The payment systems of big retail chains keep getting hacked, compromising the credit-card information of millions of US consumers (recent breaches at Home Depot and Target alone exposed data on 100 million cards). But at least the banks issuing the cards appear to be getting better at deterring fraudulent uses of the data.
According to security writer Brian Krebs, would-be fraudsters who purchase stolen card data from websites like Rescator (the data, sold by the card or in bulk, can be loaded onto the magnetic strip of forged cards that are then used in store transactions) are grumbling louder than usual about having the counterfeit cards rejected at the register. ”A lot of the cards they’re buying are coming back canceled,” Krebs noted. Here’s why:
The bank bears nearly all of the up-front costs when a card fraud occurs. A portion of the liability can be passed on to the merchant who makes the sale, but only after some time. (In the US, consumers aren’t responsible for fraudulent card expenses as long as they report them.) As retailers show over and over again that they’re unable to keep card data secure, there’s an obvious motivation for banks to develop better means to detect fraud.
Systems that monitor transactions to detect fraudulent patterns in real time are becoming more sophisticated, according to David Pollino, who works in fraud prevention at San Francisco-based Bank of the West, a subsidiary of France’s BNP Paribas. The systems are helping banks get better at recognizing, and declining, suspicious transactions.
Before the massive Target breach in late 2013, card issuers generally “would take a wait-and-see attitude,” Krebs said. But in the wake of the Home Depot breach, which was first disclosed this month, many banks simply have canceled at-risk cards and issued replacements, “embracing a known cost versus an unknown one,” as Krebs put it. This means that carders who try to use the same tricks on banks that have been exploited in the past are less likely to be successful this time around.
Many security experts say that efforts to fight back against credit-card fraud in the US won’t be effective without the widespread adoption of EMV, or “chip-and-PIN,” credit cards. These cards, which are the standard in Europe, permit transactions without requiring merchants to actually store the card data. A benefit to retailers is they would be liberated from many security obligations. But the new cards require new hardware for processing—and disagreement over who should bear the cost for this is one reason why the adoption of chip-and-PIN in the US has been so slow.
Card issuers plan to ramp up chip-and-PIN installation next year. But even this is no guarantee of a safer system. The cards have curbed, but not halted, fraud in Europe—and if one thing is certain, it’s that hackers will continue to innovate, challenging banks to catch up yet again.