On December 19, Target (NYSE:TGT) disclosed that as many as 40 million credit and debit cards were compromised during a nineteen-day period spanning the early part of the holiday shopping season. Later, the retailer added that at least 70 million customers’ personal information, including names, mailing addresses, telephone numbers, and email addresses, was also stolen from its database, even though many of those individuals had not shopped at any of the company’s brick-and-mortar locations during that time frame.
Similarly, Neiman Marcus announced late last Friday that the company was informed in the middle of December by its credit-card processor of possible unauthorized charges on the accounts of some customers. Additionally, as Reuters reported Sunday, data security breaches have occurred at three other well-known U.S. retailers as well, although those attacks have not yet been publicly disclosed.
As American shoppers increasingly use credit or debit cards instead of cash, retailers are creating huge stores of personal information that cyber thieves are anxious to acquire, and as credit and debit card use has grown in the United States, the incidence of fraud has correspondingly risen. Not only are fraud rates on the rise, but the absolute fraud numbers are massive. Only about 6 cents per every $100 spent using plastic is lost to fraud, but United States businesses lost $11.27 billion in fraud in 2012, an increase of 14.6 percent from 2011. The breaches of customer data at Target and Neiman Marcus this year illustrate in sharp relief the problem with United States credit system; even though fraud rates are increasing, businesses have yet to adopt widely-available technology that would make credit card fraud much harder to commit.
Most other countries have abandoned the use of the magnetic stripe on the back of a card to locate data. Instead, credit cards are designed with an embedded chip that generates a new code for every transaction, making them very hard to counterfeit. That technology for computerized cards — known as EMVs — has been around since the 1990s. Magnetic strips are comparatively much easier to fake, and the United States now has the highest incidence of credit card fraud.
Last year, this country experienced 47 percent of global fraud, while processing only 24 percent of global payments by volume, according to the Nilson Report, an industry publication. Still, after the data breaches at Target and Neiman Marcus, 2013 could be a watershed moment for the industry as more consumers call for their personal information to be better protected. Of course, it must be noted that the technology that protects EMV cards in the physical world does not prevent them from being vulnerable to fraud online.
The National Retail Federation has urged its members to upgrade to the higher-security cards even though they are more expensive to use than the credit cards with magnetic strips, as Mallory Duncan — general counsel of the industry trade group that represents Target, Wal-Mart (NYSE:WMT), and other large chains — explained in an interview with Reuters. The data breaches are “unfortunate but we’re not entirely surprised,” he said this week at the trade group’s annual convention. “The technology that exists in cards out there is 20th-century technology and we’ve got 21st-century hackers,” Duncan added. But the National Retail Federation has only made public its backing of the more technologically advanced and secure card system after the Target cyber attack was revealed.
While Target did not detail how the security of its network was breached and important data siphoned away, but investigators believe the hackers installed Memory parser malware on cash registers or servers to extract encrypted magnetic-stripe data as it moves through the live memory of the computer, where it appears in plain text. Credit-card company Visa (NYSE:V) issued two warnings last year about the increase in cyber attacks, but it is unclear whether Target implemented the recommended protection measures. However, a law enforcement source did inform Reuters that the security measures Visa outlined may not have been enough.
The United States Secret Service, which has jurisdiction over credit-card fraud, is investigation both the Target and Neiman Marcus incidents. Even though banks typically are responsible for the financial losses tied to fraudulent transactions, Target has also paid a price for the data breach. The retailer lowered its fourth-quarter profit forecast on Friday, in part because sales are expected to have been weaker-than-expected since reports of the cyber-attack emerged.
Follow Meghan on Twitter @MFoley_WSCS