March 10, 2014
How to duck another Target debacle
January 13, 2014 5:38PM
Every day, more of our financial identities migrate online, which demands that banks and businesses do a much better job of protecting us from credit and debit card fraud.
On Friday, the retailer Target revealed that hackers had stolen names, phone numbers email and mailing addresses from as many as 70 million customers. That comes on top of Target’s Dec. 19 announcement that some 40 million credit and debit card accounts had been compromised in a holiday season data breach. Incredibly, the total could reach a third of the adult U.S. population.
Target isn’t alone. Neiman Marcus said Saturday that holiday cyber-Grinches stole some of its customers’ payment card information and made unauthorized charges. And the online Snapchat service last month said hackers made off with user names and phone numbers of about 4.6 million of its users.
Customers’ information already has turned up for sale on the black market. And it’s a big market. By one estimate, credit and debit card fraud alone reached $11.3 billion in losses worldwide last year.
Since its data breach, Target appears to be making many of the right moves, telling customers what it knows, apologizing, offering a year of free credit monitoring, promising customers it will cover any losses and even working to get waiting times down for those who call for assistance.
But the episode also reminds us we can’t continue to accept the parade of online thefts. Once our personal information is compromised, we are never safe. Identity theft can occur months, or years, after information is stolen — long after, that is to say, Target’s free year of credit monitoring. Pretty soon, the only people who will be safe will be teenagers with phony IDs.
Security experts say too many companies refuse to spend the money to strengthen their information security. Europe and other places outside the United States already have moved to EMV cards, which are harder to counterfeit because they use a chip embedded in cards and require personal identification numbers to be entered.
The EMV system isn’t perfect; it’s costly and still can be beaten by chips sneaked into point-of-sale readers. But U.S. cards are in the electronic Dark Ages, using magnetic strips that are easy to duplicate. That invites scammers frustrated by safeguards elsewhere in the world to look to the United States. Only 1 percent to 5 percent of U.S. cards now have EMV chips.
The United States is lagging partly because it’s left the job of securing online identities to the private sector, where every player wants someone else to pay the cost, estimated at $8 billion for new cards and readers.
Target actually tried to take the lead in reforming the system 10 years ago, Target Chairman and CEO Gregg Steinhafel says, but the rest of the industry would not join in. “It takes a village,” Steinhafel said in a Monday interviw with CNBC, “and there wasn’t enough of the village that came along at that time.”
Credit card companies have set a goal of updating to EMV cards by October 2015, but it’s unclear whether retailers and other businesses, who would have to install new card readers, will join the effort in large numbers. By some estimates, it will take up to 10 years to complete the transition.
Obviously, as any burned Target customer will tell you, that won’t do. While the expense of conversion to EMV should be borne entirely by the private sector, the federal government could force the issue by setting strict security standards and deadlines for the repositories of our online identities. Washington also should draw up rules for notifying customers when data breaches occur.
The future of the financial world is online. It must be secure.