Here’s hoping everyone who celebrates Christmas had a wonderful day yesterday or has wonderful days ahead as many are still traveling to and from celebration destinations. One of the great things about any holiday season is the chance to check in with friends and family about what’s going on in their lives and what’s important in the world around them. This Christmas holiday was no different. Of all the topics that could have been discussed during a two-day whirlwind of friend and family visits, the one that was most frequently on everyone’s lips in my circles was the Target credit card data breach.
Questions, thoughts, and concerns ranged from “how could this happen?” to the emotional “I’m never shopping there again.” But in talking about the issue, the unscientific consensus as the discussions evolved was one of “what happens now?”
This morning, as Christmas Day begins to fade into a memory, there are a couple of articles on the topic that I think are worth sharing while that last question continues to percolate in so many minds.
First, security blogger Brian Krebs, who broke this story wide open, has posted another column as he continues to track the story and also track some of the thieves who benefited from the heist. In Who’s Selling Credit Cards From Target? he relays some of his own snooping and a conversation with a potential ringleader in the scam. Note he was offered a $10,000 bribe to keep from posting the column.
Second, in this post from CIO News, the fault of this breach is being laid at the feet of the squabble between banks and retailers, who don’t want to spend the money necessary to upgrade point-of-sale technology here in the US. There are some interesting data points here. First, the US lags behind Europe in upgrading the technology we have on our credit cards. We still primarily use data recorded on magnetic stripes, while a more secure method used in Europe would require digital chips on a card which generate a unique code each time the card is used.
Of course, when it comes to protecting anything, especially money, those who control the protection mechanisms are going to be looking at a cost/benefit analysis. The article also points out that of the over $11 billion in credit card fraud costs last year, those costs accounted for only 5.2 cents of every $100 transaction. Banks want to protect the profit stream they already earn from the outmoded technology, so they want retailers to bear the costs. Retailers want banks to issue better-protected cards. Hopefully the severity of this case with Target might shift some of those positions.
And lastly, there is still some confusion over what data was stolen and potentially sold. Target is denying reports that Personal Identification Numbers (PINs) were lifted in the hack. Your PIN is the four-digit code that allows access to your card. If the thieves do have that info, they can create fake cards that can be used to take cash from bank accounts.
The reality of what we’ll know and not know going forward with this story is this: Banks, insurance companies, retailers, and their lawyers will never tell us the complete story. It does not serve their interests to do so. While the class action consumer lawsuits will continue to get attention, the lawsuits that will be filed between those holding the bag on cleaning up the mess will get much less publicity. That is where the real fight will be. And don’t be surprised, as this story moves on, if we see a few US Congress critters trying to get in on the act once they return from their holidays.
The only sure bet here is that the story is going to be with us for a while now given its severity, the timing of the theft, and the numbers involved.