Could Target-Style Data Breach Happen to Me?
ABC News Fixer answers small business owner's worry over customer credit safety.
Feb. 13, 2014 -- Dear ABC News Fixer: I am confused about the credit card data thefts I have been hearing about, such as the breach at Target stores. I have my own one-man business (mobile sharpening, in which I go to homes to sharpen knives, scissors, lawn mower blades, etc.). I accept credit cards using a credit card swiper attached to my cell phone.
When I look at the credit purchase history on my phone, I do not see PIN numbers or credit card expiration dates. I do not even see the entire credit card number -- just the last four digits.
I called the company that processes my receipts to find out how much credit card data is on my cell phone. They told me that only the date of the transaction, the amount and the last four digits of the card are on my phone.
If I cannot store complete credit card information, how is it that Target can? How did the Target hackers steal the information?
The reason I'm asking is I do not want any of us out here -- small businesses that use credit card swipers -- to be held responsible if credit card information is stolen from our customers.
- Gary Gordon, Charlotte, NC
Letters are edited for length and clarity.
Dear Gary: The Target breach – said to be the second-largest retail cyber attack in history – rattled a lot of nerves among consumers, retailers and bankers, and investigators are still trying to determine exactly what happened.
What we know is this: Between Nov. 27 and Dec. 15, hackers were able to access information for about 40 million customers, including their names, card numbers, card expiration dates, card security codes and debit card PINs (though the PINs were encrypted, Target said). Later, Target disclosed that additional info was compromised – that 70 million consumers had their names, addresses, phone numbers or email addresses exposed.
The U.S. Secret Service continues to investigate, but it's looking like the hackers used malware that accessed Target's computers and grabbed information at the point of sale. ABC News and other outlets have reported that the focus is on a heating and refrigeration business whose vendor access to Target's computers may have been hacked.
Target spokeswoman Molly Snyder declined to discuss specifics of the ongoing investigation.
The breach has brought new calls for something to be done. And something will, by October 2015, which is the deadline for the United States to finally switch to chip technology, considered a lot safer than the magnetic strips now on our cards.
Honestly, the whole story makes the ABC News Fixer want to hide all our money under a mattress and deal only in cash. But back to your question.
We asked experts in banking and technology whether a breach like this could happen to you.
Lori MacVittie, a senior product manager at F5 Networks and a technology blogger, said the amount of information that's available in any transaction depends on the software the merchant uses and the type of transaction. When a consumer swipes his card, the merchant's software sends data to a payment gateway – essentially a bridge between the card reader and the credit issuing institution. The gateway stores the info it needs for the transaction – whether it's just a credit authorization or a transaction that will be batched and processed later on.
In your case, neither your cell phone nor your swiper is storing the data; rather, your customers' info is kept at the gateway and then sent to the credit issuer.
Gateway providers and credit issuers are highly regulated and are required to have lots of security. For example, all their communications must be encrypted.
In the recent Target breach, it's thought that the thieves may have used credentials they stole from the vendor to install malware that placed them right at the card reader – almost as if they were standing over the customer's shoulder in the check-out line.
MacVittie said that if you visualize a hose that's carrying credit card information from the card reader to the payment gateway to the bank, the malware put a "Y" nozzle on the hose right at the card reader. At that "Y," one set of info went to the gateway and a copy of that info went to the thieves. That's the working theory, anyway.
MacVittie said the only way you could get in trouble is if your swiper was somehow compromised before you got it. As long as it's legit and wasn't tampered with, you should be fine.
Doug Johnson, VP of risk management policy for the American Bankers Association, agreed. He added, however, that the October 2015 deadline for the switch to chip technology will have implications for you and other small businesses.
After the switch, if a fraud occurs on a magnetic card that a bank chose not to replace with a chip, the liability for the loss will be on the bank. If, however, a fraud occurs on a new chip card that was accepted by a merchant who didn't upgrade his technology, the liability will fall on the merchant.
So for now, don't worry. But have a talk with your credit card processor before October 2015 to find out how to upgrade your technology to accept the new chip cards that your customers will be using.
- The ABC News Fixer