If there's a silver lining for banks in the Home Depot data breach, it's this: most experts agree banks are getting better at deterring card fraud.
If only retailers were better at preventing data theft.
Within the past 12 months, one large retailer after another, including Target, Neiman Marcus, Michaels Stores, P.F. Chang's, Goodwill and now Home Depot, has fallen victim to a massive data breach affecting millions of customers.
Home Depot confirmed on Tuesday that a long-term breach of its point-of-sale network had been under way since April. Anyone who used a payment card in one of the company's 2,200 stores in the past five months may have had their card data stolen (but not their PIN, the company says). About 60 million customers are believed to be affected.
But at least the data pilfered in these incidents is increasingly hard for thieves to monetize, thanks to measures like transaction monitoring, fraud alerts and real-time fraud detection.
"If you watch the chatter in the underground" (for instance, black market websites where stolen card data is sold) "these guys are upset," Brian Krebs, the security blogger who broke the news of the Home Depot breach on Sept. 2, said in an interview Tuesday. "A lot of the cards they're buying are coming back canceled."
Banks are getting better at monitoring transactions in real time to block the use of stolen card information at the point of purchase, said David Pollino, senior vice president and enterprise fraud prevention officer at Bank of the West.
"Whenever you swipe your card, it goes into a system that routes transactions back to the issuer and checks for things like whether or not you have available funds, whether or not your PIN or the last four digits of your card number have been entered correctly," Pollino pointed out. Issuers' monitoring systems decide instantly whether each transaction is consistent with customer behavior.
Another way banks are protecting their customers with analytics is through what are called common point of purchase analyses: comparing the transaction histories of cards already known to be compromised to find the merchant they all have in common, which points to a potentially breached merchant.
Often financial services companies and card networks can detect fraud before the merchant does, because of their bird's-eye view of transactions and fraud patterns, Pollino pointed out. "Every institution should be using their analytical environment to perform this type of analysis as a way of protecting customers and detecting additionally compromised customers."
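The common point of purchase analysis described above, as an added illustration in Python (not code from the article or any bank named in it): given an issuer's card-present transaction history and the set of cards its monitoring has already flagged as fraudulent, it ranks merchants by how many of the flagged cards were used there, the way an issuer can spot a breached merchant before the merchant does. The transactions, card ids and merchant names are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: prior card-present transactions seen by an
# issuer, as (card_id, merchant, transaction_date). Merchant names are made up.
TRANSACTIONS = [
    ("card1", "HardwareCo #12", date(2014, 5, 3)),
    ("card1", "GroceryMart", date(2014, 5, 4)),
    ("card2", "HardwareCo #12", date(2014, 5, 9)),
    ("card2", "CoffeeHut", date(2014, 5, 10)),
    ("card3", "HardwareCo #12", date(2014, 6, 1)),
    ("card3", "GroceryMart", date(2014, 6, 2)),
    ("card4", "HardwareCo #12", date(2014, 6, 20)),
    ("card5", "GroceryMart", date(2014, 6, 21)),
    ("card5", "CoffeeHut", date(2014, 6, 22)),
    ("card6", "GroceryMart", date(2014, 7, 1)),
    ("card7", "HardwareCo #12", date(2014, 7, 5)),
]

# Cards that real-time transaction monitoring has already confirmed as fraud.
FRAUD_CARDS = {"card1", "card2", "card3", "card4"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by how many confirmed-fraud cards were used there.

    Only merchants visited by at least `min_fraud_cards` flagged cards are
    reported, to avoid singling out a merchant on one or two coincidences.
    Each result carries the fraud-card count, the share of all cards seen
    at that merchant that were later flagged, and the date window of the
    flagged cards' visits (a hint at when the compromise began).
    """
    cards_by_merchant = defaultdict(set)
    fraud_dates = defaultdict(list)
    for card, merchant, when in transactions:
        cards_by_merchant[merchant].add(card)
        if card in fraud_cards:
            fraud_dates[merchant].append(when)

    results = []
    for merchant, cards in cards_by_merchant.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:
            continue
        results.append({
            "merchant": merchant,
            "fraud_cards": len(hit),
            "total_cards": len(cards),
            "fraud_rate": len(hit) / len(cards),
            "window": (min(fraud_dates[merchant]), max(fraud_dates[merchant])),
        })
    # Most flagged cards first; fraud rate breaks ties between merchants.
    results.sort(key=lambda r: (r["fraud_cards"], r["fraud_rate"]), reverse=True)
    return results
```

In the sample data only the hardware store clears the threshold: four of the five cards seen there were later flagged, while the grocery and coffee merchants are visited by flagged cards only as often as chance would suggest.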
As Pollino sees it, the answer to preventing card breaches lies largely in EMV, the chip-and-PIN technology that makes cards difficult to counterfeit and therefore makes these breaches less appealing.
While some argue EMV is useless in preventing fraud in card-not-present transactions (in which the customer doesn't physically present a card, for example on a website), Pollino says the technology would deter most of the fraud that is happening.
"Typically if a bad guy goes through the process of stealing the magnetic stripe information, he will use that information for card-present fraud," rather than attempt to make purchases online, Pollino said. Most card-not-present transactions require data that's not contained in the magnetic stripe, such as the security code on the back of the card, he explained.
JPMorgan Chase declined to comment on the Home Depot breach, but shared a link to a message on its website about the incident. The message assures customers they are not liable for unauthorized transactions as long as they report them. The bank also said it uses sophisticated fraud-monitoring tools to review account transactions that help detect abnormal spending and ATM usage patterns. Chase also recommended that customers enroll in the bank's account alert service and advised them to monitor their accounts for unfamiliar transactions and immediately report anything suspicious.
Wells Fargo provided a similar statement. The three other largest U.S. bank card issuers did not immediately respond to requests for interviews.
In the wake of the Target breach, in which information about an estimated 110 million customers was compromised, banks, especially smaller ones, are not waiting around to figure out which accounts were compromised.
"They're being proactive and cancelling," Krebs said. "They don't have the sophisticated systems in place to monitor their customers' activities, so for them it makes more sense to kill the card and eat that reissue cost."
But Krebs thinks banks' knowledge-based authentication systems need to be replaced or upgraded with more sophisticated technology. He said he knew of a case where fraudsters easily changed PINs by calling a bank's customer service line armed only with a few identifiers that can be bought on the black market.
"If thieves know the answer better than customers, that's a problem," he said. Voice biometrics or device ID could be much more useful in accurately authenticating cardholders.
Banks such as Bank of the West and SunTrust are starting to create fraud hubs where they can look across all customer interactions and correlate data to better understand normal customer behavior and recognize signs of fraud.
"Many times banks' fraud departments and security departments only talk to each other during a crisis," said Mary Ann Miller, senior director and fraud executive advisor at analytics software company Nice Actimize. "They don't have regular, business-as-usual interaction." With the same criminals operating in the cyber world and the real world, the silos need to be brought together, she said.
The front line of this cyber war, of course, is the retailers whose networks are being hacked on a regular basis. In many cases, malware strains like BlackPOS or Backoff are climbing in through thinly protected remote access software.
"Traditionally retail's been one of the more challenging industries to sell security software and services to," Krebs said. "They're extremely bottom-line-oriented, they have thin profit margins. They see every dollar invested in security as a dollar they're not earning."
Still, Krebs said he believes some merchants are taking these breaches to heart and improving their security tactics.
"Some are trying to poach each other's best security people. That's always a good sign," he said.