Target, Neiman Marcus Credit Card Hacking Reveals Third-World US Payment Systems

Occasionally, we’ve commented on the shoddy state of US credit card payment infrastructure. One of the noteworthy aspects of the fiasco of recent US retailer security breaches is that the media has more or less ignored the question of what could have been done to forestall these incidents, which in the case of Target involved as many as 70 million customers, and Neiman Marcus, under (but presumably not much under) 1 million.

And make no mistake about it, the US is seriously behind world standards. I did a credit card study in 1997 in which I visited 5 continents, specifically countries that were the high end of the third world such as Korea, Costa Rica, and South Africa. Smart cards, also known as chip cards, were the norm in many and were being rapidly adopted in others.

Georgetown law professor Adam Levitin, in a new post at Credit Slips, explains the security advantages of these cards:

We don’t know all of the details about what happened at Target and Neiman Marcus, but there’s a really obvious weakspot in the US payments infrastructure that should be corrected, irrespective of whether it would have prevented the Target and Neiman Marcus breaches: the use of two-factor authentication, namely chip-and-PIN cards, which are standard outside the US and have been effective in reducing fraud.

Why don’t we have chip & PIN here? Because the banks don’t want to pay for it because they don’t bear most of the fraud costs. The banks/payment networks are the least cost avoider of identity theft, but because merchants are eating most of the fraud costs, the banks have instead have opted for a complex set of security standards for merchants (PCI Security Standards) that are of dubious effectiveness.

Chip & PIN cards have two key security features. First, these cards have a microchip inside that frustrates easy physical copying of the cards. With our current mag stripe cards, I can copy the information off the mag stripe with a small reader and then use that to make a new card. Not so easy if I also have to copy the information on a microchip embeded in the card. Second, these cards require a PIN to use. The PIN creates what is called two-factor authentication. The first factor is the information on the card itself (from the chip and mag stripe). The second factor is the PIN. Thus, even if my card is stolen, the card isn’t useful without the PIN. Chip and PIN isn’t impossible to crack, but it is a lot harder. And that’s the name of the game in identity theft.

Levitin stresses that the media accounts are making the retailers look like the ones at fault, when the banks bear considerable culpability. Very few articles have mentioned the fact that better technology exists and is standard outside the US, and the ones that go there still underplay how far the US is behind and how the banks are driving this bus. Reuters comes closer than most and still misses the banks’ responsibility, starting with the headline, With data vulnerable, retailers look for tougher security:

Mallory Duncan, general counsel of the National Retail Federation that represents Target, Wal-Mart and other big stores, said in an interview on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes….

It is not clear the new “Chip-and-PIN” cards would have prevented the breaches at Target and elsewhere. At the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.

They have met with much less enthusiasm in the United States, in part because losses to fraud – just 5 cents for every $100 spent via plastic – have been manageable for merchants and their banks. But rising fraud rates, and the risk of identity theft, could change the calculation..

Investigators believe that hackers used malware that captured data on customers from the magnetic stripes on their payment cards.

Now let’s unpack this a bit. First, I have trouble believing merchant losses are that low. The big reason is I doubt smaller merchants capture and report that information, and I wonder how many big ones do. The merchant’s loss isn’t the amount he was stiffed for (the purchase amount, which is easy to track), it’s his costs in the item (cost of goods + allocated overheads, most important, sales costs) + the cost of dealing with the fraud incident. Second, for most (again, I’d suspect all) retailers, shrinkage (inventory losses, due to theft, most often employee theft) is a bigger number, and therefore consumes more management attention. This point was made by NC regular readerOfTeaLeaves in a comment we featured in a 2011 post:

Small retailers (including every restaurant in the nation) pay when there are fraudulent cards. The system **should** notify the retailer at the instant of swipe if the card is fraudulent, but it does not always do this. But it gets worse: if a retailer swipes a card and that data is not encrypted, or the network is not fully secured, then the retailer eats the costs — at least, the retailers that I’ve heard gasping in shock have ended up eating it. One retailer that I know – a small operation – having spent tens of thousands for inventory software and a whole new cc/dbt system, just ended up spending **more** tens of thousands of dollars to purchase all new swipe machines that encrypt **at the instant of swipe**. Did the banks provide those machines for free to the retailer? Not a chance. Did the banks provide any kind of discount to retailers using those new encryption devices? Not a chance.

