A huge breach of credit- and debit-card data from Target stores dampened the holiday spirit for as many as 40 million people nationwide last week.
But experts and banking industry officials say a design change in credit cards might have prevented the breach and may be able to stop similar data thefts in the future.
"The credit cards we have are 30 or 40 years old," said Robert Siciliano, a Boston-based identity theft expert. "The magnetic stripe is in the dark ages."
The newest technology for credit cards is a higher-security microchip embedded into the cards. That feature is widely used in Europe and more than 80 countries around the globe, but it's been slow to take hold in America.
In the U.S., if you take out your credit card and turn it face down, you'll see a black or silver stripe along the top of the card. That's the magnetic stripe, and it transmits financial data when you swipe your card to pay for a set of fancy headphones or the hot new toy this Christmas.
Target department store officials said last week that as a result of the breach, shoppers who used a credit card or a debit card -- either from a bank, or the red store cards from Target -- between Nov. 27 and Dec. 15 were in jeopardy of being hacked and their credit cards used to pile up other people's purchases.
The outdated and obsolete magnetic stripe, according to industry observers, is leaving millions of Americans vulnerable to such data breaches and holding the nation years behind the rest of the shopping world.
Siciliano, the security expert, runs the identity theft prevention website BestIDTheftCompanys.com and has studied credit card breaches for the last 15 years.
He said the major problem with magnetic stripe cards is that they transmit data that is unencrypted. That makes it much easier for data thieves to steal the information from a transaction and copy it to fake credit cards, which can be used to make illegal purchases.
The embedded microchips, which dramatically improve security measures, would help reduce the chance of data and financial theft.
"You don't roll this out in a week," said Lindsey Pinkham, president of the Connecticut Bankers Association. "It's supposed to significantly make the cards more secure."
Europe has used microchip-embedded credit cards since 2002. But Pinkham and others said the U.S. has resisted the change because it would cost millions of dollars to issue new microchipped cards and create new equipment to process them.
Pinkham said MasterCard and Visa have agreed that by Oct. 15, 2015, their cards will use microchips to authorize transactions instead of the magnetic strips now on the back of debit and credit cards.
"We have asked Visa and MasterCard for a quicker timeline, but we have sensed that it's about retail pushback," Pinkham said. Read Full Article
Both she and Siciliano said pressure from the banks might force a new card into American wallets sooner rather than later. Right now, banks reimburse customers for fraudulent charges on their cards, a major cost to the institutions.
As the microchip-embedded cards replace the old ones with magnetic stripes, retailers will become responsible for paying fraudulent charges if they decline to upgrade their systems.
"This is an industry decision," Pinkham said. "The banks pay for the system and pay for the fraud now. It's an advantage for them to have a more secure system."
James Heckman, a spokesman for the Connecticut Department of Banking, said state law does not require banks to switch to microchips.
"We don't regulate it and it's not in the statutes," he said. "But I imagine this may turn into a federal thing after Target."
Swamped by calls from the media and complaints by angry consumers, Target has released few details about the breach and hasn't given an official estimate of how many people in Connecticut might be affected by the data theft.
State Attorney General George Jepsen has asked Target for an estimate by Jan. 7 and his staff said Friday it will keep tabs on Target until the state gets more details.
For now, the retail chain is urging people to check their statements and to contact their banks if they notice any fraudulent charges.
Mary Ellen O'Neill, who leads the state banking department's financial institution division, said she used a card at Target during the period when information was stolen.
"I'm going to be watching my statements and watch for anomalies. They often make a small charge and see if it goes through. You take a chance with everything. This is not the first time there was a breach," O'Neill said.
Siciliano called for similar vigilance, saying that consumers should use mobile banking apps on smartphones to keep tabs on their cards during the busy holiday shopping season, when thieves might try to sneak a purchase through unnoticed.
"Every time you give out your credit card number, it risks being compromised," he said. "This time of the year, you should be looking at your charges daily to confirm that you haven't been victimized by the Target breach."