A Surprising Consequence of Target's Slip Up

 

Image Source: Wikipedia 

You have probably already heard about how between Nov. 27 and Dec. 15 credit and debit card data was stolen from 40 million of Target's (NYSE: TGT  ) customers in the second largest scam of this kind in U.S. history. The theft is second only to TJX Companies' (NYSE: TJX  ) 2007 breach, which ended in 100 million corrupted accounts and cost TJX $256 million.

Since the moment Target officially acknowledged the hack, there have been mountains of speculation and rumors regarding what the effect of this historic debacle will be to Target. 

These shocking revelations have also raised the question as to how safe America's credit and debit cards truly are. In 2013, how could it be possible that 40 million accounts could be breached before anyone noticed something wrong?

America is easy prey
Surprisingly, the answer to this question is because American credit and debit cards are years behind the rest of the world in technology. The last time the American credit cards got a significant security boost was back in the 1970's with the introduction of the black magnetic strip. 40 years later, crooks are finding it easy and lucrative to steal the data necessary to produce counterfeit cards.

The technology level of the current magnetic strips is equal to that of cassette tapes. It is simply as easy as copying the information provided clearly on the magnetic strip for hackers. Instead, the rest of the developed world uses (or is very close to using) "smart" chip-based cards.

These cards, which you can find in almost any major country excluding the U.S., use digital chips to hold account information. The chip generates a unique code every time the card is used, making it hard to nearly impossible for hackers to steal information off these cards.

Mallory Duncan, general counsel at the National Retail Federation, put the U.S. situation into perspective:

"We are using 20th century cards against 21st century hackers. The thieves have moved on but the cards have not."

Fear not, by October 2015 America will have swiped its last card
The plan has always been for the U.S. to switch over to these "smart" cards, but switching over all of the infrastructure to be compatible with this new technology is going to be very expensive. This explains why it is taking the U.S. so long to adopt "smart" cards. Additionally, the cost of fraud to big business is minuscule in the grand scheme of things. According to the Nilson Report, the record $11.27 billion in global fraud last year only accounted for $0.052 out of $100 in transactions.

Nevertheless, the major card companies, Visa (NYSE: V  ) , MasterCard (NYSE: MA  ) , and American Express (NYSE: AXP  ) , have already set October 2015 as the deadline for U.S. retailers to switch over to cards with chips.

The massive media coverage the recent Target debacle is getting could speed up this process says David Robertson, the publisher of the Nilson Report. He commented, "Because it's so high-profile and it came along right at this time of year, this could spur U.S. financial institutions to move more quickly."  

Whenever they finally do appear, these new "smart cards" will represent a long-overdue step in the right direction for consumers. The same can not be said for retailers, however.

The amount of money that retailers such as Target and TJX will have to spend updating all of their locations will result in massive costs. Yes, consumer confidence in their card security will improve, but none will gain any advantage since all retailers are required to switch over to the new system.

The plus for retailers is that the probability that something like Target's massive breach happening again will be reduced. This could be a potentially huge money saver.

For card companies, this switch-over isn't going to be a major profit-eater. While they will have to spend money to update their systems and issue new cards, in the long-run the switch is a good thing and should reassure potential cardholders that the process is secure. 

The Foolish conclusion
It had already been established that by October 2015 the U.S. would become a "smart card" nation, but now as a result of Target's major slip up, the switch could happen sooner than that. Who stands to benefit? Above all else, American consumers, who as a result of this technology should have to deal with less fraud.

On the other end is retailers, who are being forced to spend millions to accommodate to this new technology.

Somewhere in between these two are the card companies, which will have to spend money to update their infrastructure but in the long run are improving the overall credit card system. 

Swiping that iconic black strip has become something as American as apple pie, but soon enough this storied tradition will go the way of the dinosaur.

What does the future hold for the Fool's favorite stock?
There’s a huge difference between a good stock, and a stock that can make you rich. The Motley Fool's chief investment officer has selected his No. 1 stock for 2014, and it’s one of those stocks that could make you rich. You can find out which stock it is in the special free report: "The Motley Fool's Top Stock for 2014." Just click here to access the report and find out the name of this under-the-radar company.


Read/Post Comments (5) | Recommend This Article (6)

Comments from our Foolish Readers

Help us keep this a respectfully Foolish area! This is a place for our readers to discuss, debate, and learn more about the Foolish investing topic you read about above. Help us keep it clean and safe. If you believe a comment is abusive or otherwise violates our Fool's Rules, please report it via the Report this Comment Report this Comment icon found on every comment.

  • Report this Comment On January 05, 2014, at 6:13 PM, neamakri wrote:

    My question, and this is a big one, is WHY did target keep PIN's?

  • Report this Comment On January 05, 2014, at 8:46 PM, paymentspros wrote:

    Here are the facts:

    1) The Target breach was a compromise of the electronic cash register point of sale. The PC that sits there in each lane runs software and they are essentially Windows PCs. Retailers are required to secure these devices, but bad guys have been getting better and better at compromising them.

