The holiday season is approaching, a time for sales and Santa and, now, credit card data breaches.

Though cyberthieves have stolen millions of card numbers this year, shoppers are heading into the heavy-spending season with no new credit safeguards in place.

When you hear about a data breach, Bryan Sartin is one of the guys who go in to investigate.

"I've seen my own personal information in those lots of stolen data many, many, many, many, many times," Sartin says.

Sartin heads a team of forensic computer techs for Verizon — good-guy hackers, basically. For a while he and his deskmate had a running joke.

"How frequently, in our cases, we would find his credit cards?" he explains. "And I remember, back to back, it was like two out of three cases. And there was a third [case], and it's not here, and he's kind of laughing — and then all of a sudden we found his wife's."

How The System Is Vulnerable

Sartin says data breaches happen all the time. In fact, though, only about a third of them are ever made public. In Midtown Manhattan, that fact surprises many shoppers, like Alexandra Goodell.

"It's upsetting; it gets me angry," she says. "I work really hard and I don't want to go out of my way to cancel my card and to nail down what happened."

One reason U.S. credit card numbers are stolen so often has to do with the way we process them after the swipe, says Sartin.

"That transaction, in a text format of some kind, is sent to a server there at the store that all of the cash registers speak to," he says.

Your credit card number then flies through the Internet to the merchant's main national computer, then to the processor, then to the bank, and then back again.

"It returns in .06 seconds with a yes or no," he says.

You walk out of the store while the transaction continues to ricochet across the country — using technology from the 1970s, says Jason Oxman, CEO of the Electronic Transactions Association.

"What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years," Oxman says. "That's how long mag stripe cards have been on the market."

The Next Step: Tokenization

He says the magnetic stripe worked fine until the '90s. Then came personal computers, which could counterfeit hundreds of credit cards. Because the U.S. had a strong telecom network, retailers went to an online system to verify credit cards' authenticity. Countries where the Internet wasn't so great adopted so-called chip cards or smart cards.

"So that's one reason that we haven't used the chip cards," Oxman says. "We haven't needed to because our online system of authorization has been a replacement for that offline chip."

But by this time next year, you are likely to be using the new chip cards. What slowed them down is the chicken-or-the-egg conundrum: Banks didn't want to issue chip cards if retailers didn't have the readers, and retailers weren't going to buy readers if banks weren't issuing the cards.

"There are more than 10,000 financial institutions that issue credit cards and debit cards in the U.S.," Oxman says. "There are 8 million merchants that accept credit and debit cards in the U.S."

But the new chip cards are expected to cut out only about 60 percent of the fraud, which frustrates merchants. Mallory Duncan, general counsel at the National Retail Federation, fears the credit card hacks will continue because at the core, the system's backbone is still the same — 16-digit account numbers flying across the Internet.

"Unfortunately all we're going to get in the near future is the not-quite-so-smart card," Duncan says. "The problem is that the product itself is fundamentally flawed. You cannot secure a house of straw."

Duncan says retailers are hoping to move toward a system called tokenization, which replaces a card number with a one-time-only, randomly generated number. Google Wallet and Apple Pay use tokenization.

"All of those potentially are much more secure for consumers than would be partially secure chip cards," he says.

Tokenization is in use now, but not yet for credit cards. Because it requires significant system upgrades for both retailers and the banks, it's that same chicken-and-egg problem: Who spends the money first?

Copyright 2015 WSHU Public Radio Group. To see more, visit http://www.wshu.org/.

Transcript

ARI SHAPIRO, HOST:

This is WEEKEND EDITION from NPR News. I'm Ari Shapiro. The holiday season is approaching, a time for Santa and sales and fears of credit-card breaches. Cyber thieves have already stolen millions of card numbers this year. Kmart and Dairy Queen are among the latest victims. Charles Lane from member station WSHU explains that shoppers are heading into the heavy-spending season with no new safeguards in place.

CHARLES LANE, BYLINE: When you hear about a data breach, Bryan Sartin is one of the guys who goes in to investigate.

BRYAN SARTIN: I've seen my own personal information in those lots of stolen data many, many, many, many, many times.

LANE: Sartin heads a team of forensic computer techs for Verizon - good-guy hackers, basically. For a while, he and his desk-mate had a running joke.

SARTIN: How frequently in our cases we would find one of his credit cards. And I remember, back-to-back, it was like 2 out of 3 cases. And there was a third. We're like, it's not here, and he's kind of laughing. And then all of a sudden, we found his wife's.

LANE: Sartin says data breaches happen all the time. In fact, only about a third of them are ever made public, which surprised many shoppers here in midtown Manhattan, like Alexandra Goodell.

ALEXANDRA GOODELL: It's upsetting. It gets me angry. I work really hard, and I don't want to go out of my way to cancel my card and to nail down what happened.

LANE: One of the main reasons why U.S. credit card numbers are stolen so often has to do with how we process them after the swipe. Again, Bryan Sartin.

SARTIN: That transaction in a text format of some kind is sent to a server there at the store that all of the cash registers speak to.

LANE: Your credit card number then flies through the Internet to the merchant's main national computer, then to the processor, then to the bank and then back again.

SARTIN: It returns in .06 seconds with a yes or no.

LANE: And you walk out of the store while the transaction continues to ricochet across the country. And that's technology from the 1970s.

JASON OXMAN: What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years. That's how long mag-stripe cards have been in the market.

LANE: Jason Oxman heads the Electronic Transactions Association. He says the magnetic stripe worked fine until the '90s. Then PCs came along that could counterfeit hundreds of credit cards. Because the U.S. had a really strong telecom network, retailers started verifying a card's authenticity online. In places where the internetwork wasn't so great, they adopted what are called chip cards or smart cards.

OXMAN: So that's one reason that we haven't used the chip cards. We haven't needed to because our online system of authorization has been a replacement for that off-line chip.

LANE: But by this time next year, you will likely be using the new chip cards. What slowed them down is the chicken-or-the-egg conundrum. Banks didn't want to issue the chip cards if retailers didn't have the readers, and retailers weren't going to buy them if banks weren't issuing the cards.

OXMAN: There are more than 10,000 financial institutions that issue credit cards and debit cards in the U.S. There are 8 million merchants that accept credit and debit cards in the U.S.

LANE: But the new chip cards are only expected to cut about 60 percent of the fraud, which frustrates merchants. Mallory Duncan is general counsel at the National Retail Federation. He fears the credit card hacks will continue because at the core, the system's backbone is still the same - 16-digit account numbers flying across the Internet.

MALLORY DUNCAN: Unfortunately, all we're going to get in the near future is the not-quite-so-smart card. The problem is that this product itself is fundamentally flawed. You cannot secure a house of straw.

LANE: Duncan says retailers want something more. They're looking to what's called tokenization, where instead of your account number flying through the Internet, there's a one-time-only, randomly generated token of your account number. This is what Google Wallet and Apple Pay use.

DUNCAN: All of those, potentially, are much more secure for consumers than would be partially secure chip cards.

LANE: Tokenization is out there now, but not yet for credit cards. Because they require significant system upgrades for both retailers and the banks, it's that same chicken-and-the-egg problem - who spends the money first? For NPR News, I'm Charles Lane.

Transcript provided by NPR, Copyright NPR.
