As we head into the holiday shopping season, one thing that everyone is looking forward to is the flash of plastic sliding out of wallets all across America. It’s the make or break time for retailers everywhere and season for dedicated shoppers to show their prowess for hunting down bargains. All of it is fueled by credit cards, both online and in person.
But before you whip out the card is there someone waiting to give the term “swipe a card” a different meaning? You may think you can trust a retailer, but can you be sure that they aren’t already a victim of a hacker? The short answer is no, you can’t be sure of anything this year. And a series of high profile hacks throughout 2014 have shown us that the entire credit card system needs to be judged as insecure by everyone.
And hardly anyone in the mainstream media is talking in these terms, probably to avoid the reasonable panic that would ensue.
The problem with credit cards is a simple one. In order to complete the transaction, the retailer has to have all the available information necessary to report the sale to the credit processing company they use, which will then take the money from your account. At that moment all the information is available and ready to be copied.
It’s even worse online, where there isn’t even a physical card that has to be in the buyer’s possession, but not by much.
In the past year there have been many high profile breaches of security at retailers that have caught the media’s attention. This starts with the problems at Target stores last year, right after Black Friday, which ultimately involved the theft of 40 million credit card numbers. But that wasn’t even the largest. Home Depot reported the theft of 56 million this last September.
It isn’t just the numbers that are staggering. Malware that steals numbers from a retailer’s credit system often goes undetected for months, meaning that absolutely no one has any indication that there is a problem. PF Chang’s, a restaurant chain, apparently was hacked for nine months before it was detected by outsiders looking for patterns in credit card fraud.
Here are some of the higher profile thefts of credit cards that took place in the last year. Some are notable for the size, others for the duration of the events.
|Company Hacked||# Affected||Discovery Date||Start Date Est|
This hardly accounts for all credit card theft, however. Any place that takes credit cards can, and should, be considered a chance to have your card swiped in every meaning of the word.
Total fraud worldwide was $11.3 billion in 2014, with about half of that in the US. In 2013 it jumped to $11B in the US alone. No one knows just how much there is in 2014, but it is generally agreed that the problem is growing. It could easily top $15 billion just in the US this year based on the sheer number of credit cards stolen on a daily basis, especially with the problems not detected for months. That would be $128 for every household in the US.
How is this possible? The ultimate security for most cards in the US is the knowledge of a few pieces of information that have to be stored at the credit card processor for comparison. There is nothing that can’t be easily stolen and pressed into a new credit card, as described by a former thief.
There is a new system that involves a chip on the card, which holds the pin needed for the card to be activated. That’s a big improvement, but it isn’t mandatory until 2015 – and is only now rolling out. Plus, this does not stop online theft where nothing more than a 16 digit number is all that is needed to make a purchase. Nothing can stop fraudulent use of a credit card number in those cases.
It is entirely possible to secure online purchases by only using PayPal or some related service. With a “chip card”, as the new system is often called, in person fraud is certainly reduced dramatically. But without these systems the stealing of credit cards is a big business that cannot be stopped. The numbers themselves are collected by large operations, most operating out of Russia and Ukraine (thus away from US law) who parcel out the stolen numbers to small-time operators who use them at gasoline and convenience stores.
A stolen number may have been sold and pressed into a fake card long before anyone detects there is a problem. That’s when the charges pile up.
While we wait for a more secure process to be put into place, theft of credit cards has to be considered so endemic that the entire system should be considered insecure. Yet this reasonable conclusion has not been talked about publicly, probably out of fear of creating a panic. Forbes, however, has a weekly column on the issue that is always full of the latest news of security breaches.
This holiday season and beyond there is only one way to protect yourself if you don’t have a chip card and want to buy something in person, and that is to use cash. The only way you can be sure that your information is not stolen is to never provide it in the first place, given the demonstrated complete vulnerability of the system that is in place now.