90.9 WBUR - Boston's NPR news station
The Target Security Breach And Our Vulnerable Data

Target raises the number of customers who may have had debit and credit card information stolen to maybe 110 million. We’ll look at the national implications.

A customer pushes a cart outside of a Target store, Thursday, Dec. 26, 2013, in Jersey City, N.J. The company has said that personal consumer data for up to 110 million customers may have been stolen in a massive data security breach. (AP)


It was bad enough when the first news came from Target.  Credit and debit card data on 40 million Americans, stolen at the height of the holiday shopping season.  Then Friday, Target let it be known that that number was in fact as high as 110 million Americans’ data stolen, out there, at risk.  A third of the country.  A number that sounds like system failure.  Now it’s a waiting game to see who gets ripped off.  It will be a lot of people.  Maybe you.  What’s wrong with this system?  This hour On Point:  inside the Target scandal, the American way of credit card security, and your vulnerability.

– Tom Ashbrook

Guests

Brian Krebs, author of the blog KrebsOnSecurity.com. (@briankrebs)

Avivah Litan, vice president and distinguished analyst at Gartner. (@avivahl)

David Lazarus, consumer columnist for The Los Angeles Times. (@davidlaz)

From Tom’s Reading List

Los Angeles Times: Target hack hits home: Columnist is among fraud victims – “An identity thief ran up nearly $2,000 in bogus charges at Polo Ralph Lauren, Coach, Tommy Hilfiger and Burberry’s on Saturday — just hours after I published a column decrying the weak efforts of businesses to protect customer data. I’d appreciate the irony if I wasn’t so cheesed off.”

KrebsOnSecurity.com: Hackers Steal Card Data from Neiman Marcus — “Target released additional details about the breach today, saying hackers also compromised the names, mailing addresses, phone number and email addresses for up to 70 million individuals. But Target has so far not publicly released information that would help other retailers determine whether their systems may have been hit by the same attackers. Neiman Marcus’s Reeder said the company has no indication at this time that the breach at its stores is in any way related to the Target attack.”

Gartner Blog: Target Saga continues – too much for Fraud Detection systems? — “When I first heard of this breach, I was hopeful that the banks’ and card companies fraud detection systems could handle staving off any potential fraud. But after speaking with a few issuers, I realized I was wrong. And after hearing about Chase and Citi’s moves I realized the fraudsters are finally getting the upper hand and disrupting our holiday season.”

  • Unterthurn

    Old news!
    The card companies have the technology to protect the customers, but they are not doing it.
    The consumer should be blaming their banks for saving money at the cost of their security. They need to add the cards with extra chips and better encrypted data.

  • lobstahbisque

    Could it be that American security in these matters is not up to snuff due to the complacency and greed of American companies supported by the right wing in its hoarding of profits in the face of a fast changing world? Oh say it isn’t so… USA
    USA….

    • John Cedar

      When your side can get a simple healthcare website to work and not have basic grotesque security flaws, then you can point your claws, with some creditability, at USA corporate ineptness and greed.

      • brettearle

        It doesn’t matter whose Ox is being gored: Security breaches are security breaches.

        It is bad in some places–both in the public sector and the private sector.

        If ACA has technology flaws it doesn’t necessarily mean that there are flaws in more areas of the public sector, by comparison, proportionally, to the private sector.

        We can point our fingers, `with some credibility’, at many places of ineptitude–in both sectors.

        • John Cedar

          Neither does it mean that the flaws in the public sector are driven by complacency and greed while the flaws in the government are driven by honest mistake.

          • brettearle

            You meant `private sector’ when you wrote ‘public sector’, correct?

            If so, I would have to agree–at least theoretically–that you can’t necessarily pigeon-hole and categorize.

      • lobstahbisque

        I just POINTED OUT the ineptness and greed. You and ‘your side’ can’t stop the world from evolving technologically, but you DID put up a smokescreen like an octopus and poof, you’re gone. You DO believe in evolution don’t you?

        • John Cedar

          You’re going to have to get pointy-er fingers because so far you have just pointed at a company “mistake”. It is a safe bet that Tarjay spent bundles of money trying to process their customers’ transactions and protect their security, and so far they are faring much better than the Obamacare website.

