SEATTLE – The criminals behind the theft and underground brokering of some 40 million Target credit and debit card account numbers can lay claim to one of the largest, most sophisticated hacks in modern times.
Yet as pervasive and costly as the Target databreach will turn out to be, it is unlikely to alter the two fundamental reasons such cyberattacks have become almost routine.
First, the U.S. stands alone as a modern nation that continues wide use of magnetic striped payment cards designed more that 40 years ago to mechanically store payment card account numbers.
In the Internet age, the rest of the world, led by Europe, Asia and Canada, has moved to chip-embedded payment cards, which are much more difficult to counterfeit.
And secondly, American corporations and consumers have become inured to public disclosures of massive databreaches and sophisticated cash-out capers.
Retailers and financial institutions use media specialists and lawyers to absorb any associated losses as an extraordinary cost of doing business. Massive databreaches have been disclosed and weathered by Sony, CitiBank, BankAmerica, TJX, Heartland Payments Systems, Google, Yahoo and scores more.
Meanwhile, convenience-obsessed U.S. consumers are happy to accept new account numbers and PINs, then continue banking and shopping online in ways that leave them vulnerable.
"The Target breach, like so many others over the last few years, highlights that consumers need to take a more active role in their own security," says Dr. Hugh Thompson, chief security strategist at network security firm Blue Coat
To be sure, Target is weathering reputational damage. Three consumer class action suits have already been filed and the Attorneys General of Connecticut, Massachusetts, New York and South Dakota have launched formal inquiries.
Target's consumer perception cratered over the past weekend, as news and social media postings of the massive breach proliferated.
As a mea culpa, Target CEO Gregg Steinhafel on Friday offered a 10% discount on most store items, as well as free credit monitoring services for any to customers. Still, the retailer on Monday reached its lowest level of consumer perception point since June 2007, according to brand consultancy YouGov BrandIndex.
In response, the Greater Minnesota Credit Union abruptly suspended debit card accounts of members who shopped at Target. A day earlier, JPMorgan Chase imposed spending limits on about 2 million debit cards used at Target.
"Chase clearly wants to mitigate the hassle for its customers -- and its own liability for fraudulent purchases," says Adam Levin, Chairman of consultancy IDentity Theft 911.
Cybersecurity blogger Brian Krebs, who forced Target to publicly disclose the massive breach with his investigative news postings, says the retailer and its partners probably would have preferred delaying any disclosures until after New Years Day.
"I don't know whether they would have been able to keep it a secret that long," Krebs says. "The current situation puts them a bit over a barrel, because they risk incurring the ire of customers at this very busy time of year when everyone is shopping and traveling, and they likewise will be blamed for not canceling cards when fraud does occur."
Target spokeswoman Molly Snyder sent reporters an update Monday afternoon confirming that the company is cooperating with inquiries from state AGs, the U.S. Secret Service and the U.S. Department of Justice.
Snyder acknowledged "a high volume of calls" and noted that the company has more than doubled the number of service reps.
"We have communicated to 17 million guests via email and reminded them that unless they have seen fraudulent activity on their account, there is no urgent need to call," Snyder says. "We also continue to push tips to our guests via social media."
Time is of the essence. It could take weeks or months for Target and all bank card issuers to identify, cancel and replace 40 million credit and debit card account numbers that are now in play in the cyberunderground.
Criminals realize they have a small window to cash in. One glimpse of how complex and efficient payment card fraud has become in the Internet age came May. Authorities disrupted a cybergang that stole an estimated $45 million by attacking ATMs with hackers and a global ring of accomplices. A handful of lower-level operatives were arrested. But the ringleaders got away scott free.
The thieves very likely gained access into a payment card processing firm by targeting certain individuals for a spear-phishing attack, getting them to click on a tainted file or Web link. With a foothold on the company network, the crooks were able to locate and steal account logons and PINs, and also boost the ATM withdrawal limits on hundreds of accounts.
The account information was then embedded on blank mag stripe cards distributed to a small army of cash-out mules — recruits who then used the faked cards to withdraw thousands of dollars in cash from ATMs in several cities.
One reason the U.S. has fallen behind in adopting chip-embedded cards is because so many taxis, restaurants and small retail businesses rely on mag-stripe systems that would cost a fortune to replace, says Blue Coat's Thompson.
Martin Ferenczi, the North American president of French chip card maker, Oberthur Technologies, says wide use of chip cards in the U.S. is three to four years out. In the meantime, the best and brightest cybercriminals will take as much advantage as they can.
"With a chip card, if data is stolen, it is useless because it was only relevant for that previous transaction," Ferenczi says. "The U.S. is now the weakest link as migration to chip cards is in its infancy."
The implication for U.S. consumers is clear: each individual assume responsibility for deflecting fraud.
"This is one of few countries where you can create an online bank account, and use just a password to access the account," says Thompson. "It's a market where convenience heavily trumps risk."