Weak US card security made a juicy Target

Published: Monday | December 23, 2013 Comments 0
In this January 18, 2008, file photo, a customer signs his credit card receipt at a Target store in Tallahassee, Florida.
In this January 18, 2008, file photo, a customer signs his credit card receipt at a Target store in Tallahassee, Florida.
Shoppers leave a retail Target last Thursday in Hackensack, New Jersey. Target says that about 40 million credit and debit card accounts customers may have been affected by a data breach that occurred at its US stores between November 27 and December 15. AP Photo
Shoppers leave a retail Target last Thursday in Hackensack, New Jersey. Target says that about 40 million credit and debit card accounts customers may have been affected by a data breach that occurred at its US stores between November 27 and December 15. AP Photo
Traders James Dresch (left), and Timothy Nick work at the post that trades Target on the floor of the New York Stock Exchange last Thursday. Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season in its US stores shifted into high gear between November 27 and Deccember 15. The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the back of cards.AP
Traders James Dresch (left), and Timothy Nick work at the post that trades Target on the floor of the New York Stock Exchange last Thursday. Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season in its US stores shifted into high gear between November 27 and Deccember 15. The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the back of cards.AP

NEW YORK (AP):

The United States (US) is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.

That's in part because US credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the US, people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.

"The US is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

40 million people affected

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between November 27 and December 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven't further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder's name, account number, the card's expiration date and a security code different from the three or four-digit security code printed on the back of most cards.

When the card is swiped at a store, an electronic conversation is begun between two banks. The store's bank, which pays the store right away for the item the customer bought, needs to make sure the customer's bank approves the transaction and will pay the store's bank. On average, the conversation takes 1.4 seconds.

During that time the customer's information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security code printed on the back of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it's stored. Target says there is no indication that security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But the security code on the back of a card is not needed for in-person purchases. And because the magnetic strips on cards in the US are so easy to make, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

 

Share |

The comments on this page do not necessarily reflect the views of The Gleaner.
The Gleaner reserves the right not to publish comments that may be deemed libelous, derogatory or indecent. Please keep comments short and precise. A maximum of 8 sentences should be the target. Longer responses/comments should be sent to "Letters of the Editor" using the feedback form provided.
blog comments powered by Disqus

Top Jobs

View all Jobs

Videos