If you want to know what the single biggest vulnerability is for identity theft and credit card fraud in your name, that’s easy: it’s using your card at major retail stores that have repeatedly been breached by hackers.
Using outdated kiosk computers to process sales, retailers have allowed clever thieves to install viruses that silently relay customers’ credit card info back to them. This is how Target negligently let thieves pilfer 70 million card numbers, it’s how Home Depot allowed 56 million credit card numbers to be stolen, it’s how Michaels’ stores – well, the list goes on. But that’s how it happened.
Facing these disasters, big box stores might work to increase the security on their own systems, that, according to the Identity Theft Resource Center, a non-profit organization that monitors identity theft and assists victims, are the number one cause of data breaches.
Alas, the stores’ have decided to instead to rely on slick lobbying campaigns and well-compensated political allies to confuse the issue. Specifically, the retailers have been clamoring for banks and credit card companies to issue cards with four-digit PINs.
PINs are annoying to consumers and, from a security perspective, relatively worthless. A four-digit numerical password is inherently insecure because there are only 10,000 unique combinations. A computer can generate all of them in under one millisecond, making “brute force” attacks completely painless for any mildly sophisticated criminal.
Indeed, law enforcement officials in Europe, where credit card PIN use is more prevalent, have observed thieves adapting, sometimes by waiting to view someone key in their PIN before stealing their card.
But what’s easy for a computer is sometimes difficult for the average person, who carries four cards in their wallet, to remember. For these reasons, experts consider PINs to be headed shortly to the scrapheap of history, to be replaced by much more sophisticated approaches like encryption and tokenization.
That doesn’t mean that PINs can’t be a useful cudgel for the retailers, who are looking to use the issue as a wedge that prevents them from upgrading their outdated technology faster.
Enter noted computer security expert (I jest) Sen. Dick Durbin (D-IL), who weighed in on the issue this week in a letter to the FBI.
Durbin complained the FBI hadn’t included language about PINs in the final version of its consumer bulletin that even the newest types of credit cards can still be vulnerable to fraud.
The bulletin “raises significant questions about…whether the FBI is taking appropriate steps to warn against and deter payment card fraud involving lost or stolen cards,” Durbin wrote.
For the second-ranking Democrat in the Senate, Durbin sure is shameless about plugging for the big box stores, which have consistently poured hundreds of thousands of dollars into his campaign coffers, according to data from the Center for Responsive Politics. Some would say it’s the Chicago way.
You may remember a major lobbying dust-up over credit card “interchange fees” about five years ago. Then, Durbin led the charge to put price controls in place on how much Visa, Mastercard and other companies could charge stores to process their payments.
The government-set prices were supposed to help consumers, but that turned out not to be the case, as studies since then have showed the big box stores just took home the extra profit and laughed their way to the bank.
Look, it’s one thing to nakedly fight for your own bottom line in a clear business-on-business K Street war.
It’s another to alarm consumers with warnings about a discredited security technique when your own stores (and Durbin’s own donors) are the ones practically giving their customers’ credit card numbers to fraudsters.
Shame on Senator Durbin.