U.S. top 'Target' of credit fraud
NEW YORK - The U.S. is the juiciest target for hackers hunting credit-card information. And experts say incidents like the recent data theft at Target's stores will get worse before they get better.
That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.
"We are using 20th-century cards against 21st-century hackers," said Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."
In most countries outside the U.S., cards use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult to replicate. So difficult that crooks generally don't bother.
"The U.S. is the top victim location for card counterfeit attacks like this," said Jason Oxman, chief executive of the Electronic Transactions Association.
The breach that exposed the credit-card and debit-card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It's unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures that can protect against these attacks.
Companies haven't enhanced security because it can be expensive. And although global credit- and debit-card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.
Another problem: Retailers, banks and credit-card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.
U.S. credit-card companies have a plan to replace magnetic strips with digital chips by fall 2015. But retailers worry that card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number instead of a signature.
"Everyone knows that the signature is a useless authentication device," Duncan said.
Duncan, who represents retailers, said stores have to pay more - and banks make more - on transactions that require signatures because only a few of the older networks process them, and therefore there's less price competition. Several companies process PIN transactions for debit cards, and they tend to charge lower fees to stores.
"Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards," Duncan said.
Even so, there are a few things retailers can do to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.
"Financial institutions are more used to having high levels of protection," said Al Pascual, of Javelin Strategy and Research. "Retailers are still getting up to speed."
The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems, they may expose customer data to hackers.