WASHINGTON — The rash of attacks against Target and other top retailers is likely to be the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say.
Traditional defenses, such as installing antivirus software and monitoring accounts for unusual activity, have offered little resistance against Eastern European criminal gangs whose programmers write malicious code aimed at specific companies or buy inexpensive hacking kits online. Armed with such tools, criminals can check for system weaknesses in wireless networks, computer servers, or stores’ card readers.
Nearly two dozen companies have been hacked in cases similar to the Target breach and more almost certainly will fall victim in the months ahead, the FBI recently warned retailers, according to an official who was not authorized to speak publicly. The names of all of the compromised firms have not been revealed, nor is it clear how many shoppers have had their credit card numbers and other personal data stolen.
Banks, retailers, and policy makers have been slow to address the growing sophistication of cybercriminals. Only 11 percent of businesses have adopted industry-standard security measures, said a recent report by Verizon Business Solutions, and outside experts say even these ‘‘best practices’’ fall short of what is needed to defeat aggressive hackers lured by the prospect of a multimillion-dollar heist.
‘‘You’re going to see more and more people trying this,’’ said Nicolas Christin, a security researcher at Carnegie Mellon University. ‘‘If you just saw your neighbor win the lottery, even if you weren’t interested in the lottery before, you may go out and buy a ticket.’’
Cybercrime cost US companies an average of $11.5 million in 2012, according to a study by the Ponemon Institute, up 26 percent compared with the previous year. The effect on consumers can last for years, as they are left vulnerable to bogus charges and potential identity theft.
Experts say that reversing the rise in major data breaches would require expensive upgrades, including the adoption of end-to-end encryption, the walling-off of the most sensitive data on separate networks, and the adoption of newer credit card technology that holds customer information on an embedded chip rather than the familiar black magnetic strip on most American cards.
Credit card chips can communicate with banks in a way that better protects a user’s private information, often requiring a personal identification number to verify a purchase. Such systems are widespread in most of the developed world but are appearing in the United States only gradually.
‘‘Our decades-old payment system was not designed with cybersecurity in mind,’’ said Christopher Soghoian, principal technologist at the American Civil Liberties Union. ‘‘Times have changed. Data breaches now occur on a weekly basis, the result of which is that consumers become victims of fraud and identity theft.’’
An industry group including the major American credit card issuers is pushing for widespread adoption of chip cards by October 2015. Consumer groups want Washington to mandate a faster and more complete shift, but federal regulators have balked at forcing the politically influential banking industry to invest in new technology, especially if there is a chance that it might not thwart future attacks.
In a sign of the growing concern over credit card security, Congress held four hearings last week to examine whether the industry and the government are doing enough to protect consumers. Tuesday’s meeting featured officials from the largest retailers at the center of the recent run of data breaches.
‘‘The unfortunate reality is that we suffered a breach, and all businesses — and their customers — are facing increasingly sophisticated threats from cybercriminals,’’ John Mulligan, Target’s chief financial officer, told lawmakers.
Hackers lifted 40 million debit and credit card numbers from Target customers during the holiday season. The company later said thieves also grabbed personal information, including names, home addresses, and telephone numbers, of an additional 70 million customers in that attack. Other companies have since reported breaches of their computer systems.
‘‘I think we’re going to hear a lot about these breaches over the next year,’’ said Brian Krebs, a cybersecurity journalist who blogs at KrebsOnSecurity.com. ‘‘It just looks like some of the guys involved in this activity have compromised a ridiculous number of companies.’’
Krebs reported that the Target breach happened after criminals gained access to the company networks through a contractor that was servicing heating and air-conditioning systems at several stores.
Department store Neiman Marcus also was attacked recently. Its senior vice president, Michael Kingston, told lawmakers Tuesday that the company’s antivirus software was virtually useless in defending its computers. The retailer did not detect that its credit card systems were being hacked, and the company did not learn of the intrusion until the beginning of January, many months after it began.
His reference to antivirus software drew scoffs from security experts, who compare the protections offered by such programs to a flu shot — capable of staving off infection from wide and unfocused threats but of little value against a serious attacker determined to breach a specific network.
Security experts say companies must install systems that detect and halt intrusions quickly, before massive amounts of personal data can be lost.
‘‘Companies need to be hunting on their networks constantly . . . looking for signs of compromise,’’ said Shawn Henry, former head of cybercrime for the FBI and now president of Crowdstrike Services, a security company.