          I believe in evolution, do you believe in the fallibility of man? Or in this case probably an affirmative action filled IT department of non men.

  • Government_Banking_Serf

    What does it matter!?

    Can we finally all just hook ourselves up to the financiooneuro-network and let the NSA, Big Brother/Nanny and the Central Bank decide what, when, and where we want and spend, and just do away with the inefficiency and insecurity of this sick “Freedom” meme?

    Pass the Soma and Manage me already!

  • stephenreal

    Target, Chase Manhattan bank, and the NSA all failed in 2013.
    Across the board failure.
    Is there anyone else out there that feels the need
    to air my banking, shopping and security records to the world?

    Anyone?

    Let’s all gather hands now
    and pray for our internet security guards.

    Lord give these geeks the power
    to take our banking, shopping and national security needs seriously,
    and protect them from themselves,
    and any other stupidity that should happen to break out.

    Amen

  • John Cedar

    Visa, MasterCard and Discover are oligopolies and they have found a profit center in having poor security and passing losses on to the merchants.

    A few years ago I spent $300k becoming “triple DES compliant”. The card companies were hoping I wouldn’t bother and would then (according to their contract) be 100% liable for fraud. The third party software for my card processing had to be approved by the card companies. They dragged their feet in approving it and I barely made the deadline.

    The card companies should have been doing oversight on Target’s software. I cannot believe they had all this information stored in an unencrypted format or one that could be cracked.

  • stephenreal

    There has to be a better way (as in legal) to take on these teenage networks (along with the pros) from the former Soviet bloc countries.

  • John Cedar

    A few years ago my girlfriend got an email from her “bank” to sign on to her credit card account and she clicked the link and did so.
    When she discovered that she had fallen for a trick, the bank told her that their email list had been stolen. The bank tried to charge her $40 for a new card. She said, “you knew my email address had been stolen and you didn’t notify me, and now you want me to pay for a new card?”

    The bank almost made $40
    The merchant surely had the charges reversed and was out the merchandise they shipped.
    The hacker turned out to be a young adult in the next county.
    The Bank said they would not press charges against the hacker.

    There is no motivation for the criminals to stop because they usually get away with no punishment.
    There is no motivation for the credit card companies to prevent it because they make a profit off the fraud.
    Merchants are powerless to do anything because not accepting credit cards would be the kiss of death and there are even state laws that say they can’t charge a surcharge to cover the costs associated with them.

  • AC

    my card was stolen several years ago and i received a call immediately because the thief was buying sneakers and jewelry and other items i never purchase so they wondered if it was me, i didn’t have to pay a penny.
    also i travel a lot, & a few times now by the time i buy 3 or 4 things in a new location, my card gets locked out and i have to call them up & tell them it’s me and i’m traveling.
    i can’t see how the consumer will be held liable for false purchases if they are outside of realm of their typical shopping behavior. of course, now would be a good time to do such a thing and blame the ‘store’…..

    • DeJay79

      I got a call the same day that a purchase in Russia was made on my credit card. The difference was that it was me who did it, as i was buying something online.

      Yet, it was great to know that they really do monitor what happens on my credit account.

    • Don_B1

      Most credit card companies act exactly as yours did. There is actually a law that limits your liability to $50 as long as you are not involved in the “stealing” of your card or information.

      But most card companies want you to feel “safe” and do not charge you anything if someone else gets your card or information. But they do want you to report the loss of your card as soon as you realize it. If you regularly use it and then went a long period of not using it while a thief used it, that might be investigated.

      The card companies have treated the “hacker losses” as the cost of doing business, but the size and frequency of thefts recently is apparently large enough to make them consider better protection, even if it makes the use of the cards more difficult.

  • stephenreal

    Cooperation with Putin’s Russia and economic leverage from our friends in Europe used toward EU applicants from eastern Europe would be a great help to squash these criminal networks.

  • liminalx

    Micro-chips in the cards, like they have in Europe, and the banks not retailers should cover the cost of the system change

    • stephenreal

      I don’t think your average American wants to pay $8 to $10 dollars estimated for those fancy cards.

      Me however? I am down with any solution.

      • http://neilblanchard.blogspot.com/ Neil Blanchard

        You didn’t read the whole sentence …

        • stephenreal

          I sat in on a banking fraud thing, totally dry stuff, the banks would shift the cost back to the consumer.

          straight out.

