Experts say retailers have ignored for years the vulnerabilities that exist in payment systems

Retailers like Home Depot, which recently suffered a major data breach, have known for years about vulnerabilities in payment systems but have chosen to ignore them, experts say.

Home Depot decided only in January to buy technology that fully encrypts payment card data the moment a card is swiped, The Wall Street Journal reported Monday. The home improvement retailer launched the project in order to avoid a breach on the scale of Target’s. The breach at Target in December compromised 40 million credit-card accounts and contributed to the ouster of its chief executive officer.

Following several months of testing, Home Depot signed a multimillion-dollar contract with a security vendor in April, but by then, hackers may have already cracked the retailer’s payment systems, the Journal reported. The company said it discovered it had been hacked in September. While Home Depot has not said how many credit-card accounts were affected, experts speculate that, given the size of its business, the number of compromised accounts could be in the tens of millions.

Hackers stole card numbers from Target and Home Depot using malware that scraped unencrypted data from the memory of their payment systems. This exploitable vulnerability has been known for years, yet retailers chose not to upgrade their so-called point-of-sale (POS) systems because of the cost.

“We have been recommending for years and years and years that people encrypt and tokenize at the swipe, and for years and years and years, they haven’t done it,” John Kindervag, an analyst at Forrester Research, said. “The fact that the attackers are really good and fast is not an excuse.”

In data security, tokenizing is the process of substituting card data with a random number that is useless to the hacker.
The token often comes from an embedded chip found in new cards. Apple plans to use such a system in the iPhone 6, so the smartphone can be used instead of a credit card. Most readers used by U.S. retailers today take the card number in plain text from the magnetic stripe found on most debit and credit cards.

Eric Cole, a cyber-defense lead at the SANS Institute, said retailers have to approach security with the assumption that they will be targeted. “Security has to be designed into the network and not just add-on components,” Cole said.

For example, networks should be designed so that POS systems are not reachable if a hacker breaks into another system on the network that is connected to the Internet. In the case of Target, malware was planted in POS systems after the hackers stole the login credentials of a supplier that used another portion of the retailer’s network.

“(The network) should be segmented, so if a compromise does occur, the amount of damage is contained and controlled,” Cole said.

Also, retailers have to stop the practice of using credit-card data for more than just completing a transaction, Kindervag said. Card data is often fed into analytic systems used by marketers to track customer buying habits.

“There’s a long-held culture of using the credit card number as a way of analyzing the buying habits of consumers and projecting what they might be in the future,” Kindervag said. Retailers and the marketing people who work for them have to recognize that some data is “just too dangerous to have,” he said.

Overall, retailers have to approach the avoidance of data breaches the same way energy companies view oil spills, Kindervag said. “It’s the most costly thing that could happen to your business.”
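The following is an added illustration of the "tokenize at the swipe" idea Kindervag describes, not code from the article or from any payment vendor. It assumes a simplified track-2 layout (PAN, `=`, expiry YYMM) and an in-memory dictionary standing in for a vendor's secure token vault; the point is that the PAN is replaced by an unrelated random token before receipts, logs or marketing analytics ever see it, while the same card still maps to the same token so buying habits can be analysed without holding card numbers.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so obviously corrupt card numbers are rejected early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a vendor vault: the only component that ever stores a PAN."""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:            # same card -> same token, so analytics still work
            return self._by_pan[pan]
        while True:
            token = secrets.token_hex(8)   # random, carries no information about the PAN
            if token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor path should ever call this."""
        return self._by_token[token]


def swipe(vault: TokenVault, track2: str) -> dict:
    """Tokenize at the reader: everything downstream gets the token, never the PAN."""
    pan, _, rest = track2.partition("=")
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "exp": rest[:4]}


def analytics_record(receipt: dict, amount: float) -> dict:
    """Marketing systems key on the token, so a breach there yields no card numbers."""
    return {"customer": receipt["token"], "amount": amount}
```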