Much of the exposure is the result of the continuing trend by merchants to unhook their POS terminals from dial-up networks and connect them to IP-based networks, Litan said. Such systems often store magnetic stripe data from credit and debit cards and are deployed with default passwords that are easily hackable, she said.

The Payment Card Industry (PCI) data security standard from credit card companies such as Visa International and MasterCard explicitly prohibit the storing of such information on POS systems. Even so, a large number of retailers still do so. And many POS software products even today store such data by default, she said.

"Crooks figure out which brands are storing magnetic stripe data and determine which companies to target simply by looking at the list of customers on the terminal manufacturer's Web site," she said.