This morning CNN reported that Target fell victim to a massive and very sophisticated hacking scheme. Target and credit card issuers say as many as 40 million credit cards may have been compromised in this attack, which began on Black Friday.
What’s fascinating about this is that the attack was NOT aimed at Target.com, but was instead focused on the brick-and-mortar stores — a place we usually consider to be more secure because major retailers have implemented thorough security measures in the form of PCI.
PCI is the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. The standard began in 2004, but it really took hold after the massive credit card security breach at TJX Companies (TJ Maxx and Marshalls) during the Christmas shopping season in 2006. That attack affected 94 million accounts, more than double the number affected by the recent Target attack, and according to Visa it resulted in at least $68 million in fraud-related losses.
In a less PCI-compliant environment, the hack might have worked as shown in this YouTube video, “Hacking your credit card as you shop”. What makes this recent Target attack especially interesting (and a bit scary) is that thieves apparently figured out a way to jump in at the very front of the security chain and steal mag stripe information BEFORE hitting any of the PCI measures that were designed to prevent theft. Target’s security is top-notch and their PCI implementation is quite rigorous, so how did the hackers do it? According to reports, the sophisticated hack may have been in the firmware or software of the credit card swipe devices, so the hackers were able to bypass all the normal PCI-compliant security measures and get to the card data BEFORE it was ever encrypted.
Over the coming weeks and months Target, the Secret Service, and credit issuers will undoubtedly revise security protocols and work to overcome this latest hack. In the meantime, consumer vigilance continues to be our best last defense. If you’ve shopped at Target recently, you may want to call a special hotline Target has established for people who suspect unauthorized usage of their card information: 866-852-8680. And it’s a good idea for all of us to do these four things to ensure our credit information is secure.
This may not be all bad: I’ll use this as an excuse to explain any gifts I may have forgotten to buy.