Outdated Magnetic Strips: How U.S. Credit Card Security Lags
Criminals may have stolen information from 40 million credit and debit cards used at Target. A possible weakness? The magnetic stripe on credit cards — which fraudsters can pull credit card numbers and expiration dates from to make counterfeit cards.
Other countries moved beyond this technology years ago. The U.K., Canada and Hong Kong are already using chip-based cards, which are considered more secure. (Magnetic stripe technology is decades old.) Cards using the chip-and-PIN system have an embedded microchip. Instead of swiping the part with a magnetic stripe, you put the card into a terminal, then enter a PIN or sign your name. It's more expensive for criminals to forge these cards, says Brian Krebs, a security journalist who writes for Krebs on Security and broke the story on the breach at Target.
Target didn't give details on how the breach occurred. But Krebs, citing credit card industry sources, reported that it involved "the theft of data stored on the magnetic stripe of cards used at the stores."
The newer chip-and-PIN technology "simply raises the costs for the bad guys," Krebs told NPR. "It's not that they can't break the system — but it makes it more expensive for them to fabricate these cards."
That's the wrong question to ask, says Ross Anderson, who has worked on payment technology for almost 30 years and is a professor of security engineering at the University of Cambridge.
"Simply blocking off one of the avenues of attacks by fraudsters isn't enough to make fraud vanish," he says.
It can be a game of cat and mouse. Anderson says after it became common to pay with chip-based cards in the U.K., around 2003, the level of fraud went up because thieves turned to schemes involving mail and telephone orders.
Eventually, criminals figured out how to make fake terminals that steal information from the card. Also, the cards still have magnetic strips, in case European cardholders want to travel abroad. According to Krebs, some criminals simply steal the information from the cards in Europe, and because they can't pay with magnetic stripe cards over there, they send the information to crooks in the U.S. for illegal shopping sprees.
Americans are actually lucky, says Anderson, because they have the thing that matters more than technology — consumer protection.
"If there's fraud, the issue is who pays for it; is it me or is it the bank? And if the bank is running the system, then I want the bank to pay for the fraud," Anderson says. "American citizens are lucky because [since the 1970s and early 1980s, they have] very strong consumer protection in the form of Regulation E, Regulation Z and various decided court cases."
If U.S. cardholders become victims of credit card fraud, they can call their bank and be done with it, losing at most $50 or so. In the U.K., for instance, cardholders have to write a letter to file their claim.
"The U.S. is ahead in terms of consumer protection, and if you're thinking about the public interest and how things affect you as a bank customer, that's by far the most important thing," Anderson says. "How the banks use technical mechanisms to limit their own exposure then simply becomes an engineering problem for them to solve."
He says this consumer protection is why online shopping took off in the U.S.
Starting Oct. 1, 2015, Visa will encourage the use of the new chip-embedded cards in the U.S. After that, if someone uses a chip card at a store that hasn't adopted the new terminals for reading chip cards, the store may be responsible for any fraud that happens.
Anderson also says this is an exciting time for payment technology. There hasn't been much innovation for the past 30 years or so, but he says mobile payment systems like Google Wallet could be widely used in five to 10 years.