Targeting Security Beyond Target

The financial affairs of 40 million Target cardholders were placed at higher risk because of a cyber theft.  Target has released little information on what happened, and some reports suggest Target underperformed in handling the deluge of customer complaints about the security breach.  In response to the risks, Citi has limited the daily value of transactions permitted on its cards.

Target says that PINs were not stolen and that it will offer credit account monitoring.  Target will help mop up the financial tangle when fraudulent charges are made, and it will give an additional 10% discount for 2 shopping days (transparently self-serving).  That clutch of apologies does not solve the consumer's problem.

Since Target and the FBI are withholding detail about the attack, consumers cannot determine for themselves what is in their interest to do.  Ideally, we want a holistic, forward-looking resolution that protects cardholders and shareowners from regular attacks by cyber-thieves.  That resolution is not available.

Media coverage has already been broad and indignant, so the usual huffing and puffing by elected representatives serves no purpose.  As pragmatists, consumers are looking at the big picture – is the legal system or technology more likely to provide us with a resolution?

There seems to be no purpose behind parsing what the law says about the Target snafu.  It’s obvious that the law did not prevent the crime.  Cyber criminals are rarely identified, and they are almost never prosecuted and sentenced to meaningful punishment.  Victims are routinely denied meaningful restitution, and defense lawyers for the perps are usually a taxpayer burden.  Some prosecutors treat cyber-crime as low priority – “just a cost of doing business.”  In cyber-crime, the only winners are the criminals and those paid to work in the justice system.

Target and the FBI have kept a lid on details of the Target attack, hoping to improve their chances of arrest and prosecution.  Clarity on how the criminals stole the financial information might help businesses and consumers thwart future attempts at theft.  Some of what we might learn could be banal, such as the importance of using tougher passwords.  Some lessons may encourage technical improvements such as “chip and PIN” (but not “chip and signature”) or may call for sturdier in-house security practices.  “Chip and PIN” use in Britain cut credit card fraud losses in half, but it did not eliminate them.  Allowing “card not present” transactions, such as for internet purchases, will undermine most credit card security measures.

The only way to eliminate charge card losses is to make the offense cost the perpetrators more than they could hope to harvest from it.  Since the justice system is not aggressive enough to be effective, technology is our best prospect.

Alan Daley is a retired businessman who writes for the American Consumer Institute Center for Citizen Research.  He is also a Target shareholder.
