Weak U.S. card security made Target a juicy target

NEW YORK (AP) — The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target’s stores will get worse before they get better.

That’s in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes.

"We are using 20th century cards against 21st century hackers," says Mallory Duncan, general counsel at the National Retail Federation. "The thieves have moved on but the cards have not."

In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it’s used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don’t bother.

"The U.S. is the top victim location for card counterfeit attacks like this," says Jason Oxman, chief executive of the Electronic Transactions Association.

The breach that exposed the credit card and debit card information of as many as 40 million Target customers who swiped their cards between Nov. 27 and Dec. 15 is still under investigation. It’s unclear how the breach occurred and what data, exactly, criminals have. Although security experts say no security system is fail-safe, there are several measures stores, banks and credit card companies can take to protect against these attacks.

Companies haven’t further enhanced security because it can be expensive. And while global credit and debit card fraud hit a record $11.27 billion last year, those costs accounted for just 5.2 cents of every $100 in transactions, according to the Nilson Report, which tracks global payments.

Another problem: retailers, banks and credit card companies each want someone else to foot most of the bill. Card companies want stores to pay to better protect their internal systems. Stores want card companies to issue more sophisticated cards. Banks want to preserve the profits they get from older processing systems.

Card payment systems work much the way they have for decades. The magnetic strip on the back of a credit or debit card contains the cardholder’s name, account number, the card’s expiration date and a security code different from the three or four-digit security code printed on the back of most cards.

When the card is swiped at a store, an electronic conversation is begun between two banks. The store’s bank, which pays the store right away for the item the customer bought, needs to make sure the customer’s bank approves the transaction and will pay the store’s bank. On average, the conversation takes 1.4 seconds.

During that time the customer’s information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security code printed on the backs of cards or other personal identification numbers.

Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it’s stored. Target says there is no indication that security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But the security code on the back of a card is not needed for in-person purchases. And because the magnetic strips on cards in the U.S. are so easy to make, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.

"That’s where the real value to the fraudsters is," says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.

Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.

To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn’t be able to create fraudulent cards.

Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won’t go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.

"Everyone knows that the signature is a useless authentication device," Duncan says.

Duncan, who represents retailers, says stores have to pay more — and banks make more — on transactions that require signatures because there are only a few of the older networks that process them, and therefore less price competition. There are several companies that process PIN transactions for debit cards, and they tend to charge lower fees to stores.

"Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards," Duncan says.

Even so, there are a few things retailers can do, too, to better protect customer data. The most vulnerable point in the transaction network, security experts say, is usually the merchant.

"Financial institutions are more used to having high levels of protection," says Pascual. "Retailers are still getting up to speed."

The simple, square, card-swiping machines that consumers are used to seeing at most checkout counters are hard to infiltrate because they are completely separate from the Internet. But as retailers switch to faster, Internet-based payment systems they may expose customer data to hackers.

Retailers need to build robust firewalls around those systems to guard against attack, security experts say. They could also take further steps to protect customer data by using encryption, technology which scrambles the data so it looks like gibberish to anyone who accesses it unlawfully. These technologies can be expensive to install and maintain, however.

Thankfully, individual customers are not on the hook for fraudulent charges that result from security breaches. But these kinds of attacks do raise costs — and, likely, fees for all customers.

"Part of the cost in the system is for fraud protection," Oxman says. "It costs money, and someone’s going to pay for it eventually."

Jonathan Fahey can be reached at http://twitter.com/JonathanFahey .

Copyright 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
