The massive data breach that compromised the card account information of as many as 110 million Target customers over the holidays has raised many uncomfortable questions.
Among them: How could this happen? Why is the U.S. payments industry still using archaic and notoriously insecure magnetic stripe card technology? And will the episode change anything?
Following are frequently asked questions about the incident, its impact on the card business and the long-term ramifications.
How did hackers get access to Target cardholder data?
The full investigation is still underway, but some facts are known.
Point-of-sale malware called BlackPOS was used to infiltrate Target's network and skim card "track" data (cardholder name, account number, expiration date) from 40 million debit, credit, prepaid and proprietary Target decoupled debit cards used by Target shoppers in stores from Nov. 27 to Dec. 15. The malware was designed to intercept card data immediately after a card was swiped (while track data is in the clear) and park it in the terminal's flash memory before the data was encrypted and sent on for authorization. The malware then skimmed the contents of the card terminals' memory.
Target has said that 70 million records of consumer email addresses and phone numbers were also stolen. Because such information does not get loaded onto debit and credit cards, it must have been stolen through a separate or related hack on a marketing or loyalty database inside Target. Such information is typically sold for a song to spammers, since it is much less valuable than the card information.
What has happened to the card account data since it was stolen?
The hackers have posted much of the data on black market sites set up for buying and selling such information. The cards are sold at prices ranging from $25 for a run-of-the-mill Target card to as much as $250 for a Neiman Marcus Black Card.
"Days after the [Target] compromise, before the story had broken that Target was breached, we saw this gigantic influx in cards available on the forums," says Dan Ingevaldson, the chief technology officer of Easy Solutions, a software company that investigates security breaches for banks. "You can look up any bank and find a set of stolen cards in proportion to size of bank." Usually, the information is stolen through local skimming operatives, such as a waiter at a restaurant or a gas station attendant.
"In early December, we saw a huge spike, millions of cards dropping on these sites at once," Ingevaldson recalls. "We knew it was something big, and it looked like a retail compromise because it was spread across the U.S., there was no geographic concentration. Target is everywhere and its cards are everywhere."
There are people who make a living by using stolen card data (purchased sometimes with bitcoins) to buy things online that can be resold on eBay (DVDs, Xboxes) or to create fake plastic cards. A lot of fraud makes its way into online gaming platforms where people can use stolen card information to buy game credits.
Why doesn't the FBI or some other law enforcement agency shut down the sites on which stolen card information is sold, and/or catch the people selling and buying the data?
One reason is that this problem is global. "It's very difficult for the arms of American justice to reach into Eastern Europe," Ingevaldson points out. "Once in a while the dumb ones get caught, but often if their URL gets exposed or published, they just change it and move to a different site. And if you take out a couple of guys, there are hundreds waiting in the wings to fill that void."
And the Internet's anonymity makes it relatively easy for card thieves to use stolen cards online. "It's very easy to change your identity and mask your location by bouncing off of a lot of botnets," says Paul Smocer, president of BITS, the security arm of the Financial Services Roundtable. "It's a difficult process to find and then prosecute the person."
If the U.S. adopted EMV chip-and-PIN cards, would large-scale card fraud such as we're seeing in the Target case be impossible?
No. "The only way to defeat such an attack is to have a POS terminal that immediately encrypts the track data at the terminal's read head so there is no point where the data is in the clear," says David Lott, retail payments expert at the Federal Reserve Bank of Atlanta. "I refer to this as end-to-end encryption." Such terminals are less available and more expensive than standard equipment.
And chip-and-PIN in its current form does not prevent card-not-present fraud, in which stolen card account information is used online. Easy Solutions estimates that 90% of card fraud in this country is of the card-not-present variety; other estimates put the ratio at 65%-70% of card fraud. Unless or until every desktop computer and mobile device is equipped with some kind of chip reader, there's no way to take advantage of the security provided by the chip in online transactions.
"EMV is a technology that was built and designed before the explosion of online ecommerce and card-not-present transactions," says Ingevaldson. "The more you dig into EMV, the more you see that it was not designed to deal with card-not-present transactions."
Any system can be gamed. Even if every point-of-sale terminal and ATM in the country were EMV chip-and-PIN only, a clever hacker who accessed the card processor's system could steal account information and erase any controls that look for information generated by the chip. Sound farfetched? That is exactly what happened in the last major card breach in the U.S.: hackers entered processors' networks and manipulated data, including erasing limits from cards.
Would chip-and-PIN provide better security than we have today?
Most people say yes. The EMV chip generates an encrypted, one-time-use digital key for each transaction. Even if the keys were stolen, they could not be used again. Stolen account information could not be used to create a fake chip card, although it could still be used to create a fake magnetic stripe card. If a card issuer's system were configured to recognize that an account had been issued as chip-and-PIN and that the dynamic code the chip is supposed to generate has not been provided, it could decline the transaction.
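The issuer-side logic described in the preceding answer, as an added Python example that is not from the article or from any card network: the chip MACs the transaction data with a card-unique key, and the issuer declines when a chip-enrolled account shows up without a cryptogram, when the cryptogram does not verify, or when a previously seen transaction counter is replayed. HMAC-SHA256 over a pipe-joined string stands in for the real EMV application cryptogram (which MACs specific EMV data elements under a derived session key); the PAN, key and merchant identifier are constructed test values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: a per-card key shared between the chip and the issuer.
# Real EMV uses issuer master keys and derived card/session keys; this is a simplification.
CARD_KEYS = {
    "4111111111111111": bytes.fromhex("0f" * 16),  # constructed test PAN -> constructed key
}
CHIP_ENROLLED = {"4111111111111111"}  # accounts the issuer knows were issued as chip cards


@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    merchant_id: str
    entry_mode: str                    # "chip" or "magstripe"
    atc: Optional[int] = None          # application transaction counter, supplied by the chip
    cryptogram: Optional[str] = None   # hex MAC supplied by the chip


def chip_cryptogram(key: bytes, pan: str, amount_cents: int, merchant_id: str, atc: int) -> str:
    """What the chip does at the terminal: MAC the transaction data with the card key.
    Because the ATC and amount are inside the MAC, the value is specific to one transaction."""
    msg = f"{pan}|{amount_cents}|{merchant_id}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Authorization host: verifies the cryptogram and tracks the highest ATC seen per card."""

    def __init__(self):
        self.last_atc = {}  # pan -> highest ATC accepted so far (replay detection)

    def authorize(self, req: AuthRequest) -> str:
        if req.pan not in CARD_KEYS:
            return "DECLINE:unknown_card"
        if req.pan in CHIP_ENROLLED and req.entry_mode != "chip":
            # Track data from a chip card replayed on a counterfeit magnetic stripe:
            # no dynamic code was provided, so the issuer can refuse it.
            return "DECLINE:chip_card_without_cryptogram"
        if req.entry_mode == "chip":
            if req.atc is None or req.cryptogram is None:
                return "DECLINE:missing_cryptogram"
            expected = chip_cryptogram(
                CARD_KEYS[req.pan], req.pan, req.amount_cents, req.merchant_id, req.atc
            )
            if not hmac.compare_digest(expected, req.cryptogram):
                return "DECLINE:bad_cryptogram"      # tampered amount/merchant or wrong key
            if req.atc <= self.last_atc.get(req.pan, -1):
                return "DECLINE:replayed_cryptogram"  # a captured cryptogram cannot be reused
            self.last_atc[req.pan] = req.atc
        return "APPROVE"


if __name__ == "__main__":
    issuer = Issuer()
    pan, key = "4111111111111111", CARD_KEYS["4111111111111111"]
    crypt = chip_cryptogram(key, pan, 1999, "merchant-A", 7)
    print(issuer.authorize(AuthRequest(pan, 1999, "merchant-A", "chip", 7, crypt)))
    print(issuer.authorize(AuthRequest(pan, 1999, "merchant-A", "chip", 7, crypt)))  # replay
    print(issuer.authorize(AuthRequest(pan, 1999, "merchant-A", "magstripe")))       # stripe fallback
```

The replay check is what makes the cryptogram "one-time-use" from the issuer's point of view: the same value submitted twice is rejected even though it verifies correctly, and a stripe-only transaction on a chip-enrolled account is rejected before any cryptogram is examined.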
MasterCard (MA) and Visa (NYSE: V) see EMV chip-and-PIN as the answer to payment security.
"This country is an island among EMV-compliant nations. It's the only country in the world that still uses technology that was used in eight-track tape players in the 1960s," says Chris McWilton, MasterCard's president for North American markets. The Target breach "is the wake-up call."
Why is the U.S. one of the last countries to adopt EMV, along with North Korea?
One reason is the complexity of the U.S. financial services market: it's been almost impossible to get people to agree on anything.
"We have so many banks and so many retailers and such a large infrastructure in place, we don't have a governing body like in Canada or Europe that could dictate to all the member banks in the region that it's time, we're going to go to EMV," says Dan Heimann, vice chairman of the EMV Migration Forum, an industry group, and a solutions consultant at the software vendor ACI. Many of those countries were required to make the shift; they did not volunteer. "In the U.S., we still have thousands of financial institutions issuing cards and hundreds of thousands of retailers."
There are also close to 20 independent U.S. debit networks, including STAR and NYCE. None of them are ready for EMV and none of them have announced plans to get ready. And card issuers, of course, would have to replace all magnetic stripe cards with chip-and-PIN cards.
Upgrading all point-of-sale terminals and ATMs would cost a lot of money, which is the other big reason the U.S. has not adopted EMV.
How soon will we have chip-and-PIN on every point-of-sale device and ATM in the U.S.?
Visa, MasterCard, Discover (DFS) and American Express (AXP) have all agreed to a "liability shift" date of October 2015. After this, merchants that have not upgraded their equipment to be EMV-compatible will bear greater responsibility for losses from card fraud taking place on their terminals using EMV cards. ATM owners accepting MasterCard have until October 2016 to upgrade their machines to chip-and-PIN; Visa has given ATM owners until October 2017 to be compliant. Gas station owners have until October 2017 with both networks.
In spite of these announcements, doubts remain over merchants' willingness to do what is needed to support EMV. The deadlines have been extended before and could be again.
"Both issuers and merchants come back and say, 'where's the business case on this?'" McWilton says. "The finance people say 'What are our fraud costs? What's the cost of re-terminalizing?' The answer has been, across the industry, 'there is no business case for this, up to this point in time.'"
Lott argues that the EMV business case is an insurance premium at this point. "It's a willingness to pay extra costs now guarding against a major negative financial impact in the future," he says.
In 10 years there will still be some magnetic-stripe-only devices out there, Heimann predicts.
"In any country, it's taken quite a while to shift the entire infrastructure over," he says. "I do think we're seeing good progress." Walmart is enabling its point-of-sale equipment to read chip-and-PIN cards, for instance, and some big banks are doing so with their ATMs.
Why haven't Visa and MasterCard established data security systems that make these breaches impossible?
According to McWilton, they can't.
"If you think of payments in the U.S., it's an ecosystem of issuers, payment networks, MasterCard, Visa, American Express, Discover, merchant acquirers and the merchants themselves," he says. "The ecosystem is all interconnected but individual decisions have to be made on security standards." For MasterCard, Visa or anybody else to say unilaterally that this is the standard that the whole industry is going to use would not be acceptable. "You have to have everybody pulling in the same direction."
McWilton also blames banks, which for years have told the card associations that their in-house fraud detection capabilities sufficed. "Their response is, 'we don't need it, everything is good, we keep our fraud rates at manageable levels,'" McWilton says.
Target now has a business case to implement EMV. "It's amazing how a billion-dollar loss in market cap will focus the mind," McWilton says.
How can the industry protect against card-not-present fraud?
MasterCard and Visa are betting on tokenization - turning card credentials into a one-time-use digital code a consumer can use to make an in-store purchase. Combined with some means of authenticating the customer, this would prevent card account information from being passed through retail systems and provide less opportunity for hackers to steal it.
"That's the strategy to cure the digital world," McWilton says. It could also help deter card-present fraud.
In October MasterCard, Visa and Amex agreed to an industry-wide standard for tokens - what they will look like, data elements that will be included, how they're configured and the sizes of the fields.
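The tokenization model described in the three preceding paragraphs, as an added Python example that is not from the article or from any card network's specification: a token service keeps the only copy of the PAN-to-token mapping, hands the merchant a format-preserving token (same length, passes the Luhn check, so legacy field validation still works), and redeems each token only once and only for the merchant it was issued to. A token copied out of a breached merchant database is therefore worthless elsewhere. The PAN, merchant identifiers and the rule that tokens start with "9" are constructed for the example.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Network-side token service (constructed example). Holds the only PAN<->token mapping."""

    def __init__(self):
        self._by_token = {}  # token -> {"pan", "merchant", "used"}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Issue a single-use, merchant-scoped token that looks like a card number."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        while True:
            # Constructed convention: tokens start with 9 so they never collide with real PANs.
            body = "9" + "".join(secrets.choice("0123456789") for _ in range(len(pan) - 2))
            token = body + luhn_check_digit(body)
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = {"pan": pan, "merchant": merchant_id, "used": False}
        return token

    def detokenize(self, token: str, merchant_id: str):
        """Return (pan, status). Only the issuing merchant may redeem, and only once."""
        rec = self._by_token.get(token)
        if rec is None:
            return None, "unknown_token"
        if rec["merchant"] != merchant_id:
            return None, "wrong_merchant"
        if rec["used"]:
            return None, "token_already_used"
        rec["used"] = True
        return rec["pan"], "ok"


def merchant_record(vault: TokenVault, pan: str, merchant_id: str) -> dict:
    """What the merchant actually stores after enrollment: token and last four, never the PAN."""
    token = vault.tokenize(pan, merchant_id)
    return {"token": token, "last4": pan[-4:], "merchant": merchant_id}


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", "merchant-A")  # constructed test PAN
    print("merchant stores:", rec)
    print("redeemed by merchant-B:", vault.detokenize(rec["token"], "merchant-B"))
    print("redeemed by merchant-A:", vault.detokenize(rec["token"], "merchant-A"))
    print("redeemed again:", vault.detokenize(rec["token"], "merchant-A"))
```

The merchant's stored record carries no field from which the PAN can be recovered, which is the point of the scheme: the data that a memory scraper or database theft could collect at the retailer no longer authorizes a purchase anywhere but at that merchant, and not even there after first use.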
Online merchants could also protect themselves by asking customers to enter the CVV2 code on the backs of cards, which is not included in the magnetic stripe data and therefore is much harder to steal, Lott points out.
What else is being done to try to prevent another Target-sized card security breach?
BITS is pushing Washington to press other governments to cooperate on law enforcement. "This is an issue that often involves foreign nationals, so that makes it difficult," says Smocer. "In the world of the Internet, it's easy to change your identity and mask your location by bouncing off of a lot of botnets. It's a difficult process to find and then prosecute the person."
BITS is also pushing for a bill that encourages and provides legal protections for banks, retailers and others that share information about data breaches.
"The ability to share the nature of the malicious software, and maybe the IP addresses from which it came, might have prevented additional attacks that have occurred since the Target one became known," Smocer says. The bill BITS supports would help alleviate any liability concerns banks, retailers and others have about sharing information about security breaches.
"You can be very cautious when you share information or you can be more proactive," Smocer explains. "You see a piece of what appears to be malicious code coming in. You can wait and say 'I want to make absolutely sure before I say to anyone else this is inappropriate, because I don't want to be liable if I made a mistake and said an address was trying to implant malicious code. Or I can act quickly, hoping to prevent what I believe to be, in good faith, an attack that's about to happen.'" With liability concerns lifted, a company could report such suspicions without fear of reprisal.
The Financial Services Information Sharing and Analysis Center in Washington gathers threat information from bank and card processor members, anonymizes the data and sends back reports for manual reading. It's now working to automate these reports, so information about cybercriminal tactics, techniques, and procedures will be sent to members electronically so it can be directly used by security software.
Will we ever be rid of card fraud?
"The criminal element will always be trying to find a way to break our next best thing," Smocer says. "If you think about how robbers used to break into safes, and safes became stronger, we eventually got to the point where there are few physical bank robberies. But we still have some. We haven't gotten rid of this completely because determined criminals will find a way to keep matching us on technology."