Email this article: EMV is not impervious to data breaches  Email 
 Link to story 

EMV is not impervious to data breaches

By Daniel Workman

Despite the gigantic data piracy at U.S. Target stores that compromised millions of people's credit card accounts -- including some Canadian cross-border shoppers -- many Canadians are complacent about the dangers of mass identity theft. security-breach

While no Canadian Target stores have been revealed as victims of the attacks, as many as 700,000 Canadians who shopped at U.S. Target stores were affected by the breach. Heather Ormerod, a spokesperson for Canada's privacy commissioner, said in a statement that her office has officially reached out to Target to inquire whether Canadian stores were affected.

Despite the news, Queen's University professor Ken Wong says he doesn't expect the breach to have a negative impact on Canadians' shopping habits. There's a generalized acceptance of a one-time breach, Wong says.

Smart-chip cards also give Canadians a sense of security not shared across the border. Chip technology makes it much harder for criminals to make counterfeit copies of cards, compared with the unencrypted magnetic-stripe cards that are still the standard in the U.S.

That said, smart chips don't eliminate all kinds of fraud. Target hackers also intercepted some three-digit verification codes typically found on the back of MasterCard and Visa credit cards. Criminals use those codes to place fraudulent online and phone orders, says Scott Schober, president of New Jersey's Berkeley Varitronics Systems. Stolen verification codes enable the hackers to circumvent the EMV encryption technology on Canadian smart chip cards.

"EMV has the same drawback as magnetic-stripe cards when a thief is buying online and performing other card-not-present fraud -- there's not much you can do," explains Schober.

"I believe Canadians are no better protected than Americans against mass data theft," agrees Toronto-based Internet security consultant Rob Cairns.

Awareness decreases fraud
Cairns' research shows that similar breaches have already occurred in Canada with the same malware criminals used to access Target point-of-sale terminals and snatch personal information. As serious as such a network hack is, Canadians shouldn't ignore other types of data breaches.

"What's really important is an overall awareness so the chances of any frauds occurring are decreased," advises RCMP Financial Crime Commander Dave Bellamy.

From 2010 to 2012, hundreds of government- and private-sector breaches were voluntarily reported to the Office of the Privacy Commissioner of Canada. But Canada has minimal legislation forcing businesses and government agencies to disclose data breaches. Attorney Theodore P. Charney's June 2013 Privacy Law in Canada paper identifies Alberta as the only province mandating all organizations to report breaches. In contrast, 46 of 50 United States require disclosure.

Cairns points out that Canadian financial institutions and retailers are often reluctant to publicly divulge a customer data breach, since that would make an organization appear more vulnerable than its competitors. He also believes other incidents as widespread as Target may have already happened in Canada, but have not yet been reported because disclosure is largely voluntary.

"Many Canadian banks and retailers treat fraud as a cost of doing business," says Cairns.

Never let your guard down
Both Wong and Cairns agree that, ideally, the Target data breach should serve as a wakeup call, spurring consumers to become more cautious in protecting their personal information from external threats beyond their control.

Cairns says the increase in piracy attacks means that consumers need to monitor their banking and credit card accounts more often. He also recommends regularly changing passwords and PINs -- and making them hard for criminals to guess.

Another lesson from the Target breach is that familiarity is not synonymous with security. Consumers must remain vigilant with their personal financial data even when shopping at stores where they have done business for years.

"There is no steel curtain you can put up that will work indefinitely," observes Wong. "It's basically a battle of continually reinventing your curtain in order to stay a step ahead of the hackers."

Cairns agrees. "The key is to never let your guard down," he says, "because the one time you do is often when you get bitten."

See related: 5 myths about contactless payments; Why debit is riskier than credit 

Published: January 27, 2014

Comments or Questions, Library of Stories

Email this article: EMV is not impervious to data breaches  Email 
 Link to story 

Three most recent All credit card news stories:

  • Cash, debit or credit? When to use which payment – You carry cash, a debit card and a credit card -- how do you know when to use each type of payment? Experts give a guide on when to pull out plastic and when cash is ideal ...
  • Your options if your issuer changes your agreement – You open your mail to find your card issuer increased your interest rate or added an annual fee to your card. If you don't like the changes, here are a few ways you can handle the situation ...
  • Ways to overcome the stigma of debt – Not being able to pay your bills on time is hard, but not being able to talk about it can be even harder. Debt comes with negative connotations. If you're feeling the stigma of debt, give yourself these reminders to shake shameful feelings ...