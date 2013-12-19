By Mitch Lipka
Dec. 19 If you think yours was one of the 40
million credit or debit cards involved in a data breach at
Target, security experts recommend a policy of watching
and waiting: Watch the account you used at the retailer on a
daily basis, and wait, because there's no telling when it will
be tapped by thieves.
With the information that was obtained in the data breach
between Nov. 27 and Dec. 15 - cardholder names, card numbers and
the three-digit security codes - crooks can use them for online
transactions or manufacture duplicate cards.
"This could be something that hits your card months from
now, so you need to continue to be vigilant," says Yaron Samid,
chief executive officer of BillGuard, a company that offers a
free service monitoring credit and debit cards for unusual
activity.
Don't look for crazy, big-ticket charges, Samid says.
Sophisticated hackers are more likely to make small
purchases, sometimes aimed at checking the viability of an
account.
"These folks are not going to put a $10,000 charge on one
card," Samid says. "They're going to put a $1 charge on 10,000
cards."
Small charges are less likely to be noticed and disputed, he
says, and a single charge - even if it's for just 99 cents -
enables the crooks to resell the stolen information at a
premium, according to Samid.
A validated stolen card number is worth more than an
untested one, he says.
CREDIT VS DEBIT
If you used a credit card at Target, you have more
protection than if you used a debit card. That's because
consumers are protected from the fraudulent use of a credit
card. You still have to report the fraud to your card issuer.
A fraudulent charge is typically credited back to the
consumer's account after a fraud report is made. The card issuer
then investigates the complaint and, unless the charge is found
to be valid, the credit will be made permanent.
With a debit card transaction, money immediately comes from
the consumer's bank account. After filing a fraud report with
the bank, it is then in the bank's hands when - or if - to
return that money.
Either way, if a fraudulent charge is spotted, consumers
should get a new card.
But experts say it's better to err on the side of caution,
and - at least for debit card holders - get a new card now.
"I do see this as a very severe breach. Take it very
seriously," says Mark McCurley, senior information security
adviser for Scottsdale, Arizona-based IDT911 Consulting, a
company that does data breach prevention and post-breach
analysis.
McCurley says he used his debit card at a Target store
during the period the numbers were stolen. He requested a new
debit card and PIN number.
"That's how seriously I'm taking the matter," he says.
At a minimum, change your PIN number, experts advise. If the
thieves have captured your PIN, you can prevent them from
getting a cash-back during a transaction or using your card at
an ATM machine, McCurley says.
Molly Snyder, a spokeswoman for Target, says there is no
indication at this point that PINs were collected by the
thieves.
TARGET'S RESPONSE
Target is getting out the word to potential victims through
the media and on its website, Snyder says. Consumers who have
the store's credit card or have an email address on file have
been or will be notified directly, Snyder says.
Customers with questions about the breach are asked to call
866-852-8680.
At this point, credit monitoring is not being offered to
potential victims. Additional information will be posted to
Target.com, Snyder says.
A notice to the retailer's customers is posted on the
company's site, with information about putting a security freeze
on credit reports, and other post-breach basics.
"If you shopped in a U.S. store during that time period, we
encourage you to watch your accounts." Target has addressed the
problem, she says, and assures consumers that future
transactions will be protected.
Robert Siciliano, online security expert for Internet
security company McAfee Inc., says consumers shouldn't have to
get identity theft monitoring or freeze their credit in this
case.
"It didn't affect the users' Social Security number,"
Siciliano says. "This is plain and simple a credit card breach.
Bad guys use (Social Security numbers) to open up a new credit
card. In this case, they don't have to. They already have the
best data they can to turn into cash."
PIGGYBACK ATTACKS
Beyond checking on account activity and obtaining new credit
cards, consumers should be on the lookout for scammers trying to
take advantage of the data breach.
"Be wary of any communications from people claiming to be
your bank," warns Lee Weiner, senior vice president of products
and engineering for the Boston-based software security firm
Rapid7.
"Incidents like this provide a great opportunity for other
criminals to launch 'piggyback' attacks," Weiner adds. Scammers
can contact you through a call or email claiming to be your card
issuer, and then get you to give them your banking information,
online security credentials, or visit a malicious website.
If you are contacted by what appears to be your bank or
other financial service company, do not clink on links, and
certainly do not provide the information requested by phone or
email. Contact your bank, for instance, using the number on the
back of your card, Weiner says, or by going directly to the
bank's website.
Piggyback crimes are claiming more victims.
Just last week, Javelin Strategy & Research released a
report that found the number of people notified after a data
breach that they were victimized by fraud rose by 340 percent
between 2010 and 2012.