As for ‘innovating banks’, that’s an oxymoron.

I’ve written eComm code, and I’ve worked in the eComm layer and the very notion that banks innovate is ridiculous. They have done their utmost to control and capture eComm technologies, but that does **not** make them innovators. Nor does it make the credit card companies innovators (!). It makes them what they always were and always will be: agents who cream profits from transactions. They happen to be at the point where the money changes hands, and they take advantage of that fact (in an exploitive fashion, I will add).

What Congress does not appear to understand is that if they side with the banks, they are damaging the vitality of small and medium sized businesses who actually **innovate** — whether it is a local farm that wants to offer an organic produce service, whether it is someone setting up a new merchant site via Amazon’s services, or whether it is a salon chain that wants to offer people the chance to buy a Mother’s Day gift card online. All those people actually **innovate**, provide personal services, and create the economic exchanges that allow for cities to have budgets that pay for schools, roads, cops, etc.

There is no reason — economically — for banks to stick businesses with the costs of fraud over which they have no control, to stick businesses with extractive ‘percentage’ fees of transactions, or to play both sides of every transaction by charging BOTH the payer and the payee.

But even if “5 cents out of every $100” figure were accurate, notice how the blame is “oh those cheap merchants aren’t upgrading to the new systems” as opposed to what is really going on: the banks have been putting a steep price (you can be sure artificially high) on new equipment (the point of sale devices that swipe your card) so they can squeeze as much profit out of the old infrastructure. Why am I so confident the banks are overpricing? How the hell could merchants in vastly smaller markets like South Africa and Korea (and most of Europe pre-Euro, meaning specific-currency payment systems) afford earlier generations of these cards (when the chips and all the other elements of technology implementation cost more) if they were natively that pricey? The impediment is almost assuredly the price point the banks have set, and it’s a no-brainer, given the outcome here versus the rest of the world, that they’ve set it so as to discourage implementation. Similarly, most foreign markets have far higher security protections on debit cards. Smart cards with PIN protection are the norm. For instance, here is an incredulous comment on a post describing US payment card options:

I cannot believe how far behind the US are in terms of the CHIP & PIN technology…..I have a great card. It is a DEBIT card/Prepaid MasterCard from Bishopstown Credit Union in Ireland. I need a PIN to make a purchase in Europe and everywhere that recognises CHIP & PIN. I even get a text message to my mobile phone/cell each time I use it – CLEVER. All this from a Credit Union

By contrast, here in the US, we are only now discussing implementation of smart card technology, as a result of really bad press and consumer upset, for the banks’ most profitable card service, credit cards. Pathetic.

Print Friendly, PDF & Email

46 comments

  1. BusyBody

    Companies like Target are not blameless in this fiasco. Target outsourced it’s IT to India and what was not outsourced is done by cheap H1b Visa people from India. Target’s data security system is third world. On the other hand, Target’s CEO made $22M last year. He had no problem sacrificing the data of 70 million people to line his own pocket.

      1. Field in Texas

        From your article;
        “Levitin stresses that the media accounts are making the retailers look like the ones at fault, when the banks bear considerable culpability.”

        1. RepubAnon

          If the banks bear “considerable” responsibility, that means they don’t bear “complete” responsibility. Does this not mean that there’s some extra responsibility left over for the other players?

    1. Punchnrun

      Off topic. The people who write the code and push the buttons have no say in policy and procedure. Indian, Mexican, Japanese, Inuit or Pennsylvanian makes no difference.

      As to data security, quite right, large retailers seem to have little concern. Well, Target is no longer on my list of places to shop, not that I’ve seen the inside of a Target in the past 3 years or so. OTOH I took positive note of the regional grocery chain that shut down all its card readers and advised all customers to use cash or a special secure reader they set up in the manager’s office when there was a suspected breach at regional service provider URM last year.

      My wife and I have dealings with four credit unions. None offer such a chip & pin card. I might have better luck pressuring them though, than I would pressuring BOfA.

      So let’s see here, the banks are complacent, check. The retailers are complacent, check. The consumers are complacent, check. The crooks are making big bucks, check. Where is enforcement? Why is there not more effort? See a & b &c? Is that all?

