Three Years After The Target Breach

There was a time when data breaches were not a daily part of consumers’ day-to-day lives. Sure, credit cards got stolen or skimmed from time to time — but such occurrences were comparatively rare.

These days, that is just not the world we live in. About a week ago, a billion (with a “b”) Yahoo! customers found out that their personal information has been in the hands of hackers for the last few years, mostly due to out-of-date encryption and an apparent unwillingness on Yahoo!’s part to believe their systems had been compromised.

This, we should note, was the second mega-hack Yahoo! revealed in the past 60 days — there was also the matter of an entirely separate 500-million-account hack announced earlier in the fall.

But more remarkable than the fact that Yahoo! actually managed to compromise the data of 21 percent of the planet is the fact that this information barely registered with the vast majority of people. It wasn’t front-page news, it led few news broadcasts, and, were one to ask the average man on the street about it, odds are pretty good that he’d shrug it off.

What happened?

How did consumers go from leading lives mostly free from data fraud and identity theft to one where such hacks, skims and breaches are part of the everyday background noise?

The simple answer: December 19, 2013 happened.

It was the other December date that will live in infamy: the day the news of the big Target breach was publicly confirmed by Target (the initial reports had started emerging on Dec. 13).

When the smoke cleared, the numbers were ugly: 40 million cards breached, 70 million customer records stolen, 1 million to 3 million cards successfully sold and used in fraudulent transactions, $200 million spent on reissuing cards by banks and credit unions for compromised cards, and an estimated $57.3 million flowing directly into the pockets of the criminals who managed to pull off the heist.

And customers — as Karen Webster noted in a commentary that came out shortly after the breach broke — suddenly had their eyes wide open.

“Forty million card accounts represents a lot of cardholders, and just about everyone knows someone who’s been a victim.”

At the time, the big question mark was whether consumers were going to abandon ship on debit and jump back to credit cards — since bad credit transactions are much easier to deal with than a thief who has managed to gain access to one’s debit and PIN information and drain the bank account.

“The big nervousness that consumers have is related to the downside of the debit plus PIN compromise. Debit, as we know, is an extremely popular payment method, and while it’s generally hard to change the payments habits of consumers, there’s no bigger incentive to change than fearing that the bad guys have access to your bank account and are using it as their own personal ATM,” said Webster.

That fear did not pan out, mostly because issuers worked hard to quickly reassure customers that their debit accounts were just as protected as their credit accounts and that the funds would be replaced in the event of fraud.

But Target was a Black Swan — and one of those events that divides the ecosystem into a “before” and an “after.”

What came next?

EMV

Whether you love EMV or you hate that beeping noise to the core of your being, you can pretty much thank the Target breach for its presence in your day-to-day life.

Which is not to say that EMV was not on the table before news broke of the Target breach — the liability shift was announced as far back as 2012. But EMV had not exactly been a front-burner issue in U.S. payments before then — the liability shift deadline had been pushed back, and many believed that the October 2015 date would also ultimately be put off.

Then the Target breach happened — and suddenly there was an outpouring of public and legislative support for EMV, with various Congressmen at the time opining on CNN that America needed to catch up with the rest of the world and get serious about EMV.

That security expert after security expert at the time opined that EMV alone, without tokenization or some other form of end-to-end encryption, would have done precisely nothing to prevent the Target breach did not seem to bother anyone. America suddenly needed a payment solution, and the fact that it would not actually solve the particular problem at hand was not as big a problem as one might expect.

And, as it turns out, EMV came into the market already married to the other half of the solution that would have helped with the Target breach: data tokens.

Tokenization

Instead of making it impossible for hackers to break into systems — since the past few years have shown us that hackers will eventually break into any system — tokenization looks to make it impossible for the hacker to use what they stole. The backbone idea behind tokens — be they through Visa or Mastercard — is that instead of storing actual payments card data, that data can be swapped out with a unique data string (a token) that retains all the essential information about the data to route it to where it should go but makes it impossible to use the data for anything until it has reached its destination and been decrypted by an authorized party (i.e., an issuer).
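As an added illustration (not code from the article, Visa or Mastercard), this sketch models the swap described above with a simple lookup vault rather than encryption. The `TokenVault` class, keeping the first six and last four digits for routing, the deliberately Luhn-failing tokens and the test card number are all assumptions made for the example.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum used by real card numbers."""
    digits = [int(d) for d in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only place the token -> card number mapping lives."""
    def __init__(self, authorized_parties):
        self._authorized = set(authorized_parties)
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep first six (routing) and last four (receipts); randomise the rest.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Assumption: tokens must fail Luhn so they can never pass as a real card.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._token_to_pan[token]

def demo():
    vault = TokenVault(authorized_parties={"issuer"})
    pan = "4111111111111111"  # constructed sample: a widely used test number
    merchant_db = {"order-1001": vault.tokenize(pan)}  # merchant stores only the token
    stolen = merchant_db["order-1001"]  # what a breach of the merchant would yield
    try:
        vault.detokenize(stolen, caller="unauthorized-party")
        leaked = True
    except PermissionError:
        leaked = False
    return stolen, leaked, vault.detokenize(stolen, caller="issuer")

if __name__ == "__main__":
    print(demo())
```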

And while tokenized data would have prevented the worst aftershocks of the Target hack, the token conversation has evolved considerably since it was initially discussed as an in-store complement to EMV. In fact, these days, when Visa and Mastercard aren’t competing for the hearts, minds and spend of consumers around the world, they are collaborating to make tokens a consistent, cross-channel security standard — no matter where the customer is shopping or what card they happen to be using.

“The analogy that we like to draw is what we did in the physical world. We created NFC and contactless to be more secure — and then we opened up that platform to let everyone else ride that rail so merchants and consumers have a consistent experience,” noted Visa VP of Digital Solutions Vish Shastry.

Hackers Just Keep On Hacking

It would at this point probably be quicker and easier to list major retailers and institutions that hadn’t been hacked than to try to compile an exhaustive list of all of those that have: Home Depot, P.F. Chang’s, Anthem, Marriott, the White House, Neiman Marcus, the State Department, Starwood, eBay, Yahoo… We could keep doing this all day, but the point is, the cybercriminals are out there and have spent the intervening years keeping themselves busy.

And though the format will change — EMV is cutting down on the amount of in-store fraud attempts — the overall level is likely going to continue to rise. They might even get a bit more creative — earlier this year a handful of the web’s most popular sites went down, victim to botnets and wireless routers gone awry.

But in a post-Target world, what hackers have lost is the ability to shock much of anyone with their antics, or really get the drop on anyone, since everyone is expecting to be hacked all of the time.

And while alerting consumers, tokens and EMV aren’t a silver bullet to stop cybercrime from continually arising, they are enough to remind everyone that while some very smart and motivated people go into cybercrime, the people who want to lock them out — consumers, issuers, card networks and merchants — are equally motivated and getting smarter by the day.