Giant retailers Target and Neiman Marcus found themselves in the middle of a security firestorm after it was revealed that customers’ credit card information had been stolen.
Black Friday
Target admitted late last year that 110 million customers were affected by the breach that occurred between 27 November and 15 December 2013, around Black Friday. This is by far the busiest shopping day of the year.
Neiman Marcus suffered a similar attack in January this year, with 1.1 million customers’ information compromised.
Cyber security blogger Brian Krebs broke the story on the massive hack on 15 December. Krebs’ sources called it one of the “largest retail breaches to date.”
Hackers had installed malware on the stores’ Point-of-Sale (POS) devices, the machines used to swipe credit and debit cards. The malware collected card and personal information, which was then stored inside Target’s internal systems. The hackers, who had bypassed Target’s security by stealing a vendor’s credentials, later retrieved this data.
Consequences
The records stolen were “track data”, which lets thieves create clones of credit cards simply by encoding the stolen information onto any card with a magnetic stripe. If they were also able to steal PIN data for debit transactions, they would, in theory, be able to reproduce debit cards as well and use them to withdraw cash from ATMs.
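The “track data” the article refers to follows the ISO/IEC 7813 magnetic-stripe layout, and finding it staged on internal systems is exactly what a retailer’s incident responders or DLP tooling would scan for. The following is an added example, not part of the original article or of any vendor tool: it scans a constructed buffer (using the well-known 4111… test number, not a real card) for Track 1 and Track 2 records, validates each candidate PAN with the Luhn check to drop false positives, and reports only masked PANs.

```python
import re

# Magnetic-stripe layouts per ISO/IEC 7813 (the "track data" the article mentions).
# Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so the finding is actionable without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> list:
    """Return masked findings for every Luhn-valid track record in a captured buffer."""
    findings = []
    for m in TRACK1_RE.finditer(blob):
        pan, name, exp, svc = m.group(1), m.group(2), m.group(3), m.group(4)
        if luhn_valid(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                             "name": name, "expiry": f"{exp[2:]}/{exp[:2]}", "service_code": svc})
    for m in TRACK2_RE.finditer(blob):
        pan, exp, svc = m.group(1), m.group(2), m.group(3)
        if luhn_valid(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                             "expiry": f"{exp[2:]}/{exp[:2]}", "service_code": svc})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample buffer: the 4111... test PAN passes Luhn; the ...1112 decoy does not.
SAMPLE_DUMP = (
    "pos-log-2013\x00%B4111111111111111^DOE/JANE^25121011234567890?\x00"
    ";4111111111111111=25121011234567890?\x00"
    ";4111111111111112=2512101000000000?\x00trailing"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_DUMP):
        print(finding)
```

The same scan can be pointed at files, process memory dumps or network captures; any Luhn-valid hit outside the payment application itself is a strong indicator that card data is being staged where it should not be.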
Target later revealed that the hackers were also able to steal data that might have included names, phone numbers, mailing addresses, and email addresses. Other data that might have been stolen include financial history and shopping habits.
The worry here is that the information will be used to steal even more sensitive information from victims. Hackers might pose as bank representatives and extract data like mother’s maiden names or social security numbers.
Amid these attacks, banks and retailers have been slugging it out over who should shoulder responsibility. Retailers pay “swipe fees” of about 2% of the purchase price to banks, which use them to fund rewards programs and cover fraud costs. Banks say they have been absorbing two-thirds of the cost of fraud stemming from breaches they had nothing to do with.
Retailers hit back, saying banks force them to use obsolete and fraud-prone technology, and have even demanded that the banks apologize.
Solutions
In 2002, Europay, MasterCard, and Visa rolled out a system for authenticating credit and debit card transactions. Instead of the traditional magnetic stripe, the new procedure used a combination of an integrated circuit card (or “IC card”) and a PIN.
With “chip-and-PIN” cards, cardholders enter a PIN to verify their identity instead of simply swiping and paying. Cardholder information, such as name, card number, and expiration date, is stored in the chip.
EMV, named for its three founding companies, has been credited with a massive reduction in credit card fraud across Europe. It protects consumer information better because the cards are difficult to counterfeit and the chips use encryption.
The US has been slow to adopt, with banks and processors saying that the shift will be expensive because new readers will be required. Visa and MasterCard are pushing for the shift, however, with an October 2015 deadline. After this, they will no longer accept liability for fraud.
Despite its high level of security, the EMV system is not perfect. In 2010, a group of students at Cambridge University found a flaw so serious they suggested that the whole system be rewritten. A team from BBC, with permission, was able to use a fake card, coupled with a fake PIN, to pay at the university cafeteria.
EMV published a response, saying that while such an attack was theoretically possible, it would be very difficult and expensive to carry out successfully, while the risk of a declined transaction or of getting caught would be high.
Tech expert Craig Mathias suggests cutting the retailer out of the payment flow altogether and having the customer deal directly with the credit card company or a proxy, using end-to-end encryption or two-factor authentication. Providing any information to the retailer, other than a record that a transaction occurred that day, should be optional and authorized by the customer.
What can you do?
Credit card thieves are only getting more sophisticated, but you don’t have to stand by and watch while the banks play catch-up with their security. Here are a few things you can do on your own to protect yourself.
Monitor your bank and credit card statements. This is another reason you should avoid mindless spending. It’s easier to detect suspicious activity on your account if you know exactly what you bought.
Be very careful about your online activity, especially since most of us regularly purchase things online, or have done so at least once. Make sure the website you are entering your credit card information into is not fake: phishing scams work by imitating banks or businesses to trick you into entering your details. Don’t store your passwords online, especially on a public computer, but even on a personal device: it could get stolen, and then not only would you have lost an expensive gadget, you would have left yourself open to credit card theft, too.
Regularly verify your mailing address. Thieves will try to fill out change-address forms to keep statements from coming to your house. This gives them a better chance of staying under the radar.
Destroy sensitive documents. Any piece of paper, like old statements or even junk mail, which contains your personal information, is a risk. Burn or shred them.
Investigate and report any suspicious activity as soon as you notice. Thieves move very fast; they won’t stand around and risk getting found out.
The credit card security problem is far from getting solved. While Target has promised to step up its security game and even offered a year of free credit monitoring for its customers, eternal vigilance is still the best defense for our personal safety.
Why Haven't We Solved the Credit Card Security Problem Yet?
Prow