The holiday season attack on up to 110 million credit card customers’ identities sounded the alarms from bank and department store boardrooms to family kitchens.
As the investigation deepened in January, the attack placed a particular spotlight on retailers who issue their own cards and their customers’ data. The customers most seriously affected held cards issued by retailers since those cards include more personal information.
You can expect retailers soon to develop the same data protections many banks already employ in the ever-evolving world of financial data security.
Serious as the data breach was, relatively few customers whose identities were breached are likely to see any effect. Even so, every customer should pay close attention to daily online bank reports. The dwindling number of paper-only customers must check their mail right away as people must report fraud to the bank within 60 days of its appearance on the account.
Once news of the data breach came out, banks acted instantly, notifying customers and in many cases reissuing cards.
Still, there is no room for complacency.
Credit card companies require encryption. This means customers’ personal identification numbers, or PINs, are supposed to be encrypted, or converted into a code or form that cannot readily be understood by unauthorized people.
MasterCard and Visa require this for member banks such as ours. In addition, most banks employ an extra defense of data at rest encryption, which prevents captured data from being read and used. This defense is critical for any card issuer.
Smart banks use monitoring alerts. To protect their customers, they retain services that scan the Internet for attempts to phish—or flush out financial or other confidential information from Internet users. These services start by crawling the Internet like a minesweeper for efforts to tease out your bank’s bank identification number, or BIN, generally the first six numbers on your credit card.
Criminals will crawl through the Internet in efforts to buy and sell complete credit or debit card magnetic strip information. When the phishing is discovered, the customer is notified, the account is blocked, and a new card is issued.
Smart banks operate a neural network. This is a general name for increasingly sophisticated programs banks and issuers employ to monitor the user’s spending habits. They can alert a bank to any sudden deviations from a normal pattern, like a $1,000 tab at an out-of-town nightclub. Here, too, a bank can pick up on a deviation from the pattern, call the customer and, if needed, block the card and reissue.
Finally, banks use a simple rules-based system. This is the old-fashioned way by 2014 standards. Nonetheless, it has been in operation for years, and most banks use it to catch more obvious deviations from pattern. Those could include filling a gas tank three times a day rather than once or running a charge in England on the same day you are running a $75 grocery bill through Publix or Costco when you rarely travel out of country.
When this happens, a bank can automatically freeze an account. It is imperfect, of course, and can sometimes get awkward when traveling or making unusual purchases leads to blocking an account, creating profound inconvenience.
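As an added illustration (not part of the original article and not any bank's actual system), the two rules described above can be expressed in Python as follows. The thresholds, country codes and sample transactions are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date

HOME = "US"           # assumption: the cardholder's usual country
MAX_FUEL_PER_DAY = 2  # assumption: a third fill-up in one day trips the rule

# Constructed sample data: (card, day, category, country, amount)
SAMPLE = [
    ("A", date(2014, 1, 6), "fuel",    "US", 41.10),
    ("A", date(2014, 1, 6), "grocery", "US", 75.00),
    ("A", date(2014, 1, 6), "fuel",    "US", 38.75),
    ("A", date(2014, 1, 6), "fuel",    "US", 44.20),   # third fill-up that day
    ("B", date(2014, 1, 6), "grocery", "US", 75.00),
    ("B", date(2014, 1, 6), "retail",  "GB", 310.00),  # England, same day
    ("C", date(2014, 1, 3), "hotel",   "GB", 180.00),  # C has travelled before
    ("C", date(2014, 1, 6), "grocery", "US", 62.00),
    ("C", date(2014, 1, 6), "retail",  "GB", 95.00),   # country already known
]

def flag_transactions(txns, home=HOME, max_fuel=MAX_FUEL_PER_DAY):
    """Return (index, rule) alerts for a time-ordered list of transactions."""
    fuel_count = defaultdict(int)  # (card, day) -> fuel purchases so far
    countries = defaultdict(set)   # (card, day) -> countries charged in
    first_seen = {}                # (card, country) -> first day observed
    alerts = []
    for i, (card, day, category, country, _amount) in enumerate(txns):
        # Rule 1: too many fuel purchases on one card in one day.
        if category == "fuel":
            fuel_count[card, day] += 1
            if fuel_count[card, day] > max_fuel:
                alerts.append((i, "fuel-velocity"))
        # Rule 2: home and foreign charges on the same day, where the
        # foreign country has never appeared on this card before today.
        first_seen.setdefault((card, country), day)
        today = countries[card, day]
        today.add(country)
        new_foreign = {c for c in today
                       if c != home and first_seen[card, c] == day}
        if home in today and new_foreign:
            alerts.append((i, "same-day-foreign"))
    return alerts

def cards_to_freeze(txns):
    """Cards with at least one alert: candidates for an automatic block."""
    return sorted({txns[i][0] for i, _rule in flag_transactions(txns)})
```

Card C is not flagged because it has an earlier charge in the same foreign country, while a first-time traveler with the same pattern would be blocked, which is the inconvenience described above.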
New Cards Coming
The global cat-and-mouse game continues as hackers, often working anonymously and in relative safety from sites around the world, try to find new ways to crack your personal safe and get your money. We and many other banks have detected and successfully blocked such efforts.
The United States remains a rich target, but American cards will soon change from magnetic strips to the uniform standard of secure chipped Smart Card technology coming into use in about 80 other countries.
It is anticipated that by October 2015, all major bank credit cards will transfer to the new Europay, MasterCard and Visa, or EMV card, which would make data breaches far less likely.
Until then and even beyond, banks, customers, retailers and insurance companies will stand guard as never before.