  2. ambrit

    Maam;
    Do also note how many banks are further pushing these obsolete credit and debit cards to their customers by offering slightly higher rates of return on “Super” checking accounts, one glaring provision of which is a minimum number of card transactions per cycle to be eligible for the “higher” rate of return. Who says all the crooks are in jail?

    1. diptherio

      Exactly. The CC companies have become masters of creating and exploiting externalities in the payments system. The costs of fraud and id theft are borne by the consumers and/or merchants, not the banks, so they have no financial incentive to improve the security of the system (which is ironic, since providing a secure system is supposedly their raison d’etre).

    2. PeonInChief

      A lot of hassle. Even if you don’t lose any money, you will spend several hours cancelling the card, and then waiting for a new one. Then comes the fun of changing the account number everywhere you have accounts. There was one upside in our case, however. A magazine I subscribe to tried to charge the renewal (I don’t renew without notification), and discovered that the card number was bad.

  3. Kevin Smith

    Here in Canada the chip & pin system has been working fine for many years, and as an added bonus our chip & pin cards are accepted worldwide. I have heard of Americans whose non-chipped cards were refused in Europe, for example.

    Another bonus is that there is less risk of my cards being compromised, so less risk that I will have to waste hours of my valuable time [or staff time] replacing compromised cards.

  4. washunate

    Yves, great article. I would like to add another component: the use by the private sector of government-issued Social Security Numbers.

    The original point of the SS card was that it was two factor authorization: something the bearer knew (the number) and something the bearer possessed (the card). This is why even today, the government demands presentation of a physical document with SSN for government identification (such as the I-9/E-verify employment system or the passport system for reentry into the country).

    However, the private sector built upon this incredibly efficient government program for its own purposes and stripped away the second factor. The inherent conflict in the American context of whether SSNs are ‘user names’ or ‘passwords’ is another layer of obstacle in addition to technical issues about how transactions work.

    After all, consumers are protected against credit card fraud by the credit card companies themselves, and if it was that much of a hastle to retailers, they would give their customers a discount for paying with cash.

  5. washunate

    Yves, great article. I would like to add another component: the use by the private sector of government-issued Social Security Numbers.

    The original point of the SS card was that it was three factor authorization: something the bearer knows (the number), something the bearer possesses (the card), and something the bearer is (the signature). This is why even today, the government demands presentation of a physical document with SSN for government identification (such as the I-9/E-verify employment system or the passport system for reentry into the country). It is why government forms have statements to the effect that you are signing this document under penalty of perjury.

    However, the private sector built upon this incredibly efficient government program for its own purposes but stripped away three factor authorization. The inherent conflict in the American context of whether SSNs are ‘user names’ or ‘passwords’ is another layer of obstacle in addition to technical issues about how transactions work. After all, the whole point of electronic payments is to be able to pay electronically, in 1s and 0s, with no physical piece of the real world required. That necessitates some override of the chip, no matter how fancy of a technogadget it may be, in order to do something as simple as buy a movie from Amazon.

    Beyond that, consumers are protected against credit card fraud by the credit card companies themselves, and if it was that much of a hastle to retailers, they would give their customers a discount for paying with cash. To me, that’s the huge red flag that Something Else is going on. The obvious solution – if retailers really are hurting – is to pay customers to not use electronic methods of payment.

    1. Punchnrun

      This may be dated, but I recall the credit card companies penalizing retailers who offered cash discounts.

      1. washunate

        Sorry about the double post yesterday. I ran into one of the cloudfront errors and didn’t realize the first comment went through.

        Personally, I would love to see Visa and MasterCard threaten to cut off Target and Walmart and McDonalds and so forth. That might actually spur some real discussion on matters such as anti-competitive practices, the financialization of the economy, and the authoritarian drive to track everything (which, after all, is the fundamental reason the government likes powerful plastic companies while being highly suspicious of cash transactions).

        As far as small operations, many (most?) of them require physical presentation of the card (like gas stations where there are no ‘online’ orders), they can run as cash/check only (like entertainment destinations such as ice skating rinks), prefer cash specifically (like people working on tips), and/or the labor cost of dealing with cash/check is higher than the fraud cost of plastic (like grocery store checkout lines).