    2) The terminal where you swipe your card and enter your PIN was not compromised. But the data that gets captured by the PIN pad device is sent to the POS (that cash register PC) and then onto a server in the stores and then onto Target's corporate network and then onto their payment processor (First Data and Vantiv in this case).

    3) PINs have not been compromised. They are encrypted using a unique one-time key inside the PIN pad device and decrypted by Vantiv. So, yes the bad guys have the encrypted data, but could only ever decrypt one PIN at a time with a single key. They would need millennia to decrypt all of the PINs even with highly parallel processing. It would be easier to just guess the 4 digit PIN.

    4) Target does not store this data - the track data of the magnetic strip or the PIN - as described above it flows through their network as part of the payment processing flow. The data was captured in the POS or the store server by malware that pulls the data out of memory.

    These are the facts. Would EMV (chip cards) have made Target, and consumers, safer? Yes. Would it have stopped all fraud? No. Even with chip cards the PAN (that's the 16 digit number on the front of your card) is transmitted in the clear, is static, and can be used to run transactions on the web.

    EMV has no viable solution to prevent card not present fraud (that's e-commerce transactions).

    Furthermore, the dates that are listed in this article (October 2015) do not represent the time in which all retailers must accept chip cards, instead this is the date by which retailers will assume liability for fraudulent card present transactions. So, if I took the Target magstripe data, cloned it, and ran a transaction somewhere the took chip cards, then the retailer would be off the hook, so to speak, and the issuer (the bank) would take the hit. For some merchants, this date is even further out - like fuel companies. There are no plans at this time by any of the brands to announce the end of magnetic stripe cards.

    And up until the Target breach, Visa was even considering pushing the dates further out. We'll see if they keep the dates because of this high-profile issue or not.

    The smart card migration is a chicken and egg sort of scenario - retailers don't take them because less than 1% of cards issued in the US have issued chip. And issuers don't issue them because retailers don't take them. Using the rest of the world as an example of success is misleading. In most chip nations, there was a government mandate (look at the UK or Canada for example) that required migration. No such pressure exists here. Furthermore, retailers don't necessarily see that the expense of migrating (which is large) is worth the liability shift incentive. For someone like Target, it may be worth it. For smaller retailers, they just don't see enough fraud to spend the money - grocery is one vertical where fraud is very low and so the expense may not be worth it.

    Will the US eventually move to chip? Yes, of course. But EMV isn't flawless and is also attackable. And in the Target case, it would not have prevented fraud. EMV data gets captured every day in chip countries and gets turned into fraudulent ecom transactions all the time. This is the dirty little secret of chip...no ecom story.

    Sorry for the long post, but I have been very frustrated at the lack of understanding and the erroneous pontification of so-called "payments experts."

  • Report this Comment On January 05, 2014, at 9:39 PM, CharlesD wrote:

    I read in today's Star Tribune (Sunday, Jan 5) that Target had actually implemented smart cards in 2000, but abandoned them because they slowed down the checkout process and no one else joined with them in using the smart cards.

  • Report this Comment On January 06, 2014, at 7:48 AM, Riggerwo wrote:

    Duhhhhhhhhhhhhhh..finally...welcome to the 21st century....smart cards are the way to go..why do we have to wait until 40 million accounts are compromized before we do anything.....the stupidity of US banks just blows my mind...

  • Report this Comment On January 07, 2014, at 8:58 AM, SirBoss wrote:

    This story isn't about a credit industry gone funky with time though that is true. It really is about a banking industry determined at every cost to prevent the effective containment of this kind of fraud. They have resisted what should be the law that the feduciary is 100% liable for identity issues on charges and the burden of proof should be theirs. The industry makes a fortune on identity thieft.

    It is also a story about the NSA. The NSA which does view 100% of all banking transactions in the USA and runs bots on them 100% (Yes I do know about this) should have obtained the identity of the thieves almost instantly. The fact that this has not been properly cleaned up shows that the NSA is not doing what it claims to be doing and is in fact working against the people of the USA. The NSA is probably self funding itself by this stealing. Any significant thief who might have done this would have been caught already. This means that the organization doing this has the blessing or willing ignorance of the NSA. --- Look carefully folks this is proof that the NSA which is a MILITARY WEAPONS SYSTEM does in fact view itself as at war against the American People. I will use the words of a few elites to prove it.

    The Isreali Prime Minister said, "These are things that are not done among friends." Therefore if they are done, clearly there is someone who is considered as an enemy. The aim of this behavior is clearly and most determinedly against the people of the USA. Clearly we as Americans are not "friends" of the NSA. And--- Its failure to protect us in time of need, clearly shows this.

Add your comment.

DocumentId: 2783488, ~/Articles/ArticleHandler.aspx, 4/18/2014 11:54:21 AM

Report This Comment

Use this area to report a comment that you believe is in violation of the community guidelines. Our team will review the entry and take any appropriate action.

Sending report...


Advertisement