Is it a full moon? Is there something in the water? What’s going on with credit cards these days? If you’ve been reading the news lately, you’ve been inundated with story after story about a million credit cards numbers stolen here, a million more there.
- Target reported the theft of 40 million credit cards during the peak holiday season (and another 70 million customer records).
- Neiman Marcus reported the theft of 1.1 million credit cards in a similar, but believed to be unrelated, cyber attack.
- Arts and crafts retailer Michaels is investigating a credit card breach affecting an unknown number of cards.
- A suspicious charge of $9.84 is appearing on hundreds, likely hundreds of thousands, of credit cards in a widespread scam that involves stolen credit card numbers used by criminal organizations in the U.K., Cyprus and India
- Reports of another 40 retailers being hit with a cyber attack designed to steal credit card and personal information.
- Local retailers aren’t going unscathed either, with stores in Washington state being hit with a cyber attack against their payment processing systems.
The FBI has issued a warning to retailers to expect more credit card attacks. Really? I could have told them that. If you or someone you know haven’t been issued a replacement credit or debit card in the past month, then you’re likely living underground somewhere transacting via old-fashioned barter.
So I’m reminded of a story once told to me about when the U.S. military installed its first network intrusion detection system many years ago. When the system was brought online, it immediately began detecting and flagging hundreds of suspicious events and possible cyber attacks. As the story goes, the general turned to the technician and said: “Turn it off! We didn’t have a problem before you installed that system.” Now, I’m sure I’ve simplified the details, but the point is that just because you aren’t looking doesn’t mean you don’t have a problem.
It is estimated that the cost of credit card fraud is anywhere from $15 billion to $30 billion each year, with hundreds of millions of credit cards being compromised annually. We’ve been in a constant state of pervasive credit card theft for years. I believe the Target breach was so public and significant that it caused hundreds of millions of consumers to do something that, sadly, most hadn’t done—actually look in detail at their credit card and bank statements. This is turn caused a spike in calls to financial institutions, which in turn caused a spike in either the investigation of possible breaches or simply the disclosure of already existing investigations.
Almost all of the breaches being reported happened some time ago, spread out over several months. If there is a spike, it is simply the expected spike during the holiday season—when more transactions make for riper targets and larger thefts.
I’m not saying we don’t have a problem. Quite the contrary—we have a big problem. As with any problem, awareness is the first step and helps create the pressure needed to change. There are many solutions being discussed and considered to address the problem. Among them is for the United States to introduce EMV chips or other technologies into credit cards, similar to what Europe has already done, to make transactions more secure. I’m a proponent of such technologies, so long as we understand the real problem: EMV chips will make it harder (but not impossible) for criminals to use stolen credit card numbers, but it doesn’t make it harder for them to steal the numbers in the first place. The theft is occurring on the computer systems that read, process and transmit these numbers. For that, we need to tackle the problem of securing those systems much more effectively.
The commercialization of malware (the ease with which criminal enterprises can develop and purchase programs that steal credit card data) and the growing sophistication of criminal operations (enabling an entire black market where millions of stolen credit cards can be bought and sold efficiently and anonymously) will naturally lead us to more frequent and larger-scale attacks. With many point-of-sale and ATM systems still running Windows XP, a 13-year-old operating system about to become officially unsupported by Microsoft, the problem in 2014 will get worse. Adopting new security programs on these systems will be more important than adopting new chip technologies for our credit cards.
That is, unless we want to go back to a moneyless system of barter.