EMV is not impervious to data breaches

Despite the gigantic data piracy at U.S. Target stores that compromised millions of people's credit card accounts -- including some Canadian cross-border shoppers -- many Canadians are complacent about the dangers of mass identity theft. security-breach

While no Canadian Target stores have been revealed as victims of the attacks, as many as 700,000 Canadians who shopped at U.S. Target stores were affected by the breach. Heather Ormerod, a spokesperson for Canada's privacy commissioner, said in a statement that her office has officially reached out to Target to inquire whether Canadian stores were affected.

Despite the news, Queen's University professor Ken Wong says he doesn't expect the breach to have a negative impact on Canadians' shopping habits. There's a generalized acceptance of a one-time breach, Wong says.

Smart-chip cards also give Canadians a sense of security not shared across the border. Chip technology makes it much harder for criminals to make counterfeit copies of cards, compared with the unencrypted magnetic-stripe cards that are still the standard in the U.S.

That said, smart chips don't eliminate all kinds of fraud. Target hackers also intercepted some three-digit verification codes typically found on the back of MasterCard and Visa credit cards. Criminals use those codes to place fraudulent online and phone orders, says Scott Schober, president of New Jersey's Berkeley Varitronics Systems. Stolen verification codes enable the hackers to circumvent the EMV encryption technology on Canadian smart chip cards.

"EMV has the same drawback as magnetic-stripe cards when a thief is buying online and performing other card-not-present fraud -- there's not much you can do," explains Schober.

"I believe Canadians are no better protected than Americans against mass data theft," agrees Toronto-based Internet security consultant Rob Cairns.

Awareness decreases fraud
Cairns' research shows that similar breaches have already occurred in Canada with the same malware criminals used to access Target point-of-sale terminals and snatch personal information. As serious as such a network hack is, Canadians shouldn't ignore other types of data breaches.

"What's really important is an overall awareness so the chances of any frauds occurring are decreased," advises RCMP Financial Crime Commander Dave Bellamy.

From 2010 to 2012, hundreds of government- and private-sector breaches were voluntarily reported to the Office of the Privacy Commissioner of Canada. But Canada has minimal legislation forcing businesses and government agencies to disclose data breaches. Attorney Theodore P. Charney's June 2013 Privacy Law in Canada paper identifies Alberta as the only province mandating all organizations to report breaches. In contrast, 46 of 50 United States require disclosure.

Cairns points out that Canadian financial institutions and retailers are often reluctant to publicly divulge a customer data breach, since that would make an organization appear more vulnerable than its competitors. He also believes other incidents as widespread as Target may have already happened in Canada, but have not yet been reported because disclosure is largely voluntary.

"Many Canadian banks and retailers treat fraud as a cost of doing business," says Cairns.

Never let your guard down
Both Wong and Cairns agree that, ideally, the Target data breach should serve as a wakeup call, spurring consumers to become more cautious in protecting their personal information from external threats beyond their control.

Cairns says the increase in piracy attacks means that consumers need to monitor their banking and credit card accounts more often. He also recommends regularly changing passwords and PINs -- and making them hard for criminals to guess.

Another lesson from the Target breach is that familiarity is not synonymous with security. Consumers must remain vigilant with their personal financial data even when shopping at stores where they have done business for years.

"There is no steel curtain you can put up that will work indefinitely," observes Wong. "It's basically a battle of continually reinventing your curtain in order to stay a step ahead of the hackers."

Cairns agrees. "The key is to never let your guard down," he says, "because the one time you do is often when you get bitten."

See related: 5 myths about contactless payments; Why debit is riskier than credit 

Published January 27, 2014

Most recent All credit card news Stories