Home Depot breach hits 56 million cards. Why do hacks keep happening?
The data breach at Home Depot could be the biggest in history, and is the latest in a string of breaches that have customers asking why businesses aren't doing more to protect their data.
Home Depot announced Thursday that 56 million cards might have been compromised in an attack between April and September of this year. The breach affected stores in the US and Canada.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Frank Blake, Home Depot's chief executive, . "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
The breach is the latest in a long series of high-profile attacks on retailers, including Target, Neiman Marcus, Supervalu, Dairy Queen, and P.F. Chang's China Bistro. Why do these breaches keep happening, and what is being done to protect your information? Read on for a few answers.
Where is the data being stolen?
The breaches at Home Depot and Target, the two highest-profile cases, were point-of-sale (POS) attacks. In both instances, someone was able to install malware in the company's payment system and then capture information when shoppers swiped their credit cards.
POS attacks accounted for 31 percent of all breaches between 2011 and 2013,
Why is it so prevalent?
Most businesses have only basic security in place. All businesses that wish to accept credit or debit cards must meet standards set by the Payment Card Industry (PCI). But PCI compliance can only do so much to protect the data.
"It is possible to be PCI compliant and still be hacked," Stephen Cobb, senior security researcher at ESET, told 海角大神 in early September. He made the case that attacks keep happening because businesses don't go beyond minimum requirements. "There is a lot of discussion about updating the standard, and a lot of people in security are saying 'having a standard in compliance isn't being secured.'"
For those who do invest in extra security, some experts argue they could be buying the wrong type. "Most of the resources are invested to protect the perimeter. The thinking is, if you put a high enough wall, then you are protected. That used to be true once, you just needed to be safer than other businesses," says Michael Mumcuoglu, chief technology officer of the Israeli-based security firm LightCyber, adding that businesses need to invest more into knowing when there is a breach to quickly deal with the problem.
"[Businesses] must spend more money for detection and response. You can't just try to protect yourself from attack," he says. "They need to shift the focus to a more holistic approach that doesn't only look at what is bombarding them from the outside. They need to look at what is happening inside the network."
What is being done to protect customers?
With the traditional magnetic strip credit card, hackers are able to make fake credit cards using the stolen data. The fake card can then be used like a normal card. But many credit card companies are now moving to a chip-and-pin system. Chip-and-pin cards have an embedded microchip that prevents hackers from being able to make faux credit cards.
"The idea is that it enables the information to be read off a secure chip on the card," John Pironti, risk and security advisory at ISACA, . "It has to be present for the transaction, and the card number itself is never released to the provider."
Chip-and-pin cards are held by millions of Americans, but there is a major problem: oftentimes, customers can't use them. Businesses must install new point-of-sale systems to accept these cards, but, thus far, US merchants have been slow to do so because of the cost.
"The problem with security is that it is like insurance," Phil Montgomery, executive vice president of Identiv, a security firm, told the Monitor in September. "It is something you have to invest in up front, and the attack may or may not happen. It's hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity."
Walmart and Target are the only two major retailers to unveil the new system in the US, but that could soon change. New credit card standards go into effect in October 2015, and they will change who is liable for data breaches. While businesses won't be forced to accept chip-and-pin cards, those who don't accept them will now be held liable for breaches.
Home Depot said it will unveil a new chip-and-pin system by early 2015, only in Canadian stores.
Another level of protection comes in the form of the new Apple Pay system, announced by Apple last week. iPhone 6 users will be able to upload their credit card information onto their phones and then use their phone to pay for purchases. The credit card is more secure for two reasons: Apple doesn't store the card's information on its servers and the stores never get access to the card's information. Instead, Apple gives the store a one-time use password that the store uses to get its payment.
Still, only time will tell if Apple Pay is as secure as it claims.
What can customers do to protect themselves?
Experts say the best thing customers can do is watch their credit card statements for fraudulent purchases. When a fraudulent charge appears, customers should call their banks as soon as possible.
Many experts are also pushing customers to demand that businesses invest in infrastructure that makes their data more secure.
"To get business owners to pay attention is a challenge," Lee Plave, a lawyer with the Virginia-based Plave Koch PLC, told 海角大神 in early September. "[People] have to convince them that it's something they have to change."