The theft of 40 million credit and debit card numbers from Target (TGT) in the middle of the holiday shopping season is renewing pressure on the credit card industry to improve its defenses against fraud.
Credit card companies such as Visa (V), Mastercard (MA) and American Express (AXP) could do more. Most cards in Europe, for example, incorporate tiny computer chips and require a PIN code to secure transactions and virtually eliminate counterfeiting.
But so-called smartcards aren't scheduled to be widely available in the United States for at least another two years.
Banks and retailers have resisted paying for more-expensive cards, transaction terminals and back-office systems. The Target breach, which inconvenienced millions at the height of the Christmas shopping season, will add pressure to improve the system sooner, says David Robertson, publisher of the Nilson Report, a newsletter that follows the industry.
A high-profile breach
"Because it's so high-profile and it came along right at this time of year, this could spur U.S. financial institutions to move more quickly," Robertson says.
A typical credit card's security features haven't changed much since magnetic stripes were introduced in the 1970s, making it easy for crooks with stolen data to gin up counterfeit cards. And the ease of cloning makes pilfered credit card numbers quite valuable — accounts stolen from Target stores over the past few weeks are already being offered for sale on underground websites for $20 to $100 each.
The major credit card companies have set October 2015 as a deadline for U.S. retailers to switch over to cards with chips. After that date, stores that process fraudulent sales from old-style mag stripe cards could get stuck with the losses.
Target hasn’t said how hackers were able to penetrate its network and steal the card information, but a future attack wouldn’t give the criminals much valuable booty if most consumers used smartcards.
That’s because the embedded microchip generates a unique code to accompany each transaction headed to a credit card processor for approval. The secret code proves the transaction is coming from a specific, legitimate card without giving away the method to validate future purchases, explains Clifford Neuman, the director of USC’s Center for Computer Systems Security.
“If card transactions were uniformly processed in this manner, these kinds of massive credit card fraud would be more difficult,” Neuman says.
Not all fraud eliminated
Still, smartcards don’t eliminate all fraud. Visa has said it may not require its customers to use PIN codes, possibly making it easier for crooks to use stolen cards. Visa says it’s confident its transaction-approving supercomputers can stop fraud in real time.
Also worrisome, security researchers have already started to devise ways to crack the smartchips and even payments made wirelessly via mobile phones.
“Banks are planning to roll out such already broken technologies soon in the United States,” warns Kevin Fu, a computer science professor at the University of Michigan who has helped identify some of the flaws.
He’s worried card companies are putting too much reliance on new security measures, while trying to shift liability for losses to retailers and consumers. “Consumers need more-meaningful protections in terms of both technology and policy,” Fu says, arguing that consumer-rights groups should be more involved in drafting future requirements.
Mobile phones eventually may become more common payment devices than plastic cards. Many phones already have Near Field Communication, or NFC, chips that can be used in new payment networks such as ISIS, a joint venture of credit card companies and telephone networks. Consumers haven’t yet seen many benefits, but phone-based transactions could be protected by some pretty science-fiction-sounding techniques.
Nitesh Saxena, a professor of computer science at the University of Alabama, is working on a means for verifying payments using short sound recordings from within a store. Both an NFC-enabled phone and the store’s own terminal would separately send sound clips of the background noise to the payment verifier, thwarting some of the theorized weaknesses in mobile phone payment systems.
Crooks wouldn’t be able to reproduce those sounds from other locations. Who knew that annoying guy’s banter at the coffee shop could be so valuable?