  6. slothrop

    Yves I love the granular detail but how can you write this without mentioning the obvious takeaway, bitcoin? One-way, irreversible transactions. Zero merchant risk. A fraction of the cost. The new system to upgrade to is bitcoin, not smart cards.

    What going on? Krugman is at the top of the blogosphere beaming down from his spaceship the boundaries of acceptable discourse. In jest or not he’s declared bitcoin “evil” using his own cowardly passive-agressive style of defending the status quo. I wonder, Are you within his range? Is bitcoin now off limits?

    Of course this blog defends the status quo as well by cheerleading for out-of-their-depth and (after reading AA Bender) incompetent regulators, and now by staying well within the framework of the legacy banking system advocating smart cards in response to the massive waste that results from the use of a 1950’s technology. I wonder why you do not see bitcoin as a viable, free-market alternative to regulation and credit cards.

    This blog had a mild libertarian bent back in the day (when ZeroHedge was still in the blogroll), but you’ve clearly moved toward the center. Why, Yves, why?

    1. Yves Smith Post author

      I’m not and have never been a libertarian, so I don’t know where you got that impression. I’ve always been in favor of strong regulation and progressive taxes. In ECONNED, I have an entire chapter savaging anti-regulatory propagandizing (“How ‘Free Markets’ Were Sold”).

      Payment systems also cost, which means users do wind up bearing their costs. And you are under a misapprehension regarding Bitcoin. I linked to an Adam Levitin post on it today in Links:

      http://www.creditslips.org/creditslips/2014/01/the-behavioral-economics-of-bitcoin.html

      I regard one of the big appeals of Bitcoin to its users as the ability to evade taxes. I believe people should pay their taxes. Moreover, the volatility of Bitcoin makes it unusable as a currency. Finally, there’s ample reason to believe Bitcoin is simply a large scale scam (I provided lots of links on that early on re the Bitcoin “exchanges”). I’ve regarded, and continue to regard them as prosecution futures.

      1. slothrop

        I didn’t mean to curse by using the word ‘libertarian’.

        Prosecution futures because 90% of people who try to evade taxes with bitcoin will get caught, as it is the most traceable currency in the history of the world. This is a very tired argument. It will be a revenue generator for the IRS.

        Levitin is trying to understand bitcoin and he says there will be fees. Yes, there will be fees. There are fees now and they will exist in the future on a float to ensure the best price.

        1. OpenThePodBayDoorsHAL

          Let’s review what Bitcoin does and how it can solve all of this. It puts the cryptography protecting identity up in the network itself, instead of out at the edge of the network (merchants, cardholders). It automatically verifies account balances instead of needing to ping bank accounts in a two-step asynchronous authentication/settlement cycle that will always struggle to stay reconciled. To pay for the network transaction processing power, it combines the central bank function (currency issuance) with the processing function, so public computers are recruited and rewarded for processing transactions, not expensive private computer networks like Visa and Mastercard. And Bitcoin gains are fully taxable, and yes there is a record of every single transaction. Mexican drug cartels would have a MUCH harder time hiding Bitcoin transactions than they did with their premiere global business partner HSBC, using the #1 currency for financing money laundering & terrorism: The USD.

    2. Massinissa

      MMT was Libertarian in, uh, what universe exactly? Because it sure was never libertarian in this one.

  7. lyman alpha blob

    The cost to merchants is much higher than $.05 per $100 although there may be some weasel words involved here as the cost specified is for “merchants AND their banks” combined. The merchants take a big loss but from what I can tell the credit card companies still make a profit on transactions they know to be fraudulent.

    Several years ago the company I worked for took a $10k order from a customer over the phone who wanted to pay by credit card. Something did not smell right so we called AMEX to determine if the card had been stolen and were told it was not. Since you won’t stay in business long accusing potential customers of being crooks, we charged the card and shipped the product only to be told a few days later that the card was reported stolen and AMEX would be yanking back $10K from our account. I called to ask how this could be as we had done our due diligence and I was told it was because the product was shipped not to the billing address on the card but to a 3rd party address. I then sarcastically asked if I could do my Xmas shopping for free by getting an AMEX and having gifts sent directly to the recipients and then calling in claiming the card was stolen and the customer rep said she was not at liberty to answer that question. I told her she just had.