      • sickofthechit

        CASH.

        • stephenreal

          cash? so 20th century

    • James Patrick Dwyer Jr.

      ABSOLUTELY. But I wouldn’t bet it happens.

  • http://neilblanchard.blogspot.com/ Neil Blanchard

    110 Million sounds like everybody who ever shopped there?! Certainly it seems like a longer period of time than they said at first.

    • Renee Engine-Bangger

      Yes, it is longer than the “black friday” period Target initially referenced. They acknowledged this (but in a whisper).

  • stephenreal

    Some of these stories on these internet fraud cases are like case studies out of the “Real Stories of the FBI”. They are absolutely captivating.

  • Tom

    Why manage a bank account online? Separately, buying stolen cards is the crime of receiving stolen property. All said, it appears to be the beginning of a wave of online marketplace collapse.

    • stephenreal

      Not if quantum physics has anything to say about it.

  • stephenreal

    wow! Don’t ever use your pin? news to me.

    • DeJay79

      much safer not to… but the gas station gives me a 3 cent discount to use my debit card pin.

      • stephenreal

        that woman is a straight shooter. I like her realist advice to tackle the bad guys.

  • Dab200

    Because we travel to Europe I called all our cards some years ago but I was able to get only one card with a chip. In December after the Target story I requested chip cards from all. Again only one was possible. Banks were telling me that I have zero liability and for them it’s not worth while to change into chip system!
    The money liability might be theirs but ID is mine that can be stolen.

  • John Roberts

    1. Chip cards have been around for 5 years or more, why are some card companies/banks stalling on this technology?
    2. Most banks won’t prosecute card fraud under $10,000 …creating a ‘cottage industry’ for credit/debit card fraud.
    3. Limit debit card use… standing in line while everyone uses a debit card to pay for a coffee or newspaper annoys the heck out of those who take 5 minutes to withdraw a few $$ from an ATM.

  • keruffle

    Hack the hackers?
    Why not launch denial of service attacks against the websites where the credit card numbers are sold?

  • Bruce

    Why was Target holding on to customers’ PIN numbers? There is no reason or excuse for that. Incredibly irresponsible!

  • Dab200

    BTW why do shops even ask for our name, address and tel? Why is that legal for them to collect our data?

    • Bruce

      Many states now have laws that prohibit a merchant from requesting this information when a credit or debit card is used. They can ask for i.d., but they can’t capture the information.

  • AC

    what is law enforcement’s duty here? we pay taxes to have protection against crime – this is a new type, but maybe they need to have a little more responsibility here. not just the retail/banking, they’re ‘victims’ here too, sort of….
    i say law enforcement needs more budget and better ability to fight this kind of crime…

  • hennorama

    Any consumer can get their credit report (not the FICO score, but the actual report) for FREE from each of the Big 3 reporting agencies (Equifax, TransUnion & Experian) once per year, here:

    https://www.annualcreditreport.com/cra/index.jsp

    Rather than sign up for a monthly credit report service, one simple strategy you can use is to request the free annual report from a different agency every four months, then repeat (e.g., Equifax in January, Experian in May, TransUnion in September). This allows you to see the report 3 times/year FOR FREE.

    Any inaccurate info can be disputed, including background info.

    For more on understanding credit reports, see:

    http://www.consumer.ftc.gov/topics/money-credit

  • sickofthechit

    Infuriating?! I’ll tell you what’s infuriating, it’s having to stand in line behind all you card holders and having to wait while you fumble for your card, have to decide whether you are using this card or that card? debit or credit?, cash back or not? etc. etc. While I stand with cash in hand, with the very real realization that I am having to pay a higher price due to vendor fees on your transaction than I would have if everyone was paying cash, plus the insult that you are getting “cash back” adds further insult to my injury. Sick of not getting a cash discount for paying with cash. Charles A. Bowsher (one of the real “suckers”)

    • JGC

      I am usually on board with your thoughts, but here is something I have to share with you. I am one of those people you despise (with all the various loyalty cards and so forth) BUT I do try to make that exception for the small business owner, knowing that they take it in the kneecaps for the “gold” or “platinum” level credit card.

