Another day, another retailer hacked — and more should be expected in the days to come, according to a financial security expert.
Brian Krebs broke the news yesterday that, according to the banks, Home Depot suffered a card data breach as large or larger than the one that hit Target late last year.
Paula Drake, a Home Depot spokeswoman, announced yesterday, “At this point, I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate.” Home Depot has about 2,000 stores, according to the Wall Street Journal, and high-profile partnerships with companies like PayPal.
As merchants and issuers prepare for the EMV liability shift in October 2015, more attacks of this kind should be expected, according to Mary Ann Miller, senior director and fraud executive advisor with NICE Actimize. “I lived in the U.K. during the EMV migration,” Miller said. “What they see [as the shift occurs] is that the value of the data diminishes in the rush to implementation [of EMV.]”
EMV stands for Europay-MasterCard-Visa, and is used as a shorthand to describe so-called smart cards, which contain chips that tokenize transactions, making fraud more difficult.
The data from magstripe cards — technology comparable to that used in cassette tapes, according to Jason Oxman of the Electronic Transactions Association — used to create dummy cards becomes less valuable after EMV becomes universal. However, with backward compatibility and slow-moving issuers, magstripe will remain viable for both customers and fraudsters for some time.
Still, the window is closing, Miller said, adding that she believes fraud attempts will continue at a steady pace at major retailers over the next year.
What is to be done beyond updating point of sale devices? Miller believes that groups within companies, from the CFO on down, should be educated about what is happening in the fraud space and what countermeasures are available. “Consumer confidence is important. Merchants have to communicate with their customer base and tell them what actions they are taking, letting them know security is important.”
Hiring the right talent is also important, Miller said.
Smaller banks and credit unions, however, do not appear to be placing EMV migration at the top of their To-Do Lists, because they do not believe merchants will be ready. Miller agreed and said that these smaller institutions will suffer the most as the migration happens.
“What we see is that as the migration occurs, fraud will migrate to unprotected channels,” Miller said. She recommends that both large and small FIs examine their card-not-present strategies, as fraud will be expected to move online as the magstripe market dries up. “Card-not-present fraud is an important migration point while implementing EMV,” Miller said. “We recommend that companies address both types of fraud at the same time, as the migration occurs.”
She also recommends that FIs field “fraud observatory” teams to look at metrics and analytics as fraud migrates to other channels. “We will expect to see more social engineering and identity theft as the EMV shift occurs,” she said.