    So our company was out $10K plus all the time spent dealing with the mess. Meanwhile we never got the whole $10k deposited to our account in the first place once you factor in the $300 or so fee AMEX charged on the transaction, but the whole $10K was yanked back out, leaving AMEX with a tidy profit on a transaction they knew was fraudulent. Nice work if you can get it.

  8. J.

    Chip and pin is somewhat better security than what we have here, but it is often poorly implemented and is probably currently being cloned, e.g. http://www.theregister.co.uk/2012/09/13/chip_and_pin_security_flaw_research/

    Since it is supposed to be secure, that means the customer will get blamed instead of the retailer, and the bank still cashes in on fraud.

    Apparently Target’s point of sale systems got owned. That indicates poor network security on their part and is hard to fix on the payment side – I’m not sure anything would be secure that was swiped through an owned cash register, particularly if combined with the card security issues indio007 linked above.

    Somebody really needs to design a secure payments system from the ground up, IMHO.

  9. Mary S.

    My Wells Fargo credit card was just compromised – a physical dupe of it was being used and the bank caught it on fraud alert. When they sent me a replacement card, lo and behold it is a PIN & Chip Card – don’t know if they are just replacing certain cards/customers with PIN & Chip technology but they weren’t offering it just a few months ago when I specifically inquired as to its availability.

  10. Waking Up

    Excellent, must read post!

    Regarding the incredulous comment from the person in Ireland, he/she may have fallen victim to “American Exceptionalism” and made the assumption that the United States always has the best systems. Bank bailouts, obamacare (which puts insurance profits over healthcare of actual people), and our endless spying on everyone around the world (which shows how pathetically paranoid our military and government is) are just a few things which indicates how “unexceptional” we are. Will the rest of the world recognize this? Can we become a better “country of the world” without being “exceptional”?

  11. John

    The article is not correct when it states that merchants are responsible for most of the fraud, at least for brick and mortar or card present retail. If a merchant follows card brand rules, swipes a card and gets a signature (if needed) the bank card issuer is responsible for the fraud. This of course is not true for online or card not present transactions.

    EMV or chip card implementation is scheduled for US implementation with a liability shift 10/1/15. This is the stick to force merchants to convert equipment. A merchant will be responsible for all fraud whan a card is not processed using chip technology.

    Open issues for chip implementation are whether it will be chip and pin or chip and signature and how to comply with debit card routing options required in the US. Merchants want chip and pin.

    Where chip and pin has been implemented online fraud has increased so solutions are needed in this area to protect consumers.

    1. Yves Smith Post author

      What you are stating is not true in practice. Multiple reports from merchants indicate that when they’ve followed the card associations’ rules, they’ve nevertheless been stuck with the loss. The network has all the power. They can withhold payment and the merchant cannot afford to quit the network.

      1. Eric

        John is correct. I’ve been managing the Visa portfolio at a large Credit Union in Texas for the last 15 years. Merchants have never been responsible for fraudulent/counterfeit purchases done in-person with a signature. In fact, nearly a year ago Visa alterted their regulations and no longer allow issuers to even file a chargeback in cases of in-person counterfeit card usage. Consumers are protected by Regulation E which places the liability squarely on the issuer (and the consumer in some cases)–never the merchant. US issuers have ZERO chargeback rights when a counterfeit Visa debit card is used in person. Merchants who have told you otherwise are either confused or have somehow mishandled their internal procedures as to allow chargeback “loopholes” for issuers–internal procedures such as securing a signature and truncating the card number on the receipt.

  12. BondsOfSteel

    Chip and PIN are so much better than what we have… magnetic strip. OTOH, if we have to upgrade, we should go further… biometric. It’s not like it’s new technology.

  13. Ninguna

    I’d be more convinced of Target’s concern if the Red cards issued by Target itself were already chipped. To me, it’s a convenient distraction to the fact that Target’s system was hacked, and so much data was available to the hackers.

  14. dearieme

    But it’s normal for the US to be backward in retail banking. It’s in investment banking that she is a great innovator. Alas.