      I have asked my local “depanneur” (corner store) owners if they prefer cash or debit, and both have said debit. If you are a small business that ordinarily takes in a lot of cash, the banks have found a way to punish you for that. They view “cash handling” as an expense (physical money to be verified, having to hire those GARDA trucks to transport the huge bags of loot) and, at least here where I live in Canada, it is cheaper for the small merchant to do transactions in debit cards rather than cash.

  • Corvus A

    Two points – 1st, on why Target didn’t go public immediately. I believe I have an accurate and simple explanation – I’d like to hear your guests’ thoughts. Use this parallel: this break-in is not like somebody breaking into a bank vault and taking money – which should be countable. It is like termites – we see the termite evidence of attempted online break-ins every second of every day – and have for well over a decade. And, like termite evidence, the real damage is not immediately available. I’d like to hear if your guests think this is inaccurate.
    2nd – chips on card – they represent a security risk themselves. This is a major reason, imo, they have not been adopted – a chip can be “read” from a distance – so you are vulnerable to somebody walking past you with a reader.

  • derek_1

    Could Target buy some POS antivirus software?
    If it can’t work they should not be selling the PC antivirus software.

    • http://neilblanchard.blogspot.com/ Neil Blanchard

      That is not good enough – it would be hacked in a second.

  • Justin Folkers

    Have to agree with @davidlaz. I’ve spent many years advising companies on their security strategies and can tell you that there is a cost benefit discussion every time. Frighteningly enough I’ve watched over and over again as senior executives underestimate the risk in order to avoid paying for a higher cost, read: more effective, solution. This is the inevitable outcome of the quarter-by-quarter outlook that dictates how U.S. firms run their operations. We need to figure out how to take the longer view and do the right thing to protect consumers.

    • northeaster17

      I think the quarter by quarter outlook you used is way too generous. In some companies I’ve seen it’s more of a minute by minute outlook.

    • jefe68

      That would work if credit card companies and corporations did not look at consumers as marks, or just rubes. As you stated they take a calculated risk because it’s about the bottom line, period.

  • stephenreal

    My RSA chip card was weakened so bad by my good friends in the NSA I had to drop E-Trade after that bonehead maneuver tanked the whole RSA system.

    Chip cards are hardly a secure vehicle either.

  • Rob_Verdasys

    This is crazy. ENDPOINT security technology is here to stop this. The executives at these companies are too short sighted and don’t listen to the experts. For anyone that didn’t want the hassle of installing an ENDPOINT security solution learn from Target’s mistake. It will cost them dearly for this. I hope others take note.

  • SherylT

    It’s the merchants who take it on the chin for the cost of customer convenience with credit cards. We have no choice but to take them in this day and age, and the fees are the second highest cost to my business after payroll. Sorry if I have little sympathy for people who refuse to carry cash anymore.

    • sickofthechit

      Do you offer cash discounts?

      • SherylT

        Yes I do, on gas.

      • JGC

        Some jurisdictions make it impossible to offer cash discounts on credit card purchases. Not a legal option.

      • JGC

        Is there a serial downvoter in the neighborhood?

  • stephenreal

    The NSA is still chasing the ghost of Bin Laden.

    They swear they’ll find that ethereal thing somewhere.

  • sickofthechit

    Uh, How secure is CASH?!

    • stephenreal

      not very, if you travel the world.

  • AC

    i tried to let it go, but that cop out response about ‘took me a day to find out who robbed me’ bothers me….what does that have to do with scoffing over justice and getting a criminal caught and prosecuted?
    i don’t care where he’s from, a thief shouldn’t be allowed to hide from his crime, and i don’t care how ‘on top’ and changing the protective measures may be, a crime is a crime is a crime. period. create a consequence for engaging in it…

    • stephenreal

      talk to the Russians

  • mairelena

    Is the Target system sophisticated enough to say definitively that there were 110M different customers? They may be saying that there were that many transactions. I myself went 3 times within the past two weeks. Of course, I used only cash because of this story.

  • http://neilblanchard.blogspot.com/ Neil Blanchard

    Greedy lazy corporations. If corporations were “people” then they would get prosecuted and punished. But, like BP they barely get a slap on the wrist, and we *real* people get screwed.

