By Alistair Barr, and Donna Leinwand Leger
SAN FRANCISCO - In a report one retail industry leader called "disturbing", the U.S. Federal Bureau of Investigation warned U.S. retailers to expect more cyber attacks, describing how vulnerable the $5 trillion industry is to hackers trying to steal valuable customer data.
Leaders at the National Retail Federation said they reviewed the FBI's report. It outlines techniques used by cyber criminals to access personal data and warns retailers to be wary, general counsel Mallory Duncan said.
The hackers, the report said, are prolific and sophisticated, Duncan added.
"This is a very disturbing report and obviously, there is a great deal of work that's going to have to be done by all of the parties," Duncan said. "There is a fundamental flaw in the current card payment system, and until we can remedy that, and that's a reliance on easily copied numbers and data, that flaw is going to plague us."
The report comes in the wake of an attack against Target which compromised the data of more than 100 million people during the busy holiday shopping period. Luxury retailer Neiman Marcus said this week that a similar attack earlier in 2013 affected 1.1 million cards.
The FBI report, dated Jan. 17, describes risks posed by "memory-parsing" malware that infects point-of-sale (POS) systems, Reuters reported, citing the document "Recent Cyber Intrusion Events Directed Toward Retail Firms."
The FBI has discovered about 20 hacking incidents in the past year involving similar malware used in the Target breach, Reuters added.
"In 2014, we expect to see one or more of these major breaches a month," said JD Sherry, vice president, technology and solutions at cyber security firm Trend Micro. "Retail seems to be the most targeted vertical because of the potential pay-outs and the high number of transactions that occur."
Many merchants are using legacy Windows XP software from Microsoft to run their POS platforms. If the software is not updated with all the necessary security patches they are "extremely vulnerable," Sherry added.
One version of the POS malware, known as Alina, included an option that allowed remote upgrades, making it tougher for corporate security teams to identify and eradicate it, the FBI report said.
The hackers have essentially got inside retailers' computer networks, allowing the malware to operate from the inside over long periods of time. The criminals also keep activity levels low and this combined approach throws off traditional anti-virus protection, according to Trend Micro's Sherry.
"These slow-and-low attacks help them maintain a stealthy presence for as long as they can," he said. "The delay with Neiman is very interesting because it took them so long to figure out what was going on."
Neiman Marcus said payment card data was collected from July 16 to Oct. 30 and the company did not find out about the breach until late December at the earliest.
The POS malware collects card data before it is encrypted and sent to card processing companies including Visa and MasterCard, Sherry said.
"This means anti-virus software isn't going to be the savior," he said. "Full blown, end-to-end encryption is needed."
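The "memory-parsing" malware the FBI report describes and the pre-encryption capture Sherry refers to are the same mechanism: the magnetic-stripe track data sits in the POS application's memory in the clear between the swipe and the call to the payment processor, and the malware simply pattern-matches it out of that memory. The following Python is an added example, not code from the FBI report, Trend Micro or any named vendor; it reconstructs a scraper of that kind over a constructed byte buffer that stands in for a POS process image. The track layouts follow the standard ISO/IEC 7813 formats, the card numbers are published test numbers rather than real accounts, and the "encrypted at swipe" case uses a toy SHA-256 counter-mode keystream as a stand-in for real terminal-side encryption, to show why end-to-end encryption defeats this class of malware where anti-virus signatures do not.

```python
import hashlib
import re

# Track 2: ';' PAN (13-19 digits) '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([0-9]*)\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM service-code discretionary-data '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{4})(\d{3})([0-9A-Za-z ]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; scrapers use it to drop false-positive digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(memory: bytes) -> list:
    """Pattern-match track 1/2 data out of a memory image, the way RAM scrapers do."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan, "expiry": m.group(2).decode(),
                         "offset": m.start()})
    for m in TRACK1_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan, "name": m.group(2).decode().strip(),
                         "expiry": m.group(3).decode(), "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def toy_keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher: a stand-in for the encryption a
    point-to-point-encrypting card reader applies before data reaches the POS."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample data. 4111... and 5555...4444 are published test numbers, not real accounts.
TRACK1 = b"%B4111111111111111^DOE/JANE^25121010000000000?"
TRACK2 = b";5555555555554444=251210112345678?"
BOGUS = b";1234567890123456=25121011?"   # right shape, but the PAN fails the Luhn check


def build_pos_memory(encrypted: bool, key: bytes = b"terminal-key") -> bytes:
    """Fake POS process image: noise, then the swiped tracks (plaintext or encrypted), then junk."""
    tracks = TRACK1 + b"\x00" * 16 + TRACK2
    if encrypted:
        tracks = toy_keystream_encrypt(tracks, key)
    return b"noise\x00" * 40 + tracks + b"\x00" * 8 + BOGUS + b"\xff" * 64


def mask(pan: str) -> str:
    """PCI-style masking for display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for enc in (False, True):
        hits = scrape_tracks(build_pos_memory(enc))
        print(f"encrypted at swipe={enc}: {len(hits)} usable track(s)")
        for h in hits:
            print("  track", h["track"], mask(h["pan"]), "exp", h["expiry"], "@ offset", h["offset"])
```

With plaintext tracks in memory the scan returns both cards and rejects the Luhn-invalid decoy; with the same tracks encrypted before they enter the POS process, the scan finds nothing to steal. The scraper touches no files and makes no suspicious system calls, which is why a signature-based product sees nothing unusual and why the remedy is encryption at the reader rather than more anti-virus.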
The "chip and PIN" technology used by retailers in Europe embeds and encrypts customer data on payment cards before the information is transferred to POS terminals, Sherry noted.
The NRF has pushed for banks and credit card issuers to adopt this system in the U.S., but it has so far failed to catch on because of concerns about the cost and the impact on marketing capabilities.
In a letter to Congress on Tuesday, the NRF complained that banks "have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation 'PIN and Chip' card technology for customers in Europe and dozens of other markets."
Retailers, too, will have to change how they police their networks, said Timothy P. Ryan, managing director for Kroll Advisory Solutions Cyber Investigations and a former FBI cyber crimes agent. In addition to detecting intrusions into the system, cyber security must also include measures that can ferret out a hacker who has managed to evade that detection.
"Putting up a fence is awesome until somebody jumps the fence," Ryan said.
Retailers can expect more data breaches, Ryan said, "unless they change the paradigm they use to protect their systems."