stolen cards aren't being used just for bogus online purchases; the thieves are even bolder, producing physical credit cards based on the stolen credentials, and have already stolen in excess of $300,000 in cash from ATMs.
What must make this hack even more damning and embarrassing for Home Depot is that they had realized their exposure and this past January had decided to purchase and implement a new system that would harden their POS (point of sale) security by encrypting the credit card information immediately. After several months of testing, this April they awarded a multi-million dollar contract to a security vendor. Sadly, it was already too late. By April the hackers had already penetrated the existing POS platform and were actively stealing the credit card information from customer after customer. The company discovered the hack in September, 5 full months after the attack had been launched. John Kindervag, an analyst with Forrester Research, said, “We have been recommending for years and years that people encrypt and tokenize at the swipe … the attackers are really good and fast.” But the retail industry has been shamefully slow in responding to what has been common knowledge for years because they thought it was too expensive to upgrade their POS security. Well, now they are paying the price for their short-sighted decision.
So what does a consumer do once the news is out that his account/credit card information has been stolen? The obvious immediate advice usually given by the breached entity is to “monitor your account and report any unusual activity”. But this advice falls woefully short of what the consumer really should do. Security experts agree, virtually unanimously, that monitoring the account activity is not sufficient at all. The best protection is to cancel the exposed account/card and get a new one. So if you may be one of those exposed, take action now.