The credit and debit card data breaches at Target and Neiman Marcus compromised at least 70 million American consumers, and analysts say even more of us are at risk. That's because the technology we use to swipe for our purchases — magnetic stripes on the backs of cards — isn't hard for a skilled fraudster to hack.
"It's totally unprotected and it's static, so it's the same data that's read every single time. It's just about the worst security that you can put into a payment system," says Avivah Litan, a security analyst for Gartner, a firm retailers hire to assess their cybersecurity gaps.
Sophisticated cyberthieves got consumer data during the holiday season breaches by injecting a virus into Target's card payment terminals. From there, the bad guys systematically captured the information found on every card swiped, from Thanksgiving through just before Christmas.
"We've seen hacks as big as this before, in fact we've seen bigger, but what we haven't seen before is something this sophisticated and well organized," Litan says. The data from the cards was turned around and sold on an underground market, where thieves can recreate credit cards using the stolen data and use them to make fraudulent purchases, she says.
Industry leaders know magnetic stripes are outdated and easily exploitable. The rest of the world moved onto a more secure, harder-to-hack payment system based on chip-enabled cards — chip and PIN. Chip-enabled cards are more secure because the data on the chip is hidden behind encryption. So even if criminals intercept what's on it, they can't re-use it.
"It's standardized all over the world and used all over the world, except in the U.S. and perhaps one country in Africa," Litan says.
It's a reality that NPR's new London correspondent, Ari Shapiro, learned quickly when he moved overseas a few weeks ago.
"Basically my American credit card is like a second-class citizen here," Shapiro says. "I can't use the self-checkout line at the supermarket, I can't use the automated machine in the subway system or the post office. Some merchants charge me an extra charge just because of my American credit card."
Shapiro's new British pal, Ben Thompson, explains how he pays for purchases without swiping — or signing.
"I put the card in the machine. The retailer, the cashier will hand me a little key pad, I type in my [PIN] number. And that verifies the transaction. It means I don't have to sign, I don't have to use a pen. I literally type in four little numbers," Thompson says.
All Tech Considered
Analysts: Credit Card Hacking Goes Much Further Than Target