Breaches Put Magnetic Stripe Insecurities in the Spotlight
This month, Madison Square Garden announced that it has been the victim of a lengthy security breach that has put its in-venue customers at risk of having their identities stolen.
The breach is suspected to have lasted almost a year, from November 9, 2015 to October 24, 2016, and was uncovered when credit card issuing banks noticed payment transaction patterns consistent with the use of stolen credit card information. The banks alerted Madison Square Garden, which then investigated and discovered that its systems had been breached. It then brought in security firms to fix the problem and update the company's security.
That said, many of the company's customers are potential victims of identity theft. Those at risk purchased food or merchandise at several of the company's event venues, including Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater in New York City and Chicago Theater in Chicago. The breach affected only these types of in-person transactions and didn't affect transactions that took place on the company's websites, at venue box offices or through Ticketmaster.
The information leaked is that typically found within the magnetic stripe on a credit card and includes credit card numbers, cardholder names, expiration dates and internal verification codes. With that information, a credit card thief could easily make an unauthorized credit card to use at will. The thieves captured the data as it was routed through the payment processing system.
Madison Square Garden notes that the thieves went after in-person transactions that were swiped and that not every person who used their card at these venues had their information compromised.
Another interesting point to note is that EMV chip cards are supposed to help mitigate fraud because they take the data that's normally stored on the magnetic stripe and load it onto a chip that's a lot harder to hack. While the U.S. is in the midst of a transition from magnetic stripe cards to EMV cards, not every credit card holder has an EMV chip card, nor does every business accept them.
In May, payments consulting firm Mercator forecast that 84 percent of all credit cards would be chip cards by the end of this year. While that number shows progress on EMV conversion, it still leaves chipless consumers vulnerable. Mastercard reported in September that as of July, 88 percent of its American cardholders had chip cards. Visa recently reported that in October, there were 388.8 million Visa chip cards in the U.S., with 180.6 million of those being credit cards. It did not disclose how many total cards it had on the market.
The added cost of replacing a magnetic stripe card with a more expensive chip card is just one piece of the puzzle. Just because a consumer has a chip card doesn't mean that they automatically have better fraud protection.
While the credit card companies tout greater acceptance of EMV technology, there's still a long way to go: merchants need to make the (sometimes very expensive) investment to acquire and implement chip-reading terminals that can process EMV transactions. This may be where the problem of persistent data breaches lies. Visa reports that a mere 37 percent of American storefronts have the capability to accept chip cards. That means that at most stores, credit card users still have to swipe their cards for payment, which puts them at greater risk for fraud in general.
Visa notes that those merchants who have converted to EMV have seen a 43 percent drop in counterfeit fraud dollars compared to a year ago; however, the low numbers of acceptance that persist across the country could mean that we're likely to keep seeing news of data breaches for some time.