Neiman Marcus, TaxSlayer Experience Sophisticated Account Takeover Attempts

Feb. 8, 2016

Neiman Marcus, TaxSlayer Experience Sophisticated Account Takeover Attempts Designer-fashion retailer Neiman Marcus recently acknowledged a massive attack on the accounts of its online customers that perfectly exemplifies the double-edged nature of how network security and fraud can intersect for online and omnichannel retailers. In late 2013, Neiman Marcus followed Target as the second high-profile security breach in a short period and helped bring significant media attention to the problem of network security and how retailers were vulnerable. But, after the information is stolen, online retailers—as well as banks, credit-card issuers, insurance companies and others—and their customers are at risk as cybercriminals put that information to work taking over online accounts to make fraudulent purchases or perform other unauthorized activity.

On Jan. 29, the Dallas-based company notified online customers of Neiman Marcus, Bergdorf Goodman, Last Call, CUSP and Horchow that an automated attack trying various login and password combinations accessed some of its customers’ accounts. According to Lindy Rawlinson, senior vice president of e-commerce for Neiman Marcus Group, the account takeover attempts likely were “due to large breaches at other companies, where user login names and passwords were stolen and then used for unauthorized access to other accounts where a user may use the same login name and/or password.” On the same day, online tax return preparer TaxSlayer reported similar activity to more than 8,800 of its own customers, also blaming fraudsters’ ability to access the accounts on information stolen in other network intrusions.

Some media reports confusingly have called the activity at these companies “breaches” (much like a similar episode at Starbucks last spring ). But, they are actually examples of an increasingly prevalent kind of fraud that has made personally identifiable information more valuable to hackers than payment card information. Many companies will experience attempts to take over legitimate customer accounts, but Neiman Marcus illustrates how online retailers are at risk twice: as potential victims of a network security breach and as victims of the fraud the stolen information generates. A session at this Spring’s CNP Expo , “Network Security: A double-edged sword for CNP merchants,” will focus on this exact topic.