Credit card data of 40 million shoppers stolen from Target stores

San Francisco: Target may have been an easy bull's-eye for criminal hackers intent on stealing credit card information, but the theft of records for 40 million store customers was hardly the worst security breach among big retailers in recent years. And the incident revealed Thursday is unlikely to be the last.

Security experts say the Target hack is a reminder of security problems facing many retailers that won't easily go away: There are weaknesses in the way payment information travels between retailers and banks. There is plenty of money to be made on the black market selling stolen credit card numbers, which can go for as little as a quarter or as much as $45 each. And American companies have been reluctant to adopt smart-chip cards, a type of credit card widely used in Europe that provides better security.

Target said that from Nov. 27 to Dec. 15 hackers stole customer names, credit or debit card numbers, expiration dates and three-digit security codes for 40 million customers who had shopped in its stores. It is currently working with a forensic team from Verizon to investigate the breach, according to one person involved in the inquiry. But there was no word as to who was behind the attack, how they got in, or what the total cost to Target may be. Thursday, visitors to the retailer's website found a site festooned in red and green save for a stark black-and-white security notice at the top. Complicating matters, Target was hit during the holiday shopping season, when fraud detection systems have a hard enough time telling legitimate transactions from fake ones.

"This is the perfect storm" for vulnerability to hackers, said Paul Kocher, president of Cryptography Research, a company that develops technologies to prevent fraud.

It may be of little comfort to its customers, but the Target hack was dwarfed by a similar break-in six years ago at T.J. Maxx, which resulted in stolen data for 90 million customers, and a breach of the card processor Heartland Payment Systems in 2009 - the biggest on record - which resulted in 130 million stolen card numbers.

Security experts said that even if Target had installed the most cutting-edge security - and it is not clear how Target was protecting this data - it would not be shocking if hackers found a way in.

"It's a game of cat and mouse," said Steven M. Elefant, a managing director of Soaring Ventures, who was chief security officer at Heartland Payment Systems when it was breached in 2009. "We're dealing with sophisticated bad guys that have many ways to attack."

Elefant said the Heartland breach should have been a wake-up call to large financial institutions and retailers that they needed to increase defenses and encrypt data as it moved from the cash register to card issuers and banks. But hackers, at least, do not appear to be dissuaded from whatever changes retailers have made since then.

Target has not said how its systems were compromised and a spokeswoman declined to say whether the company's point-of-sale systems have been encrypted. Elefant said, however, that the vast majority of systems still transmit credit and debit card data "in the clear," security speak for plain text without encryption that can easily be intercepted.

When shoppers pay for store purchases with credit cards, their payment data moves from the store's terminal through the retailer's network to the acquiring bank and credit card issuer. "At every hop it could be vulnerable," said Kocher. "There have been attacks at every stop along the way."

Even when the data is encrypted, experts say there are plenty of other weak spots criminals can target. "Cash registers used to be just cash registers," said Dan Kaminsky, the chief scientist at White Ops, a security consulting company. Today, they are computers of sorts, as vulnerable to hackers as a PC.

And those hackers do have an incentive. Credit and debit card numbers often sell in bulk on black market websites. Platinum cards can fetch as much as $35 and corporate cards, $45. That stolen data - someone's financial identity - can be burned onto magnetic strips on counterfeit cards that can be used for fraudulent purchases, or to buy gift cards that can be exchanged for cash.

Experts also question why - with breaches recurring regularly and credit card fraud rampant - American credit card issuers have not embraced smart chip technology. The United States accounts for more than 47 percent of global credit card fraud, while generating only 24 percent of card spending, according to the Nilson Report, a card industry newsletter. More than 80 countries around the world use chip technology, but less than 1 percent of credit cards in the United States have chips.

Unlike magnetic-stripe credit cards, which serve the same data every time they are swiped, chip cards offer a different encrypted mathematical value, making it harder for criminals to use stolen data for future purchases.

"The U.S. is the only world region where counterfeit fraud continues to rise," said David Robertson, the Nilson Report publisher. The absence of this chip technology at the physical point of sale is a large contributing factor, he added.

Europe started migrating to chip cards in 2002, when Europay, MasterCard and Visa partnered on a standard for chip technology. In 2005, the card companies also shifted liability for fraud to merchants in cases where they accepted a fraudulent payment from a magnetic-stripe card, instead of a chip card. As adoption of chip cards increased, fraud levels in Europe, which peaked in 2008, began to decline, according to Euromonitor International, a research company.

"The U.S. is still the only market using these 1960s magnetic-stripe cards," said Kocher.

Last year, major credit card companies, including Visa and MasterCard, set October 2015 as the date that merchants will be subjected to new chip card standards, which shift the burden for fraudulent magnetic-stripe transactions from issuers to merchants.

It is unclear whether Target's breach will accelerate the process. Seth Eisen, a spokesman for MasterCard, said the decision to move to the more secure cards will continue to be made by each card company and merchants.

In the meantime, breaches continue.

"The most important thing to realize is that 500 of the Fortune 500 are under constant attack," said Kaminsky. "Nobody should be saying 'I can't believe Target got attacked' because the reality is that everybody is getting attacked."