Target breach due to weak card security, say experts

Rick Moran
In recent days, I've written about the Target security breach that left 40 million customers at risk. I may have been too hasty in blaming the company for bad security, although they shouldn't be absolved of all responsibility.

Instead, it appears that most American credit cards are vulnerable to this kind of point-of-sale hacking because of weak security features found on the cards themselves.

Associated Press:

The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.

That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.

"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven't enhanced security so far because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Nothing is going to change until we have 3 or 4 of these monster hacks that cause everyone the annoyance of getting new cards or changing their PIN numbers, not to mention the hassle of getting charges taken off their accounts. Until we demand additional security, it will be business as usual for the banks and credit card companies.

And the hackers.


