Following Massive Data Breaches, Retailers Try 'Look, A Squirrel!' Tactic

The use of distractions in politics has skyrocketed in the past few years as candidates and others have realized how effective it can be to get the media talking about something else ??? anything else ??? when it’s you that’s under the glare of scrutiny.

The strategy is often called ???look, a squirrel!???, an allusion to the Pixar film Up in which dogs’ conversations are instantly paralyzed when any canine participant observes (or thinks he may have observed) a squirrel.

President Obama, for example, has often been accused of using this technique just as scandals are reaching their nadir or as outrage to his policies threatens to cause deep political harm. And GOP presidential candidate Donald Trump has a knack for launching insult-laden bromides against his rivals as a way to keep the news cycle away from damaging narratives.

So it’s only natural we would start to see this tactic creep into Washington, D.C. lobbying campaigns where extraordinarily capable people are paid large amounts of money to wage well-executed campaigns for narrow and self-interested special interests.

Enter the retail stores sector, whose members ??? think Target, Home Depot, Michaels ??? the list goes on ??? have allowed criminals to steal credit card information on, in total, hundreds of millions of Americans.

These breaches generally happen one way: the computers that process payments when you check out (i.e. a modern cash register) are hacked and instructed to silently send the credit card data of each customer to a server computer controlled by the hackers.

Faced with this problem, one response for the stores would be to work to improve the security of their computers and networks. That would be the right thing to do — it would also cost money.

Instead, they are trying to pull ???look, a squirrel!??? by going on the attack to push a discredited, flim-flam security technique that is generally opposed by experts, but useful as a wedge to give their paid spokesman something to talk about.

Even worse, they have managed enlisted the help of their politician allies, who also happen to conspicuously overlap with the recipients of their generous campaign donations. In fact the evidence is mounting that their efforts are the worst type of crony capitalism.

But first, some background: the ???point of sale??? vulnerability is the impetus for newer credit cards that contain a small computer chip. During a transaction, the chip in the card is powered on and used to encrypt its information, which the cash register computer merely relays on to a secure network that actually processes the payment. In this way, the cash register computer can’t ???see??? the credit card number ??? it’s encrypted.

This doesn’t solve all fraud; for instance, it currently does not help at all for online purchases where consumers enter their credit card numbers by hand. But it is a major step forward and something that will help.

The retailers, in contrast, are pushing to require customers to enter a four-digit PIN for every purchase, like they do for many debit cards.

Security experts, however, view the PIN as the equivalent of relying on a baby gate to keep intruders out of your home. First of all, a password composed of four numbers allows only 10,000 combinations, which even your early 1990s computer running Windows 3.1 could crack by ???brute force??? without a sweat.

Second, any cash register computer that is compromised and sending credit card numbers back to the hackers can easily be set to also send the PIN number.

Third, like the chips, PINs offer no benefit for online transactions, although unlike the chips, they offer very little improvement to the security situation for in-store purchases.

Finally, just in my opinion, it’s annoying to have to remember passwords for all your credit cards, even more so when you realize it’s not providing any real security advantage.

Nevertheless, once they realized that credit card companies and banks weren’t interested in more PINs, retailers realized this could be their crusade, and perhaps a way to turn the tide of all the bad PR they’ve gotten from giving hundreds of millions of Americans’ credit card numbers to thieves.

A perennial retail ally, Sen. Dick Durbin (D-IL) got in on the action a few weeks back, writing a ridiculous letter to the FBI about PIN technology, and now two state attorneys general have signed a letter urging credit card companies to require PINs.

Leading the charge is Sam Olens, Georgia’s AG. Now, Georgia just happens to be the headquarters of Home Depot, a stores that allowed one of the largest breaches to occur and a major player in the political tug-of-war between the stores and the credit card companies. How convenient!

Now, if it weren’t bad enough that the people who left your credit card data vulnerable to thieves are championing a discredited security technique ??? one that will require millions of people to remember tens of millions of new passwords for no good reason, as a manufactured political issue that serves their purpose, here’s the truly flagrant part.

The retailers quest for PINs isn’t really about fraud, but apparently part of a larger play to help convince politicians to set a more favorable price for credit card companies to processing their payments, the so-called ???interchange fees.???

Politico reported this week the PIN campaign is, at heart, a negotiating ploy. ???It is becoming increasingly clear that ‘chip-and-pin’ is nothing more than an interchange play by the merchants with the help of their old pal Sen. Durbin,??? the outlet quoted a congressional aide saying.

Just remember that next time you forget your PIN!


Langer is president of the Institute for Liberty, a conservative public policy advocacy organization.