Why our credit cards keep getting hacked

After the huge Target breach of 2013, you’d have thought retail companies would have figured out how to protect their cash register systems from malware that attempts to steal customers’ data.

Then came Home Depot. Then Neiman Marcus. Then Wendy’s. In the past few months, Chipotle, Arby’s and Kmart were all hit. Why are these attacks still happening?

Time and money, say experts. It takes time for companies to rebuild point of sale systems more securely and shift from magnetic stripe credit and debit cards to more secure chip cards. They need money to hire tech staff to secure those networks, money to buy software to do the securing and money to buy new, encrypted point-of-sale machines.

“It’s expensive and complicated to get systems to up the point they’re really hardened against these kinds of attacks,” said John Miller, manager of threat intelligence for FireEye, a large cyber security company.

Proportionally, attacks on point-of-sale systems (as modern cash register systems are called) are down, according to the 2017 Data Breach Investigations Report by Verizon. This year they’ve made up just 6.7% of overall breaches tracked by the company, down from a high of 45.4% in 2011.

Even so, there are still lots of these thefts, in which criminals insert malicious software into a company’s point-of-sale (POS) system. The malware surreptitiously records credit and debit card information when customers swipe them through payment terminals. It later sends the card information to the thieves, who sell it on the Internet underground, known as the dark web.

These breaches continue to cause retailers and their customers headaches. In 2016, each stolen record cost retailers $172 to deal with, according to a study commissioned by IBM. In May, Target agreed to pay $18.5 million to resolve state investigations into the attack that affected more than 41 million of the company’s customer payment card accounts.

One problem is that many retail companies are slow to install software patches, even for known security problems, because they fear the patches might disable their POS software or terminals, causing them to miss sales.

That inconvenience is compounded by the increased frequency of these recommended security updates. While once companies might have gotten quarterly software updates, today they’re hit with a constant blizzard of them.

“Now we’re agile, we’re releasing something every week, or every day or even every hour,” said Ryan O’Leary, vice president of the threat research center at WhiteHat Security in Santa Clara, Calif.

While no system is 100% secure, most can be made much safer than they are. But not all retailers take the necessary steps. In fact, some wait to install known, but expensive, protective measures until they’re hacked.

“One they’re in the headlines, that’s when they invest the money, no matter how much pain there is,” said Ryan Olson, a threat intelligence director at cyber security firm Palo Alto Networks.

Consumers can try to protect themselves by looking for retailers that have enabled chip-based credit and debit card use on their POS terminals. These are much more secure than magnetic stripe cards.

When a customer swipes a card with a magnetic stripe, the POS machine sees the credit or debit card number, the card’s expiration date and the three or four-digit security code off the stripe. On a chip card, that security code is encoded as a dynamic cryptogram that changes each time the card is used.

This means stolen stripe card information is much more valuable to thieves, as it can be sold to create fake cards or used online. Without the security code — which the chip reader masks — the stolen credit card number and expiration date are worth much less on the dark web where thieves typically sell their stolen card data.

Unfortunately, only 44% of retail storefronts have chip card readers enabled on their POS systems, so customers still have to swipe the card’s stripe, even if it has a chip, said Mark Nelsen, a senior vice president of risk and authentication products at Visa.

As that changes, POS hacking will become less lucrative, because the information hackers can collect won’t be worth as much on the black market. Though FireEye’s Miller doesn’t see cyber thieves giving up until the last possible moment.

“Criminals know there’s a shrinking window for these kinds of attacks,” he said. “They make a lot of money off them, so they want to make as much as they can while they still can.”


1 Smart Credit Card Tip to Simplify Your Life

There’s only so much time in the day, and being efficient with your finances can make room for what really matters.

In the video segment below, The Motley Fool analysts Nathan Hamilton and Michael Douglass asked one of the Fool’s credit card specialists for his top credit card tips. One smart insight is included below and it could help simplify your finances.

Michael Douglass: Let’s turn to No. 4. Dan Caplinger, who is a valued —

Nathan Hamilton: Long-time Fool.

Douglass: Yeah, longtime Fool. Hey, Dan. He suggested, talk to your credit card companies and see if you can get them to align the due dates for your payment cycles.

Hamilton: Yeah, I like this one. It’s an efficiency one for people who may be do hold multiple credit cards.

Douglass: Yeah, this isn’t something that’s going to make you a lot of extra money, but it can simplify the process and make your life easier, which is really a big part of this.

