Home » Money » Credit Card System: Fail

Credit Card System: Fail

As we head into the holiday shopping season, one thing that everyone is looking forward to is the flash of plastic sliding out of wallets all across America. It’s the make or break time for retailers everywhere and season for dedicated shoppers to show their prowess for hunting down bargains. All of it is fueled by credit cards, both online and in person.

But before you whip out the card is there someone waiting to give the term “swipe a card” a different meaning? You may think you can trust a retailer, but can you be sure that they aren’t already a victim of a hacker? The short answer is no, you can’t be sure of anything this year. And a series of high profile hacks throughout 2014 have shown us that the entire credit card system needs to be judged as insecure by everyone.

And hardly anyone in the mainstream media is talking in these terms, probably to avoid the reasonable panic that would ensue.

The whole system has to be regarded as insecure at this point.

The whole system has to be regarded as insecure at this point.

The problem with credit cards is a simple one. In order to complete the transaction, the retailer has to have all the available information necessary to report the sale to the credit processing company they use, which will then take the money from your account. At that moment all the information is available and ready to be copied.

It’s even worse online, where there isn’t even a physical card that has to be in the buyer’s possession, but not by much.

In the past year there have been many high profile breaches of security at retailers that have caught the media’s attention. This starts with the problems at Target stores last year, right after Black Friday, which ultimately involved the theft of 40 million credit card numbers. But that wasn’t even the largest. Home Depot reported the theft of 56 million this last September.

It isn’t just the numbers that are staggering. Malware that steals numbers from a retailer’s credit system often goes undetected for months, meaning that absolutely no one has any indication that there is a problem. PF Chang’s, a restaurant chain, apparently was hacked for nine months before it was detected by outsiders looking for patterns in credit card fraud.

Here are some of the higher profile thefts of credit cards that took place in the last year. Some are notable for the size, others for the duration of the events.

Company Hacked # Affected Discovery Date Start Date Est
PF Chang’s 7M 11-Jun-14 13-Sep-13
Target 40M 13-Dec-13 28-Nov-13
UPS 105k 20-Aug-14 14-Jan-14
Home Depot 56M 2-Sep-14 1-Apr-14
Signature Systems 25M 5-Sep-14 16-Jun-14
Supervalu 5M (est) 17-Jul-14 22-Jun-14
Dairy Queen 5M 6-Oct-14 15-Aug-14
KMart 20M (est) 15-Oct-14 1-Sep-14
You swipe your card, they swipe your card.

You swipe your card, they swipe your card.

This hardly accounts for all credit card theft, however. Any place that takes credit cards can, and should, be considered a chance to have your card swiped in every meaning of the word.

Total fraud worldwide was $11.3 billion in 2014, with about half of that in the US. In 2013 it jumped to $11B in the US alone.  No one knows just how much there is in 2014, but it is generally agreed that the problem is growing. It could easily top $15 billion just in the US this year based on the sheer number of credit cards stolen on a daily basis, especially with the problems not detected for months.  That would be $128 for every household in the US.

How is this possible? The ultimate security for most cards in the US is the knowledge of a few pieces of information that have to be stored at the credit card processor for comparison. There is nothing that can’t be easily stolen and pressed into a new credit card, as described by a former thief.

There is a new system that involves a chip on the card, which holds the pin needed for the card to be activated. That’s a big improvement, but it isn’t mandatory until 2015 – and is only now rolling out. Plus, this does not stop online theft where nothing more than a 16 digit number is all that is needed to make a purchase. Nothing can stop fraudulent use of a credit card number in those cases.

All the equipment needed to make a fake credit card with a stolen number.

All the equipment needed to make a fake credit card with a stolen number.

It is entirely possible to secure online purchases by only using PayPal or some related service. With a “chip card”, as the new system is often called, in person fraud is certainly reduced dramatically. But without these systems the stealing of credit cards is a big business that cannot be stopped. The numbers themselves are collected by large operations, most operating out of Russia and Ukraine (thus away from US law) who parcel out the stolen numbers to small-time operators who use them at gasoline and convenience stores.

A stolen number may have been sold and pressed into a fake card long before anyone detects there is a problem. That’s when the charges pile up.

While we wait for a more secure process to be put into place, theft of credit cards has to be considered so endemic that the entire system should be considered insecure. Yet this reasonable conclusion has not been talked about publicly, probably out of fear of creating a panic.  Forbes, however, has a weekly column on the issue that is always full of the latest news of security breaches.

This holiday season and beyond there is only one way to protect yourself if you don’t have a chip card and want to buy something in person, and that is to use cash. The only way you can be sure that your information is not stolen is to never provide it in the first place, given the demonstrated complete vulnerability of the system that is in place now.

11 thoughts on “Credit Card System: Fail

  1. It is totally disgusting that they haven’t fixed this yet. They must have thought it was cheaper to just pay the fraud. Now that its growing quickly they are panicing. Stupid.

    • Yes, a calculation like that seems to have been done. This was a largely fixable problem but nothing has been done about it despite Europe having a way of at least tamping down the level of fraud, the chip cards, for years.

    • They should be rolling out the fix immediately. It’s way, way too slow. I understand the chip cards are coming out, but there is no excuse for this.

  2. I heard of most of these but to see them all together is ridiculous. How the credit card companies can allow this to continue is beyond belief. I agree that the whole system is broken. Unbelievable.

    • I think Jim nailed it – the cost of fraud was less than the cost of fixing it until this year. They never thought it would accelerate or become a PR nightmare, which it is both now.

  3. Pingback: Holiday Shopping, 2014 | Barataria - The work of Erik Hare

  4. Pingback: Credit Cards – Still Failing? | Barataria - The work of Erik Hare

Like this Post? Hate it? Tell us!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s