Visa Stats Show A Huge Flip In U.S. Data Breaches Versus The Rest Of The World

The fact that U.S. retailers have been the world's top fraud targets is nothing new, but recent Visa stats show a recent startling reversal. In 2009, the U.S. accounted for 38 percent of the world's data breaches, with the rest of the world the victim of the remaining 62 percent. But by the next year—2010—those numbers did an almost full 180-degree flip. The U.S. suddenly accounted for 61 percent of all incidents globally, with the total of all other countries' breaches delivering the remaining 39 percent.

That pattern continued—mildly—last year (2011), with the U.S. inching up to 67 percent of all breaches globally. But it's the huge flip in 2010 that's fascinating. What happened then? Jennifer Fischer, Visa's head of payment system security and acceptance risk, said her people saw it as a combination of factors.

First, franchisees became targets, both because of generally lax security and because many of these store owners use similar systems (remote access was a popular security hole), thereby creating similar flaws and enabling cyberthief gangs to make efficient volume attacks. Although franchisees certainly exist throughout the world, they are much more common in the U.S. Hence, franchisee attacks would disproportionately boost U.S. breach numbers.

Plus, EMV's popularity in Europe and Asia (and Canada and Mexico) made those chains less attractive targets than their EMV-resistant U.S. counterparts. "The hackers are targeting static payment card data" and would rather avoid dynamic data as found on EMV and other more secure systems, Fischer said.

Two other explanations: a lousy economy and a big increase in organized gangs doing these data breaches. When retailers need to trim costs, new PIN pads and updated back-end software are easy expenses to defer. That could explain security holes that don't get patched.

Another economy-related explanation is that there might be more sticky-fingered associates willing to participate in card skimming. But that's a little harder to swallow. Crooked associates who will skim customers' payment cards don't need a recession as an excuse for being thieves. If they're crooked, they'll do it regardless.

But what has shown up over the past few years is a pattern of what are clearly organized gangs going after retail chains, including Aldi in 2010, Michaels in 2011 and Barnes & Noble this year. The more we know about the aftermath of these breaches, the more it's clear that the thieves are organized and methodical and that they understand a lot more about how breaches are detected than any retailer should be comfortable with.

Remember, these thieves understand that they can make it harder to spot breaches by sorting stolen card numbers by BIN. Plus, they farm out the work of getting cash from stolen debit-card numbers to street gangs. And those are just the techniques we know about.

It would be nice if a little more EMV and PCI would make U.S. chains a lot more breach-proof. Maybe they actually could. On the other hand, maybe thieves aren't just stealing card numbers from U.S. chains because it's slightly easier—but rather because, as bank robber Willie Sutton supposedly said, "that's where the money is."