For more than a year, hackers have found easy pickings at large retailers: 110 million records stolen from Target; 1.6 million from Staples; 56 million from Home Depot; 45.6 million from TJ Maxx; the list goes on.
The U.S. shift to EMV chip-and-PIN cards next fall will surely make retailers a less compelling target for such attacks. So will Apple Pay's tokenization scheme, which, like EMV, reduces the amount of sensitive cardholder data stored by merchants.
All well and good, but now some industry experts are worrying that when retailers are no longer such fruitful targets, the hackers will redouble their efforts to break into credit unions and banks.
"How is that [hacking activity] going to stop now that we've got Apple Pay and EMV coming along? It's not going to stop, it's just going to move to the next likely target," said James Gordon, chief technology officer at Needham Bank in Needham, Mass.
To be sure, credit unions and banks have not been completely bypassed by cybercriminals. According to the Identity Theft Resource Center, 42 data breaches were carried out against financial institutions in 2014. But other than the massive JPMorgan Chase breach, most of these have been smaller-scale breaches that have flown under the general public's radar.
But credit unions have found themselves on the hook for more than $90 million in member losses as a result of data breaches at Target and Home Depot alone, according to data from CUNA.
And industry experts don't expect it to get any better anytime soon.
"Credit unions are very aware of what's going on and looking for ways to mitigate potential losses," Mike Hoover, a staff underwriting specialist in CUNA Mutual Group's credit union protection area, told Credit Union Journal earlier this year. "What we're seeing is that as frauds occur and you shut off one avenue, the people committing these actions are very smart people, so they find another avenue to commit the fraud."
MasterCard and Visa have told retailers they must accept cards embedded with computer chips that comply with the Europay, MasterCard and Visa standard by Oct. 15 or take greater liability for fraud losses.
Hackers currently use stolen card data to create fake debit and credit cards, which they then use to withdraw cash from ATMs and make purchases in stores and online. It's much harder to create fake chip cards from stolen data than it is to create fake magnetic stripe cards. And EMV point-of-sale terminals that require a PIN as well as read a chip are harder to game than terminals that require only a stripe swipe and a meaningless signature that no one really looks at.
Another common concern about the shift to EMV is that cybercriminals will direct their activity at online, card-not-present fraud.
This is what happened in the United Kingdom, which adopted EMV technology in 2005 and saw card-not-present fraud rise 54% from 2006 to 2008, reaching £328.4 million before finally going down as financial institutions and merchants addressed the fraud occurring online, said Julie Conroy, an Aite Group researcher and fraud expert. In 2013, the U.K. dealt with e-commerce fraud losses of £301 million.
Al Pascual, director of fraud and security at Javelin Strategy & Research, also sees online and e-commerce fraud becoming a bigger risk with EMV adoption.
But the threat he envisions is more around new account opening and account takeover fraud.
"If you can't steal card data at the point of sale, then the next best option is to go out and get the cards directly from the bank," he said. "You either take over an existing account, and get cards mailed to you from that account, or you steal an identity and apply for an account."
There was a dramatic rise in fraudulent new accounts and account takeovers in the U.K. when it adopted the EMV standard, Pascual said. "Certainly [financial institutions] are going to want to be concerned about that, and improving their customer identity programs for new accounts." They should also be taking advantage of advanced authentication technology, he said.
If hackers retrain their focus on CUs and banks, most would agree that financial institutions are better braced for attack than retailers have been.
"I'd say based on regulations and our fiduciary responsibility," banks and credit unions are more secure, Gordon said. He noted that in informationisbeautiful.net's visualization of the world's biggest data breaches, only one bank is associated with a major breach -- JPMorgan Chase.
"The track record speaks for itself," he said.