A week ago Sunday at about 10:00 a.m., Jim Wells was on his way from church to a grandson's birthday party, when he popped into Target to pick up a gift. By the time he returned home from the party at about 3:30, there was a voicemail message on his machine from Citibank's fraud control department asking him to call because they thought there might have been fraud on his account.
The customer service rep read off several charges on his account that were suspect, including a 55-cent charge at a real estate company and a $1 transaction at another site. Only the Target purchase and a gas station charge were real. The rep said the bank believed Wells' card had been compromised, that the card would be canceled immediately and that the bank would send a new one. This was about four days before the Target breach hit the media.
"I was astounded," says Wells, who is president of Wellspring Consulting and not a fan of some large-bank practices. "I was pleasantly surprised."
But this anecdote is a lone success story in the sea of uncertainty that is the Target data breach, confirmed last week, which exposed the card account data of 40 million Target shoppers.
Many banks are taking more of a wait-and-see approach, asking customers to monitor their accounts and using the banks' fraud analytics software to monitor transactions for signs of foul play, but not rushing to close accounts and reissue cards.
"A bank that is taking a wait-and-see approach is leaving itself open to not only having to make good on a lot of payments but having its cardholders worry," Wells says. "I think the wait-and-see approach is not customer friendly, which is not surprising given I don't think the big banks are customer friendly."
But the right solution is not clear-cut.
Citi's approach, of calling the customer and reissuing his card, is very expensive. "If you've had millions of cards in your portfolio compromised, how many calls can you make a day?" says Avivah Litan, vice president and distinguished analyst at Gartner. Card production facilities are limited in the number of new cards they can generate, in the range of 35,000 to 50,000 cards a day.
Chase's reaction to the breach was widely denounced: on Dec. 21 it announced it was limiting affected customers' use of their debit cards to $100 a day for ATM withdrawals and $300 for purchases.
"Chase's statement, said another way, is, we're doing this to protect us," Wells says. "When you get your statement and get the shock of your lifetime, call us and we'll do something."
On Dec. 23, the bank stepped back, raised the limits to $250 per day for cash withdrawals and $1,000 per day for purchases, and apologized for the lowered limits on its website.
Most other large U.S. card issuers, including Bank of America, Wells Fargo, U.S. Bank and PNC, simply told their customers they were monitoring their accounts and to report any suspect transactions.
Is there anything banks could have done to prevent this breach?
Dozens of security software companies have contacted us to offer their answer to this question. Each one, had we taken the bait, would have given us a thinly veiled sales pitch for its own technology.
But it's hard to say at this point that there's any one technology or even set of technologies that would have really helped. Target's investigation has not yet been completed and it's too early to say just how the hackers infiltrated the retailer's network.
"You put one block in, they'll find another opening," says Litan. "The typical thing people would say is, use point-to-point encryption. But then [the hackers] could have gotten to the data before it was encrypted."
Until specific technologies are standardized as part of PCI, there's little point for a retailer to invest in them: they will get locked into a vendor's non-standard system, Litan says.
Some say the real problem is systemic.
"The real question to be asked is, 'Why aren't Visa and MasterCard involved in establishing data security systems that make these breaches impossible?'" says Gary Olson, president and CEO of ESSA Bank and Trust in Stroudsburg, Penn.
"Can you imagine the cost of 40 million cards being reissued? Banks pay the freight and occasionally you can get reimbursed by Visa and MasterCard for some of the cost. Reissuing is a nightmare for the customers and banks and is not a long-term solution for this massive problem. The retailers need to go to another security level with their servers but no one seems to be responsible for making that happen."
Litan shares this big-picture view.
"We have a very creaky system that needs a fundamental upgrade," she says. "Magnetic stripe security is from the 1970s. Any system is better than magnetic stripe."
Moving to EMV-chip cards with dynamic security, standard technology in the rest of the world, would mean these attacks wouldn't happen so frequently, she says. "If the criminals stole this data, they wouldn't be able to clone the card easily. So far chip cards have worked in the other countries bringing down card-present fraud."
Of course, EMV cards do not help with card-not-present fraud (such as online transactions), and as long as point-of-sale terminals and ATMs accept both EMV and magnetic stripe cards, it's not a deterrent to criminal behavior.
However, "once the U.S. moves to EMV, we won't need magnetic stripe readers," Litan counters.
The fraud detection systems most banks use have helped somewhat; clearly, in the Citi example, the software recognized the kind of tiny "test" transactions hackers run before they go in for the larger thefts.
But the large numbers in this breach (40 million in total, two million for Chase alone) present difficulty to such systems. "The fraud detection systems are not able to work properly because there are lots of outliers," Litan says. "If you have millions of outlier transactions, the outliers start to look normal. And they can't put all these cards on a watchlist, it becomes meaningless."
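The two points above can be made concrete with a small model, added here as an illustration and not drawn from the article or from any bank's actual scoring system: a per-card rule catches a sub-dollar charge at a merchant the card has never used, while a portfolio-wide rarity score stops firing once a large share of cards show the same probe pattern. All merchants, amounts and card counts are constructed for the example.

```python
"""Constructed toy model: per-card rule vs. portfolio-wide novelty score.

Shows why a tiny "test" charge is easy to flag for one card, yet a
population-based anomaly score degrades when thousands of cards carry
the same probe on the same day (the outliers "start to look normal").
"""
from collections import Counter

def build_portfolio(n_cards, n_probed):
    """Construct one day's transactions: every card buys groceries and gas;
    the first n_probed cards also receive a 55-cent probe at an unknown merchant."""
    txns = []
    for card in range(n_cards):
        txns.append({"card": card, "merchant": "GROCERY-MART", "amount": 84.12})
        txns.append({"card": card, "merchant": "GAS-N-GO", "amount": 41.00})
        if card < n_probed:  # hypothetical probe pattern, constructed for the example
            txns.append({"card": card, "merchant": "REALTY-CO", "amount": 0.55})
    return txns

def rule_flags(txns, history, max_amount=1.00):
    """Per-card rule: a charge of at most $1 at a merchant this card has never used.
    history maps card -> set of merchants previously seen on that card."""
    return sorted({t["card"] for t in txns
                   if t["amount"] <= max_amount
                   and t["merchant"] not in history[t["card"]]})

def novelty_flags(txns, threshold=0.999):
    """Portfolio-wide score: 1 minus the share of today's transactions that
    match the same (merchant, amount) pattern. Flag if the pattern is rarer
    than the threshold, i.e. seen in under 0.1% of the day's volume."""
    counts = Counter((t["merchant"], t["amount"]) for t in txns)
    n = len(txns)
    return sorted({t["card"] for t in txns
                   if 1 - counts[(t["merchant"], t["amount"])] / n >= threshold})

def compare(n_cards, n_probed):
    """Run both detectors over the same constructed day and count flagged cards."""
    txns = build_portfolio(n_cards, n_probed)
    history = {c: {"GROCERY-MART", "GAS-N-GO"} for c in range(n_cards)}
    return {"rule": len(rule_flags(txns, history)),
            "novelty": len(novelty_flags(txns))}

if __name__ == "__main__":
    print("1 probed card of 10,000:   ", compare(10_000, 1))      # both detectors flag it
    print("4,000 probed of 10,000:    ", compare(10_000, 4_000))  # novelty score flags none
```

With one probed card the probe pattern is 1 in 20,001 transactions and both detectors flag it; with 40% of cards probed the same pattern is a sixth of the day's volume, so the rarity score treats it as normal while the per-card rule still flags every probed card.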
The expense of upgrading systems and issuing new chip cards has been the biggest barrier to EMV adoption in the U.S., along with how hard it is to get all players to agree at the same time.
"In other countries, the government has mandated it at times, in some cases the card companies have," Litan says. "The U.S. is too democratic, too unruly. No one can mandate it here. Plus the cost of fraud has been less than the cost of EMV implementation."
Some say the answer is more and better alerts to customers about their account activity.
"The best course of action for banks to take at this point would be to educate their customers of the risk and enroll them in services that could reduce that risk, such as transaction alerts and customer-defined controls," says Alfonse Pascual, senior analyst for security, risk and fraud at Javelin Strategy & Research.
Jim Wells concurs.
"The flip side of Citi is they've never solicited me for my mobile number," he observes. "Most consumers realize there are some cards and card issuers who will offer you to confirm every transaction made with one of your cards to a text to your mobile. If that were standard industry practice, most of these frauds would be avoided. I don't understand why banks aren't actively soliciting that for consumers."
Wells points out that in the U.S., card issuers pay for fraud rather than cure it.
"Let's eliminate fraud. U.S." he says. "The U.S. ought to have the most secure network. We have all these great thinkers, we should have that."