The appalling news that as many as 40 million Target customers were exposed in the last few weeks to credit card data theft is the latest wake-up call for America to get its cybersecurity up to speed.
The problem long ago ceased to be a matter of isolated cases of malicious mischief. The perpetrators are no longer just the stereotypical lone teen geeks whose idea of fun is to see how much havoc they can wreak with their cyber-cleverness. The stakes are very high now — state secrets and huge illegal profits. Rogue states, terrorist organizations and criminal gangs are sponsoring the most sophisticated teams of computer experts to out-think their counterparts on the right side of the law.
Actually, they don’t have to be so sophisticated — in America, at least. As Mallory Duncan, general counsel at the National Retail Federation, commented in response to the Target fiasco: “We are using 20th-century cards against 21st-century hackers. The thieves have moved on but the cards have not.”
In most other countries, credit cards contain digital chips that hold account information. The chip generates a unique code every time it’s used, making it difficult for criminals to replicate.
So they prefer the more vulnerable American targets, which continue to use the decades-old technology of the magnetic strip on the back of a credit card containing the essential information. When the card is swiped at a store, and that information is transmitted to a bank, it’s relatively easy for hackers to “listen in” and swipe the cardholder’s name, account number, expiration date and security codes. In the Target case, millions of the card accounts stolen have begun showing up for sale on the black market.
Why haven’t U.S. credit card companies switched to the more secure system?
They are operating on the principle: Crime pays, security doesn’t. A better system would cost too much, and it isn’t worth it to them. While global credit- and debit-card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions. Profits far outweigh the losses incurred by theft.
Even the fix now being contemplated will not be enough. Experts warn that the plan to replace magnetic strips with digital chips will be a waste of money if they use signatures instead of a personal identification number, or PIN. Of course, PINs cost more…
But the corporate profit-loss calculation may have to be revised in light of the outcry over the Target thefts.
Three class-action lawsuits have so far been filed, two in California and one in Oregon, seeking over $5 million in damages. Furthermore, attorneys general in four states — Connecticut, Massachusetts, New York and South Dakota — are reportedly looking into the possibility of a multi-state investigation.
At stake are not only potentially large, court-assessed damages, but that invaluable commodity known as the company’s good name. It would seem short-sighted for them to risk losing millions of customers by cutting corners on security.
Unfortunately, Target isn’t the only target. The retail chain joins the elite company of government agencies and corporations who have been digitally burglarized in recent years: NASA, the Pentagon, the National Security Agency, VISA, Dow Jones, Sony, Citigroup, Nasdaq, JetBlue, IBM, Cisco, Intel. In 2011, some 760 organizations were hacked in one massive breach, a list of victims that included about a fifth of the Fortune 100.
To be sure, there is an awareness of the problem, and they’re trying do something about it. An estimated $1.4 billion has been invested in cybersecurity firms and more than 1,100 technology start-ups are focused on cybersecurity innovation. The Obama administration established the Executive Branch Cybersecurity Coordinator in 2010, and federal investment in cybersecurity is projected to reach $13 billion by 2015.
But the Target breach and others demonstrate that something more is needed.
To call for a NASA-like, man-on-the moon-by-the-end-of-the-decade type of program to inspire the nation might be naive. Cybersecurity does not lend itself to the kind of glamorization that propelled NASA’s Apollo program. The dramatic visuals and the allure of a new era of exploration just aren’t there.
But a way will have to be found to attract some of the best minds in American technology — in government, industry and academia — to take on the challenge of providing the country with the cybersecurity it must have.
It’s not just a matter of consumer protection; it’s a matter of national security.