IBJNews

U.S. credit card info is easy pickings for hackers

Back to TopCommentsE-mailPrintBookmark and Share

The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.

That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.

"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven't further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: Retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder's name, account number, the card's expiration date and a security code different from the three or four-digit security code printed on the back of most cards.

When the card is swiped at a store, an electronic conversation is begun between two banks. The store's bank, which pays the store right away for the item the customer bought, needs to make sure the customer's bank approves the transaction and will pay the store's bank. On average, the conversation takes 1.4 seconds.

During that time the customer's information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security code printed on the backs of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it's stored. Target says there is no indication that security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But the security code on the back of a card is not needed for in-person purchases. And because the magnetic strips on cards in the U.S. are so easy to make, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

"That's where the real value to the fraudsters is," says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.

Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.

To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn't be able to create fraudulent cards.

Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.

"Everyone knows that the signature is a useless authentication device," Duncan says.

Duncan, who represents retailers, says stores have to pay more — and banks make more — on transactions that require signatures because there are only a few of the older networks that process them, and therefore less price competition. There are several companies that process PIN transactions for debit cards, and they tend to charge lower fees to stores.

"Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards," Duncan says.

Even so, there are a few things retailers can do, too, to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.

"Financial institutions are more used to having high levels of protection," says Pascual. "Retailers are still getting up to speed."

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say. They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully. These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs —and, likely, fees for all customers.

"Part of the cost in the system is for fraud protection," Oxman says. "It costs money, and someone's going to pay for it eventually."
 

ADVERTISEMENT

  • PCI DSS Compliance
    Sean, many merchants do not take security seriously. Many merchants who accept credit/debit card payments are not PCI DSS compliant which means they don't adhere to even the minimum suggested measures for how best to handle credit card information given their particular business environment. Being PCI DSS compliant does not ensure a merchant will never be breached but does reduce the probability. There are different measures based on whether the card is present or not present, whether a card is transmitted over an analog or data connection. When a breach happens to a small business, it potentially could put the merchant out of business either due to the fines or due to the time period of the investigation or both. Merchants - do the right thing. Become PCI DSS compliant and take it seriously.
  • Cyber Liability
    It is incredible how many business owners ignore this exposure in terms of purchasing insurance. The theft of credit card data and private information is not the only exposure. Hackers can take down a network or someone elses network using a business owners site as a launching point causing business interruption and losing large amounts of income or they can take over a social media site and promulgate misinformation, etc. All these issues bring exposure to liability to the business owner but most businesses do not purchase cyber liability and privacy breach insurance leaving them to deal with this exposure on their own. In the Target example, 40,000,000 cards were stolen. If they take just $1 per card, their is $40,000,000 stolen and Target is liable....most likely with very little insurance relatively speaking. Business owners need to wake up to this threat and protect themselves and their assets.
  • Fraudulent Processing Accts.
    And...the crooks can set up fraudulent merchant credit card processing accounts. I know because my business name and (now former) EIN were stolen and combined with the SSN of an 83 year old woman to set up fraudulent accounts that processed stolen credit cards. So, it's not just using a stolen card; the processing can also be fraudulent. It's not been a happy story.

Post a comment to this story

COMMENTS POLICY
We reserve the right to remove any post that we feel is obscene, profane, vulgar, racist, sexually explicit, abusive, or hateful.
 
You are legally responsible for what you post and your anonymity is not guaranteed.
 
Posts that insult, defame, threaten, harass or abuse other readers or people mentioned in IBJ editorial content are also subject to removal. Please respect the privacy of individuals and refrain from posting personal information.
 
No solicitations, spamming or advertisements are allowed. Readers may post links to other informational websites that are relevant to the topic at hand, but please do not link to objectionable material.
 
We may remove messages that are unrelated to the topic, encourage illegal activity, use all capital letters or are unreadable.
 

Messages that are flagged by readers as objectionable will be reviewed and may or may not be removed. Please do not flag a post simply because you disagree with it.

