Print 74 comment(s) - last by Rukkian.. on Feb 6 at 1:31 PM

Smartcards have tiny microprocessor chips instead of magnetic strips

Target was the victim of a major security breach over the holiday season last year, and as a result, the retail chain is calling for the implementation of smartcards. 

John J. Mulligan, chief financial officer and executive vice president for Target, wrote his company's case for smartcards in The Hill this week, saying that the business community in the U.S. needs to embrace the new technology together.

Smartcards, unlike current credit and debit cards used in the U.S., have a tiny microprocessor chip that encrypts the user's personal data shared with the merchant's sales terminals. Traditional credit and debit cards have a magnetic strip instead, which hold's the user's information, but can clearly be compromised. If a smartcard number is stolen, it's useless without the microchip. 

To show Target's dedication to the smartcard cause, it's speeding up its goal of bringing its REDcard smartcards to all Target stores by early 2015 -- six months earlier than its previous goal. The chain is making a $100 million investment in the technology to accomplish this goal.  

Mulligan also noted that the requirement of a four-digit PIN number with all smartcard transactions could further protect customer information. 


Target said other countries like Canada and the United Kingdom have already deployed smartcards, and that cases of lost or stolen cards have decreased since they've done so. However, the U.S. is slow to adopt the technology because the cards are expensive to produce, and merchants, issuers, banks and the networks haven't found a way to share the costs. 
"The reported attacks on Target and Neiman Marcus underline the need to do more," said Mulligan. "At Target, we know we have work to do. For years, we made significant investments in security. We had multiple layers of protection in place. But we still came under attack by sophisticated, global criminals. We will do everything we can to further strengthen Target's systems."
Target attempted to deploy chip-enabled cards around 10 years ago, but since it was the only retailer to do so on that scale, it failed. The cards were too expensive to produce, and since Target was the only one with such a card, customers couldn't use it elsewhere, making it inconvenient and a bit confusing. 
Target's breach ran from November 27 through December 15, where customer information like their names, card numbers, expiration dates and CVV verification codes were compromised. Around 40 million customers had their credit cards compromised and 70 million had their customer records stolen.

Source: The Hill

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Ummm...
By Motoman on 2/4/2014 3:38:09 PM , Rating: 1
...what about online purchases, which is pretty much the way all credit card fraud happens?

Chip or not in your card doesn't matter, since you don't swipe or otherwise authenticate your card when making an online purchase.

The fault is Target's for storing all that data...and then letting a hacker steal it. This is just them trying to deflect attention - because the card isn't the problem, and switching to smartcards wouldn't fix this problem.

RE: Ummm...
By inighthawki on 2/4/2014 5:40:35 PM , Rating: 2
You would need a smart card reader. They are relatively cheap, and by all standards not a big deal to have to buy in order to make an online purchase. Most tech companies already use a similar system for access remote resources from home, for example.

RE: Ummm...
By Solandri on 2/5/2014 3:31:47 AM , Rating: 4
You can buy a smart card reader. Or the card issuers can get off their lazy bums and let you generate single-use card numbers when logged into your online account. As I said before, the problem is the card issuers don't pay for fraud (the merchant does), so they have done almost nothing to improve credit card security because it just represents added cost to them for no benefit.

RE: Ummm...
By drlumen on 2/4/2014 6:01:24 PM , Rating: 2
The hackers didn't get into some CC database within Target. They used an exploit against the card readers. How the hackers got such detailed info about the card readers is what makes me really curious.

I too would like to blame target but from what I have read it was a fairly elaborate and sophisticated hack.

Like others have said, with the card+pin the card data would be useless - regardless of how the data was obtained.

RE: Ummm...
By tayb on 2/5/2014 11:19:22 AM , Rating: 4
I was the victim of fraud on my card last night. I just moved across the country and Amex believed that there was a device placed over the card reader at the pump and they just printed a new card later that day. They went on a shopping spree at QT grocery stores and Amex caught it within about half an hour.

Smart cards would have prevented this from happening.

If banks would get off of their lazy asses they would let you log in to your bank account online, generate a one time use card number, and authenticate it for that single transaction. Then that card number would be meaningless after that.

RE: Ummm...
By Motoman on 2/5/2014 12:07:21 PM , Rating: 3
What has your comment got to do with my comment, which started off with:

...what about online purchases, which is pretty much the way all credit card fraud happens?

It's mind-boggling how there's this sea of illiterate people trying to tell me how smartcards help at a physical POS...when I've never, not once, referred to anything other than online sales.

The whole lot of you need to brush up on your ESL skills.

