As Hackers Hit Customers, Retailers Keep Quiet About Security : All Tech Considered

Leading companies are keeping tight-lipped about what they're doing to protect customers from similar attacks that have hit Target, Home Depot and other major retailers.


As the holiday shopping season ramps up, we were curious what retailers are doing to protect you from hackers.


You could say 2014 has been the year of the credit card hack. Home Depot, Staples, PF Chang's - those are just some of the companies that have been hit.

CORNISH: As we hear from NPR's Aarti Shahani, they're staying tightlipped about what, if anything, they're doing to protect customers.

AARTI SHAHANI, BYLINE: It's that time of year and I'm at the Rolex store. Davi Ottenheimer is with me, and we’re not looking at diamond-studded watches.

DAVI OTTENHEIMER: Yeah, so that’s a pad, right? So it’s a typical pad. It has a USB-attached card reader.

SHAHANI: Our eyes are fixed on a tablet that's just sitting by the counter with a little square card reader plugged in, totally unattended.

OTTENHEIMER: They're not even looking at us. We could replace their card reader with our own card reader. I have several of those at home.

SHAHANI: Never mind that an armed guard is patrolling the door, this store is ripe for a micro-scale cyber-attack. Sure, it would just get a few dozen customers.

OTTENHEIMER: But they spend a lot of money. So if I wanted to get high-value cards, this would be a place where I could get them.

SHAHANI: Ottenheimer is not here to rob Rolex. He’s a security expert who’s been auditing retail for well over a decade. And we're checking out how hacker-proof stores are this holiday shopping season. Over at Macy's, we stand in an empty corner and stare at a lonely register.

OTTENHEIMER: So I can see, for example, it has a network light on the front.

SHAHANI: Which means it's not lonely. It's on a network, speaking to other machines that are grabbing card numbers. Ottenheimer is concerned - no one is watching us, and we could use this machine to try to break in.

OTTENHEIMER: They came over to help us with the jewelry but not with the fact that we’re standing and staring at a PC in the corner.

SHAHANI: NPR reached out to Macy’s to ask what it's doing to protect the customer information feeding into these machines. Are they scrambling and encrypting card numbers? Are they cordoning off the financial data, so that people with access to one point of entry can’t break in to others? Macy's declined to provide a single detail about the most general security measures it’s taking.

ORLA COX: A lot of times a lazy approach to security is just to make information difficult to get.

SHAHANI: Orla Cox is a security expert at Symantec who helps retailers after they've been hacked.

COX: Just because you’re not talking about it isn't actually making you any more protected.

SHAHANI: Cox and other security insiders say that just about every retailer remains open to the exact same attack - a point-of-sale attack that got Target and Home Depot. And it's not clear if or when that’ll change. NPR contacted two dozen of America’s largest retailers, which includes Sears, Kohl's, BestBuy, Dollar, the T.J. Maxx Company, and none of them would indicate if their budget for online security has increased in this last year of mega-breaches.

COX: I would think that it's fairly innocuous information anyway, and that's, you know, giving a number out there, you know, shows that you’re taking it seriously.

SHAHANI: Visa and Mastercard are on a national campaign to nudge retailers into taking on a bit more liability. But many say the incentives are off. Retailers make tiny margins - say 2 percent. They don't want to spend on IT support. And when credit card data gets stolen, they don't have to pay. Even if they're at fault, financial institutions pick up the bill. Among victims, a kind of fatalism has set in.

HUNTER HARGRAVE: I guess since the second time in past year and a half or so, I wouldn’t be surprised if it happened again.

KATE ANDERSON: And it always seems to happen on a Friday or a Saturday. So usually that’s kind of when I kind of really get like, well, should I really go shopping or not?

SHAHANI: Hunter Hargrave in Texas and Kate Anderson in Minnesota have come to expect the theft. Anderson's cards have been cancelled five times in the last year. Now, she knows the drill.

ANDERSON: Oh, now we have to reset all of our passwords and our pin numbers and every place that we do auto debits from.

SHAHANI: Hargrave, who is 25 years old, says he's using old school money a lot more.

HARGRAVE: Whenever I get paid, I take out the vast majority in cash, and then I put the rest on a debit card. But the debit card is only for emergencies.

SHAHANI: Even if people ditch their cards, they're not ditching the stores. Sales at Target and Home Depot have been exceeding expectations. Experts say that as long as we're spending, retailers don’t have to spend on protecting us. Aarti Shahani, NPR News.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.