Tuesday, December 24, 2013

Off Target

Related: Targeted by Hackers

Back on Target:

"Outdated credit card systems giving hackers big edge; US slow to adopt the digital-chip system others use" by Jonathan Fahey |  Associated Press, December 23, 2013

NEW YORK — The United States is the juiciest target for hackers hunting credit card information. And experts say that problems like the recent data theft at Target stores will get worse before they get better.

That’s in part because US credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology that is employed in cassette tapes.

‘‘We are using 20th-century cards against 21st-century hackers,’’ said Mallory Duncan, general counsel at the National Retail Federation. ‘‘The thieves have moved on, but the cards have not.’’

In most countries outside the United States, people carry cards that use digital chips to hold account information. The chip generates a unique code every time it is used. That makes the cards more difficult for criminals to replicate — so difficult that they generally do not bother....

Let's chip everything!

The breach that exposed the credit card and debit card information of as many as 40 million Target Corp. customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It is unclear how the breach occurred and what data, exactly, criminals have.

Although experts say no security system is fail-safe, there are several measures stores, banks, and credit card companies can take to protect against these attacks.

So who will benefit (makes you wonder who is ultimately behind the hacking)?

Companies have not further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: Retailers, banks, and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems. 

See: Battling Big Banks a Moot Point in Massachusetts

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder’s name, account number, the card’s expiration date, and a security code different from the three- or four-digit security code printed on the back of most cards.

When the card is swiped at a store, an electronic conversation is begun between two banks. The store’s bank, which pays the store right away for the item the customer bought, needs to make sure the customer’s bank approves the transaction and will pay the store’s bank. On average, the conversation takes 1.4 seconds.

During that time the customer’s information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security code printed on the backs of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it is stored. Target says there is no indication that security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But the security code on the back of a card is not needed for in-person purchases. And because the magnetic strips on cards in the United States are so easy to make, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

‘‘That’s where the real value to the fraudsters is,’’ said Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards....

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Maybe you should just use cash. 

Related: App Impul$e 

Hey, don't worry about it.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say.

They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully.

These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs — and, probably, fees for all customers....

--more--" 

Let me just charge this last purchase and we can get out of here and head home.

"Target reveals Justice Dept. looking at data breach" by Anne D’Innocenzio |  Associated Press, December 24, 2013

NEW YORK — Target Corp. said Monday that the Department of Justice is investigating the credit and debit card security breach at the retailer.

The investigation comes after Target revealed last week that data connected to about 40 million credit and debit card accounts were stolen between Nov. 27 and Dec. 15. Security specialists said it’s the second-largest theft of card accounts in US history, surpassed only by a scam that began in 2005 involving Massachusetts retailer TJX Cos. That affected at least 45.7 million card users.

The Justice Department declined to comment on whether it’s investigating the breach at Target, the nation’s second-largest discounter. But Target said that it’s cooperating with the department’s probe.

The news came as Target also said that it is working with the Secret Service in the retailer’s own investigation and that its general counsel held a conference call on Monday with state attorneys general to bring them up to date on the breach.

‘‘Target remains committed to sharing information about the recent data breach with all who are impacted,’’ Molly Snyder, a Target spokeswoman, said in a statement.

Target has been trying to deal with fallout from the breach during what is typically the busiest shopping season of the year. By Monday evening, more than a dozen Target customers had filed federal lawsuits around the country, with some accusing Target of negligence in failing to protect customer data.

Target has said that it told authorities and financial institutions once it became aware of the breach on Dec. 15. The company issued an apology to customers and doubled the number of workers taking calls from customers around the clock. It also offered 10 percent off to customers who wanted to shop in its stores on Saturday and Sunday and free credit monitoring services to those who are affected by the issue.

But there are early signs that some shoppers are scared off by the breach. Scotty Haywood, who lives in Smiths Station, Ala., said he plans to stop shopping at the store. He said his debit card number had been stolen after he used it at Target the day after Thanksgiving.

He said the card was denied when his wife tried to use it Thursday at a grocery store. He said the couple knew something was wrong because they had $2,200 in the account.

‘‘The possible savings of a few dollars are nothing compared to the money that has been stolen from us,’’ he said.

Overall, Customer Growth Partners LLC, a retail consultancy, estimates that the number of transactions at Target fell 3 percent to 4 percent on Saturday, compared with a year ago. The Saturday before Christmas is usually one of the top busiest days of the season.

‘‘Before this incident, Target had a chance of at least a decent Christmas. Now, it will be mediocre at best,’’ said Craig Johnson, president of the firm.

Related: 

'Twas the Week Before Chri$tmas....

After strong seasonal start, US store sales continue to slide

Slow Saturday Special: Same Old Horse $hit 

And here I thought Santa farted.

Meanwhile, consumer perception about the Target brand has dropped steeply since the news broke Wednesday night, according to YouGov BrandIndex, which surveys 4,300 people daily. The index ranges from 100 to negative 100 and is compiled by subtracting negative customer feedback from positive customer feedback.

Before the breach, Target’s index was 26, higher than the rating of 12 of its peer group of retailers that include Walmart. Now, it’s negative 19....

--more--"