IF YOU worry about your privacy and carry a credit card, the Target data breach ought to be a startling wake-up call. A massive theft from card-swiping machines between Nov. 27 and Dec. 18 took information such as numbers and names from about 40 million customers and compromised personal information — names, addresses, e-mail addresses or phone numbers — from about 70 million. Although there may be overlap, perhaps one in four people in the United States were exposed to fraud and potential loss of privacy. The data were siphoned off by crooks and sent abroad.
How did it happen? According to John Mulligan, Target’s executive vice president and chief financial officer, who testified Feb. 4 before the Senate Judiciary Committee, intruders crept into Target’s network and installed malware designed to skim off credit- and debit-card information. How they did that is not known, although cybersecurity sleuth Brian Krebs has reported that they may have gotten into the network through a vendor to Target; the vendor said it was a “victim of a sophisticated cyber attack operation.” The crooks then spread the stealthy malware to the point-of-sale machines. The data were skimmed off in the seconds after customers swiped their cards during the busy holiday season.
Chastened, Mr. Mulligan told the Senate panel that Target was accelerating a $100 million investment to convert to so-called chip-and-PINtechnology that is more secure. He pledged that Target would have it in place early next year, six months earlier than planned. Mr. Mulligan’s response raises a larger question: Why isn’t the United States as a whole moving more quickly toward chip-and-PIN technology?
The answer is that it is coming, next year, but the transition involves costs that stores, card companies and banks have been reluctant to bear. When Europeans adopted the technology more than a decade ago, they lacked a continent-wide online verification system, so the new approach made sense, allowing verification on site. But such an online verification system did exist in North America. Since then, however, the magnetic swipe cards have become much more vulnerable.
The chip-and-PIN technology is now widely used in Europe and is being adopted around the world. These cards have data embedded on a chip, and the user inserts the card and inputs a personal identification number. This two-step verification process is more secure, although not ironclad, since the data still can be transmitted through networks and subject to theft. American Express, Discover, MasterCard and Visa have all announced plans to move toward a chip-and-PIN payments system, and after October 2015 merchants who don’t use the more secure technology will face greater liability for fraud and higher penalties. A next-generation technology, contact-less cards, is on the horizon.
Consumers in the United States have generally been shielded from liability for fraud on their cards and have grown complacent. They ought to be angry at the industry’s lag. Privacy needs to be protected.