Data Breaches: Target, Neiman Marcus

01/11/14

Let's be really clear about what most identity theft is about: it's about payments data. Identity theft is first and foremost a payments fraud problem. We don't know all of the details about what happened at Target and Neiman Marcus, but there's a really obvious weak spot in the US payments infrastructure that should be corrected, irrespective of whether it would have prevented the Target and Neiman Marcus breaches: the lack of two-factor authentication. Chip-and-PIN cards, which are standard outside the US and have been effective in reducing fraud, would provide it.

Why don't we have chip & PIN here? Because the banks don't want to pay for it, since they don't bear most of the fraud costs. The banks/payment networks are the least-cost avoider of identity theft, but because merchants are eating most of the fraud costs, the banks have instead opted for a complex set of security standards for merchants (PCI Security Standards) that are of dubious effectiveness.

Chip & PIN cards have two key security features. First, these cards have a microchip inside that frustrates easy physical copying of the cards. With our current mag stripe cards, I can copy the information off the mag stripe with a small reader and then use that to make a new card. Not so easy if I also have to copy the information on a microchip embedded in the card. Second, these cards require a PIN to use. The PIN creates what is called two-factor authentication. The first factor is the information on the card itself (from the chip and mag stripe). The second factor is the PIN. Thus, even if my card is stolen, the card isn't useful without the PIN. Chip and PIN isn't impossible to crack, but it is a lot harder. And that's the name of the game in identity theft.

The whole nature of identity theft is a Willie Sutton economy. Sutton robbed banks because "that's where the money is." To reduce identity theft, there's a pretty easy recipe: harden targets so that theft is more difficult. And in particular, try to make sure that you are a less inviting target (no pun intended) than the next guy.

Maybe there'll be an upside from these recent data security breaches--enough consumers will be perturbed to demand that things change. Unfortunately, the way the stories are being shown in the media, it's the merchants who look like the problem. I don't know if the merchants were in fact being unusually careless, but we have technology that could really reduce identity theft; it's just that banks don't want to incur the cost of using it.
