January 30, 2014

"The U.S. has become the preferred target for criminal hackers"

If you were one of the 40 million Target customers whose credit or debit card may have been hacked just before Christmas, Target is offering free Experian credit monitoring for one year. Head over to creditmonitoring.target.com

Target has revealed that a sales assistant's stolen credentials helped cyber criminals pull off a massive theft of customer data during the Christmas shopping season last year.

Around 40 million credit and debit card details and 70 million other private records were stolen by hackers accessing the US retailer's payment system using an unidentified vendor's details.
The disclosure of how the criminals were able to pull off the crime comes as U.S. Attorney General Eric Holder confirmed that the Department of Justice was investigating the massive hacking at Target.
On January 23 it was reported that the FBI also warned U.S. retailers to prepare for more cyber attacks after discovering about 20 hacking cases over the past year that involved the same kind of malicious software used against Target during the holiday shopping season.

Target Tried Antitheft Cards: Years Ago Retailer Halted Rollout of Chip-Based Payment System

Chip-based credit cards—in which a smart chip in the card works with special readers installed at stores—are widely used in Europe and Canada, making it more difficult for thieves to profit from the sort of massive data breach that hit Target over the holidays.

Target CEO Gregg Steinhafel is calling on retailers and banks to adopt chip-based credit-card technology to better protect shoppers. But a decade ago, Target pulled the plug on a $40 million, three-year program that did just that. Paul Ziobro reports.

But the technology has yet to be embraced in the U.S., and as a result, the U.S. has become the preferred target for criminal hackers.
"A lot of the fraud has migrated from international markets to the U.S. because the U.S. is the weakest link," said Rick Oglesby, a senior analyst at Aite Group LLC, a Boston consulting firm that specializes in the payments industry.
Of the 5.6 billion credit and debit cards in circulation in the U.S., only an estimated 15 million to 20 million are chip cards, issued mainly to people who travel overseas frequently.

Magnetic stripes have been used on plastic since the 1970s. Hackers find it increasingly easy to copy the data on them because the information in the magnetic stripe doesn't change, and criminals can easily produce fake cards, because the technology is readily available.

Chip cards, on the other hand, take the cardholder information and turn it into a unique code for each transaction. They also often require additional authentication, such as a personal identification number, or PIN. Payment and security experts say the technology wouldn't have prevented the attack at Target, but it would have made it more difficult for thieves to counterfeit the cards and make fraudulent purchases.
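The difference between static stripe data and a per-transaction code can be shown with a small model. This is an added example, not from any of the quoted reports, and it is a simplified stand-in (an HMAC over a counter, amount and terminal nonce) rather than the algorithm real chip cards use; all names, keys and card data below are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not real card data or keys.
STRIPE_TRACK = "9999000011112222=00000000"
CARD_KEY = bytes(range(16))


def cryptogram(key: bytes, counter: int, amount_cents: int, nonce: bytes) -> str:
    """MAC over the transaction details (stand-in for a chip's per-transaction code)."""
    msg = f"{counter}|{amount_cents}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0  # incremented on every purchase

    def pay(self, amount_cents: int, nonce: bytes):
        self.counter += 1
        return self.counter, cryptogram(self._key, self.counter, amount_cents, nonce)


class Issuer:
    def __init__(self, key: bytes, track: str):
        self._key, self._track, self._last_counter = key, track, 0

    def check_stripe(self, track: str) -> bool:
        # Static data: a byte-for-byte copy is indistinguishable from the original.
        return hmac.compare_digest(track, self._track)

    def check_chip(self, counter: int, amount_cents: int, nonce: bytes, code: str) -> bool:
        if counter <= self._last_counter:  # counter already seen: replayed data
            return False
        expected = cryptogram(self._key, counter, amount_cents, nonce)
        if not hmac.compare_digest(code, expected):
            return False
        self._last_counter = counter
        return True


def demo() -> dict:
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY, STRIPE_TRACK)
    n1, n2 = b"\x01" * 4, b"\x02" * 4  # terminal nonces, fixed here for repeatability
    counter, code = card.pay(2599, n1)
    results = {
        "stripe_original": issuer.check_stripe(STRIPE_TRACK),
        "stripe_copied": issuer.check_stripe(STRIPE_TRACK),  # same bytes, same answer
        "chip_original": issuer.check_chip(counter, 2599, n1, code),
        "chip_replayed": issuer.check_chip(counter, 2599, n1, code),
        "chip_old_code_new_sale": issuer.check_chip(counter + 1, 2599, n2, code),
    }
    counter2, code2 = card.pay(500, n2)
    results["chip_next_purchase"] = issuer.check_chip(counter2, 500, n2, code2)
    return results
```

Data captured from a stripe verifies every time it is presented, while a captured chip code is rejected both when replayed as-is and when attached to a new sale.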

Adoption of the cards in Britain has helped reduce fraud from counterfeit cards by 70% from 2007 to 2012, according to the U.K. Card Association. By contrast, breaches have more than doubled since 2007 at U.S. retailers, affecting more than 5,000 records, according to a survey by the Ponemon Institute, a Traverse City, Mich., research firm.

A typical large issuer will spend about $1.30 to buy a chip card, compared with 10 cents for a traditional magnetic-stripe card, according to Aite Group. But if the chip cards were used in the U.S., fraud losses could be halved, Aite Group estimates. U.S. merchants and banks had 2012 losses of $11.3 billion due to credit-card fraud, or 5 cents on every $100 spent, according to the Nilson Report, a payment-industry newsletter based in Carpinteria, Calif.

The economics of credit card security. Who bears the cost of more secure, chip-based credit cards? The government made it harder for companies to recoup costs of added card security.

Moreover, even if investments in card security are recoverable, they are capped under the Durbin Amendment at one cent per transaction under 12 CFR 235.4(a). Indeed, I argued some time ago that one unintended consequence of the Durbin Amendment became effective that it would likely discourage investments in card security and other features (such as processing speed) by making it more difficult for issuers to recoup those costs.

Security Expert Hacks Obamacare Website In 4 Minutes; Accesses 70,000 Records with nothing more than a standard browser. “You can literally just open up your browser, go to this, and extract all this information without actually having to hack the website itself,” he said. Mr. Kennedy testified before Congress Thursday that HealthCare.gov was “100 percent” insecure, Washington Free Beacon reported.

Posted by Jill Fallon at January 30, 2014 10:46 PM