Banks race to replace millions of hacked cards before thieves decrypt data


The anonymous hackers who breached Target's data banks stole detailed financial data from nearly one in eight Americans over the shopping season, nearly all 40 million of whom are still reeling from the fallout.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos., according to the Associated Press.

In the days after the attack, banks large and small faced big decisions over whether to replace customers' credit and debit cards en masse, or ride out the storm and deal with any identity theft on a case-by-case basis.

First Tennessee, the largest bank in Chattanooga, and SunTrust, the second-largest bank in the market, are both in the process of replacing credit and debit cards for all affected customers, although banking officials wouldn't disclose the exact number of victims affected by the digital heist.

"Replacement cards will be in consumers' hands very soon," said Dondi Black, vice president of First Tennessee's consumer payments strategy. "Given the timing of this breach, when card purchase volume is typically high, First Tennessee took additional steps to allow the cards in customers' wallets to remain active until the replacement cards arrive."

Regions Bank is sending warnings instead of new cards. Rather than shell out new plastic, the bank has doubled security for customers who were potential victims of the hack, and warned them via a letter to keep an eye on their accounts for suspicious transactions, said spokesman Jeremy King.

"This enhances our ability to detect any unusual activity," King said.

Frank Hughes, president and CEO of Chattanooga-based Cornerstone Community Bank, said customers are always the first line of defense against fraudsters.

"Whenever these big breaches take place, we always tell people to keep an eye on their account," Hughes said.

Customers at many banks are also protected by Visa's zero liability policy, which automatically refunds customers for money stolen via fraud. But many, such as Chattanooga-based FSGBank, aren't taking any chances.

FSGBank is reissuing compromised cards for all 900 of its customers who were affected by the Target tech thieves, said Martin Schrodt, executive vice president of the bank's retail business lines.

"We made the decision to reissue them all," he said. "By the end of this week, they will all have been reissued. We'll give them time to reactivate the new card, then we'll shut the old cards off."

Schrodt is especially concerned because the stolen Target card data contained everything needed to start using the cards, including PIN numbers and expiration dates.

"It wasn't just a card reader or a skimmer or some employee just writing numbers down," Schrodt said.

But hackers will need to decrypt the data before they can start using the debit cards. Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder told the Associated Press. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said the PINs for the affected cards are not safe and people "should change them at this point."

Litan said that while she has no information about the encrypted PIN information in Target's case, such data has been decrypted before, in particular in the 2005 TJX Cos. hacking case that's believed to be the largest case of identity theft in U.S. history.

In 2009, computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez's group was able to decrypt encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."

"It's not impossible, not unprecedented (and) has been done before," she said.

Besides changing your PIN, Litan says shoppers should opt to use their signature to approve transactions instead because it is safer.

Still, she said Target did "as much as could be reasonably expected" in this case. "It's a leaky system to begin with," she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.

The Associated Press contributed to this report.

Contact staff writer Ellis Smith at esmith@timesfreepress.com or 423-757-6315.
