Analyst: Banks Must Make Credit Card Accounts Useless To Data Thieves - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:23 PM

Analyst: Banks Must Make Credit Card Accounts Useless To Data Thieves

Adding one-time password capability to credit and debit cards might prevent incidents similar to the data breach revealed last week by TJX.

The hack that chain retailer TJX disclosed last week demonstrates that banks must shoulder their share of responsibility and add protection to credit and debit cards, an analyst said Wednesday.

"Banks must own up to this problem and change their payment systems so that, even if data is stolen, it is useless to thieves," says Avivah Litan, an analyst with Gartner.

On Jan. 17, TJX -- which owns hundreds of T.J. Maxx and Marshalls department stores -- said that one or more hackers had broken into its computer network and made off with a still-to-be-determined number of customer records. Those records included credit and debit card account numbers, and in some cases names and driver's license numbers.

The attack, says Litan, appears well-targeted. It's just the latest breach in a numbing round of data losses and thefts that stretch back to early 2005 and one more piece to the portfolios that sophisticated cybercrooks are assembling on consumers by stitching together data stolen by phishing, keylogging, bank and brokerage account takeovers, and retailer system hacks.

"The attacks are getting much more orchestrated and better targeted," says Litan. "It's time to shift strategy. It's clear we can't count on the retailers to secure customer data.

"Retail payment systems were not designed with security in mind. Hackers are finding the weakest links, especially among retailers that have the most sensitive data stored."

It's unrealistic, says Litan, to expect the United States' 5 million retailers to all become experts in security and to change their back-end systems overnight to add security. Her solution? "Banks must own up to the problem and accept responsibility."

Banks already are pressuring retailers to adopt the Payment Card Industry (PCI) data security standard, which is backed by Visa and MasterCard. Progress, however, has been slow.

"We have a few years' experience in PCI now, so we can tell how slow it's going," Litan says. "Only about a third of the largest retailers were compliant as of October 2006. And that's after a few years' work."

To make account data -- such as that filched from TJX -- useless to thieves, Litan advises banks to add one-time password capability to credit and debit cards. Unlike the "chip and pin" standard used in Europe, a one-time password would be much less expensive to add to cards; Litan estimates it would cost about $3 per card.

Equipped with one-time password capability, a credit card would generate a one-use value to complete each transaction at retail or online. That value, or password, would have to match what the card issuer generates before a transaction would be authorized.

"Thieves would have to steal the physical credit card to access the account," says Litan, if one-time password functionality was added to U.S.-issued cards.

"I think there is a real sense of urgency at banks," Litan says. "Fraud officers I talk to would love to see stronger card authentication."

One U.S. bank that Litan would not name but said was "very large" will add one-time password to its debit cards this year, the first major American move in that direction. "I think there's a 70% likelihood that banks will adopt one-time passwords for Internet transactions in 2008," she predicts. "Once the infrastructure is out there, it'll start gradually moving to point-of-sale."

TJX has not released any new details about the break-in since the original disclosure, but Litan's sources have told her that investigators are "close to finding" the hacker. "They'll figure it all out eventually."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Augmented Analytics Drives Next Wave of AI, Machine Learning, BI
Jessica Davis, Senior Editor, Enterprise Apps,  3/19/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll