AUDIE CORNISH, HOST:
As the holiday shopping season ramps up, we were curious what retailers are doing to protect you from hackers.
ARI SHAPIRO, HOST:
You could say 2014 has been the year of the credit card hack. Home Depot, Staples, PF Chang's - those are just some of the companies that have been hit.
CORNISH: As we hear from NPR's Aarti Shahani, they're staying tightlipped about what, if anything, they're doing to protect customers.
AARTI SHAHANI, BYLINE: It's that time of year and I'm at the Rolex store. Davi Ottenheimer is with me, and we're not looking at diamond-studded watches.
DAVI OTTENHEIMER: Yeah, so that's a pad, right? So it's a typical pad. It has a USB-attached card reader.
SHAHANI: Our eyes are fixed on a tablet that's just sitting by the counter with a little square card reader plugged in, totally unattended.
OTTENHEIMER: They're not even looking at us. We could replace their card reader with our own card reader. I have several of those at home.
SHAHANI: Never mind that an armed guard is patrolling the door, this store is ripe for a micro-scale cyber-attack. Sure, it would just get a few dozen customers.
OTTENHEIMER: But they spend a lot of money. So if I wanted to get high-value cards, this would be a place where I could get them.
SHAHANI: Ottenheimer is not here to rob Rolex. He's a security expert who's been auditing retail for well over a decade. And we're checking out how hacker-proof stores are this holiday shopping season. Over at Macy's, we stand in an empty corner and stare at a lonely register.
OTTENHEIMER: So I can see, for example, it has a network light on the front.
SHAHANI: Which means it's not lonely. It's on a network, speaking to other machines that are grabbing card numbers. Ottenheimer is concerned - no one is watching us, and we could use this machine to try to break in.
OTTENHEIMER: They came over to help us with the jewelry but not with the fact that we're standing and staring at a PC in the corner.
SHAHANI: NPR reached out to Macy's to ask what it's doing to protect the customer information feeding into these machines. Are they scrambling and encrypting card numbers? Are they cordoning off the financial data, so that people with access to one point of entry can't break in to others? Macy's declined to provide a single detail about the most general security measures it's taking.
ORLA COX: A lot of times a lazy approach to security is just to make information difficult to get.
SHAHANI: Orla Cox is a security expert at Symantec who helps retailers after they've been hacked.
COX: Just because you're not talking about it isn't actually making you any more protected.
SHAHANI: Cox and other security insiders say that just about every retailer remains open to the exact same attack - a point-of-sale attack that got Target and Home Depot. And it's not clear if or when that'll change. NPR contacted two dozen of America's largest retailers, which includes Sears, Kohl's, Best Buy, Dollar, the T.J. Maxx Company, and none of them would indicate if their budget for online security has increased in this last year of mega-breaches.
COX: I would think that it's fairly innocuous information anyway, and that's, you know, giving a number out there, you know, shows that you're taking it seriously.
SHAHANI: Visa and Mastercard are on a national campaign to nudge retailers into taking on a bit more liability. But many say the incentives are off. Retailers make tiny margins - say 2 percent. They don't want to spend on IT support. And when credit card data gets stolen, they don't have to pay. Even if they're at fault, financial institutions pick up the bill. Among victims, a kind of fatalism has set in.
HUNTER HARGRAVE: I guess since the second time in past year and a half or so, I wouldn't be surprised if it happened again.
KATE ANDERSON: And it always seems to happen on a Friday or a Saturday. So usually that's kind of when I kind of really get like, well, should I really go shopping or not?
SHAHANI: Hunter Hargrave in Texas and Kate Anderson in Minnesota have come to expect the theft. Anderson's cards have been cancelled five times in the last year. Now, she knows the drill.
ANDERSON: Oh, now we have to reset all of our passwords and our pin numbers and every place that we do auto debits from.
SHAHANI: Hargrave, who is 25 years old, says he's using old school money a lot more.
HARGRAVE: Whenever I get paid, I take out the vast majority in cash, and then I put the rest on a debit card. But the debit card is only for emergencies.
SHAHANI: Even if people ditch their cards, they're not ditching the stores. Sales at Target and Home Depot have been exceeding expectations. Experts say that as long as we're spending, retailers don't have to spend on protecting us. Aarti Shahani, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.