The Holidays Bring A New Season For Credit Card Breaches
The holiday season is approaching, a time for sales and Santa and, now, credit card data breaches.
Though cyberthieves have stolen millions of card numbers this year, shoppers are heading into the heavy-spending season with no new credit safeguards in place.
When you hear about a data breach, Bryan Sartin is one of the guys who go in to investigate.
“I’ve seen my own personal information in those lots of stolen data many, many, many, many, many times,” Sartin says.
Sartin heads a team of forensic computer techs for Verizon — good-guy hackers, basically. For a while he and his deskmate had a running joke.
“How frequently, in our cases, we would find his credit cards?” he explains. “And I remember, back to back, it was like two out of three cases. And there was a third [case], and it’s not here, and he’s kind of laughing — and then all of a sudden we found his wife’s.”
How The System Is Vulnerable
Sartin says data breaches happen all the time. In fact, though, only about a third of them are ever made public. In Midtown Manhattan, that fact surprises many shoppers, like Alexandra Goodell.
“It’s upsetting; it gets me angry,” she says. “I work really hard and I don’t want to go out of my way to cancel my card and to nail down what happened.”
One reason U.S. credit card numbers are stolen so often has to do with the way we process them after the swipe, says Sartin.
“That transaction, in a text format of some kind, is sent to a server there at the store that all of the cash registers speak to,” he says.
Your credit card number then flies through the Internet to the merchant’s main national computer, then to the processor, then to the bank, and then back again.
“It returns in .06 seconds with a yes or no,” he says.
You walk out of the store while the transaction continues to ricochet across the country — using technology from the 1970s, says Jason Oxman, CEO of the Electronic Transaction Association.
“What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years,” Oxman says. “That’s how long mag stripe cards have been on the market.”
The Next Step: Tokenization
He says the magnetic stripe worked fine until the ’90s. Then came personal computers, which could counterfeit hundreds of credit cards. Because the U.S. had a strong telecom network, retailers went to an online system to verify credit cards’ authenticity. Countries where the Internet wasn’t so great adopted so-called chip cards or smart cards.
“So that’s one reason that we haven’t used the chip cards,” Oxman says. “We haven’t needed to because our online system of authorization has been a replacement for that offline chip.”