RACHEL MARTIN, HOST:
This is WEEKEND EDITION from NPR News. I'm Rachel Martin. If you use a credit card - and most of us do - it's hard not to be a little concerned. Discount retailer Target continues to apologize for a massive security breach over the holidays. And just yesterday, the high-end retailer Neiman Marcus disclosed that shoppers at its stores have been compromised as well. Independent investigative reporter Brian Krebs was the first to report on both these security breaches. He joins us to talk more. Welcome to the program, Brian.
BRIAN KREBS: Hi, Rachel.
MARTIN: So, what do you we know about this most recent security breach at Neiman Marcus? What type of data was taken?
KREBS: Well, we don't know a lot. What we do is that the banks that issue credit cards, some of them started seeing some funky charges that they trace back to cards that had all been used at Neiman Marcus. And they got notified in the middle of December by their credit card processor that something wasn't right. They're still trying to figure that out and they really didn't have too many details to share about how broad this is, how many cards may be affected, how the bad guys got in, that kind of stuff.
MARTIN: This Neiman Marcus breach comes on the heels of this major security breach at Target, where potentially millions of Americans were affected. Are these happening more often or are we just hearing about them more?
KREBS: Yeah, I think it's fair to say we're just hearing about them more. My sense in talking to folks in the financial industry, I'm surprised that many of them are a bit nonchalant and some of them have told me, you know, I don't know why everybody is so upset about these. You know, these things happen all the time and they never get reported. Well, if people really know how many there were, nobody would feel comfortable using their cards anywhere. And I think that the industry as a whole doesn't like talking about these things for that very reason.
MARTIN: So, what is the latest on the investigation into what happened at Target?
KREBS: Target is not saying too much. This is being treated by almost every corner of the regional industry as a unknown zero-day threat. 'Cause everybody looks at Target and says, well, if it can happen to them, it can happen to us. So, that's a good distinction here. Are the retailers or victims of cybercrime under any kind of obligation to disclose this - and they are - but they're not under any kind of obligation to disclose how they got hacked, which is a really, really important thing because other folks can learn from this stuff and hopefully not become victims coming forward.
MARTIN: So, you've been looking at this. You broke both of these huge stories. What are the solutions that are being proffered to try to curb this kind of security breach?
KREBS: The solutions are moving to a chip and pin, which is where that little chip that gets encoded into the card makes it expensive and more difficult to duplicate that card for bad guys. So, you know, that's kind of a solution but it doesn't really solve the problem. So, I think, Rachel, we can look forward to a lot more of these disclosures going forward.
MARTIN: Brian Krebs is the author of the blog KrebsOnSecurity.com. Brian, thanks so much for talking with us.
KREBS: Thank you, Rachel.