Could the uproar over Target's vast data breach finally force Americans to get serious about consumers' security?
Most of the rest of the world - including Canada and Europe - now uses payment cards embedded with microchips, making them far harder to clone. Almost everywhere, payment cards also are secured by customers' secret PIN codes.
Meanwhile, America clings to outmoded magnetic-stripe technology, which makes card cloning much easier for the bad guys. And we blithely issue debit cards - yes, cards that take money from your very own bank account - that are usable with just a signature, no PIN required.
The breach acknowledged last month by the Minnesota retailer was hardly the first that illustrates the porosity of our payment system. Nor was it the largest, even after Target said it affected tens of millions more than the 40 million customers it first announced. In July, a grand jury in New Jersey indicted five men accused of hacking more than 160 million credit- and debit-card numbers from 2005 to 2012 - including about 130 million in a 2007 breach at Princeton-based Heartland Payment Systems.
But Target's failures, followed by word of a similar breach at the more upscale Neiman Marcus, have caught the public's eye in a way that might push reform, say advocates such as Ed Mierzwinski of the U.S. Public Interest Research Group.
"Congress has begun to ask questions," says Mierzwinski, a longtime critic of payment systems he says put consumers at needless risk even as card issuers classify fraud as "just a cost of doing business."
Target plainly made lots of mistakes in failing to secure its checkout-counter payment terminals and back-end systems.
Less than a week before Christmas, the retailer said data from 40 million customers' credit and debit cards had been stolen by malware infecting its stores' point-of-sale terminals. Weeks later, it acknowledged that other data - names, mailing addresses, and e-mail addresses or phone numbers - had been hacked on 70 million customers, though it wasn't clear how many of the same consumers were affected.
Target's damage control has included the now-common offer of a year's free subscription to Experian's ProtectMyID credit-monitoring service, and advice to be wary of anyone who phones, e-mails, or texts "even if they claim to be someone you know or do business with. Instead, ask for a call-back number."
Sadly, there's nothing overwrought about that advice. The Target hacking puts its customers at particular risk of the crime called "spearphishing."
In ordinary phishing, the bad guys troll widely - typically via spam e-mail - for personal data that might make someone a target for identity theft. Spearphishers are con artists who start with some of those data. Then they use a key detail - say, your first name, or the last four digits of a familiar account number - to steal from you, or to get more details for full-blown identity theft.
How do you protect yourself?
Replace your cards and your account numbers. If your bank hasn't done so yet, insist.
Use a new PIN.
Watch all statements closely. Fraudsters won't necessarily go for big-ticket items right away.
Consider a "security freeze," also known as a "credit freeze," which blocks access to your credit file until you thaw it with a PIN code. A freeze blocks thieves from getting credit in your name - the worst kind of ID theft.
Ask your bank for an ATM-only debit card rather than a Visa or MasterCard debit card that's usable with a signature.
Signature-based debit is absurdly risky, Mierzwinski says, and I wholeheartedly agree. Even if Visa and MasterCard promise to cover your losses, your federal protections are weaker than when using a credit card. And the con artists are building your Visa bill, not depleting your bank balance.
"It's much better to go to a bank and say you don't owe them money than to go to a bank and say, 'Give me my money back,' " Mierzwinski said.
It's time for the payment industry to get serious about security - or for Congress or regulators to act if it doesn't.