nb_cid nb_clickOther -tt-nb this.style.behavior='url(#default#homepage)';this.setHomePage('http://www.aol.com/?mtmhp=acm50ieupgradebanner_112313 network-banner-empty upgradeBanner
AOL Mail
AOL Mail
AOL Favorites

Weak US Card Security Made Target a Juicy Target

Target Data Breach

NEW YORK (AP) -- The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.

That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.

"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven't further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder's name, account number, the card's expiration date and one of two security codes. When the card is swiped at a store, an electronic conversation is begun between two banks. The store's bank, which pays the store right away for the item the customer bought, needs to make sure the customer's bank approves the transaction and will pay the store's bank. On average, the conversation takes 1.4 seconds.

During that time the customer's information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security codes printed on the backs of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it's stored. Target says there is no indication that the three or four-digit security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But because the magnetic strips on cards in the U.S. are so easy to generate, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

"That's where the real value to the fraudsters is," says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.

Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card with the security number printed on the back of the card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.

To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn't be able to create fraudulent cards.

Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.

"Everyone knows that the signature is a useless authentication device," Duncan says.

Duncan, who represents retailers, says banks want to preserve the higher profits they can get when a signature is needed because there are fewer signature processing networks, and less price competition. The higher profits outweigh the cost of fraud, Duncan says.

"Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards," he says.

Even so, there are a few things retailers can do, too, to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.

"Financial institutions are more used to having high levels of protection," says Pascual. "Retailers are still getting up to speed."

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say. They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully. These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs -and, likely, fees for all customers.

"Part of the cost in the system is for fraud protection," Oxman says. "It costs money, and someone's going to pay for it eventually."

More From You

*0 / 3000 Character Maximum
Filter by:
Barbara Gunther December 28 2013 at 4:59 PM


Reply Flag as Abusive rate up rate down
dlyfaith December 25 2013 at 12:46 PM

Thumbprint(s), and I guess I would add my children (if necessary), how long will that take to 'master'/steal.

Reply Flag as Abusive rate up rate down
Jim Neister December 24 2013 at 6:51 PM

Protecting from the inside out…data breaches will continue to be a problem until companies realize a strong perimeter isn't enough. What they call best practices tend to really focus on the perimeter. Right now the focus is on how to keep people from the data. What people need to focus on is what happens when people get to that data.

Companies need to use technology that will ensure that data is unusable when criminals reach it. Compare this approach to the banking industry practice of putting exploding red dye packets in bags of money. They have the perimeter protection. They have vaults, silent alarms, and armed guards. But they still put red dye in the bags because they know that at some point someone is going to get to it. People need to start protecting data in the same way, because you are never going to get to the point where people can't get to it.

There is a perfect solution to safe guard the data available to companies/retailers right now:


Reply Flag as Abusive +1 rate up rate down
rbearland December 23 2013 at 2:07 PM

They can still accept cash.

Reply Flag as Abusive +1 rate up rate down
rbearland December 23 2013 at 2:04 PM


Reply Flag as Abusive rate up rate down
SRJimVal2 December 23 2013 at 9:51 AM

"The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have."
Having read this statement above, how can recommendations be made about credit card use?

Reply Flag as Abusive rate up rate down
jar0297 December 23 2013 at 9:49 AM

As always businesses do not give a damn about consumers. All they want is to gain the maximum dollar amout by outputting the least amount of money; never mind if it hurts the consumer. Why not issue the cards with the technology that will make it harder for the thief to compromise the cardholder . . . it will cost the business more money, so do it the cheapest way possible. What a world we live in; what a world. Businesses just do not care; they do not care.

San Antonio, TX

Reply Flag as Abusive rate up rate down
Mavenah December 23 2013 at 9:46 AM

It's plain to see where this is all going. The RFID chip of course, we will all be forced to receive our own personal ID in our bodies via the implanted chip, the only fool proof system so far. No one will be allowed to buy or sell except those who have the chip(mark) in his forehead or his right hand. . Wow what a time we are living in. The fact that this was all prophesied thousands of years ago in a book (holy bible) that is increasingly being rediculed and attempts are being made to discredit it and force it out of society is just mindboggling. Of course various forms of this chip has already been implanted in some humans and many many animals for over a decade now, it's just a matter of time and soon it will be mandatory for all humans and animals.

Reply Flag as Abusive rate up rate down
2 replies to Mavenah's comment
dad December 23 2013 at 9:50 AM

Yes, and by getting the chip has dire ramifications, such as a digital virus in your body that cannot be stopped, just for starters.

Reply Flag as Abusive rate up rate down
1 reply to dad's comment
Jennifer December 23 2013 at 11:34 AM

You are both idiots.

Flag as Abusive rate up rate down
lynne66nc December 23 2013 at 11:41 AM

No chip necessary, just pay with cash or use prepaid cards.

Reply Flag as Abusive rate up rate down
Kimberly December 23 2013 at 9:43 AM

Although may not apply in this case, sometimes it's also about the company you charge with, too. A few Christmases back someone I know wanted the DVD of that cartoon "Mr. Hell". I scoured the internet and could only find it on one obscure website. I purchased it and within 24 hours someone tried to use my card in Paris . . . I live in the U.S. My bank stopped the charge because I had used my card here as well during that 24 hours and the charge looked suspicious. I did get the DVD but had my account been hacked it wouldn't have been worth the aggravation.

Really feel for all those affected. This is not a good time of year to have to replace cards, especially if you planned to use them for Christmas shopping. Target really should do better by those directly affected than the 10% discount offered last weekend. A friend shopped at Target last weekend just to get the extra 10% off but was not one of those who suffered a loss.

Reply Flag as Abusive rate up rate down
Rosemarie December 23 2013 at 9:35 AM

I have worked within the credit card processing arena for 19 years. Fraud is prevalent. My clients all complain about the security standard requirement they have to complete each year, but no one understands why this is so necessary. This breach, as well as other past breaches, should give them a new perspective on the importance of handling credit card data with more secure measures. In the olden days the full credit card numbers were shown on both receipts. Then it went to just the merchant copy. Now it is just the last 4 digits on both copies. If your terminal receipt exhibits otherwise, you are putting your business at grave consequence. In the event that the card associations trace back card data was compromised, for any reason to you, the retailer, (anyone allowing payment by credit card), the fines are so prohibitive, they will put you out of business! It is very frustrating for the (good) long term agents to keep tabs on their merchants to insure their protection. Certain unscrupulous processing companies are soliciting merchants over the phone to badger them to change services based on the assumption they are not compliant to the latest security protocols. Many terminals are at the end-of-life. If you are putting off the upgrade, you are putting your business at risk. If you have an agent that is helping you, stick with that person. Good agents are few and far between. Do your due diligence as a responsible merchant and protect yourself and your customer as much as possible. This is your responsibility as a business owner. If you haven't yet completed your questionnaire, you are being charged a late fee, which vary depending on your processor. The easiest way to determine this is to check your monthly statement. If you do not recognize a fee, contact your agent. If you don't have an agent, email me, Rosemarie at dowserone@aol.com. My team and I will guide you in the right direction! Remember one thing, SERVICE shouldn't be a thing of the past. If you are getting it now, you are among the lucky ones.

Reply Flag as Abusive rate up rate down
~~ 2592000


More From Our Partners