Hackers Stole 40 Million Credit, Debit Card Numbers From Target
MELISSA BLOCK, HOST:
Security analysts are asking what Target should be doing differently after it suffered one of the biggest consumer data breaches in history. The retailer says at least 40 million credit cards are at risk of fraud. This, after thieves hacked into Target's payment system during the heart of the holiday shopping season. As NPR's Elise Hu reports, these types of breaches are raising big questions about the technology used to power our purchases.
ELISE HU, BYLINE: Swiping that magnetic stripe to pay at the register may be simple but not always secure. Data from every credit card swiped at Target between Thanksgiving and December 15th got into the hands of sophisticated thieves.
BRIAN KREBS: If they have the data that's on that stripe, they can take that and re-encode it onto anything else with a mag stripe. And all of a sudden, voila, they have a credit card they can use.
HU: Cybersecurity journalist Brian Krebs first broke news of the breach on his site krebsonsecurity.com. He says banks haven't seen fraudulent purchases made from these compromised cards yet, but the scope of this breach has the industry scrambling.
KREBS: So it's not like you can - you know, the bankers can go, OK, you know, cancel all the cards of people who've shopped at Target. Well, that's probably, you know, that's - well, we already know, right, that's 40 million people.
HU: So Target and the banks say look closely at your credit card statements and report bogus purchases if you find them. At a Washington, D.C. Target store this morning, the news hadn't seemed to slow the holiday bustle. But shoppers said they felt uneasy.
BETTY SINGLETERRY-FLYTHE: It makes me a little, you know, concerned about using my credit.
HU: Betty Singleterry-Flythe says she only pays with cards.
SINGLETERRY-FLYTHE: I always use, you know, credit because I don't carry cash with me because I'm a senior citizen. So I want to feel secure when I'm shopping.
HU: Twenty-three-year-old Danielle Hanlon said she wants to see a more secure way to pay.
DANIELLE HANLON: Definitely, there should be something that's really safe but I couldn't tell you what it is.
HU: Which gets us back to the old magnetic stripe. It really is pretty old, a 30-year-old technology. Visa and Mastercard are now pushing American retailers to upgrade to a chip-and-PIN system by 2015. It's used in Europe, where microchips with encryption on them are built into credit cards. Instead of signing for your purchase, you put in a PIN.
KREBS: The beauty of this approach is it simply raises the cost for the bad guys. It's not that they can't break the system. I think they've already shown that they can. It's just considerably more expensive for them to fabricate these cards.
HU: But it's costly to change the entire system of how we make purchases.
KREBS: You know, small mom and pop stores, there's the rub, right, because these upgrades are expensive. They have to replace all their hardware, all their software, and who's gonna pay for that?
HU: For now, compromised companies and banks are paying for the cleanup that comes after big breaches of this type. Thieves stole data from 90 million cards from shoppers of the T.J. Maxx chain in 2007, and prosecutors are still going after a ring that stole 160 million card numbers over the last several years.
For its investigation, Target has the help of the Secret Service and the card companies to find out how the bad guys broke in and how to prevent it from happening again.
KREBS: Competitors of Target and, you know, other stores like it are going to be, you know, taking a hard look at their systems, going, you know, could this be us?
HU: A security breach stunning in scope during a time Americans are doing a lot of holiday swiping. Elise Hu, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.