story by Kim Souza
The major security breaches at Target, Neiman Marcus and at least three other anonymous small retailers this past holiday season are sending strong signals to retailers, consumers and local banks about the need for heightened cyber security in this electronic age.
The true cost of fraud to retailers is $2.79 for each dollar of fraud losses they incur, according to a September 2013 fraud study by LexisNexis. The cost rose 10 cents on the dollar from 2012, according to the report. The study attributes the increased cost to a spike in online purchases being driven by the proliferation of malware and data breaches, which facilitate the theft and misuse of consumers’ payment cards and other payment information.
Target CEO Gregg Steinhafel told CNBC on Sunday (Jan. 12) that the security breach it suffered between Nov. 17 and Dec. 15 was perpetrated through point-of-sale malware installed in its payment system. This opened the floodgate of consumer information stored by the retailer including the vital payment card and PIN number information for some 40 million customers and the names, phone numbers, email and physical addresses for another 70 million customers. Target said there may be some overlap between the two groups.
Target has promised consumers they will face no liability for the security breach, and the company is offering one year’s free credit monitoring to any of the 110 million shoppers at risk from the recent security breach.
Despite Target’s candidness about the breach and willingness to accept full responsibility, there is still a huge cloud over the retailer. Target reduced its fourth quarter earnings guidance by 20% late last week, expecting between $1.20 and $1.30 per share, a 30-cent downward departure from the prior estimate, which was given before the hacker attack. Target also lowered its fourth quarter comps, which are expected to decline 2.5% in the period, down from prior guidance of flat comps.
Analysts quickly surmised that the high number of Target customers affected from the security breach likely shopped elsewhere. Faye Landes, retail analyst at Cowen and Company, said consumers do care about the security breach, no matter what Target does to ensure no liability with the increased fraud risks. She expects the costs to Target will be millions when all is said and done and the lawyers get paid.
Given the most recent update from Target about how the breach occurred, cyber security experts agree the information heist is likely an inside job of sorts.
Scott Schober, cyber security expert, told CNBC the malware had to be installed directly into the system from inside, given that Target does not use outside services like Google. He said the crime is highly sophisticated and unlike the usual breach schemes seen in Eastern Europe.
The retail industry is behind other sectors as they have not updated their point-of-sale infrastructure with the latest technology advances such as chip technology, according to David Kennedy, CEO of TrustedSec. EMV smart chips have been widely adopted in Europe. Kennedy said this chip, in combination with a PIN, unlocks the financial data, which is more secure than the magnetic strip technology now used by U.S. retailers.
He said the time estimate for U.S. retailers to adopt EMV chips is 2020 and until then they are vulnerable to these types of data scraping attacks. Part of the reason for the delay is the cost involved in changing out the point-of-sale systems in thousands of stores across the country. But experts say the timeline for EMV could move up with continued fallout from the recent breaches.
Credit card companies like Chase already use the technology in their Chase Sapphire credit card and Google Wallet is also a mechanism for consumers to consider, Kennedy said.
Kennedy urges consumers who used their cards at Target or Neiman Marcus to cancel those cards. But local banks did not give consumers the same advice regarding card cancellations.
Gaye Wilcox, sales manager for Arvest Bank in Fayetteville, said Arvest chose to handle the card cancellations on a case-by-case basis.
“We did not do a mass reissue from the Target breach. We did talk with several customers who had concerns and we raised the height of our credit monitoring to high alert. Consumers were told to monitor their accounts daily online or via mobile banking and our internal fraud department watched closely those accounts flagged at risk,” Wilcox said.
Karen Cardwell, senior vice president of operations at First National Bank of Fort Smith, said their internal fraud department also uses software to monitor debit card activity on a regular basis. Like Arvest, in the case of a major breach or security hack, Cardwell said the banking group will replace a card for a customer who has experienced a fraudulent charge, or anyone who requests a new card for their own peace of mind. Cardwell said the banking company has locations in Fort Smith and Northwest Arkansas where customers can get a card reissued instantly if they want it.
The bankers said there is often more inconvenience in canceling a debit card than a credit card given that consumers may have automatic payments linked to their debit cards, such as insurance premiums, utility bills, etc.
Arvest said many customers may never experience issues from the data compromise, but they should continue to monitor their accounts because it’s the cautious thing to do.
Four years ago, debit cards passed credit cards, cash and checks to become the most popular form of payment among consumers, according to creditcards.com. Debit card users total some 50 billion in the U.S., growing from 15.6 billion in the past decade.
Some 7% of debit card users and 10% of credit card users in the U.S. have been victims of fraud in the past five years, according to the U.S. Department of Justice.
Debit card fraud has been rising by about 30% annually over the last few years, and the liability in case of fraud errors varies by issuer. About one in 14 consumers has been hit by debit card fraud in the last five years. Wilcox said Visa provides a no-liability guarantee for both debit and credit card holders, but the emotional stress can be higher for consumers with a debit card breach given it is linked directly to their financial liquidity.
In the typical case of debit card fraud, consumers spend 28 hours making phone calls, dealing with their bank and filing police reports to get the problem resolved.