The attack on millions of customers’ credit cards at retailer Target has exposed the outdated security tools used in banking. And while the US is scheduled to switch to more modern card protection in 2015, not all parties are interested in modernization.
“We are using 20th century cards against 21st century hackers. The thieves have moved on but the cards have not,” Mallory Duncan, general counsel at the National Retail Federation, told AP.
Target has refused to specify the means by which fraudsters managed to steal the data of up to 40 million customers between November 27 and December 15. But almost all experts, citing industry sources and existing fraud cases, say the data was most likely siphoned with special devices attached to payment terminals, which scanned the magnetic stripes on the back of the cards.
This type of hacking would not have been possible had Target used Chip and PIN cards, officially known as EMV, which encrypt the data, making it much harder to intercept at the point of use. In contrast, the technology on magnetic stripes is similar to that of cassette tapes, which became obsolete more than a decade ago; magnetic stripes can also be easily reproduced.
More than 90 percent of all cards in the EU and four out of five in Canada use EMV. In total there are 1.6 billion of them around the world. By contrast, about 1 percent of US cards have the technology, and even those are not secure, as only one in ten American payment terminals can actually process information from the chip.
“The US is one of the last markets to convert from the magnetic stripe. There are fewer places in the world where that stolen data could be used. So the US becomes more of a high-value target,” Randy Vanderhoof, director of the EMV Migration Forum, told UPI.
Major credit card issuers have told the US to fall in line with the rest of the world by October 2015. From that date onwards, whoever is responsible for the weakest link in the security chain will be left to foot the bill for a fraudulent transaction, which should theoretically incentivize banks and retailers to provide better security measures.
Only it isn’t that simple.
US banks have calculated that the amount they lose from fraud – on average – is smaller than the cost of rolling out brand new terminals and cards across the country. They also enjoy better fees for processing the cumbersome and ineffectual signature verifications than they would if the system were converted to PIN as elsewhere.
“Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards,” said Duncan.
Meanwhile, retailers do not want to foot the bill either, and have engaged in legal battles with banks, which are only likely to intensify as the new data networks need to be created.
In the rest of the world, the changeover was either mandated by the government, or brand new payment systems were put in where cards had not been used before at all, as in developing markets.
Experts estimate that by October 2015 only 60 percent of cards will be compliant with new technology requirements.
In the meantime, it is likely that customers will have to pay for the increased susceptibility to fraud – in the form of higher banking charges needed to cover the theft. The situation simply can’t carry on as it is, though, particularly as US citizens now often struggle to have their old-fashioned credit cards accepted in parts of the world.
“Part of the cost in the system is for fraud protection. It costs money, and someone's going to pay for it eventually,” Jason Oxman, chief executive of the Electronic Transactions Association, told AP.