Sponsored by
ADVERTISEMENT

facebook - twitter on Facebook & Twitter

Follow on TwitterFollow IBJ on Facebook:
Follow on TwitterFollow IBJ's Tweets on these topics:
 
Subscribe to IBJ
  1. Good Day I am Mr (Victoria Wright) from United state of America, i stayed in NEW YORK, and i have a broke up business, until i found this company email who help me to gain a loan for business,, and now i want to used this short medium to congratulate the below company for the fast and safe money they loan to me without any form of collateral, i loan 500,000USD from the company to save my business and lots more, i saw their mail on the internet, everyone always give testimony for what they did, so i quickly contacted them and they all did everything for me without stress and my money was sent to my account just 3 days later, i was surprise and i feel so glad, now i have a standard business control agent who help me, now i will advice those who need urgent loan to contact him at the bellow email:zenithfirm12@gmail.com

  2. NOTICE:This is to inform the general public that Vampires are real. My name is James Franklyn.,am an agent of vampire,am here to introduce our new world trend to you,a world of vampire where life get easier,we have made so many persons vampires and have turned them rich,you will be assured long life and prosperity,you shall be made to be very sensitive to mental alertness,stronger and also very fast,you will not be restricted to walking at night only even at the very middle of broad day light you will be made to walk.In case you are wildly oppressed by some unscrupulous persons we can still help you fight them.Your protection is assured immediately you join.Just contact the bellow email if you are interested we are here to attend to you anytime you want us. Contact the bellow email for more details. Email:vampirescreed@hotmail.com Sincerely: James Franklyn.

  3. Bravo! Someone else that is willing to speak the truth! Bravo!_____NBCSN is available in almost 2 MILLION more homes than just a few years ago, but Indycar STILL gets less total viewers than it did just a few years ago when NBC took over Versus. Attendance and ratings cratered with the end of season races (just when the title battle got "interesting" HAH!__________And now...new race in Basilia, where Miles celebrated the "rich history" of Indycar racing there. Rich history? What, 7 events in the 100 years of AOW? Yep, some history. Well, at least its an oval. It's not??? Are you kidding me??? Gosh darn road racin furriners.

  4. PURITY RAY LOAN OFFER........ Have you been denied by your banks,or are you in need of of an urgent loan to pay of your bills we are capable of giving loans @ cheaper rate to interested individuals, student, companies and members of the public in need of finance to settle bills, we do offer considerable loans which you can count on. For more information on our various types of loan,then you will have to contact PURITY RAY LOAN FIRM, to help you achieve your desire LOAN APPLICATION FORM TO BE FILLED BORROWERS INFORMATION * Full name:………………………. * SEX * ……………………………. * Country………………………….. * State:……………………………. * Land:…………………………….. * Occupation:…………………….. * phone number:…………………. * Telephone: ………………………….. * Age:………………………………. * Amount needed as loan:……… * Loan Duration:………………….. * Propose of Loan:……………….. * Annual revenue:………………… * Monthly Income:……………….. * Guarantee:………………………. * Payment: monthly or annually Email.....purityrayloanfirm@gmail.com Thank you and God bless Mr Purity Ray PURITY RAY LOAN FIRM we tend to serve you better

  5. Problem: most of the people responding to this article don't know about this service AT ALL! Why? Lack of awareness. This isn't IndyGo. This is CIRTA: might as well be the mattress company because they are asleep at the wheel - something like 3 directors over the last year? Playing with federal grant money is great! This "region" wants commuter rail service, has spent MILLIONS on Transportation studies yet can't even support a commuter bus line? This is largely for suburban riders to get to downtown - not for "service people to work in our hotels and restaurants" ! Get your head out of your backside!! These are professionals, students etc. that don't want to fight traffic, save some money on parking, gas, stress.... if CIRTA would put their federal money into widely promoting the sevive to Greenwood, Fishers & Carmel instead of finding directors and studies - this would be a successful service. Our family uses(d) it daily for the last several years - but the recent uncertainty & now unreliability due to cuts from Carmel has been a problem. Now, costs us an additional $350/month for gas & parking ( $4200/year) plus vehicle wear, service, environmental impact ... YES - this REGION needs this this type of service in order to keep growing and getting the people it needs to fill skilled positions in downtown Indianapolis. Think outside of your own car !!!

ADVERTISEMENT