December 23, 2013

Weak security makes U.S. cards a target

Retailers, banks and credit card issuers can do more to protect against hackers, but don’t want to bear the costs.

By Jonathan Fahey
The Associated Press

(Continued from page 1)

click image to enlarge

A customer signs his credit card receipt at a Target store. U.S. credit and debit cards are easier to copy, experts say, because of the magnetic strip they use instead of digital chips.

2008 file photo/The Associated Press

click image to enlarge

U.S. Sen. Charles Schumer, D-N.Y., pictured through a Target shopping cart, holds a news conference in New York on Sunday about the massive credit card hack that has affected 40 million Target customers.

The Associated Press

Additional Photos Below

“That’s where the real value to the fraudsters is,” says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.

Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit “black” card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.

Nearly 1,700 credit and debit card numbers stolen from shoppers at the five Target stores in Maine were selling for between $20 and $100 each Friday on at least one black market website.

To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn’t be able to create fraudulent cards.

DIGITAL CHIP CARDS COMING

Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015.

But retailers worry the card companies won’t go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.

“Everyone knows that the signature is a useless authentication device,” Duncan says.

Duncan, who represents retailers, says stores have to pay more – and banks make more – on transactions that require signatures because there are only a few of the older networks that process them, and therefore less price competition. There are several companies that process PIN transactions for debit cards, and they tend to charge lower fees to stores.

“Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards,” Duncan says.

Even so, there are a few things retailers can do, too, to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.

“Financial institutions are more used to having high levels of protection,” says Pascual. “Retailers are still getting up to speed.”

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say. They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully. These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs – and, likely, fees for all customers.

“Part of the cost in the system is for fraud protection,” Oxman says. “It costs money, and someone’s going to pay for it eventually.”

– With staff reports

Were you interviewed for this story? If so, please fill out our accuracy form

Send question/comment to the editors


Additional Photos

click image to enlarge

Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season shifted into high gear.

The Associated Press

  


Further Discussion

Here at OnlineSentinel.com we value our readers and are committed to growing our community by encouraging you to add to the discussion. To ensure conscientious dialogue we have implemented a strict no-bullying policy. To participate, you must follow our Terms of Use.

Questions about the article? Add them below and we’ll try to answer them or do a follow-up post as soon as we can. Technical problems? Email them to us with an exact description of the problem. Make sure to include:
  • Type of computer or mobile device your are using
  • Exact operating system and browser you are viewing the site on (TIP: You can easily determine your operating system here.)