Search AOL Mail
AOL Mail
AOL Favorites

Weak US Card Security Made Target a Juicy Target

Target Data Breach

NEW YORK (AP) -- The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.

That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.

"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven't further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder's name, account number, the card's expiration date and one of two security codes. When the card is swiped at a store, an electronic conversation is begun between two banks. The store's bank, which pays the store right away for the item the customer bought, needs to make sure the customer's bank approves the transaction and will pay the store's bank. On average, the conversation takes 1.4 seconds.

During that time the customer's information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security codes printed on the backs of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it's stored. Target says there is no indication that the three or four-digit security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But because the magnetic strips on cards in the U.S. are so easy to generate, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

"That's where the real value to the fraudsters is," says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.

Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card with the security number printed on the back of the card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.

To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn't be able to create fraudulent cards.

Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.

"Everyone knows that the signature is a useless authentication device," Duncan says.

Duncan, who represents retailers, says banks want to preserve the higher profits they can get when a signature is needed because there are fewer signature processing networks, and less price competition. The higher profits outweigh the cost of fraud, Duncan says.

"Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards," he says.

Even so, there are a few things retailers can do, too, to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.

"Financial institutions are more used to having high levels of protection," says Pascual. "Retailers are still getting up to speed."

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say. They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully. These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs -and, likely, fees for all customers.

"Part of the cost in the system is for fraud protection," Oxman says. "It costs money, and someone's going to pay for it eventually."

Join the discussion

1000|Char. 1000  Char.
Jim Neister December 24 2013 at 6:51 PM

Protecting from the inside out…data breaches will continue to be a problem until companies realize a strong perimeter isn't enough. What they call best practices tend to really focus on the perimeter. Right now the focus is on how to keep people from the data. What people need to focus on is what happens when people get to that data.

Companies need to use technology that will ensure that data is unusable when criminals reach it. Compare this approach to the banking industry practice of putting exploding red dye packets in bags of money. They have the perimeter protection. They have vaults, silent alarms, and armed guards. But they still put red dye in the bags because they know that at some point someone is going to get to it. People need to start protecting data in the same way, because you are never going to get to the point where people can't get to it.

There is a perfect solution to safe guard the data available to companies/retailers right now:


Flag Reply +1 rate up
rbearland December 23 2013 at 2:07 PM

They can still accept cash.

Flag Reply +1 rate up
gliverson December 23 2013 at 8:40 AM

One of the sad commentaries on humanity is that there are some VERY smart crooks out there, Smart well educated people, who are good enough and smart enough to make a good living honestly and be a benefit to society....... instead, they use the gift of intelligence given to them to be the slime around the edges of the pond. What a waste of talent and skill. Sad.

Flag Reply +3 rate up
1 reply
savvylareine gliverson December 23 2013 at 9:17 AM

Quite a few of them do that not because they like to, but because they feel like they have to in order to make ends meet.

Desperate people do desperate things.

Flag Reply 0 rate up
bigerstick December 23 2013 at 9:18 AM

This is such a joke. The stores almost never ask for my I.D. even tho on the back of my cards I printed "PLEASE ASK FOR PHOTO ID" instead of my signature. The clerks just look at it and swipe it anyways. Also, some how my info was snatched about 5-7 yrs ago and charges made. At first the bank said and did reverse the charges when I PROVED (I had made charges on my card in the mid west and within that same hour charges appeared on my card for a merchant in Florida, not physically possible to be in both places at the same time). Then later they decided it wasnt worth their effort and time to pursue the criminals, so they just put the charges back on my card and told me I had to pay them. I threatened to sue them and after a few long, painful months, they removed them at which point I promptly cancelled the card. The banks dont care. They will get their money one way or another.

Flag Reply +2 rate up
vlbassett December 23 2013 at 9:08 AM

Oy Vay...

Flag Reply +1 rate up
patj5655 December 23 2013 at 8:28 AM

Never Get hacked pay cash.

Flag Reply +2 rate up
1 reply
tz1030 patj5655 December 23 2013 at 8:45 AM

I am beginning to feel like that about everything. Pay cash because even if they don't hack your card for stealing, the companies are tracking your purchases. Its kinda creepy - WAAAAAY too much data mining.

Flag Reply 0 rate up
demannmarine December 23 2013 at 8:25 AM

I went to TGI Fridays with a brand new virgin card nevr used before, Paid my tab, the next day my cGIFard was banged for $300 in 0hio, It had to have been hacked at there place OR some one there, I called h manager and they didnt care, The bank paid me back but didnt go after the purp as it cost more money to research than to pay it off.

Flag Reply +2 rate up
1 reply
gliverson demannmarine December 23 2013 at 8:34 AM

Most likely a crooked server doubled your card right there while they took your card to process it. It is again, most likely, the server who took your card who doubled it or copied the important info down. It is also likely that more than one eprson involved with this fraud, adn the uncaring manager might just be the second involved. Either way, it is an inside job to get the security numbers off of the back of the card.

Flag Reply +1 rate up
sapphire753 December 23 2013 at 8:59 AM

As usual it's all about profits and greed for the banks and the stores

Flag Reply +1 rate up
J December 23 2013 at 7:03 AM

Until losses are significant enough to overhaul the credit card infrastructure, it won't be changed. I don't agree with it, but losses/damages are still "tolerable" to the industry.

Flag Reply +2 rate up
Ed December 23 2013 at 9:26 AM

Every time you hand your card to a waiter or waitress, your information may be captured. A quick photo of the card obtains the card number, expiration date, the 3 digit code and your signature; a perpetrator's delight! This is the price we pay for the convenience of credit cards. Check your "unbilled entries" often to detect bogus charges promptly.

Flag Reply +1 rate up
aol~~ 1209600


More From Our Partners