The e-retail implications of the Target and Neiman Marcus data thefts
January 13, 2014 02:48 PM
Criminals could use the payment card and associated data recently stolen from two large retail chains to attempt fraudulent purchases online, several payment experts say.
So far, though, payment experts contacted by Internet Retailer report no uptick in online fraud connected with the data breaches suffered by Target Corp. and The Neiman Marcus Group Inc. The breaches have affected tens of millions of consumers.
Target on Friday said that its breach could include information for up to 110 million consumers, while the Neiman Marcus breach reportedly involves data from some 1 million consumers, though that chain declines to comment today about any aspect of the theft. "While we are in the midst of our criminal investigation I have no further information to share," says a spokeswoman for Neiman Marcus. The breach also hit three other unnamed retailers in the United States during the recently completed holiday shopping season, according to reports Monday.
At first glance, the types of data stolen from Target would seem to favor criminals bent on making fake cards for use inside stores. That’s because the chain says that while the thieves gained access to card expiration dates and a security code known as the Card Verification Value embedded in those cards’ magnetic stripes, the stolen data did not include the three- or four-digit CVV2 security codes printed on the back of payment cards. Many e-retailers ask for those codes before allowing an online purchase to go through.
Many, but hardly all. 79% of e-commerce operators in the United States ask for those CVV2 codes when customers place orders, according to a 2013 report from CyberSource, an online payment security company that is part of Visa Inc. 29% consider checking CVV2 codes to be among their top three fraud prevention tools. That compares with 31% that contact customers to confirm orders and 27% that use address verification services to help weed out fraudulent orders.
“E-retailers should continue to be vigilant for any unusual activity or abnormal patterns,” says Julie Fergerson, vice president of emerging technologies at payment security service Ethoca Ltd. “That said, as long as merchants have good rules in place around CVV2 they should be pretty well protected based on the details that have been reported to date.”
She said retailers that might want to increase their anti-fraud vigilance through CVV2 confirmation face a customer-service hurdle. “The challenge of rejecting orders solely based on a CVV2 is that some good customers also might not know their CVV2 code,” she says. “Unfortunately they sometimes fade off credit cards and sometimes consumers just [enter] a typo.”
Even so, online fraud attempts appear likely in the wake of these breaches, even if it turns out that CVV2 codes were not stolen. “There are likely millions of online stores where you can use a card without [those codes],” says Andreas Baumhof, chief technology officer at ThreatMetrix, which sells fraud prevention technology. “Remember, these cards work worldwide and not just in the U.S. or Europe.” His colleague, ThreatMetrix chief products officer Alisdair Faulkner, adds that criminals “are able to differentiate between retailers that require a CVV2 number and those that do not.”
Another potential problem for online retailers is that the Target thieves gained personal information, including billing addresses and e-mail addresses, of 70 million customers. They also stole the card numbers and other data for 40 million credit and debit cards that were used in Target stores between Nov. 27 and Dec. 15, Target says. That gives the criminals more information they can use to attempt to defraud consumers and retailers, for instance by using that data to get around the address-verification services retailers employ to fight fraud.
Roughly a third of merchants use e-mail address verification to combat fraud, says Loc Nyguen, vice president of marketing at Feedzai, which sells fraud prevention software. “This by itself isn’t particularly effective, especially since there are disposable e-mails available,” Nyguen says.
Target is No. 18 in the Internet Retailer Top 500 Guide. Neiman Marcus is No. 39.