The criminals who cracked Target's defenses, stealing debit and credit card information of as many as 40 million shoppers who swiped at the retailer's stores, exposed a major vulnerability in the way Americans pay.
“The credit card system is inherently broken,” said Jeremiah Grossman, the chief technology officer of Web-application security firm WhiteHat Security. “It's a shared-secret system, in which everyone has the secret every time you swipe your card in the U.S.”
That secret is the data encoded on the back of magnetic-stripe cards: the name of the cardholder, plus the account number, security code and expiration date, among other vital bits.
Banks and other card issuers — not individual consumers — will absorb whatever direct losses result from the Target security breach. That's a fundamental part of how plastic works: Consumer protections shield individual cardholders from liability.
But there's still the hassle of watching for bogus charges or requesting a new card and updating any automatic payments associated with the old one.
Target's CEO Gregg Steinhafel apologized in a statement issued Friday. Target also said it's adding more workers to field calls and help solve website issues. And the discounter began offering 10 percent off for customers who shop in stores today and Sunday and free credit monitoring services to those who've been affected by the issue.
The Minneapolis-based discounter said that while it's only heard of “very few” reports of fraud, it's reaching out to customers who made purchases by swiping their cards when the scam occurred.
For card issuers, data thefts on the scale of the Target breach, which occurred between Nov. 27 and the middle of this month, represent a major headache and possibly substantial expenses. To combat would-be thieves, payment networks, banks and retailers are already shifting to new technologies, but the transition will take years.
Target admitted Thursday that hackers had infiltrated the payment system used in all its brick-and-mortar stores. The admission came a day after digital security reporter Brian Krebs broke the story.
The nationwide retailer stressed that its estimate of the number of people affected, 40 million, is just an approximation. Many of those shoppers will probably never experience any fraud on their accounts.
For now, exactly how this particular breach happened is unclear. Still, experts are fairly sure how these schemes take shape.
Hackers do business on forums in the deep recesses of the Internet. These meeting places act as eBays for criminal activity. There, malicious actors buy and sell stolen information.
After that, crooks can work with separate groups that replicate the stolen card information and write the lifted data onto blank pieces of plastic. Eventually, mules on the street get hold of the finished cards and cash them out. Criminals can also buy goods online with the stolen numbers.
Sometimes criminals bolster the price of their wares by validating that the card is still active — a telltale sign that your account has been compromised. They do that by initiating a micro-charge of $2 or less, “something that you're not going to call your issuer about,” said Yaron Samid, chief executive of startup BillGuard, which monitors its users' card accounts for fraud.
That means cardholders should be vigilant for months, he said, or at least change their PIN codes if they think they've been affected.
Criminals, he explained, can hold on to cardholder data for a long time before selling it on the black market. And even more time may elapse before the transactions that bilk cardholders at the ATM or the virtual or physical point of sale.
As they scramble to deal with the Target breach, financial services companies are already looking to shift the system.
The most prominent way they're doing this is with the chip card standard that's being used by issuers of cards in just about every country in the world outside the U.S.
Those cards, known as EMV cards (named for Europay, MasterCard and Visa), carry a microchip that performs cryptographic authentication instead of simply handing over the static data stored on a magnetic stripe. EMV technology, experts explain, is simply more secure than the magnetic stripes used on American cards.
Until EMV takes hold, or something more resilient takes the place of the current payment system, consumers will just have to live with the headaches caused by breaches.
“It's ultimately not the consumers who face the liability here. That's the one beautiful thing about the credit card system,” said Robert E. Lee, a security business partner at Intuit. “If my card is stolen and used like this, I'm not out of pocket.
“There are all these consumer protections in place, even though the entire system is stupid.”
This report includes material from the Associated Press.
Q: I shopped at Target during that time. What should I do?
A: Check your credit card statements carefully. If you see suspicious charges, report the activity to your credit card companies and call Target at 866-852-8680. You can report cases of identity theft to law enforcement or the Federal Trade Commission.
You can get more information about identity theft on the FTC's website at consumer.gov/idtheft, or by calling the FTC at 877-IDTHEFT (438-4338).
Nebraskans can file a complaint online at ago.ne.gov, or by calling the Consumer Protection Hotline at 800-727-6432, State Attorney General Jon Bruning said.
Iowa Attorney General Tom Miller said his Consumer Protection Division has posted identity theft information at www.IowaAttorneyGeneral.gov.
Q: Who pays if there are fraudulent charges on my account?
A: The good news is in most cases consumers aren't on the hook for fraudulent charges.
Credit card companies are often able to flag the charges before they go through and shut down your card. If that doesn't happen, the card issuer will generally strip charges you claim are fraudulent off your card immediately.
And since the fraud has been tied to Target, it'll be the retailer that ultimately compensates the banks and credit card companies.
Q: How can I protect myself?
A: Like they say, cash is king. You can only lose what you're carrying, though admittedly many people may not feel safe walking around with a wad of bills in their pocket.
As stated before, credit card companies don't hold consumers liable for charges they don't make. Usually the worst thing consumers have to deal with is the hassle of getting a new credit card.
And the paper trail generated through credit card transactions can often make it easier to do things such as return items you've purchased or keep track of work-related expenses. It's worth noting that while debit cards offer many of the same perks as credit cards, without the worry that you'll spend more than what's in your bank account, they often don't come with the same kind of fraud protections.
As a result, debit card holders may have a tougher time getting their money back if their number is stolen.
Q: How did the breach occur?
A: Target isn't saying how it happened. Industry experts note that companies such as Target spend millions of dollars each year on credit card security, making a theft of this magnitude particularly alarming.
Avivah Litan, a security analyst with Gartner Research, says that, given all the security in place, she believes the breach may have been an inside job.
Litan says Target's breach suggests that current security standards aren't working.
"It's really a wake-up call to the banking industry, but they never seem to wake up," she said.
James Lyne, global head of security research for the computer security firm Sophos, says something clearly went wrong with Target's security measures.
"Forty million cards stolen really shows a substantial security failure," he says. "This shouldn't have happened."
Q: Why is the Secret Service investigating?
A: While it's most famous for protecting the president, the Secret Service also is responsible for protecting the nation's financial infrastructure and payment systems. As a result, it has broad jurisdiction over a wide variety of financial crimes. It isn't uncommon for the agency to investigate major thefts involving credit card information.
Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.