SAN FRANCISCO -- The U.S. Federal Bureau of Investigation warned U.S. retailers that there will be more cyber attacks in a "disturbing" report describing how vulnerable the $5 trillion industry is to hackers trying to steal valuable customer data.
Leaders at the National Retail Federation said they reviewed the FBI's report. It outlines techniques used by cyber criminals to access personal data and warns retailers to be wary, general counsel Mallory Duncan said.
The hackers, the report said, are prolific and sophisticated, Duncan added.
"This is a very disturbing report and obviously, there is a great deal of work that's going to have to be done by all of the parties," Duncan said. "There is a fundamental flaw in the current card payment system, and until we can remedy that, and that's a reliance on easily copied numbers and data, that flaw is going to plague us."
The report comes in the wake of an attack against Target that compromised the data of more than 100 million people during the busy holiday shopping period. Luxury retailer Neiman Marcus said this week that a similar attack earlier in 2013 affected 1.1 million cards.
The FBI report, dated Jan. 17, describes risks posed by "memory-parsing" malware that infects point-of-sale (POS) systems, Reuters reported, citing the document "Recent Cyber Intrusion Events Directed Toward Retail Firms."
The FBI has discovered about 20 hacking incidents in the past year involving similar malware used in the Target breach, Reuters added.
"In 2014, we expect to see one or more of these major breaches a month," said JD Sherry, vice president, technology and solutions at cyber security firm Trend Micro. "Retail seems to be the most targeted vertical because of the potential pay-outs and the high number of transactions that occur."
Many merchants are using legacy Windows XP software from Microsoft to run their POS platforms. If the software is not updated with all the necessary security patches, they are "extremely vulnerable," Sherry added.
One version of the POS malware, known as Alina, included an option that allowed remote upgrades, making it tougher for corporate security teams to identify and eradicate it, the FBI report said.
The hackers have essentially gotten inside retailers' computer networks, allowing the malware to operate from the inside over long periods of time. The criminals also keep activity levels low, and this combined approach throws off traditional anti-virus protection, according to Trend Micro's Sherry.
"These slow-and-low attacks help them maintain a stealthy presence for as long as they can," he said. "The delay with Neiman is very interesting because it took them so long to figure out what was going on."
Neiman Marcus said payment card data was collected from July 16 to Oct. 30 and the company did not find out about the breach until late December at the earliest.
The POS malware collects card data before it is encrypted and sent to card processing companies including Visa and MasterCard, Sherry said.
"This means anti-virus software isn't going to be the savior," he said. "Full blown, end-to-end encryption is needed."
The "chip and PIN" technology used by retailers in Europe embeds and encrypts customer data on payment cards before the information is transferred to POS terminals, Sherry noted.
The NRF has pushed for banks and credit card issuers to adopt this system in the U.S., but it has so far failed to catch on because of concerns about the cost and the impact on marketing capabilities.
In a letter to Congress on Tuesday, the NRF complained that banks "have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation 'PIN and Chip' card technology for customers in Europe and dozens of other markets."
Retailers, too, will have to change how they police their networks, said Timothy P. Ryan, managing director for Kroll Advisory Solutions Cyber Investigations and a former FBI cyber crimes agent. In addition to detecting intrusions into the system, cyber security must also include measures that can ferret out a hacker who has managed to evade that detection.
"Putting up a fence is awesome until somebody jumps the fence," Ryan said.
Retailers can expect more data breaches, Ryan said, "unless they change the paradigm they use to protect their systems."
Here are some tips from Bank of America to help you decide which payment method is best for you:
Paying by cash:
Keeping cash on hand can be a great way to avoid overspending. You can choose exactly how much cash you're willing to spend, carry it with you, and stop spending when you're out of cash. For some people, cash can "burn a hole" in their wallet, meaning the temptation of easily accessible cash can lead to undesired spending. Carrying cash also carries the risk that it could be stolen. If these factors are concerns, consider using a debit or credit card, which in most cases offers you protection against fraudulent use.
Debit cards provide easy recordkeeping and are accepted at many merchants, which makes purchasing convenient. Unlike a credit card, which requires you to pay the bill later, the money comes directly out of your checking account. This is a great way to avoid spending more money than you have available.
Before you use your debit card, make sure you know your checking account balance. If you try to spend more than you have, your purchase may be declined or the bank might charge you an extra fee, also known as an overdraft fee. (Note: One good way to help you avoid overdraft fees when using your debit card is to set up alerts through online banking to notify you by text or email when your balance is low.) It is important to recognize that certain banks do not allow you to overdraw your account, while others will allow you to overdraft. Please make sure to check your bank's policy so you are aware of any potential fees you could incur by spending more than you have available in your account.
Look into your bank's fraud liability protection program so you have a good understanding of your debit card's security. Some debit cards offer protections similar to a credit card, so if your debit card is lost or stolen, you won't be on the hook for fraudulent purchases. Some banks also offer debit cards that include photo ID to help ensure no one but you can use your card. (Learn about Bank of America's Total Security Protection® package.)
Paying by credit card:
Responsible use of a credit card can be a safe and easy way to build up your credit rating.
If you choose to make a purchase with a credit card, you can reduce the amount of interest you pay by paying more than your minimum payment each month. Or, if you are able, you can avoid interest on purchases altogether by paying your bill in full each month.
Many credit cards come bundled with rewards programs that allow you to earn points that are redeemable for things like travel and merchandise. There are also cash-back credit card programs that allow you to earn a certain percentage of money back for each purchase you make with the card. The ability to earn points or cash back on purchases may make using your credit card the right choice for some transactions.
Some credit cards offer a certain amount of protection on purchases. For example, some credit cards provide protection if you buy merchandise that turns out to be defective. Many credit cards also come with fraud liability protection, meaning the card provider won't hold you responsible for fraudulent charges on your card as long as you report them promptly.
Time to take action:
You are the one who makes the decision whether cash, debit or credit (or a combination) best suits your lifestyle and habits. Carefully consider the benefits of each payment method before making a purchase. Deciding your payment methods ahead of time can help you keep better track of your money, and you won't be stumped at the checkout line when the cashier asks "cash," "debit" or "credit."