The criminals who cracked Target’s defenses, stealing debit and credit card information of as many as 40 million shoppers who swiped at the retailer’s stores, exposed a major vulnerability in the way Americans pay.
“The credit card system is inherently broken,” said Jeremiah Grossman, the chief technology officer of Web-application security firm WhiteHat Security. “It’s a shared-secret system, in which everyone has the secret every time you swipe your card in the U.S.”
That secret is the data encoded on the back of magnetic-stripe cards: the name of the cardholder, plus the account number, security code and expiration date, among other vital bits.
Banks and other card issuers — not individual consumers — will absorb whatever direct losses result from the Target security breach. That’s a fundamental part of how plastic works: consumer protections shield individual cardholders from liability.
But there’s still the hassle of watching for bogus charges or requesting a new card and updating any automatic payments associated with the old one.
For card issuers, data thefts on the scale of the Target breach, which occurred between Nov. 27 and the middle of this month, represent a major headache and possibly substantial expenses. To combat would-be thieves, payment networks, banks and retailers are already shifting to new technologies, but the transition will take years.
Target admitted Thursday that hackers had infiltrated the payment system used in all its brick-and-mortar stores. The admission came a day after digital security reporter Brian Krebs broke the story.
The nationwide retailer stressed that its estimate of the number of people affected, 40 million, is just an approximation. Many of those shoppers will probably never experience any fraud on their accounts.
For now, exactly how this particular breach happened is unclear. Target had little to say on that subject.
“Clearly this was a sophisticated crime,” Target spokeswoman Molly Snyder said in an email. “However, it is an active and ongoing investigation so I cannot comment further.”
Still, experts are fairly sure how these schemes take shape.
Hackers do business on forums in the deep recesses of the Internet. These meeting places act as eBays for criminal activity. There, malicious actors buy and sell stolen information.
After that, crooks can work with separate groups that replicate the stolen card information and place lifted data onto pieces of plastic. Eventually, mules on the street get hold of the finished product and spend the cash. Criminals can also buy goods online.
Sometimes criminals bolster the price of their wares by validating that the card is still active — a telltale sign that your account has been compromised. They do that by initiating a micro-charge of $2 or less, “something that you’re not going to call your issuer about,” said Yaron Samid, chief executive of startup BillGuard, which monitors its users’ card accounts for fraud.
That means cardholders should be vigilant for months, he said, or at least change their PIN codes if they think they’ve been affected.
Criminals, he explained, can hold on to cardholder data for a long time before selling it on the black market. And even more time may elapse before the transactions that bilk cardholders at the ATM or the virtual or physical point of sale.
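The micro-charge validation described above is something an issuer or account-monitoring service can look for across many accounts, not just on one statement. The following is an added illustration, not code from the article, BillGuard or any card network; the transactions, account identifiers and the thresholds (the $2 limit from the article, and a hypothetical minimum of three distinct accounts per merchant) are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical thresholds for this example; a real monitoring system would tune them.
MICRO_CHARGE_LIMIT = Decimal("2.00")   # "$2 or less", the figure quoted in the article
MIN_TESTED_ACCOUNTS = 3                # distinct accounts one merchant must hit before it is flagged


@dataclass(frozen=True)
class Txn:
    account: str       # placeholder account identifier, not a real card number
    merchant: str
    amount: Decimal
    day: int           # days since an arbitrary epoch; only ordering matters here


# Constructed sample data: A1..A3 each receive a tiny charge from the same
# merchant, while A4 has a legitimately small charge at an ordinary merchant.
SAMPLE_TXNS = [
    Txn("A1", "CoffeeCo", Decimal("4.50"), 1),
    Txn("A2", "Grocery", Decimal("30.12"), 1),
    Txn("A4", "ParkingMeter", Decimal("1.25"), 2),
    Txn("A1", "WEBSHOP-XYZ", Decimal("1.00"), 3),
    Txn("A2", "WEBSHOP-XYZ", Decimal("0.99"), 3),
    Txn("A3", "WEBSHOP-XYZ", Decimal("1.50"), 4),
    Txn("A3", "Grocery", Decimal("55.00"), 5),
]


def find_micro_charges(txns, limit=MICRO_CHARGE_LIMIT):
    """Return every positive charge at or below the micro-charge limit."""
    return [t for t in txns if Decimal("0") < t.amount <= limit]


def flag_card_testing(txns, limit=MICRO_CHARGE_LIMIT, min_accounts=MIN_TESTED_ACCOUNTS):
    """Group micro-charges by merchant and keep merchants that touch many accounts.

    One merchant sending tiny charges to many distinct accounts is the
    card-testing pattern; a single small charge (parking, a vending machine)
    at a merchant that only ever touches one account is not.
    """
    accounts_by_merchant = defaultdict(set)
    for t in find_micro_charges(txns, limit):
        accounts_by_merchant[t.merchant].add(t.account)
    return {
        merchant: sorted(accounts)
        for merchant, accounts in accounts_by_merchant.items()
        if len(accounts) >= min_accounts
    }


def accounts_to_review(txns, **kwargs):
    """Accounts that received a micro-charge from a flagged merchant.

    These are the cardholders an issuer would alert, watch more closely,
    or reissue cards for.
    """
    flagged = flag_card_testing(txns, **kwargs)
    hit = set()
    for accounts in flagged.values():
        hit.update(accounts)
    return sorted(hit)


if __name__ == "__main__":
    for merchant, accounts in flag_card_testing(SAMPLE_TXNS).items():
        print(f"possible card testing: {merchant} -> {accounts}")
    print("accounts to review:", accounts_to_review(SAMPLE_TXNS))
```

On the constructed data the parking charge is left alone because only one account saw that merchant, while the three tiny charges from the same web merchant are grouped and reported together. The per-merchant grouping is the part an individual cardholder cannot do; from a single statement the only visible signal is the lone small charge the article describes, which is why it still deserves a call to the issuer.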
This all puts the affected banks, payment networks (American Express, Visa, MasterCard and Discover) and merchants in a tight spot.
Banks have to decide whether to issue their customers new cards or simply put tighter fraud controls on the accounts of customers who might have been affected.
“When such incidents occur, Visa works with the breached entity to provide card issuers with the compromised accounts so they can take steps to protect consumers through fraud monitoring and, if needed, reissuing cards,” a spokeswoman said in an email. “Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows.”
Bank of America and Wells Fargo provided similar statements, emphasizing that customers will not lose money if their cards are used for bogus charges.
As they scramble to deal with the Target breach, financial services companies are already looking to shift the system.
The most prominent way they’re doing this is with the chip card standard that’s being used by issuers of cards in just about every country in the world outside the U.S.
Those cards — known as “Europay, MasterCard and Visa,” or EMV — are armed with encrypted chips. EMV technology, experts explain, is just more secure than the magnetic stripes used on American cards.
“This case exposes the reality that payment networks are only as strong as their weakest link,” said Wedbush senior analyst Gil B. Luria. “The bad guys find that weakest link and exploit it, and then generate very substantial gains.”
Visa and MasterCard have said that all merchants except gasoline retailers that don’t have the equipment to accept EMV cards by October 2015 will be liable for any fraudulent transactions made on their terminals, Luria said.
“It’s a matter of trying to squeeze fraud out of the system,” said Randy Vanderhoof, the director of the EMV Migration Forum, a nonprofit with more than 150 participating organizations.
But EMV only protects against fraud at brick-and-mortar retailers, not online. In cyberspace, the payment networks are focusing on other methods to cut fraud.
Until EMV takes hold, or something more resilient takes the place of the current payment system, consumers will just have to live with the headaches caused by breaches.
“It’s ultimately not the consumers who face the liability here. That’s the one beautiful thing about the credit card system,” said Robert E. Lee, a security business partner at Intuit. “If my card is stolen and used like this, I’m not out of pocket.
“There are all these consumer protections in place, even though the entire system is stupid.”