Hamilton: Yeah. When I asked him about one of his tips and he submitted this to me, I thought to myself, oh man, I have to do this as well, because my bills specifically are spread throughout the month. And it is a hassle to track all of them and make sure everything is paid. But if you have multiple credit cards, and you call up your issuer, most issuers I know of allow you to change the due date to wherever you please.

Douglass: Sure, as long as they get paid.

Hamilton: Yeah. So, calling up your issuer to do that and, say, put it on the 15th of every month, whatever date you choose, whatever works with your budget and how you like to have it set up, can absolutely simplify your finances. It’s a very useful tip that’s very easy.

Douglass: Yeah, and one of the nice things about this is, the way I often think about it is, let’s say you know you have $2,000 in credit card bills that are going to come to you at different parts of the month, and you’re making more than that, you’re pulling in more than that with your paychecks and all. But, if you aren’t managing when that cash is coming in versus when it’s going out, you could be in a position where you don’t have any money in your checking account, you’re overdrawn, and all that stuff gets ugly. So, putting it all together means you could be like, “Cool, by the 6th or the 15th or whatever, I just need to make sure that I have this amount,” as opposed to, “I have this amount by the 5th, and this amount by the 10th, and this amount by the 12th, and hopefully stuff comes in by the 14th.” That’ll make your life easier.

Hamilton: Living paycheck to paycheck, it’s absolutely important.


Here’s What You Should Know About Credit Cards Paying Up to 10% Cash Back

Are you considering which card to apply for?

The Motley Fool analysts Nathan Hamilton and Michael Douglass compiled a handful of helpful credit card insights from the Fool’s credit card specialists, and included one tip in the video about choosing a cash-back credit card or sign-up bonus.

5 Simple Tips to Skyrocket Your Credit Score Over 800!

Increasing your credit score above 800 will put you in rare company. So rare that only 1 in 9 Americans can claim they’re members of this elite club. But contrary to popular belief, racking up a high credit score is a lot easier than you may have imagined following 5 simple, disciplined strategies. You’ll find a full rundown of each inside our FREE credit score guide. It’s time to put your financial future first and secure a lifetime of savings by increasing your credit score. Simply click here to claim a copy 5 Simple Tips to Skyrocket Your Credit Score over 800.

Michael Douglass: Tip No. 3 comes from Selena, who is one of our writers and great partners, she’s a longtime Fool. Don’t put off exploring cards that might be great for you, such as one that gets you 5-10% back on bonus categories spending, or one that offers a fat sign up bonus worth hundreds of dollars in travel benefits. Essentially, it’s the same idea that we have when we are approaching the stock market, which is, the important thing is to be invested now. That’s not arguing for market timing, it’s essentially saying, if you were in the stock market, that’s generally a better move than not being in the stock market, because long-term, things have historically tended to return a lot. So, our hope is that that will continue. In the same way, with credit cards, the best time to get started is right now, particularly with some of these that can really do a lot for you.

Nathan Hamilton: If you’re staying on budget, if you’re not incurring interest charges, if you’re paying your balances off monthly, it absolutely makes sense. Going back to our first point from Adam, where he mentioned Mint and Personal Capital, the last I recall, those apps allowed you to look at your spending categories and say, “I spend 60% on dining out, I spend 40% on gas.”

Douglass: Or junk food.

Hamilton: Yeah. But you can categorize it. Here’s where it makes sense for these bonus cashback cards. I generally look at it, when people ask me how many cards they should have, I say, normally, one to two. If you want to simplify your finances, keep it at one. If you want to optimize your rewards, two can make sense. But, back it up to what you see your budget is, and say, “OK, I can get a bonus cashback card, and this certain line item represents 80% of what I normally spend on a budget.” That’s where you can get the most use out of your time for earning rewards. Then, for the other card, get essentially a basic, flat rate card that is transparent, flexible, and works for everything else.

Douglass: Yeah. Let’s talk about a couple of the reasons why people tend to be a little bit shy a lot of the time about opening new credit cards. One of them is concern about their credit store. The issue here is, when you apply for a credit card, usually there’s a hard inquiry on your credit score. What that means is, somebody checks with the credit bureau whether you are creditworthy.

Hamilton: See how risky you are.

Douglass: Yeah, exactly. As a result, your credit score goes down a little bit. Usually not by a lot. We’re talking less than 20 points. But, a little bit, because it indicates that you’re looking to open up a new debt sleeve. So, that might make your credit appear a little bit riskier for somebody else if you try to open up another debt sleeve and another debt sleeve. So, people tend to delay because of that concern. Of course, on the flip side, it can actually be a benefit to your credit score longer-term.

Continue Reading