RE: Ummm...
By Rukkian on 2/5/2014 1:20:50 PM , Rating: 2
Online purchases are easy, just get a smart card reader, and have sites require them. They are very cheap, and many laptops have (at least as an option). It could just become standard on any computing device you buy.

RE: Ummm...
By Motoman on 2/5/2014 2:30:46 PM , Rating: 2
The number of Americans who will purchase a smart card reader...and then carry it around at all times in case they want to purchase something online when they're not at home: 0.

I can't believe there are people like you even saying something this stupid. There is no chance - not the slightest, slimmest chance - that you're going to convince people that they need to buy card readers for their PCs, tablets, and smartphones in order to buy things online.

No. Chance.

RE: Ummm...
By lagomorpha on 2/5/2014 2:50:47 PM , Rating: 2
There are already smart cards in microSD format. Why not just use that as a credit card? You could even have a credit card shaped case to store it in. If you want to make a purchase on your computer/phone just insert the microSD card.

Your phone doesn't have a microSD port? Then you bought the wrong kind of phone.

RE: Ummm...
By Motoman on 2/5/2014 2:55:57 PM , Rating: 2
Your phone doesn't have a microSD port? Then you bought the wrong kind of phone.


But aside from that blindingly-obvious fact, giving people microSD CCs still isn't going to help. The vast majority of cellphones have the microSD slot under the battery you basically have to disassemble your phone, take out your existing SD card with all your stuff on it, put in your SD CC, put the phone back together, go online, shop, make your purchase, then take the phone apart again, take the SD CC out, put your regular SD card back in, and reassemble the phone again.

Not happening. And while it would be infinitely easier for the rare phones that have an externally-accessible SD slot, I think you'd firstly be amazed how many normal cell phone users haven't got the slightest clue what a microSD card is...or whether or not their phone supports one. And also how easy it would be to lose a microSD card that you're constantly swapping in and out of your phone. I would reckon it would be really easy to get that tiny little bit of plastic stolen too...and at this point you've made the problem worse, not better.

RE: Ummm...
By lagomorpha on 2/5/2014 3:27:53 PM , Rating: 2
You only have to remove the smart card from your phone if you're really paranoid. Otherwise you leave it in the phone and need to activate it with a pin and fraud only happens when your card is in your phone and your phone is completely owned which is still a lot better security than a card with a number printed on it.

RE: Ummm...
By Motoman on 2/5/2014 3:32:59 PM , Rating: 2
You only have to remove the smart card from your phone if you're really paranoid.

...or if you actually wanted access to your *stuff*. You know...on your microSD card.

Doesn't help.

RE: Ummm...
By lagomorpha on 2/5/2014 4:31:57 PM , Rating: 2
I suppose there is nothing preventing a smart card that also functioned as a conventional microSD card. Eye-fi has been making SD cards that also have 802.11 build in for years.

RE: Ummm...
By Motoman on 2/5/2014 8:56:45 PM , Rating: 2
All that does is potentially increase the value of that SD card to thieves...on the off chance you're dumb enough to save something else on that card that's useful to them, like personal information.

I'm sorry...but it's just not a great idea to make microSD sized CC cards.

Cleaning up the problems on the back end of the system, like vendor databases, is a vastly easier and better option.

Although it would be really funny seeing all iThing owners incapable of making online purchases.

RE: Ummm...
By lagomorpha on 2/6/2014 7:54:44 AM , Rating: 2
The thing is, if the card stays in your phone thieves can't tell which phones have SD cards in them and which don't. And it would be trivial to setup the system to automatically revoke your card's certificate if your phone is stolen. Personal information is as likely to be stored on a phone as on the card so that's not a new issue.

Although it would be really funny seeing all iThing owners incapable of making online purchases.

That alone would be worth implementing the system.

The trouble with cleaning up the back end of the system is that it would have to happen at all vendors, and there would always be vendors with idiotic security practices and customers have no way of auditing them. Maybe you could do that if there was some sort of organisation that went around auditing vendor database security but that would end up costing more than moving to a smart card system.

RE: Ummm...
By senecarr on 2/6/2014 11:26:17 AM , Rating: 2
...what about online purchases, which is pretty much the way all credit card fraud happens?

Except, it isn't. Most instances of credit card theft are still, in fact, done physically. Almost any legitimate business uses encryption, meaning the barrier to entry to reading the information is fairly high, even with easy crackers. The only barrier to someone in person stealing your card number is the time it takes to copy or memorize the card you handed them - the whole thing is plain text.

"We basically took a look at this situation and said, this is bullshit." -- Newegg Chief Legal Officer Lee Cheng's take on patent troll Soverain
Related Articles

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki