Visa Stats Show A Huge Flip In U.S. Data Breaches Versus The Rest Of The World

Written by Frank Hayes and Evan Schuman
October 31st, 2012

The fact that U.S. retailers have been the world’s top fraud targets is nothing new, but recent Visa stats show a recent startling reversal. In 2009, the U.S. accounted for 38 percent of the world’s data breaches, with the rest of the world the victim of the remaining 62 percent. But by the next year—2010—those numbers did an almost full 180-degree flip. The U.S. suddenly accounted for 61 percent of all incidents globally, with the total of all other countries’ breaches delivering the remaining 39 percent.

That pattern continued—mildly—last year (2011), with the U.S. inching up to 67 percent of all breaches globally. But it’s the huge flip in 2010 that’s fascinating. What happened then? Jennifer Fischer, Visa’s head of payment system security and acceptance risk, said her people saw it as a combination of factors.

First, franchisees became targets, both because of generally lax security and because many of these store owners use similar systems (remote access was a popular security hole), thereby creating similar flaws and enabling cyberthief gangs to make efficient volume attacks. Although franchisees certainly exist throughout the world, they are much more common in the U.S. Hence, franchisee attacks would disproportionately boost U.S. breach numbers.

Plus, EMV’s popularity in Europe and Asia (and Canada and Mexico) made those chains less attractive targets than their EMV-resistant U.S. counterparts. “The hackers are targeting static payment card data” and would rather avoid dynamic data as found on EMV and other more secure systems, Fischer said.

Two other explanations: a lousy economy and a big increase in organized gangs doing these data breaches. When retailers need to trim costs, new PIN pads and updated back-end software are easy expenses to defer. That could explain security holes that don’t get patched.

Another economy-related explanation is that there might be more sticky-fingered associates willing to participate in card skimming. But that’s a little harder to swallow. Crooked associates who will skim customers’ payment cards don’t need a recession as an excuse for being thieves. If they’re crooked, they’ll do it regardless.

But what has shown up over the past few years is a pattern of what are clearly organized gangs going after retail chains, including Aldi in 2010, Michaels in 2011 and Barnes & Noble this year. The more we know about the aftermath of these breaches, the more it’s clear that the thieves are organized and methodical and that they understand a lot more about how breaches are detected than any retailer should be comfortable with.

Remember, these thieves understand that they can make it harder to spot breaches by sorting stolen card numbers by BIN. Plus, they farm out the work of getting cash from stolen debit-card numbers to street gangs. And those are just the techniques we know about.

It would be nice if a little more EMV and PCI would make U.S. chains a lot more breach-proof. Maybe they actually could. On the other hand, maybe thieves aren’t just stealing card numbers from U.S. chains because it’s slightly easier—but rather because, as bank robber Willie Sutton supposedly said, “that’s where the money is.”


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.