If you live in the U.S., you've probably heard about the theft of as many as 40 million credit and debit card numbers from Target customers between November 27th and December 15th. As with so many of these thefts, the first public disclosure came not from the merchant or card processor that lost the data, but from a third-party source. In Target's case, it was security researcher Brian Krebs who pieced together the story. Krebs buys credit and debit card numbers and other personal information from "darknet" sources on behalf of banks and other clients, and he noticed that a flood of numbers that apparently came from Target were available for sale. Theft of credit and debit card information has become a common occurrence in the U.S., and some researchers claim that as few as 5% of thefts ever get detected and disclosed publicly.
When I heard about the Target theft, I checked my banking records, and sure enough, I used my debit card there a couple of times during the period in question. So, yesterday, I drove over to my local bank branch, cancelled my debit card and got a new one. That was the third time in a little more than a year, and the second time in two months, that I had to cancel my debit card and get a new one. The first time was a scam at Barnes & Noble stores that involved replacement of point-of-sale credit card terminals in dozens of stores with hacked versions that sent complete transaction information, including PINs, to hackers. The second time was due to the hack of Adobe's transaction processing system earlier this year, and now, it's Target for the trifecta.
Barnes & Noble, Adobe and Target are responsible for their security failures, but banks share some responsibility as well. These kinds of data losses are almost unheard of in Europe, where banks issue smart cards to their customers. Smart cards use two-factor authentication to ensure that only the proper owner is using it, and encryption to keep anyone except the bank authorizing payment from either intercepting or saving the account information. Smart cards aren't in wide use in the U.S. because they're significantly more expensive than magnetic stripe cards, but, using me as an example, I have to believe that a single smart card has to be less expensive than six magnetic stripe cards (three temporary and three permanent replacements) plus the time of bank tellers, managers and phone customer service personnel spent processing and issuing those replacements. (Update, 12/22/13: According to Brian Krebs, reissuing a magnetic stripe credit or debit card costs from $3 to $5; Gemalto, one of the biggest smart card vendors, says that the average cost for a smart card with a microprocessor is $3.72. Even if that number is on the low side, it means that banks would be ahead of the game, or would at least break even, with smart cards vs. replacing mag stripe cards.)
Whether it's an encryption-based system or a "one-time pad" approach where the customer gives the merchant an account number issued by their financial institution that's good for only one transaction and is useless if anyone tries to use it again, the U.S. needs to move to a more secure and reliable method for credit and debit card transactions. The system we have now is no more secure than the weakest transaction system used by any merchant, which means that we have almost no security at all.
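To make the difference concrete, here is an added model (not code from the post or from any card network) of the two authorization schemes described above: a static number that a breached merchant can replay indefinitely, beside a one-time number that the issuer honors exactly once. The account and card values are constructed samples.

```python
import secrets

# Constructed model, added for illustration. Static scheme: the number the
# merchant stores is the account itself, so a copy taken from a hacked
# terminal or database keeps working until the card is cancelled. One-time
# scheme: the merchant only ever sees a number the issuer minted for a
# single transaction, and the issuer refuses it on any later use.

STATIC_ACCOUNTS = {"4000123456789010": "acct-001"}  # constructed sample card


def authorize_static(number: str):
    """Mag-stripe style: whoever presents the number is authorized, every time."""
    return STATIC_ACCOUNTS.get(number)


class OneTimeIssuer:
    """Hypothetical issuer that hands out single-use account numbers."""

    def __init__(self):
        self._numbers = {}  # one-time number -> [real account, already_used]

    def issue(self, account: str) -> str:
        number = secrets.token_hex(8)  # unguessable; the real account never leaves the issuer
        self._numbers[number] = [account, False]
        return number

    def authorize(self, number: str):
        # A real issuer must make this check-and-mark atomic across
        # concurrent authorizations; a plain dict is enough for the model.
        entry = self._numbers.get(number)
        if entry is None or entry[1]:
            return None  # unknown, or already spent: a stolen copy is useless
        entry[1] = True
        return entry[0]


def replay_outcomes():
    """Replay a number stored by a breached merchant under each scheme."""
    static_first = authorize_static("4000123456789010")
    static_replay = authorize_static("4000123456789010")  # still authorized
    issuer = OneTimeIssuer()
    number = issuer.issue("acct-001")
    onetime_first = issuer.authorize(number)
    onetime_replay = issuer.authorize(number)  # rejected
    return static_first, static_replay, onetime_first, onetime_replay
```

The replayed static number authorizes again, which is exactly why a breach forces a reissue; the replayed one-time number is refused, so the stolen copy has no value and no card needs replacing.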