A thin magnetic stripe is all that stands between your credit-card information and the bad guys. And they've been working hard to break in. That's why 2014 is shaping up as a major showdown: banks, law enforcement and technology companies are all trying to thwart a network of hackers who are succeeding in swiping account numbers, names, email addresses and other crucial data used in identity theft. More than 100 million accounts at Target, Neiman Marcus and Michaels stores were affected in some way during the most recent attacks, starting last November.
Swipe is the operative word: cards are increasingly vulnerable to attacks when you make purchases in a store. In several recent incidents, hackers have been able to scoop up massive troves of credit-, debit- or prepaid-card numbers using malware inserted surreptitiously into the retailers' point-of-sale system--the checkout registers. Hackers then sold the data to a second group of criminals operating in shadowy corners of the web. Not long after, the stolen data was showing up on counterfeit cards and being used for online purchases.
The solution could cost as little as $2 extra for every piece of plastic issued. The fix is a security technology used heavily outside the U.S. While American credit cards use the 40-year-old magstripe technology to process transactions, much of the rest of the world uses smarter cards with a technology called EMV (short for Europay, MasterCard, Visa) that employs a chip embedded in the card plus a customer PIN to authenticate every transaction on the spot. If a purchaser fails to punch in the correct PIN at the checkout, the transaction gets rejected. (Online purchases can be made by setting up a separate transaction code.)
Why haven't big banks adopted the more secure technology? When it comes to mailing out new credit cards, it's all about relative costs, says David Robertson, who runs the Nilson Report, an industry newsletter: "The cost of the card, putting the sticker on it, coding the account number and expiration date, embossing it, the little mailer--fully loaded, you are in the dollar range." A chip-and-PIN card currently costs closer to $3, says Robertson, because of the price of chips. (Once large issuers convert en masse, the chip costs should drop.)
Multiply $3 by the more than 5 billion magstripe credit and prepaid cards in circulation in the U.S. Then consider that there's an estimated $12.4 billion in card fraud on a global basis, says Robertson. With 44% of that in the U.S., American credit-card fraud amounts to about $5.5 billion annually. Card issuers have so far calculated that absorbing the liability for even big hacks like the Target one is still cheaper than replacing all that plastic.
That leaves American retailers pretty much alone the world over in relying on magstripe technology to charge purchases--and leaves consumers vulnerable. Each magstripe has three tracks of information, explains payments-security expert Jeremy Gumbley, the chief technology officer of CreditCall, an electronic-payments company. The first and third are used by the bank or card issuer. Your vital account information lives on the second track, which hackers try to capture. "Malware is scanning through the memory in real time and looking for data," he says. "It creates a text file that gets siphoned off."