  • sickofthechit

    I think it’s dumb to think that “smart” phones are safe. Cash is safer and deserves larger discounts than the selfish cardholders get. I am sick of paying for your convenience. Rise up cash payers and revolt! Demand cash discounts now! Get a cart full of stuff at the local grocery store, let the clerk total it all up then demand a cash discount at least equal to what the cardholder gets. if they refuse, walk away and find another store. It is the only way we (cash payers) will ever get the respect we deserve. charles a. bowsher

    • AC

      way more crime with cash (& violent crime at that) than electronic asset tracking. it’s much harder to commit fraud these days….
      or even things like abuse of power and traffic jams, etc….i like the new world.

      • tbphkm33

        Yep, electronic is more secure than large amounts of cash. Sweden has plans to do away with cash completely. Of course, their banking system is consumer focused and thus much more secure than the US system. There is a price to pay to be serfs of the corporations.

        • Government_Banking_Serf

          tangible gold gone, tangible fiat paper money going, now you want to trust them with electrons? One keystroke and you’re gone. Would make IRS allegations, hit lists, and traffic jams look like small potatoes.

          But then again, I’m probably being paranoid. We have good folks at the NSA, and the executive branch under both parties always keeps its promises.

          Not to mention, I know that the Rubin/Summers/Geithner/Paulson/Greenspan/Bernanke crowd has the little guy’s best interests at heart, and even though they are unaccountable technocrats, we can trust them!

  • sickofthechit

    You all do realize that nearly every transaction on your credit/debit card is sent wirelessly and is hackable don’t you?

  • http://www.CayerComputing.com/ Melissa A. Cayer

    One of my first jobs was a cashier at Kmart. We used a metal device that ran a heavy weight over a card and carbon paper copies to get the card information. We had to look in a booklet for bad credit card numbers. The books were issued periodically.
    How come I never hear a very technical explanation of the steps that were taken to cause the breach? There were a lot of leaps of logic in the explanation.
    Do credit card companies limit Merchants like they do with customer credit limits? So, a merchant cannot sell over a certain dollar amount of merchandise for a particular credit card company (or other payment method) in a 24 hour period.
    I get the feeling merchants and payment providers are too comfortable together over-extending the customers.
    The credit card chip explanation did not make sense to me – I cannot convince myself that those cannot be counterfeited.
    US Constitution Article 1 Section 8
    ….
    To coin money, regulate the value thereof, and of foreign coin, and fix the standard of weights and measures;
    To provide for the punishment of counterfeiting the securities and current coin of the United States;

    Finally, what is the 2013 yearly salary of the invited guests?

  • Grove

    Why are we in a security stone age?
    Greed – It’s all in the name of profits.
    Who cares about the security? It’s more important that a CEO can have a gold plated toilet

  • Sandstone3

    Why have I not heard anyone propose a solution of cardholders putting a credit freeze on their accounts with all 3 credit agencies? No one would be able to open a card if they weren’t you. If you needed to acquire credit, you would need to lift the freeze for the time period needed to get the credit approved. I have a freeze on my accounts. If you’ve not been a victim of fraud, it costs ~ $10 per agency.

    • hennorama

      Sandstone3 — that’s fine for new accounts opened with your personal info, but not for charges made using existing account info.

      • Sandstone3

        Agreed. But it’s a stronger step than others I’ve heard mention to prevent new accounts being opened.

  • Maureen Roy

    Obviously our laws are outdated to the point of being irrelevant when it comes to cyber crimes. I had ID theft years ago as well, did some digging and tried to report “my findings” to the local FBI bureau. Never heard a thing back. Had people in Russia and Texas using my info. for sometimes bizarre purchases.

  • jefe68

    I hope you realize that in the US that we are years behind other nations in security. EMV stands for Europay, MasterCard and Visa and is the technology standard that involves placing an integrated circuit of some kind into a credit card. Most European and Asian countries began adopting the technology a decade ago, pushed by regulators in those countries.

    About 80 countries use smart credit cards, which allow for greater encryption and security. By comparison, only about 1 percent of credit cards issued in the U.S. contain such technology.

  • hennorama

    Dagnabbit.

    Just got an email from Target stating that my info “may have been taken during the intrusion.”

    Only after a great deal of thought did I recall that I had shopped on the Target website, over a year ago. It might even have been two years ago.

    Yikes.
