Why retailers like Home Depot get hacked

Retailers like Home Depot, which recently suffered a major data breach, have known for years about vulnerabilities in payment systems, but have chosen to ignore them, experts say.

Home Depot decided only in January to buy technology that fully encrypts payment card data the moment a card is swiped, The Wall Street Journal reported Monday. The home improvement retailer launched the project in order to avoid a breach on the scale of Target's.

The breach at Target in December compromised 40 million credit-card accounts and contributed to the ouster of its chief executive officer.

Following several months of testing, Home Depot signed a multimillion-dollar contract with a security vendor in April, but by then, hackers may have already cracked the retailer's payment systems, the Journal reported. The company said it discovered it had been hacked in September.

While Home Depot has not said how many credit-card accounts were affected, experts speculate that given the size of its business the number of compromised accounts could be in the 10s of millions.

Hackers stole card numbers from Target and Home Depot using malware that scraped unencrypted data from the memory of their payment systems.

This exploitable vulnerability has been known for years, yet retailers chose not to upgrade their so-called point-of-sale (POS) systems, because of the cost.

"We have been recommending for years and years and years that people encrypt and tokenize at the swipe, and for years and years and years, they haven't done it," John Kindervag, analyst for Forrester Research, said. "The fact that the attackers are really good and fast is not an excuse.

In data security, tokenizing is the process of substituting card data with a random number that is useless to the hacker. The token often comes from an embedded chip found in new cards.

Apple plans to use such a system in the iPhone 6, so the smartphone can be used instead of a credit card.

Most readers used by U.S. retailers today take the card number in plain text from the magnetic stripe found on most debit and credit cards.

Eric Cole, a cyber-defense lead at the SANS Institute, said retailers have to approach security with the assumption that they will be targeted.

"Security has to be designed into the network and not just add-on components," Cole said.

For example, networks should be designed, so POS systems are not accessible, if a hacker breaks into another system on the network that is connected to the Internet.

In the case of Target, malware was planted in POS systems after the hackers stole the login credentials of a supplier that used another portion of the retailer's network.

"(The network) should be segmented, so if a compromise does occur, the amount of damage is contained and controlled," Cole said.

Also, retailers have to stop the practice of using credit-card data for more than just completing a transaction, Kindervag said. Card data is often fed into analytic systems used by marketers to track customer buying habits.

"There's a long held culture of using the credit card number as a way of analyzing the buying habits of consumers and projecting what they might be in the future," Kindervag said.

Retailers and the marketing people who work for them have to recognize that some data is "just too dangerous to have," he said.

Overall, retailers have to approach the avoidance of data breaches the same way energy companies view oil spills, Kindervag said. "It's the most costly thing that could happen to your business."