The security breach over the Thanksgiving holiday season of Target's customer card processing system demonstrates how easy it is to compromise the U.S. system. It is an easy ‘target’ for hackers, especially sophisticated international rings, reports NBC News this morning.
The reason that the U.S. market is such an easy target to access our data from credit and debit cards is that, ‘We are using 20th century cards against 21st century hackers,’ says Mallory Duncan, general counsel at the National Retail Federation. ‘The thieves have moved on but the cards have not.’
What does the U.S. business merchant not do that Europeans and others around the world do in processing their cards? It is simple.The U.S. market is still relying upon the magnetic strip on the card. The card is swiped into the terminal machine and that is where the hackers capture the data while it is on route to the computer processing center.
In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. As the level of difficulty rises, hackers lose interest and move on to score elsewhere.
Because we are still in the old system of magnetic strip, ‘The U.S. is the top victim location for card counterfeit attacks like this,’ says Jason Oxman, chief executive of the Electronic Transactions Association.
Companies haven't further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.
Online orders were not affected in the Target theft as it was only the magnetic strip cards in store. The slick hackers knew to quickly and efficiently capture the data in the server while on route to the computer center. Since the security code on the back of the customer credit card is not needed for an in-store purchase, the thieves can simply reproduce the cards and issue fraudulent cards that look and feel like the real thing.
Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.
Although the U.S. has been behind Europe, change is coming with new security encrypted machines. Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.
Ingenico, a French based firm with a U.S. main office in Georgia has begun supplying this year to merchants the credit/debit card terminal with encryption for the cards issued with the embedded chip. The encrypted cards began in Europe as the 'EMV' or Euro-Mastercard-Visa card.
The New Year will bring more security tools such as the EMV card available to the merchant and higher levels of difficulty for the thieves of the Internet. The next round will bring international rings to search for new targets.