Stories about credit-card hacks tend to have a dog-bites-man quality -- they're alarmingly common -- but the news last week was more striking than most. A data breach at Target exposed as many as 40 million customers between Nov. 27 to Dec. 15, leading to investigations from at least four state Attorneys General and three class-action lawsuits from consumers.
What I wasn't aware of, however, is that there's a problem that's largely unique to the United States that makes these incidents more common here than elsewhere.
That's in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes. "We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not." In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it's used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don't bother.
If you're like me, this is about the point at which you say, "It sounds like this vulnerability can be fixed rather easily. If hackers are targeting the United States because we're using easy-to-copy magnetic strips, then obviously we should move to safer digital chips."
But that would make too much sense.
Apparently, improving security measures would be expensive. The major players -- retailers, banks, and credit card companies -- would support upgrades, but none of them wants to get stuck picking up the tab.
It's worth clarifying that in other countries, where more secure cards are used, there are still some thefts. But in the U.S., the vulnerability is so severe, criminals cam capture credit card information and then duplicate it on replica cards, which are then sold illegally around the world. This is impossible with the digital chips.
Kevin Drum had a worthwhile rant on this the other day: "Oh, these breaches are a pain in the ass for card-issuing banks and for Target itself, and it will end up costing them some money. But mainly it's a pain in the ass for consumers. And if this breach causes you to be a victim of identity theft, you can be sure that neither Target nor your bank nor your credit rating agency will give you so much as the time of day. It'll be up to you to reclaim your life even though it wasn't your fault in any way."