Which companies are using the same login to sell products?
By JENNIFER ROSS-HUTCHISON, Associated Press
A few weeks ago, a number of large retailers began to use the same technology to sell their products online, using a login to log in.
Now, the technology is becoming commonplace at some of the nation’s biggest retailers.
A big reason for the rise in use is that shoppers are less concerned about having their names, photos and personal information exposed to fraudsters than they were before.
The use of login has been common at many major retailers, including Wal-Mart Stores Inc. and Amazon.com Inc., but it’s especially common at large retailers, such as Amazon.co.uk and Target Corp., where retailers use a variety of methods to authenticate shoppers, including a login for credit card purchases, a username and password, a credit card number, and other types of data.
The rise of login, which is also known as “card cloning,” has sparked some concerns among security experts about the growing use of such authentication methods.
But a study by security company Symantec found that using a different password to log into the company’s system is no more difficult to break than it is for an ordinary consumer to enter his or her own login information into a credit or debit card.
Even though it is harder to get credit card numbers from the login, the security firm said the technique can still be used to steal money.
That means consumers who have their own login credentials to retailers’ systems could be able to use them to steal payment card information from the companies and use that information to steal from retailers.
The security firm, however, said that most companies have not yet adopted this new technology.
Symantec said it has found a handful of examples of companies using login to steal credit card data.
For example, Target Corp. reported in October that it had a customer login that used a unique password to steal the credit card information of some customers, including two who used it to steal $1,000 from a Target store in Texas.
Symantec also found at least six instances in which companies have used login to take money from their own systems to buy merchandise.
In May, Target said it was investigating a similar case involving a customer who used a different login to purchase $1.1 million in merchandise from a store in the United Kingdom.
Target did not immediately respond to a request for comment.
The company said it would continue to look into the issue and that it is committed to the security of its systems.
Symantec’s report was based on a review of thousands of breaches of its data and breaches that it said occurred during the first half of 2017.
The data analysis found that only 1 percent of breaches that occurred during that period involved a breach that was more than a year old.
In most cases, Symantec said, the perpetrators had used a combination of three or more different login methods: a password, an email address and a credit, debit or other card number.
The report also found that in more than two-thirds of the cases where the data was stolen, the hackers obtained the credit or card numbers of customers who had used the same credentials to buy items online, Symantec said.
In a statement, Target spokeswoman Amy Stolper said that the company had not seen any reports of data theft in the last two months from its Target.com login.
Target is also working with Symantec to help secure its systems, Stolper said.
Symantec’s review of breaches reported by Target revealed that the stolen information included credit card payment card numbers, account information and other personal data.
Symantec’s report found that one in five breaches reported to Target involved credit card fraud, and one in 20 breaches involved theft of other payment information.
In response to Symantec’s findings, Target announced last month that it would require retailers to adopt an “online identity verification system.”
The company is also developing a software tool to help merchants identify customers who use login credentials.
“If an individual is not authorized to access a store’s system, the retailer should immediately stop using the login,” the statement said.
Target said it will require retailers that have at least 10 percent of their stores’ total sales and business volume come from online transactions to adopt a similar system by March, which would require the retailers to create a new account for each purchase and require the retailer to log in to their account every time a customer makes a purchase.
Target also said it is partnering with Symantec to help the company protect its data.
Symantec said it plans to continue to work with Target to develop new ways to secure stores’ systems.
Symantec has received funding from the U.S. Department of Homeland Security, the National Institute of Standards and Technology and other federal agencies, including the U.S. Department of Commerce.