The list of major retailers that have been hacked keeps growing. But while tens of millions of people have seen their credit card numbers fall into the hands of hackers, online shoppers at those stores appear safe.
In recent breaches at Target, Neiman Marcus and, most recently, Home Depot, the retailers said online customers were not affected. The hacks raise a curious question at a time when danger seems to lurk on every corner of the Internet: Is it actually safer to shop online than in person?
That may be true, but not because entering your credit card number on your home computer is more secure than swiping your card at the register, according to Nicholas Weaver, a senior researcher at the International Computer Science Institute.
It’s just easier for hackers to profit by stealing information linked to credit cards swiped in physical stores, he said. Such data can be used to make counterfeit cards and presents fewer obstacles for thieves than information stolen from online shoppers.
For hackers, data from physical cards “is significantly easier and therefore more profitable to use,” Weaver said.
Cybercriminals already have access to malicious software specifically designed to steal credit card data from in-store payment systems. That malware, known as “BlackPOS,” was used in both the Home Depot and Target breaches, according to cybersecurity reporter Brian Krebs, who cited sources close to those investigations.
“I've taken the position that it's actually safer to shop online than it is in person -- mainly because I've seen firsthand evidence of just how many physical stores are being compromised by card-stealing malware,” Krebs said in an email.
Credit cards stolen from online shoppers are less valuable to thieves because they don’t give them enough data to make counterfeit cards, Weaver said. Hackers still need key information stored on a credit card’s magnetic stripe, which can be obtained only by compromising the payment systems at the cash register. That’s largely why credit card data stolen from physical stores sells in the underground market for ten times more than online card data, Krebs said.
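The distinction above (full magnetic-stripe data versus the card number and expiry an online shop collects) is also what a defender looks for when hunting for card-stealing malware on point-of-sale systems: scraped stripe data has a recognizable shape. The following added example, which is not from the article or from any of the people quoted in it, scans a constructed text sample (a stand-in for a POS host’s process memory dump or debug log) for records in the publicly documented ISO 7813 track 2 layout, validates the card number with the Luhn check, and reports each hit in redacted form. The sample lines and card numbers are constructed; the 4111… and 5500… numbers are standard test numbers.

```python
import re
from typing import Dict, List

# Constructed sample: the kind of text a defender might pull from a
# point-of-sale host while hunting for memory-scraping malware.
# None of these card numbers is real; 4111... and 5500... are test numbers.
SAMPLE_DUMP = """\
2014-09-08 12:01:07 txn ok amount=42.17 auth=0183
;4111111111111111=1512101123456789?
customer_ref=ORD-20931 ship_to=same
;5500000000000004=1701201000099900?
garbage ;1234=9999? not a card
;4111111111111112=1512101?
"""

# ISO 7813 track 2: ';' start sentinel, PAN (13-19 digits), '=' separator,
# expiry (YYMM), 3-digit service code, discretionary data, '?' end sentinel.
# The trailing LRC character is ignored here.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6 digits) and the last 4; replace the middle with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text: str) -> List[Dict[str, object]]:
    """Find track-2 shaped records in text and report them in redacted form."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, exp, svc = m.group("pan"), m.group("exp"), m.group("svc")
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry": f"20{exp[:2]}-{exp[2:]}",  # YYMM -> YYYY-MM
            "service_code": svc,
            # A service code starting with 2 or 6 marks a chip (integrated circuit) card.
            "chip_card": svc[0] in "26",
            "luhn_ok": luhn_ok(pan),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print(hit)
```

Only the shortened record with a bad check digit fails the Luhn test, so a rule like this produces few false positives on ordinary log text while still catching the stripe-format data a memory scraper stages for exfiltration; a production check would also cover the track 1 layout and would run on the POS host itself, where such data has no business appearing outside the payment application.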
Thieves who steal credit cards from online shoppers also face other obstacles. They can only use those credit cards to make online purchases, and to prevent fraud, some retailers won’t let you ship expensive online purchases to addresses other than those linked to your credit card, Weaver said. In addition, hackers must ship online purchases to so-called “mules,” or people who pick up items bought with stolen credit cards and resell them. Mules need to be replaced frequently because they often get arrested, Weaver said.
Of course, online shopping isn’t risk-free. In 2012, Zappos, the online shoe store, was hacked, giving thieves access to customers’ names, emails, billing addresses, phone numbers and the last four digits of their credit cards. The recent Heartbleed bug was another example of websites leaving sensitive credit card data wide open to thieves.
Some experts disagree that in-store shopping is more dangerous.
“To say online transactions are any safer would be a big misnomer,” said Chris Strand, a senior manager of compliance at Bit9, a cybersecurity firm.
But for the next year, credit cards swiped at physical stores will continue to be vulnerable. October 2015 is the deadline for merchants and banks to upgrade to more secure credit card technology known as “chip and pin,” that is, cards that use a combination of an embedded microchip and a code to authorize transactions. That technology is supposed to make it much more difficult for thieves to make counterfeit cards.
After October of next year, whoever is still using the older “swipe and sign” technology -- either the merchant or the bank -- will be liable for any fraud on those cards. The United States will be the last major developed country to transition to the new credit cards.
But it likely won’t make fraud disappear. Based on the experiences of other countries that have shifted to the more secure credit card technology, it may simply make online shopping more risky.
“Every other country that has made this transition has found that after moving to chip-and-pin, the fraud moved from offline to online fraud,” Krebs said. “The fraud doesn't go away. It's like squeezing a balloon. The fraud just goes somewhere else.”