Cyber attacks on U.S. merchants can be cut down

Adam Levitin. Photo Credit: The Law & Economics Center at George Mason University School of Law

WHEN THIEVES hack a luxury retailer like Neiman Marcus, you know the apocalypse has begun.

I mean, security breaches only happen at retailers where struggling working stiffs and the shrinking middle class shop, right? But after the luxury merchant, which operates more than 79 upscale and clearance stores (including three in the Philly area), confirmed that thieves stole some of its customers' payment-card information and made unauthorized charges over the holiday season, it appears that even the flush shoppers are no longer immune from personal-data theft.

On Thursday, Neiman Marcus CEO Karen Katz apologized in a letter to the store's customers affected by the data breach: "We want you always to feel confident shopping at Neiman Marcus, and your trust is our absolute top priority."

The retailer said the breach - which appears to have been executed at the same time as a more-massive one at Target last month - affected customers who used both debit and credit cards and shopped in stores, but not online. (Neiman Marcus said that more information from investigators was needed to determine which stores were affected, but that steps were being taken to make sure such a data breach never happens again.)

But experts say such breaches are likely to continue until the shoddy state of U.S. credit-card payment infrastructure is fixed.

Georgetown Law prof Adam J. Levitin recently said on the blog Credit Slips that the use of two-factor authentication - namely chip-and-PIN cards, which are standard in Europe - has been effective in reducing fraud.

Levitin says chip-and-PIN cards have two key security features that frustrate easy physical copying of the cards. "With our current magnetic stripe cards, I can copy the information off the mag stripe with a small reader and then use that to make a new card," Levitin wrote, adding that it's "not so easy" if you have to copy information on a microchip embedded in the card.

The cards also require a PIN, creating two-factor authentication. A stolen card isn't useful without the PIN. "Chip-and-PIN isn't impossible to crack, but it's a lot harder," says Levitin.

That raises the question: Why don't we have chip-and-PIN? "The banks don't want to pay for it because they don't bear most of the fraud costs," says Levitin.

Congress isn't likely to pass legislation anytime soon to correct this problem, because the banks own Washington. But let's not forget that this is an election year.

So, if you're worried about personal info being stolen every time you swipe, here's a thought: Call your local D.C. pol and demand that he/she do something about chip-and-PIN cards. Don't like guvmint and want less regulation? Then don't whine when a hacker steals your identity.


On Twitter: @MHinkelman