
Weak US card security made Target a juicy target

By The Associated Press
NEW YORK (AP) -- The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.

That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.

"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven't further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder's name, account number, the card's expiration date and a security code different from the three- or four-digit security code printed on the back of most cards.

When the card is swiped at a store, an electronic conversation is begun between two banks. The store's bank, which pays the store right away for the item the customer bought, needs to make sure the customer's bank approves the transaction and will pay the store's bank. On average, the conversation takes 1.4 seconds.

During that time the customer's information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security code printed on the backs of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it's stored. Target says there is no indication that security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But the security code on the back of a card is not needed for in-person purchases. And because the magnetic strips on cards in the U.S. are so easy to make, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

"That's where the real value to the fraudsters is," says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.

Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.

To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn't be able to create fraudulent cards.

Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.

"Everyone knows that the signature is a useless authentication device," Duncan says.

Duncan, who represents retailers, says stores have to pay more - and banks make more - on transactions that require signatures because there are only a few of the older networks that process them, and therefore less price competition. There are several companies that process PIN transactions for debit cards, and they tend to charge lower fees to stores.

"Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards," Duncan says.

Even so, there are a few things retailers can do, too, to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.

"Financial institutions are more used to having high levels of protection," says Pascual. "Retailers are still getting up to speed."

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say. They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully. These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs - and, likely, fees for all customers.

"Part of the cost in the system is for fraud protection," Oxman says. "It costs money, and someone's going to pay for it eventually."
© Copyright 2016 AccessWDUN.com
All rights reserved. This material may not be published, broadcast, rewritten, or redistributed without permission.