The holiday season is approaching, a time for sales and Santa and, now, credit card data breaches.
Though cyber thieves have stolen millions of card numbers this year, shoppers are heading into the heavy-spending season with no new credit safeguards in place.
When you hear about a data breach, Bryan Sartin is one of the guys who goes in to investigate.
"I've seen my own personal information in those lots of stolen data many, many, many, many, many times," Sartin says.
Sartin heads a team of forensic computer techs for Verizon — good-guy hackers, basically. For a while he and his deskmate had a running joke.
"How frequently, in our cases, we would find his credit cards?" he explains. "And I remember, back to back, it was like two out of three cases. And there was a third [case], and it's not here, and he's kind of laughing — and then all of a sudden we found his wife's."
How the system is vulnerable
Sartin says data breaches happen all the time; in fact, only about a third of them are ever made public. In midtown Manhattan, that fact surprises many shoppers, like Alexandra Goodell.
"It's upsetting, it gets me angry," she says. "I work really hard and I don't want to go out of my way to cancel my card and to nail down what happened."
One reason U.S. credit card numbers are stolen so often has to do with how we process them after the swipe, says Sartin.
"That transaction, in a text format of some kind, is sent to a server there at the store that all of the cash registers speak to," he says.
Your credit card number then flies through the Internet to the merchant's main national computer, then to the processor, then to the bank, and then back again.
"It returns in .06 seconds with a yes or no," he says.
You walk out of the store while the transaction continues to ricochet across the country — using technology from the 1970s, says Jason Oxman, CEO of the Electronic Transaction Association.
"What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years," Oxman says. "That's how long mag stripe cards have been on the market."
The next step: Tokenization
He says the magnetic stripe worked fine until the '90s. Then came personal computers, which could counterfeit hundreds of credit cards. Because the U.S. had a strong telecom network, retailers went to an online system to verify credit cards' authenticity. Countries where the Internet wasn't so great adopted so-called chip cards or smart cards.
"So that's one reason that we haven't used the chip cards," Oxman says. "We haven't needed to because our online system of authorization has been a replacement for that offline chip."
But by this time next year, you will likely be using the new chip cards. What slowed them down is the chicken-or-the-egg conundrum: Banks didn't want to issue chip cards if retailers didn't have the readers, and retailers weren't going to buy readers if banks weren't issuing the cards.
"There are more than 10,000 financial institutions that issue credit cards and debit cards in the U.S.," Oxman says. "There are 8 million merchants that accept credit and debit cards in the U.S."
But the new chip cards are only expected to cut out about 60 percent of the fraud, which frustrates merchants. Mallory Duncan, general counsel at the National Retail Federation, fears the credit card hacks will continue because at the core, the system's backbone is still the same — 16-digit account numbers flying across the Internet.
"Unfortunately all we're going to get in the near future is the not-quite-so-smart card," Duncan says. "The problem is that the product itself is fundamentally flawed. You cannot secure a house of straw."
Duncan says retailers are hoping to move toward a system called tokenization, which replaces a card number with a one-time-only, randomly generated number. Google Wallet and Apple Pay use tokenization.
"All of those potentially are much more secure for consumers than would be partially secure chip cards," he says.
Tokenization is in use now, but not yet for credit cards. Because it requires significant system upgrades for both retailers and the banks, it's that same chicken-and-egg problem: Who spends the money first?