The Washington Post

Commentary: What consumers and retailers can learn from the Target data breach
Experts say incidents like the recent data theft at Target's stores will get worse before they get better. (Phil Coale/AP)

While few things can rile up shoppers as much as a hot Black Friday deal, it seems that widespread payments fraud at one of the nation’s largest retailers is one of them.

In the wake of a massive security breach that compromised roughly 40 million credit and debit card accounts used at Target stores during the heart of the holiday shopping season, angry consumers spoke out, expressing concern about the security of their hard-earned money as well as frustration about the hassle of dealing with fraud over the holidays.

Of course, many used Twitter to vent their frustration:

Thanks @Target, I enjoy spending hours on the phone investigating fraudulent charges on my bank account. #targetbreach — Seth Sparks (@sethmsparks) December 30, 2013

But as the emotion of the moment fades away, the commentary will undoubtedly progress far beyond immediate logistical concerns or even consumer sentiment. Moving forward, information security policy will take center stage as concerns about fraud, identity theft, and cybercrime grow in an increasingly electronic consumer environment.

Looking for answers in an increasingly complex financial environment

The first thing we need to do is consider the realities – rather than the hype – of electronic payments fraud. Remember that, despite high-profile security breaches such as that recently experienced by Target, fraud impacts only 0.025% of all non-cash payments, according to the Federal Reserve.

Existing fraud prevention protocols are therefore largely effective and our payments are, for the most part, secure. In fact, one could even make the case that security breaches are shocking simply because we’ve been conditioned to expect ironclad protection.

“No system is 100 percent secure,” B. Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security, told us in a recent interview. “This is not news for security practitioners, but for the general public, there may be a misconception that banks and financial services are particularly secure, whereas in practice, the banks and financial providers view the problem from a risk management perspective — they recognize that no system is completely secure, and they try to balance the costs of protecting systems, with the cost of inconvenience to customers of a more secure system, with the cost to banks and merchants of a security breach.”

Merchants and banks investing in a secure future

Merchants and financial institutions have the most to lose when it comes to payments fraud, as they assume nearly all of the liability for unauthorized transactions and provide consumers with liability protection guarantees. But fraudulently spent funds aren’t the only monetary loss institutional players in a large-scale data breach have to worry about.

They must also deal with class-action lawsuits, security improvements, lost revenue, and significant fines. Security experts expect the event to cost Target as much as $680 million, not including a fine of as much as $3.6 billion, per the terms of the retailer’s Payment Card Industry (PCI) compliance agreement.

In light of the financial incentives that banks and merchants have for preventing this type of data breach, it should come as no surprise that they are actually doing a great deal behind the scenes to safeguard their systems and our personal information.

For instance, banks use constantly evolving modeling techniques to identify potential instances of fraud through aberrations in spending patterns. Because these models grow increasingly accurate the more information they get, we are likely better protected now than prior to the Target breach.

Financial institutions, including major banks and the world’s largest payment networks, are also gradually progressing toward EMV compliance (an industry standard that meets the security protocols at Europay, Mastercard and Visa), which would theoretically bring the U.S. payment infrastructure up to par with the system used in Europe and other parts of the world.

But while many have pointed to the Target breach as an impetus for expediting the transfer, security experts have cautioned against viewing the higher standard as a panacea.

“EMV has the potential to improve security, but the UK’s experience is that criminals will likely first adapt their strategies to avoid the new security mechanisms introduced, potentially increasing fraud levels in the process,” Steven J. Murdoch, a researcher in the security group of the University of Cambridge, said. “Financial institutions need to be aware of these other avenues for criminals and be ready with mitigation strategies. However, EMV does have technical limitations and flaws and criminals have shown the ability to exploit some despite requiring a high degree of sophistication to do so.”

With blame to go around, a look in the mirror is wise

Ultimately, while the curators of big data must do a much better job of protecting our personal information, we need to re-think some of our own information sharing and security habits as well, starting with our use of social media. Sure, criminals aren’t going to be able to mine 40 million credit and debit card numbers from our Facebook, Twitter, and Instagram pages, but they certainly can cobble together enough information from those and other sources to steal your identity.

And from an individual’s perspective, that’s just as bad.

“As long as people use social media, consumers can expect a dramatic increase in the loss of their personal information,” according to Randall K. Nichols, professor of practice in cybersecurity at Utica College and former chief operating officer of INFOSEC Technologies. “Assume you are talking to the NY Times every time you are sending a message, picture, video, etc. The problem is tactical not strategic. No one can get away from it.”

In addition to limiting disclosures on social media, there are a number of steps that consumers can take to make themselves much harder targets for fraudsters, both big- and small-time. For example, shredding financial documents before trashing them will thwart opportunistic dumpster-divers. Keeping your anti-virus software up to date, deleting emails from unknown senders, and only visiting trustworthy websites will help protect you online. And limiting the amount of personal information that you provide to retailers will help mitigate the damage stemming from any large-scale data breach.

On top of that, regularly reviewing financial account transaction history and your major credit reports will enable you to spot, report, and handle fraud as quickly as possible should it ever crop up. Simply using a credit card to make most purchases and signing for debit card transactions rather than using a PIN will also ensure that you get the best fraud liability protections.

Looking forward

The Target breach is far from our first rodeo. Similar attacks have been levied against the likes of T.J. Maxx and Marshall’s, Heartland Payment Systems, and Playstation in recent years, and while the world has kept turning, it’s clear that we need to learn our lesson.

The necessary changes should not derive from Washington. Though many will undoubtedly clamor for stricter laws and regulations, we should allow the financial incentives already in place to foster improvements to the current, largely effective system in order to shore up our defenses against other attacks. Two behemoths — the financial services and retail industries — have a lot of money riding on the safety and security of our personal information, and the combination of their bottom-line perspectives and liability-sharing agreements will naturally promote better security practices moving forward.

Odysseas Papadimitriou is the chief executive of personal finance Web sites CardHub and WalletHub. He previously served as a senior director of the credit card division at Capital One.
