US is land of opportunity for credit card fraud

A customer prepares to sign a credit card slip at a Target store on December 19, 2013 in Miami, Fla. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have been stolen.
Joe Raedle/Getty Images

If you want to commit credit or debit card fraud, the United States is the land of opportunity.

That was the lament of Illinois Attorney General Lisa Madigan this month when she testified before a Congressional committee.

"Frankly, it is negligent that the United States is behind the rest of the world when it comes to the security of our payment networks," said Madigan, who is helping to lead a multi-state investigation of the recent data breaches at Target and other retailers.

Credit and debit card issuers boast they've been very good at detecting and fighting fraud, limiting such losses to only about 6 cents of every $100 in transactions. But the massive theft of customer information from Target is changing the landscape. That theft is producing more political, consumer and industry interest in making payment cards much more secure than they have been.

So-called smart cards, loaded with computer chips to fight counterfeiting, are considered critical to upgrading the nation's defenses against cyber crooks. Even before the Target data theft, card issuers, merchants, and other industry players had largely ended their squabbling over the logistics and costs of moving to so-called smart cards. But it is a big, complex project that'll take years to pull off.

Unless payment card security is beefed up, fraudulent charges will soar, said Randy Vanderhoof, executive director of the Smart Card Alliance, a multi-industry association that advocates the widespread adoption of smart card technology.

He notes that issuers have issued over 1.2 billion cards and merchants operate more than 10 million point-of-sale devices.

"Since the U.S. market is the last major developed market that has yet to invest in this new chip technology, all indications are fraud rates are going to start to ramp up significantly," Vanderhoof said.

Bogus charges total $4 billion or so a year. But that doesn't include other costs, such as the expense of replacing cards and the time it takes to resolve illegal transactions.

Visa and its peers want most retailers to be ready for smart cards by October 2015, and gas stations by two years later.

Vanderhoof said achieving that goal will cost $8 billion to $10 billion, far more than the current cost of fraud.

But merchants that don't make the switch by the deadline will be more on the hook financially if they allow bogus transactions.

So far, only 10 to 15 million smart cards have been issued in the United States. While many retailers, including Target, have started installing chip readers in their stores, very few have actually turned them on and started using them, Vanderhoof said.

Target expects to have smart card readers in all of its stores by the end of this year. Next year, Target will start replacing more than 16 million old-style REDcards with smart cards.

Earlier this month Target CFO John Mulligan told a Congressional committee that the retailer has long advocated a migration to smart cards.

"It certainly doesn't resolve all the issues," he said. "But it is a significant step forward for our industry in ensuring data is safe."

US Bank has issued FlexPerks Travel Rewards Visa cards with chips since 2010. Most of those cards -- aimed at frequent travelers -- now have chips.

It will be up to card issuers to decide if they will require PINs on smart credit cards. There's a school of thought that holds most people would have trouble remembering PINs and would end up using the same PIN on all their cards.

The CEO of credit card giant Visa, Charlie Scharf, told analysts this month that PINs for credit cards are not practical in the near future.

"People are talking a lot about chip and PIN, as if they go together. That's just not reality," he said. "And that's not going to happen. Two-thirds of the merchants today in the United States don't have PIN pads. Most consumers in the United States don't even know what their PIN is on a credit card."

Smart cards won't stop fraud, but they'll make it harder to pull off. Valid credit card numbers, like those Target surrendered, wouldn't be sufficient to complete a purchase at a store, said David Robertson, publisher of the Nilson Report, which tracks the payment card industry.

"You really would not be able to use it in a chip card because when a chip card is put into a POS terminal in a check-out lane, it verifies the chip has not been counterfeited," he said.

But credit cards with computer chips don't address online fraud, at least not yet. The problem is a lack of ways to verify the authenticity of a card by checking its chip. It would also be a challenge to provide card readers to consumers, though they could be built into phones and other devices over time.

"It's possible to send everybody a card reader and attach that card reader to your laptop or desktop," Robertson said. "But that would require billions of those to be distributed around the world."

Another possibility is biometric IDs such as fingerprints that could be stored on a payment card or smart phone that also holds payment card information, said Shirley Inscoe, a senior security analyst with Aite Group.

"I think the time for biometrics is here," Inscoe said. "Financial institutions see the ... real opportunity to use those smart devices to ensure better security on transactions. Each device can be tracked as associated with the particular customer."

For now, though, biometrics are still in the experimental stage.

Meanwhile, as the use of smart cards spreads in the United States, criminals are expected to focus more on online payment card fraud. But there's a lot that can be done to deter those attacks.

For one thing, retailers could require shoppers to use the security code printed on the back of cards. Thieves typically don't get those digits when they pull off data heists.

"When you shop online, many retailers ask for that code," said Douglas King, a payment systems risk expert at the Atlanta Federal Reserve Bank. "But there are still quite a few websites where when you enter your card data that code is not asked for."

Simple transaction alerts also can help prevent fraud. Consumers can set up text or e-mail warnings for certain transactions, such as overseas purchases or any purchase for more than $25.

Al Pascual, a senior analyst of security, risk and fraud at Javelin Security and Research, said text alerts sent to customers' cell phones are one of the best ways to fight fraud. He said they are very effective, typically arriving within 15 to 30 seconds after a transaction.

Pascual said Bank of America automatically enrolls every customer for alerts about questionable transactions. He said one bank, USAA, allows customers to respond to alerts and halt transactions if they're not legitimate.

"They're going to let you know those transactions are occurring so you can respond to them and let them know whether or not they are legitimate," he said.