HOT TOPIC: Shoppers Still Waiting for Security Fix
In September 2014, Home Depot disclosed a data breach involving up to 56 million payment cards. It’s believed that the attack on Home Depot was larger and lasted longer than the December 2013 hacking of Target’s payment system in which 40 million accounts were compromised. [1]
Roughly one in three people who received data-breach notification letters in 2013 became a victim of fraud, a ratio that has worsened from one in four in 2012 and one in five in 2011. Altogether, more than 13 million U.S. consumers were victimized by identity fraud in 2013, while losses on existing bank and credit-card accounts surged 45% to about $16 billion. [2–3]
The standard technology for U.S. payment systems has long relied on data contained in magnetic stripes on the back of credit and debit cards. This makes life easier for criminals, who buy lists with consumers’ stolen account data on the black market. The information is used to make purchases online or in stores with counterfeit cards. In many cases, victims may not realize that fraud has occurred until the transactions appear on their statements, accounts are frozen, or they are contacted by the bank.
Far-reaching breaches have raised the stakes and sped up efforts by banks and many retailers to strengthen data security, but the risks to consumers remain.
The United States is in the process of replacing swipe-and-sign card transactions with a more secure authentication standard called EMV (Europay, Mastercard, and Visa). Payment cards are embedded with computer chips. Each transaction is approved using a unique authentication code instead of a static card number, so if a store is hacked the information can’t be used again. Shoppers will tap a card on a reader or insert it into a slot before signing or entering a PIN.
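The difference between a static card number and a per-transaction code, as an added example that is not part of the original article: a simplified model in which HMAC-SHA256 and a counter stand in for the chip's actual cryptogram scheme. The key, card number, and all class and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not real card data.
CARD_KEY = b"constructed-demo-key"   # secret shared by chip and issuer
PAN = "4000000000000002"             # constructed card number

def _code(key, pan, amount, nonce, counter):
    msg = f"{pan}|{amount}|{nonce}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Simplified chip: holds a secret key and a transaction counter."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def authorize(self, amount, nonce):
        self.counter += 1  # every transaction yields a different code
        return {"pan": self.pan, "amount": amount, "nonce": nonce,
                "counter": self.counter,
                "code": _code(self._key, self.pan, amount, nonce, self.counter)}

class Issuer:
    """Simplified issuer: recomputes the code and rejects reused counters."""
    def __init__(self):
        self._keys = {PAN: CARD_KEY}
        self._last = {PAN: 0}

    def approve_chip(self, t):
        key = self._keys.get(t["pan"])
        if key is None:
            return False
        expected = _code(key, t["pan"], t["amount"], t["nonce"], t["counter"])
        if not hmac.compare_digest(expected, t["code"]):
            return False  # data altered or code forged
        if t["counter"] <= self._last[t["pan"]]:
            return False  # code already seen: replayed record
        self._last[t["pan"]] = t["counter"]
        return True

    def approve_stripe(self, track):
        # Stripe data is the same on every swipe, so a copy looks genuine.
        return track in self._keys

def demo():
    card, issuer = ChipCard(PAN, CARD_KEY), Issuer()
    first = card.authorize(2599, "n-001")
    return {"chip_first": issuer.approve_chip(first),
            "chip_replay": issuer.approve_chip(dict(first)),
            "stripe_replay": issuer.approve_stripe(PAN) and issuer.approve_stripe(PAN)}
```

In this model a transaction record copied from a breached store is declined on resubmission, while the copied stripe data is accepted every time.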
Most developed nations moved to EMV chip cards years ago, but until recently many banks and retailers in the United States were unwilling to shoulder the costs. Since the United Kingdom adopted the technology in 2004, card fraud has fallen by 67%. [4]
An upcoming liability shift is designed to spur the transition and help drive fraud out of the system. Beginning in October 2015, U.S. merchants without secure chip-compatible readers will be responsible for fraudulent charges when chip cards have been provided.
Many large retailers will install chip-enabled terminals in 2015, but it could take much longer before EMV technology is fully adopted. Gas stations, for example, are exempt from the liability rule until October 2017, so they could continue to be a danger zone for several years. [5]
No Card Needed
More advanced encryption and a technology known as “tokenization” are also coming into play. Both methods can be used to help secure online transactions as well as payments made with smartphones. Instead of storing a customer’s sensitive information, the system assigns a unique number (or token) to each transaction. New mobile payment options like Apple Pay and Google Wallet could eventually make paying with plastic obsolete.
How can you help safeguard your personal information and financial accounts when shopping or banking online?
- Thwart hackers by creating strong passwords with at least eight characters and a variety of upper- and lower-case letters, numbers, and symbols. Use a separate password for every account and don’t use automatic log-ins that save your user name and password.
- Enter financial and other sensitive data only on encrypted sites that display a “lock” icon on the status bar of your Internet browser.
- Make sure to enable the encryption and password features on your smartphone.
Credit vs. Debit
Debit cards and credit cards may look the same in your hand, but they are subject to different federal rules and may offer different liability protections. With credit-card accounts, the cardholder is legally responsible for no more than $50, and card issuers often take full responsibility for unauthorized transactions.
With debit cards tied to checking accounts, a consumer could be liable for up to $50 on losses or thefts reported within two days. However, the potential liability rises to $500 for problems reported within 60 days and could be unlimited thereafter.
Many banks go beyond the legal requirements, so it’s important to be aware of your bank’s policies. The zero-liability protections offered by a credit-card company may be extended for signature transactions on their branded debit cards.
To help limit the damage from a compromised card, check your accounts every couple of days and notify your bank immediately if you notice any suspicious activity. Stolen funds are typically returned to account holders when fraud claims are filed promptly.