Target Hit by Massive Card Breach
Hackers Swoop in for Holidays
In the world of payment systems, the unthinkable happened during the holiday season at one of the biggest retailers in the US. A massive breach of more than 70 million credit and debit cards at Target calls attention to the fact that the industry needs to raise their standards.
Beginning on November 27, the day before Thanksgiving, hackers broke into the payment systems inside Target stores’ point-of-sale systems, and over the course of the next three weeks, stole credit and debit card information of about 70 million customers. The data includes names, expiration dates, and three-digit security codes of their cards.
The New York Times (Nicole Perlroth, Dec. 28) reported that Target customers’ data was popping up in the black market. Target is working with private forensics experts to investigate the breach. Also involved in the investigation are the Secret Service and Justice Department.
Senator Robert Menendez of New Jersey, head of the Senate Banking Committee, spoke on CNBC (Dec. 27) saying, “We need to send a message to the retail industry: Set a clear standard to apply to security. The Federal Trade commission is looking at the standard that Target had.”
Target reported that the PINs are encrypted and should be safe. Actually, the safety of the data is reportedly in doubt. But security experts say encryption may provide only temporary relief. Hackers can find a way to get into encrypted data, even if it takes computers guessing the codes one by one.
Continue reading this article
Please enter your email address:
Eric Chiu, president and co-founder of HyTrust, a cloud control company, said, “The Target breach, on the heels of Adobe, Vodafone, and Snowden, is another wake up call to the new threats in a connected world. POS systems run software and are connected to networks as well as transmit credit card data to central repositories in the data center.”
How do hackers get access to the data? Martin Ferenczi, president of the North America region of Oberthur Technologies, said, “It seems that data from mag stripe cards was breached, and when hackers get access to the data, they can duplicate a card with the same data.”
Whether the card used was a credit card, debit card, or Target branded red card, the hackers can get information from those transactions.
Moving to Chip Technology
Given the technology in place, what can limit the fraud? Although there are multiple layers of security, hackers can breach the data, according to Ferenczi. What about the deployment of chip technology?
“When chip technology is used, the level of fraud declines. If the data is breached in a chip technology environment, data is dynamic as opposed to static.” Ferenczi explains: A chip contains an operating system in it and solid cryptology. A chip card reader would recognize data from a prior transaction and would not accept it.
In other words, the system recognizes that data is from that particular card and if it is, it is unique information. Then the system does not authorize the card as a valid card and does not authorize the card to make a transaction.
Fraudsters focus on countries which have not yet moved to chip technology. “In the US, we are already issuing chips to US issuers,” said Ferenczi. “There has been growth in 2013 and we expect growth in the US to accelerate in the next three to four years. Mexico, Canada, and of course, Europe, have moved to chip technology. China is rapidly moving to chip technology.”
Banks Mitigate Risk, Businesses Follow
Banks are aware of the Target breach and want to mitigate the breach. Wells Fargo notified banking customers online about the Target breach and reassured them that the bank is watching account activities. JPMorgan Chase enacted debit restrictions in the wake of the Target breach. The restrictions affect 2 million debit cardholders, who will be limited to $300 in daily purchases and $100 in ATM withdrawals. Santander Bank also took steps to limit fraud.
The Target breach is one more call to action for improving security. CSI Enterprises has a secure mobile solution for businesses that could be better than the proposed chip-based cards. The CSI globalVCard is a mobile solution for businesses on the go enabling busy CEOs and executives to create a single use MasterCard account number again and again. The virtual MasterCard can be used to pay vendors electronically. It integrates with existing account software.
Heather Stone, Global EVP, CSI Enterprises, said “CSI has created a number of mobile payment solutions for business use. A one-time virtual single-use card can be used to pay vendors. The virtual card carries a merchant category code (MCC) and is set for specific limits with a specific expiration date and does not have a static number.”
For example, the card can be set up by the company to send a vendor $100, and it can be set for three times. It is restricted to an MCC. After the three transactions take place, the virtual card and data disappears into cyberspace. The data goes to the Treasury in real-time. CSI’s technology is patent-pending.
The CSI Fleet Fuel Card can be set up for fleet drives. It is set up with a PIN and mileage reporting and can have a vehicle description. It can be set for fuel only or fuel and maintenance. It restricts or allows what the card can be used for.
CSI is exploring the use of virtual one-time cards for consumers. Stone said, “The technology is better than chip technology. It offers a wider range of uses and provides more security than the chip.”