
Data Breaches: Target, Neiman Marcus

posted by Adam Levitin

Let's be really clear about what most identity theft is about: it's about payments data. Identity theft is first and foremost a payments fraud problem. We don't know all of the details about what happened at Target and Neiman Marcus, but there's a really obvious weak spot in the US payments infrastructure that should be corrected, irrespective of whether it would have prevented the Target and Neiman Marcus breaches: the use of two-factor authentication, namely chip-and-PIN cards, which are standard outside the US and have been effective in reducing fraud.

Why don't we have chip & PIN here? Because the banks don't want to pay for it, because they don't bear most of the fraud costs. The banks/payment networks are the least cost avoider of identity theft, but because merchants are eating most of the fraud costs, the banks have instead opted for a complex set of security standards for merchants (PCI Security Standards) that are of dubious effectiveness.

Chip & PIN cards have two key security features. First, these cards have a microchip inside that frustrates easy physical copying of the cards. With our current mag stripe cards, I can copy the information off the mag stripe with a small reader and then use that to make a new card. Not so easy if I also have to copy the information on a microchip embedded in the card. Second, these cards require a PIN to use. The PIN creates what is called two-factor authentication. The first factor is the information on the card itself (from the chip and mag stripe). The second factor is the PIN. Thus, even if my card is stolen, the card isn't useful without the PIN. Chip and PIN isn't impossible to crack, but it is a lot harder. And that's the name of the game in identity theft.
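The two properties above, a stripe that is nothing but copyable data versus a chip whose secret never leaves the card and only acts when the PIN is right, can be shown with a small simulation. This is an added example, not code from the post or from any card network, and it is a deliberately simplified model rather than real EMV: the chip is assumed to hold a key shared only with the issuer and to authenticate each transaction with a counter and an HMAC, and the PAN and PIN are constructed test values.

```python
import hmac, hashlib, secrets

# Constructed teaching model, not real EMV: a mag stripe is static data any
# reader can copy; a chip holds a secret the terminal never reads, gated by a PIN.

class MagStripeCard:
    def __init__(self, pan, expiry):
        self.track = {"pan": pan, "expiry": expiry}  # everything a reader sees

class ChipCard:
    def __init__(self, pan, expiry, pin):
        self.public = {"pan": pan, "expiry": expiry}  # readable, like the stripe
        self.key = secrets.token_bytes(16)            # shared only with issuer
        self._pin, self._counter = pin, 0

    def authorize(self, amount, pin):
        """Second factor: without the PIN the chip signs nothing."""
        if pin != self._pin:
            return None
        self._counter += 1
        msg = f"{self.public['pan']}|{self._counter}|{amount}".encode()
        return {**self.public, "counter": self._counter, "amount": amount,
                "tag": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}

class Issuer:
    def __init__(self):
        self.stripe = {}  # pan -> expiry on file
        self.chip = {}    # pan -> [key, highest counter accepted]

    def approve_stripe(self, track):
        # Only static data exists, so a perfect copy is indistinguishable.
        return self.stripe.get(track["pan"]) == track["expiry"]

    def approve_chip(self, tx):
        entry = self.chip.get(tx["pan"])
        if entry is None or tx["counter"] <= entry[1]:
            return False  # unknown card, or a captured transaction replayed
        msg = f"{tx['pan']}|{tx['counter']}|{tx['amount']}".encode()
        expected = hmac.new(entry[0], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["tag"]):
            return False  # no key, no valid tag: a clone cannot forge one
        entry[1] = tx["counter"]
        return True

def demo():
    """(cloned stripe accepted, genuine chip accepted, replay accepted, no-PIN use)"""
    issuer, pan = Issuer(), "4111111111111111"  # constructed test PAN
    stripe, chip = MagStripeCard(pan, "12/26"), ChipCard(pan, "12/26", "1234")
    issuer.stripe[pan], issuer.chip[pan] = "12/26", [chip.key, 0]
    skimmed = dict(stripe.track)                # copied with a small reader
    genuine = chip.authorize(5000, "1234")
    return (issuer.approve_stripe(skimmed), issuer.approve_chip(genuine),
            issuer.approve_chip(dict(genuine)), chip.authorize(5000, "0000") is not None)
```

`demo()` returns `(True, True, False, False)`: the skimmed stripe is accepted as genuine, the real chip transaction is accepted, a captured chip transaction replayed is refused, and the chip will not act at all for the wrong PIN.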

The whole nature of identity theft is a Willie Sutton economy. Sutton robbed banks because "that's where the money is." To reduce identity theft, there's a pretty easy recipe:  harden targets so that theft is more difficult. And in particular, try to make sure that you are a less inviting target (no pun intended) than the next guy. 

Maybe there'll be an upside from these recent data security breaches: enough consumers will be perturbed to demand that things change. Unfortunately, the way the stories are being shown in the media, it's the merchants who look like the problem. I don't know if the merchants were in fact being unusually careless, but we have technology that could really reduce identity theft; it's just that banks don't want to incur the cost of using it.


The second factor is the PIN. Thus, even if my card is stolen, the card isn't useful without the PIN

At least in the UK, this is only partly true. Most online purchases can be made with just the card. There is two factor authentication for online as well, but it's only sometimes engaged.

At the minimum, I am taken aback by the fallacy of your statements regarding banks not wanting to pay for the payment system upgrades and that they don’t bear the cost of fraud. I have a feeling this is the root of what people do not understand about financial crimes.

Merchants do not eat the cost of fraud committed via payment systems, the financial institutions do. Not only do the financial institutions refund the money to the consumer and replace any cards at a cost that is chalked up to "the cost of doing business", but they also get to deal with the irate consumer who doesn't understand that the store they frequent doesn't comply with the Payment Card Industry standard of data security.

Due to the most recent regulations regarding payment cards and fraud responsibility, merchants will need to start updating their equipment and software programs to accept the “Chip” cards. If they do not, they will finally have some financial responsibility when dealing with fraud losses.


I've been in payments fraud prevention for about 20 years. For most online fraud, the merchants eat the straight fraud losses. The game is rigged against them, heavily. I won't get into details unless asked.

However, if the fraudsters who got the Target/NM data included magstripe data, they will be able to create counterfeit cards and use those, which will more likely directly hit the banks, unless they can confirm that the card used was counterfeit, in which case they can chargeback even a card present transaction. This leaves the merchant out their goods and money.