  15. John Yard

    “And make no mistake about it, the US is seriously behind world standards”. As a recently retired systems administrator , I am glad that someone has pointed this out. A lot of problems are the legacy of the dot-com bubble, which left the US with huge amounts of state-of-the-art-hardware-circa-2000 that the telecoms which the telecoms were still deploying recently (2012!).

  16. Fazal Majid

    Please don’t insult the Third World by comparing it to the US. Countries like Kenya have shown that despite near civil war and repeated terrorist attacks they can deliver useful (as opposed to bankster-enriching) financial innovation with their M-PESA payment system, which allows consumers to do an end-run around a banking system almost as corrupt and entrenched as ours.

    Another externality of poor payments security is that credit card fraud is used by terrorists to fund their operations. When I wrote this blog post in 2003, I was fully expecting the Feds to impose the same kind of controls they did for money laundering, but I guess I was too optimistic:

    Former officials of the CIA and the FBI say Mr bin Laden has been receiving secret donations from rich well-wishers in the Middle East and from Islamic charitable organisations. He may also take a cut from the Taliban’s sales of opium. Units of his organisation are believed to raise money through financial and other sorts of crime. For example, Ahmed Ressam, an Algerian who plotted to bomb Los Angeles airport but later co-operated with American authorities, says he was given $12,000 of seed-money to set up his operation. When he asked for more cash, he was advised to finance himself by credit-card fraud.

  17. Bridget

    Some musings.

    My husband’s business has for years often taken him way off the beaten path. The credit card company’s fraud department often calls me to check on the validity of the transactions, since my phone number is on the account. If they can’t get ahold of me in a reasonable period of time they cancel the card. Which is a real pain, but better than the alternative. He carries a backup AMEX just in case so he can get home if the main cars is cancelled when he’s in Timbuktu.

    The real credit card number is on file with a very small number of online vendors, those that I hope have effective anti hacking strategies in place. For all other vendors I use a virtual credit card number that I can generate from software downloaded from my credit card company. So far so good.

  18. ozajh

    Regarding the sarcasm about ‘innovating banks’, I had a sudden thought a few years back and asked whether I could have a capped ‘Full Balance’ Transfer as my CC payment option. In other words, pay the entire bill, but if the bill is greater than $x, pay x. This would be useful after holidays or Christmas, I thought, to pay down the outstanding balance relatively quickly without any inordinately large individual repayments. Also TRIVIALLY easy to programme into the bank’s system; we’re literally talking about a single extra field in the customer record (and associated update screens), plus a single ‘IF’ test when calculating the amount to be swept.

    The staff member I was dealing with instantly understood what I meant, but after doing a fair bit of checking (she was herself intrigued) stated it wasn’t an available option.

    When I went back to work I asked some people who use their Credit Cards a lot more than I do (for various reasons), and none of them said they had ever heard of such an option. Several of these people immediately stated they would choose that option if it were available, and a couple took the trouble to check that it WASN’T available on their own Credit Cards.

    Maybe this question is country-centric (I don’t live in the US), and such an option is freely available elsewhere, but I live in a First World country and if the Financial industry is so all-fired innovative I would have thought that SOMEONE would be offering this option and indeed advertising it as a differentiator.

  19. Countdown

    Has Target said exactly what element of its system was hacked ? Honestly, with 110 mm accounts somehow accessed, I am wondering if the “big data” analytic people who (presumably) work at Target were the data aggregators who were attacked. Who else would store this much data so conveniently ?

    1. Yves Smith Post author

      I have a link in 1/14 Links. They said it was their point of sale system that was hacked.

  20. Countdown

    Has Target said exactly what part of its system was hacked? I was wondering if the “big data” analysts who (presumably) work at Target were the ones whose large, nicely assembled files were attacked.

  21. CJ

    For Target- What is the definition of POS (point of sale) system? Is it just the card reader and cash register? Is it everything between the purchaser and the monthly payment by the customer? It seems unlikely that the thieves managed to upgrade (patch) every swipe device in every Target store.

    Clearly, the incentives need to line up. The people who can upgrade the system need to be the ones who bear the fraud costs. (For example – Moving the costs to the consumer will take away the incentives to make the various systems more secure).

Comments are closed.