ALBUQUERQUE, N.M. — The criminals who cracked Target’s defenses, stealing debit and credit card information of as many as 40 million shoppers who swiped at the retailer’s stores, exposed a major vulnerability in the way Americans pay.
“The credit-card system is inherently broken,” said Jeremiah Grossman, the chief technology officer of Web-application security firm WhiteHat Security. “It’s a shared-secret system, in which everyone has the secret every time you swipe your card in the U.S.”
That secret is the data encoded on the back of magnetic-stripe cards: the name of the cardholder, plus the account number, security code and expiration date, among other vital bits.
For card issuers, data thefts on the scale of the Target breach, which occurred between Nov. 27 and the middle of this month, represent a major headache and possibly substantial expenses.
To combat would-be thieves, payment networks, banks and retailers are already shifting to new technologies, but the transition will take years.
Target admitted that hackers had infiltrated the payment system used in all its brick-and-mortar stores. And experts are fairly sure how these schemes take shape.
Hackers do business on forums in the deep recesses of the Internet. These meeting places act as eBays for criminal activity. There, malicious actors buy and sell stolen information. After that, crooks can work with separate groups that replicate the stolen card information and place lifted data onto pieces of plastic. Eventually, mules on the street get hold of the finished product and spend the cash. Criminals can also buy goods online.
Sometimes criminals bolster the price of their wares by validating that the card is still active. They do that by initiating a micro-charge of $2 or less, “something that you’re not going to call your issuer about,” said Yaron Samid, chief executive of startup BillGuard, which monitors its users’ card accounts for fraud.
That means cardholders should be vigilant for months, he said, or at least change their PIN codes if they think they’ve been affected.
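The validation probe Samid describes leaves a recognizable trace on the issuer side: a sub-$2 charge at a merchant the account has never used, and usually the same unfamiliar merchant touching many accounts in a short burst as a stolen batch is checked. The following is an added example, not code from the article or from BillGuard, showing how an issuer's monitoring might surface that pattern from a transaction feed. The $2 limit is taken from the article; the 3-account / 24-hour clustering thresholds, the CSV layout, and all account ids and merchant names (including "WEBPAY-VERIFY-71") are constructed assumptions.

```python
"""Flag card-validation micro-charges in a transaction feed.

Constructed example for this article; the log lines, account ids and
merchant names are made up and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed threshold: the article cites "$2 or less" as the probe size.
MICRO_CHARGE_LIMIT = Decimal("2.00")


@dataclass(frozen=True)
class Txn:
    account: str
    merchant: str
    amount: Decimal
    ts: datetime


def parse_txn(line: str) -> Txn:
    """Parse one constructed CSV line: account,merchant,amount,ISO-8601 timestamp."""
    account, merchant, amount, ts = line.strip().split(",")
    return Txn(account, merchant, Decimal(amount), datetime.fromisoformat(ts))


def micro_charge_alerts(txns):
    """Return micro-charges at merchants the account has never used before.

    A small charge at a familiar merchant (a coffee refill, a grocery top-up)
    is normal; a small charge at a merchant with no prior history on the
    account is the trace a validation probe leaves behind.
    """
    seen = set()  # (account, merchant) pairs observed so far, in time order
    alerts = []
    for t in sorted(txns, key=lambda x: x.ts):
        key = (t.account, t.merchant)
        if Decimal("0") < t.amount <= MICRO_CHARGE_LIMIT and key not in seen:
            alerts.append(t)
        seen.add(key)
    return alerts


def probe_merchants(alerts, min_accounts=3, window=timedelta(hours=24)):
    """Group alerts by merchant and report merchants that micro-charged at
    least `min_accounts` distinct accounts inside any `window`.

    A stolen batch is typically checked through one merchant account in a
    burst, so the cross-account view is the stronger signal than any single
    customer's statement.
    """
    by_merchant = defaultdict(list)
    for t in alerts:
        by_merchant[t.merchant].append(t)
    suspicious = {}
    for merchant, hits in by_merchant.items():
        hits.sort(key=lambda x: x.ts)
        flagged = set()
        start = 0
        for end, t in enumerate(hits):
            while t.ts - hits[start].ts > window:  # slide the window forward
                start += 1
            accounts = {h.account for h in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged |= accounts
        if flagged:
            suspicious[merchant] = flagged
    return suspicious


# Constructed feed: normal spending, one small charge at a familiar merchant
# (not flagged), and a burst of sub-$2 charges from one unfamiliar merchant
# across three accounts (flagged as a probe cluster).
SAMPLE_LOG = """\
acct-1001,GROCERY MART,54.10,2013-12-01T10:00:00
acct-1001,GAS N GO,38.00,2013-12-03T08:15:00
acct-1002,GROCERY MART,12.75,2013-12-02T17:40:00
acct-1003,BOOKSHOP,23.99,2013-12-04T12:00:00
acct-1001,GROCERY MART,1.50,2013-12-20T09:00:00
acct-1001,WEBPAY-VERIFY-71,1.05,2013-12-20T03:11:00
acct-1002,WEBPAY-VERIFY-71,0.98,2013-12-20T03:14:00
acct-1003,WEBPAY-VERIFY-71,1.20,2013-12-20T03:20:00
acct-1004,COFFEE CORNER,1.75,2013-12-19T07:30:00
"""


def run_sample():
    """Parse the constructed feed and return (per-account alerts, probe clusters)."""
    txns = [parse_txn(line) for line in SAMPLE_LOG.splitlines()]
    alerts = micro_charge_alerts(txns)
    return alerts, probe_merchants(alerts)


if __name__ == "__main__":
    alerts, clusters = run_sample()
    for a in alerts:
        print(f"alert: {a.account} {a.merchant} ${a.amount} at {a.ts}")
    for merchant, accounts in clusters.items():
        print(f"probe cluster: {merchant} -> {sorted(accounts)}")
```

On the sample feed, the $1.50 grocery charge on acct-1001 is left alone because that account has shopped there before, the lone $1.75 coffee charge on acct-1004 produces a per-account alert but no cluster, and the three sub-$2 charges from the unfamiliar merchant within nine minutes are reported as one probe cluster spanning all three accounts. In practice the first-seen check would run against the account's real history rather than the same feed, and the cluster output is what an issuer would use to decide between reissuing cards and tightening controls on the affected accounts.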
This all puts the affected banks, payment networks and merchants in a tight spot. They have to decide whether to issue their customers new cards or just put tighter fraud controls on the accounts of customers who might have been impacted.