nb_cid nb_clickOther -tt-nb this.style.behavior='url(#default#homepage)';this.setHomePage('http://www.aol.com/?mtmhp=acmpolicybanner081514 network-banner-promo mtmhpBanner
14
Search AOL Mail
AOL Mail
Video
Video
AOL Favorites
Favorites
Menu

Weak US Card Security Made Target a Juicy Target

Target Data Breach



NEW YORK (AP) -- The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.

That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.

"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven't further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder's name, account number, the card's expiration date and one of two security codes. When the card is swiped at a store, an electronic conversation is begun between two banks. The store's bank, which pays the store right away for the item the customer bought, needs to make sure the customer's bank approves the transaction and will pay the store's bank. On average, the conversation takes 1.4 seconds.

During that time the customer's information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security codes printed on the backs of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it's stored. Target says there is no indication that the three or four-digit security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But because the magnetic strips on cards in the U.S. are so easy to generate, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

"That's where the real value to the fraudsters is," says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.

Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card with the security number printed on the back of the card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.

To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn't be able to create fraudulent cards.

Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.

"Everyone knows that the signature is a useless authentication device," Duncan says.

Duncan, who represents retailers, says banks want to preserve the higher profits they can get when a signature is needed because there are fewer signature processing networks, and less price competition. The higher profits outweigh the cost of fraud, Duncan says.

"Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards," he says.

Even so, there are a few things retailers can do, too, to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.

"Financial institutions are more used to having high levels of protection," says Pascual. "Retailers are still getting up to speed."

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say. They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully. These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs -and, likely, fees for all customers.

"Part of the cost in the system is for fraud protection," Oxman says. "It costs money, and someone's going to pay for it eventually."

Join the discussion

1000|Char. 1000  Char.
ajwhitneyrt December 23 2013 at 12:00 AM

So what! Find those hackers and let justice say what's right.

Flag Reply +2 rate up
1 reply
suzanne b fine ajwhitneyrt December 23 2013 at 12:15 AM

yes let's wage war on these theives

Flag Reply 0 rate up
'57mad December 22 2013 at 7:01 PM

just a thought- did you ever wonder why they(sold their customers information) were "hacked".............like all the other sites and stores who also claimed to be hacked, but? no one is ever caught . just when the stores and sites need some extra revenue/cash every six months to year???? I believe they were not hacked ,but? they sold the information on their customers just like all these sites do once they build up a client list big enough to make some real money off of selling the list. then they tell the police/fbi/the government they were hacked/robbed. who better to get away with it than the people on the" inside" of the company/ies. : ) the big question is why americans are letting them get away with it???

Flag Reply +1 rate up
house40doc December 22 2013 at 6:59 PM

We have traveled to Europe on many occasions and always use our chip card. Retailers always ask for them and sometimes refuese to take the regular card without a chip. The U.S. is WAAAAY behind Europe. It's a shame that retailers and banks here can't get together and get these cards out. If the Europeans can do it so can we....but only if there is pressure from consumers. Pester your banks, folks, enough and maybe they'll hurry up and make the change.

Flag Reply +1 rate up
2 replies
moudsie house40doc December 22 2013 at 7:00 PM

It's probably something to do with either the Koch Bros. or the GOP and money--it usually is.

Flag Reply 0 rate up
Donald house40doc December 22 2013 at 7:15 PM

Contrary to popular belief, Congress cannot just pass a law....we all want smaller government, but when government passes a law to be able to do something, people complain. Yes European countries are way ahead of us in many things, but yet, they are not perfect.

Flag Reply 0 rate up
Denise December 22 2013 at 6:57 PM

Better yet, no freakin' strips! Not debit cards, credit cards, store cards, driver's license, etc. Let's start doing things like humans. Computers can be screwed up, and it's far more difficult to unravel computer problems than human errors. Not to mention, STOP TRACKING US!

Flag Reply +2 rate up
1 reply
Donald Denise December 22 2013 at 7:16 PM

YES!! Cash only.

Flag Reply 0 rate up
michelletlopez December 23 2013 at 12:33 AM

Amazing! I live in a small town in Mexico (a country some people consider to be Third World) - we only have two banks for the whole town, yet BOTH banks have debit cards with a chip. Amazing that they can't do that in the US.

Flag Reply +1 rate up
crrunch December 22 2013 at 6:55 PM

by 2015? they could have it done in 2 months if they wanted to badly enough.

Flag Reply +3 rate up
busboy2111 December 22 2013 at 6:54 PM

Tell me again, I forgot, the reason that all these people are not using cash is because ...?

Flag Reply +1 rate up
3 replies
rmansker December 22 2013 at 6:54 PM

It's not the first time Target has been hacked. It happened to me and my partner, and the security people didn't care at the time. After the second hacking, I threatened to go to the President of the company and report the firm's security personnel's indifference to the matter; only then did the mysterious charges on my credit card statement get taken off. The card had never been activated, and for two months charges were piling up on it. After that, I schreded the damn thing.

Flag Reply +1 rate up
fearymoo December 23 2013 at 12:43 AM

USE CASH !

Flag Reply +1 rate up
gilda49 December 22 2013 at 6:51 PM

My question to Target is what are you doing to protect the information from customers drivers licenses, that you insist on swiping. I won't buy anything at Target that requires them to swipe my license. That has my address and birthday. Won't do it. Target is absolutely ridiculous with their policy on what you need an ID to buy. And they insist that you would have to do the same at any store. No - I have managed to buy compressed air, OTC drugs that are on the shelf - not behind the counter, and wine at many other stores without being "carded". If looking at me doesn't settle that I am WAY over 21, then I will be happy to show you my ID, but you are not swiping it into your system.

Flag Reply +2 rate up
aol~~ 1209600

Voting...

Back to School Deal

1409268415815

A new item every day in August
Back to School deal

More From Our Partners