Identity theft strips credit card users of security

It’s becoming not a matter of if but when one will have their identity stolen. Using a credit or debit card at major retailers feels like a game of Russian roulette with every swipe.

Kmart and Dairy Queen have recently joined the ranks of a growing list of companies experiencing data breaches of consumer financials. Collectively, over 100 million credit card numbers were stolen from the computers of Target and Home Depot — and that’s a conservative estimate. That’s one-third of Americans, and if it’s not alarming, it should be.

However, to focus attention on the internal security of retailers is to misunderstand the bigger problem. The truth is our credit and debit cards are giving out all of the information that thieves want.

The magnetic strip on the back of existing cards is an exceedingly antiquated technology, one that much of the rest of the world began moving away from a decade ago. Unfortunately, the United States is the last major market to still use the outdated system known as swipe-and-sign.

This is probably the reason why half of the world’s credit card fraud happens in America. There’s a clear correlation between the shift away from magnetic strip cards in the rest of the world and the increased credit card fraud in the U.S. Criminals have been following the path of least resistance, which means shifting attention to America, where card data can be more easily acquired.

A card’s magnetic strip contains all of the information a thief needs to rip off cardholders, and it’s much easier than one might assume. Two common methods are skimming and bumping.

When a card is used in a point-of-sale transaction, the account information is transferred to the retailer’s computer where it can later be intercepted, but it may also be captured before the transaction is even completed.

If the card reader being used has been modified — typically with a seamless, undetectable attachment over the real device — when the card is swiped, the information is “skimmed” off before it is given to the merchant. The thief now has the account information and, to add insult to injury, it was the cardholder who just gave it away unknowingly.

RFID-enabled cards, those marked with the terms “PayPass” or “Blink,” can be waved over the card reader instead of swiping, allowing wireless communication with the merchant’s terminal, but also anyone else within the owner’s vicinity, and not just at the register, at any time. It was originally assumed that this method, “bumping,” could only be achieved if someone was close enough to bump into the person carrying the card, but this has been proven false.

Once the owner’s information has been captured, the card can be cloned and used as if it were the original. Duplicating a credit card is a fairly straightforward process that can be done with about $300 worth of equipment and very little technical knowledge. For those criminals lacking the know-how, step-by-step instructions exist on the internet.

Our cards are vulnerable, but not for much longer. Over the next year, the U.S. will catch up to the rest of the world by transitioning to a new kind of card.

The familiar magnetic strip will be phased out and replaced by a new generation of EMV cards featuring a computer chip. These cards, embedded with integrated circuits, are much more secure. The most important difference between them and their predecessors is the way transactions are completed.

When a magnetic strip card is swiped, the card number is communicated to the merchant’s computer. Chip cards, however, generate a unique number for each transaction that can only be used once; if this number is captured by a thief, it does them little good.

The transition to a more secure form of payment is one that’s long overdue. Visa has been an advocate of this changeover for years with little success. Merchants have proven to be the largest roadblock keeping banks from increasing card security, claiming the cost of replacing and updating hardware in stores to accommodate the new cards is more costly than any fraud taking place.

However, this is a sentiment that changed quickly after the Target debacle of 2013. In its wake, merchants began to recognize credit fraud as a problem of gargantuan proportion that can no longer be ignored.

“It’s deplorable that it always seems to take a really terrible situation to bring about necessary changes,” said Hispanic Studies doctoral candidate Sarah Becker, whose mother was a victim of the “Target fiasco,” as she calls it.

The magnetic strip and chip will overlap until the former is completely phased out, but Visa, Mastercard and American Express have set Oct. 1, 2015 as the deadline for merchants to become compliant with the migration to the chip card. What’s occurring is essentially a liability shift.

After Oct. 1, the party with the lesser technology will bear the burden of the fraud. Banks issuing new cards will refuse accountability for fraudulent charges as a result of the continued use of the magnetic strip; if the bank has not provided the customer with a new card, but the merchant does have the requisite technology, the bank will assume liability.

The fact that competing financial institutions are getting together to curtail credit card fraud indicates the scale and gravity of the problem at hand. To unite and collectively initiate a change that is years overdue is admirable.

“If replacing existing technology will significantly increase card security and decrease theft, then it is a step in the right direction,” said creative writing graduate student Dino Piacentini.

While one must acknowledge that a certain degree of criminal activity cannot be escaped, Piacentini is right; if new cards can protect consumers from being defrauded, then it is a change that needs to happen.

Many retailers have already updated their registers in anticipation of the payment transition. Additionally, several financial institutions have the new cards available.

Don’t wait for the bank to issue a replacement card. Call to request an EMV card and start making more secure transactions now.

Opinion columnist Jonathan Bolan is an English graduate student and may be reached at [email protected].