The credit and debit card data breaches at Target and Neiman Marcus compromised more than 70 million American consumers, and analysts say even more of us are at risk. That's because the technology we use to swipe for our purchases — magnetic stripes on the backs of cards — isn't hard for a skilled fraudster to hack.
"It's totally unprotected and it's static, so it's the same data that's read every single time. It's just about the worst security that you can put into a payment system," says Avivah Litan, a security analyst for Gartner, a firm retailers hire to assess their cybersecurity gaps.
Sophisticated cyberthieves got consumer data during the holiday season breaches by injecting a virus into Target's card payment terminals. From there, the bad guys systematically captured the information found on every card swiped, from Thanksgiving through just before Christmas.
"We've seen hacks as big as this before, in fact we've seen bigger, but what we haven't seen before is something this sophisticated and well-organized," Litan says. The data from the cards were turned around and sold on an underground market, where thieves can re-create credit cards using the stolen data and use them to make fraudulent purchases, she says.
Industry leaders know magnetic stripes are outdated and easily exploitable. The rest of the world moved on to a more secure, harder-to-hack payment system based on chip-enabled cards — chip and PIN. Chip-enabled cards are more secure because the data on the chip are hidden behind encryption. So even if criminals intercept what's on it, they can't reuse it.
"It's standardized all over the world and used all over the world, except in the U.S. and perhaps one country in Africa," Litan says.
It's a reality that NPR's new London correspondent, Ari Shapiro, learned quickly when he moved overseas a few weeks ago.
"Basically my American credit card is like a second-class citizen here," Shapiro says. "I can't use the self-checkout line at the supermarket; I can't use the automated machine in the subway system or the post office. Some merchants charge me an extra charge just because of my American credit card."
Shapiro's new British pal, Ben Thompson, explains how he pays for purchases without swiping — or signing.
"I put the card in the machine. The retailer, the cashier will hand me a little key pad, I type in my [PIN]. And that verifies the transaction. It means I don't have to sign, I don't have to use a pen. I literally type in four little numbers," Thompson says.
As of last May, Visa says it issued at least 3.5 million chip cards in the U.S., and it aims to get the majority of U.S. consumers on chip-based cards by 2015. But changing over all those cards and card readers costs a lot of money, which is part of the reason it hasn't happened sooner.
"You have to upgrade all the terminals that are out there that are used by the merchants; you have to upgrade all the ATM machines; you have to issue new cards to consumers. So it's a lengthy process," says Litan, who estimates that even if a concerted effort to change to chip and PIN started today, it wouldn't be standard in the U.S. for at least three more years.
Interestingly, The Wall Street Journal reports that Target actually tried to collaborate with Visa 10 years ago, to use chip cards in 1,000 stores. But executives shelved the effort over worries that chip-based cards slowed down checkout speeds.
"It's gonna take time. It's going to be extraordinarily expensive. But it's something we must do," says Mallory Duncan, the general counsel at the National Retail Federation. "What the recent breaches have done is shone a spotlight on it and now I think all of the players are recognizing that changes have to be made."
He says retailers will adjust, because the cost of more major data breaches is too great.
"If you start bringing out the new PIN and chip cards, then retailers will begin to reconfigure their point of sale equipment to accept those cards," Duncan says.
Copyright 2020 NPR. To see more, visit https://www.npr.org.