Feb. 9, 2007 at 7:00 AM ET
You can try to hide from the Internet, but it will find you. And so will data thieves.
The latest story of leaked data is a clear lesson for those who think steering clear of online shopping makes them safer.
Last month, customers who shopped at the brick-and-mortar stores of discount retailers TJ Maxx and Marshalls (both operated by The TJX Companies, Inc.) got the bad news that a hacker had stolen their personal information. Shoppers who paid by credit or debit card had their data stolen; in cases where customers returned merchandise for a refund, driver's license information also was stolen. The theft dates back to 2003, the company says.
The company hasn’t indicated how many consumers were affected, but a memo sent by Visa USA to member banks and viewed by MSNBC.com said “the breach involves millions of card accounts across all major payment brands.”
The story exposes this truth: Shopping offline is just as risky as shopping online. In fact, shopping offline is shopping online. Or, as computer security expert Avivah Litan of Gartner likes to say, "The store is the Internet."
That's because when you shop in a retail store, your card data ends up stored in a company's computers, which are ultimately connected to the Internet.
TJ Maxx is about as far from a risky, hip Internet site as you can get. And yet, its shoppers were hit by ID theft just like someone who shops online every day.
News of the TJ Maxx leak came as a shock to Red Tape reader Katie Slosarik.
"I, like millions of other Americans, shop frequently at a TJX CO. store, using my credit card or a check to pay for my purchases. I cannot believe they had been stockpiling financial data on their servers … from 2003! What could they possibly need that data for?"
Retailers don't need shoppers’ data for more than a few weeks, but they keep it anyway. Think of it as a bad habit, kind of like leaving expired milk in the fridge. Programmers are data pack rats, and they have long had the habit of keeping data around just for the heck of it.
And because the data is connected to their network and, ultimately, to the Internet, it is just as accessible to thieves.
Most data leaks from 'real-world' stores
In fact, security forensics firm Cybertrust researched 160 data leaks involving retailers during 2006 and attributed 80 percent of them to brick-and-mortar stores.
"Many of the large compromises are not related to e-commerce," said Bryan Sartin, vice president of investigative response at Cybertrust. Criminals don't care where their victims shop, he said, they simply target "organizations that handle great volumes of data."
It makes sense that criminals target brick-and-mortar stores, Litan said. Criminals who steal credit card numbers turn them into cash by creating counterfeit cards and selling them to other crooks for their shopping sprees. The best counterfeit credit cards are produced by criminals who manage to steal all the data stored on the magnetic stripe of the legitimate card -- including a secret code banks can use to verify authenticity.
Retailers are supposed to discard the magnetic stripe data -- obtained only by physically swiping the card through a card reader -- after they use it to verify the card, but they often don’t.
Then, when the data is stored on corporate servers, hackers who break in are sure to grab it for use in counterfeiting.
These secret codes are generally unavailable to e-commerce hackers, who raid databases of online transactions; those records are built from consumer purchases in which only the account number and other basic information are entered into the Web site.
"The pot of gold is getting the magnetic stripe information," Litan said. "They can't make perfect counterfeit cards unless they have that code."
Retailers are supposed to discard the magnetic stripe data, but of course, they often don’t. When it is stored on corporate servers, hackers find it, copy it, and they have their pot of gold.
Because so much attention has been put on e-commerce security, in some ways, brick-and-mortar shoppers are at greater risk, Litan said.
"You need to be more afraid of the gas pump than shopping online," she said. "This is a surprise to consumers, and even my clients. But people have been so focused on protecting Internet commerce they forget about real world commerce and forget the real world is on the Internet."
Security standards ignored
For years, the credit card associations have been instructing retailers to improve security standards, and in particular, to avoid storing personal information. A set of security standards promoted by Visa and Mastercard -- known as the PCI (Payment Card Industry) standard -- was supposed to be implemented by stores last October. But so far, only about one-third of the nation’s largest retailers are PCI-compliant, Litan said. The shortcomings are obvious from the continued news of data leaks.
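The compliance gap described here, and the retained magnetic stripe data discussed above, are the kind of thing a retailer's own security team can audit for. The following scanner is an added example, not code from the article or from any company it names; it assumes the ISO 7813 track 1/track 2 layouts and runs over constructed log rows that use the well-known Visa and Mastercard test numbers rather than real accounts.

```python
import re

# Constructed sample rows, shaped like a retailer's stored transaction log.
# PANs are the public Visa/Mastercard test numbers, not real card accounts.
SAMPLE_ROWS = [
    "2006-11-02 store=0412 auth=OK pan=4111111111111111 amt=42.10",
    "2006-11-02 store=0412 auth=OK track2=;5500000000000004=09121011234567890?",
    "2006-11-03 store=0931 refund dl=STATE-ID-PLACEHOLDER amt=-19.99",
    "2006-11-03 store=0931 auth=OK track1=%B4111111111111111^DOE/JANE^0912101000000000?",
]

# Assumed ISO 7813 track layouts (the article only says "magnetic stripe data").
# Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
# Track 1: '%B' PAN '^' NAME '^' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the first six and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_retained_stripe_data(rows):
    """Return (row_index, track_kind, masked_pan) for rows that still hold full track data.

    A bare PAN may be stored if protected; full track data must not be kept at all.
    """
    hits = []
    for idx, row in enumerate(rows):
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(row):
                if luhn_ok(m.group(1)):
                    hits.append((idx, kind, mask(m.group(1))))
    return hits


if __name__ == "__main__":
    for idx, kind, pan in find_retained_stripe_data(SAMPLE_ROWS):
        print(f"row {idx}: retained {kind} data for {pan}")
```

Run against real storage (database dumps, POS logs, backups), the scanner should only ever emit masked PANs, so its own output does not become another copy of the data it is hunting for.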
As in the TJ Maxx case, data stolen from retailers can go beyond credit cards. Sartin said he’s seen hackers delve deep into retail computer systems to target loyalty card data, which includes detailed purchase histories and other personal information.
"Consumers should be very careful who they give that data to," he said.
But most consumers don't have much choice, Litan pointed out -- like TJ Maxx buyers who wanted refunds and were forced to fork over a driver's license.
"What are you supposed to do, not shop?" she said.
Banks should do more
Consumers aren't liable for fraud committed using their credit cards or debit cards. As long as fraud is spotted quickly and reported, they have little trouble recovering from the incident. Still, it's a nuisance -- automatic payments must be resubmitted using the new cards, for example. And there's no telling what hackers might do with more sensitive information, like the driver's licenses stolen from TJ Maxx.
Litan says banks should take more responsibility for the mess. There are 5 million retailers in the U.S., she said, and it's unfair to expect all of them to become financial security experts. It's also impractical to expect all of them to stop saving consumer data.
"Banks keep shifting the problem to retailers, but banks must strengthen card security as well," she said. "The problem is banks aren't doing enough to change the payment systems."
That may not last forever. While the steady drumbeat of data thefts continues, there is evidence suggesting the thieves are becoming more sophisticated, Litan said. In the TJ Maxx case, for instance, criminals who stole the data quickly distributed it around the world and began making fraudulent purchases, making it harder to stop the fraud.
The pattern followed a similar large credit card heist last year that published reports tied to OfficeMax, a charge the company denies. In that theft, criminals managed to make thousands of fraudulent purchases worldwide before banks were able to put a lid on the fraud, Litan said.
"This stuff is not going away," she said. "The criminal gangs are just getting started."
And they are after your personal information -- whether or not you shop online.