Published Friday, January 24, 2014 at 1:00 am / Updated at 4:00 pm
Joe Nocera: Breaches show hackers winning

Last week, a letter landed in my email inbox from Gregg Steinhafel, the chief executive of Target. He wanted me to know that there was a decent likelihood that some of my personal information had been stolen by criminals who had “forced their way into our systems,” as Steinhafel put it, and pulled off one of the biggest data breaches in history.

I’m not a regular Target shopper, so I had to think about this for a minute. Then I remembered: In mid-December, while marooned in Houston after missing a connecting flight to Rio de Janeiro, I went to a Target store to buy some clean clothes. I paid with my debit card, which I swiped through the little “point of sale” machine, and then entered my passcode — something I probably do a dozen times a day. The very ordinariness of the transaction is partly why it hadn’t stood out in my memory.

Since receiving Steinhafel’s letter, however, I’ve been brushing up on data breaches, and I’m here to say it is going to be a while before I’m sanguine when I make that little swiping motion with my debit card. In the battle between hackers and retailers, it sure looks as though the hackers are winning.

If you have read anything about the Target data breach, you know that from Nov. 27 to mid-December, hackers siphoned off the credit-card information of 40 million Target shoppers, including card numbers, passcodes and the three-digit security code on the back. They also took names and email addresses of tens of millions of other Target customers.

Target acknowledged the breach Dec. 19, but only after a reporter named Brian Krebs had broken the news on his authoritative blog, Krebs on Security.

When I talked to Krebs, he told me that while Target was “hardly a poster boy for how to secure data,” the company probably wasn’t all that much worse than most other retailers. Its digital system undoubtedly had all the current anti-virus software, none of which had detected the malicious software — “malware,” as it’s called — that had infected it.

Krebs was pretty convinced that the hackers were Russians. It was obvious that they were extremely sophisticated in how they went about stealing credit-card data.

After burrowing into a Target server, he explained on his blog, the malware would then grab data from Target’s point-of-sale terminals all across the country shortly after customers swiped their cards. At that moment, a moment of maximum vulnerability since all the data was unencrypted at that point, the magnetic stripe would yield all the information the hacker needed.

Another security expert, Gerhard Eschelbeck, the chief technology officer at Sophos, wrote in a recent report that “one trend that stands out is the growing ability of malware authors to camouflage their attacks.” Eschelbeck described modern hacks as “innovative and diverse.”

Virtually every security expert I spoke to said it is likely that a lot more retail companies have been breached than has been acknowledged. Indeed, Neiman Marcus recently admitted that its systems had been breached. And just the other day, the Department of Homeland Security sent a report to retailers and banks warning about point-of-sale malware, which it suspects has infected more systems than just Target’s.

So why don’t retailers do more to stop such attacks? Part of the reason is that nobody is forcing them to. It costs a lot of money to completely revamp their systems in ways that would make them harder to breach. However disruptive to customers, there really hadn’t been any business consequences, not until the Target breach, anyway. (Target saw its Christmas sales decline after the breach was announced.)

The simplest thing we could do to diminish data breaches would be to move away from magnetic stripes, which are relatively easy to copy, and go to a system in which credit and debit cards are embedded with chips. In widespread use in Europe and elsewhere, such cards are practically nonexistent in the United States (although a rollout is supposed to begin in the fall of 2015). In 2009, a payment company called Heartland suffered a breach that was even larger than Target’s. You would think that would have been a wake-up call, but apparently it wasn’t.

The most galling part of Steinhafel’s letter is its advice to consumers. “Never share information with anyone,” he writes. “Be wary of emails that ask for money.”

None of this advice, of course, would have helped anyone who had the misfortune to shop at Target during the three weeks the malware was doing its devious work. The fault was not ours, Mr. Steinhafel; it was yours.

As for me, it turns out that the Russian hackers won’t be able to use my debit card information after all. I had to get a new card — after I was hacked in Brazil.
