5 lessons learned from the Target security breach
by Herb Weisbaum, Today.com
The theft of 40 million credit and debit card records from Target wasn’t the biggest or most damaging data breach ever, but coming right before Christmas, it sure did get our attention – and maybe that’s good.
Perhaps we needed a slap in the face to get us to focus on the growing problem of financial data theft. Keep in mind: Target was just one of about 600 publicly disclosed data breaches in 2013.
“Any retailer can be hit,” said Al Pascual, a senior analyst for security risk and fraud at Javelin Strategy and Research. “People need to protect themselves because sooner or later they’re going to be affected, regardless of where they shop.”
It’s important to understand how debit cards and credit cards differ when it comes to fraud protection, and what to do if your card information is stolen. Quite frankly, some of the advice given to Target victims was questionable or wrong. Here’s what you need to know:
1. Credit cards offer better fraud protection.
The most important difference between credit and debit cards is that credit cards provide better fraud protection.
“If a fraudster steals your credit card number and uses it, they’re stealing the bank’s money, not your money,” said John Ulzheimer with CreditSesame.com. “If a fraudster steals your debit card number and uses it, they’re stealing your money and you’ll have to argue with the bank to get your money back.”
Federal law limits responsibility for unauthorized credit card charges to $50. Visa, MasterCard, Discover and American Express all have “zero liability” policies, so you’ll never lose a penny to credit card fraud.
With debit cards, your maximum liability is $50, if you notify the bank within two days. After that it jumps to $500. You could lose all the money that was stolen from your checking account if you fail to report the fraud within 60 days of getting your bank statement.
Visa and MasterCard promise “zero liability” on the debit card transactions they handle if the customer chooses to sign for the transaction rather than use a PIN. Even so, the missing money doesn’t go back into your account instantaneously.
“Your money could be legally missing from your account for as much as two weeks while the bank investigates and decides whether to reimburse you,” noted Ed Mierzwinski, consumer program director at the advocacy group U.S. PIRG. “During that time you may not be able to pay your rent or mortgage or buy anything with your debit card.”
So why have a debit card? Some people don’t qualify for a credit card. Others use them to stick to their budget, since you can’t spend more than you have in your checking account.
“Debit cards are fine, right up to the point where they get stolen, and then they’re no longer fine,” Ulzheimer said. “In my mind, if you qualify for a credit card and have the willpower not to run up a massive amount of credit card debt, then credit cards are a safer alternative.”
Note: After the Target breach, a few banks took the unprecedented step of limiting how much customers could spend at stores or withdraw from ATMs using their debit cards. No such restrictions were put on credit card customers.
2. Free credit monitoring is nice, but it won’t protect Target victims.
We’ve come to expect free credit monitoring after a breach. It’s a way for the company to show they care about us.
Credit monitoring can be a useful fraud-fighting tool if someone steals your personally identifying information, such as date of birth, account passwords or Social Security numbers. That did not happen in this case.
“To be honest with you, it’s worthless in this situation,” Pascual said. “I think it created a false sense of security, which is unfair and probably wasn’t the best way to go about helping people.”
That’s because the fraudulent use of your credit card does not trigger an alert on your credit report. And debit card transactions aren’t even reported to the credit bureaus.
3. A security freeze won’t protect you in this sort of breach.
A lot of “experts” advised victims of the Target breach to put a security freeze on their credit report.
When Social Security numbers are stolen, a credit freeze is the smart thing to do. It prevents an identity thief from opening new accounts in your name. But that did not happen in this case.
“A security freeze doesn’t make any sense as a way to respond to this data breach,” said Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center. “That’s something you typically do after you spot obvious signs of financial fraud.”
A freeze prevents lenders from accessing your credit report to process a new loan or credit card application. It does not prevent fraud on an existing account. It will not stop a crook from using a stolen account number to shop online or clone a new debit or credit card to use at the store.
A credit freeze is a smart thing to do when Social Security numbers are stolen because it prevents an identity thief from opening new accounts in your name.
4. Should you change the PIN number on your debit card?
Target confirmed Friday that encrypted PINs were stolen in the breach, though it said the “key” necessary to decrypt data is not within its system and could not have been taken during breach.
Changing your PIN will prevent a stolen debit card number from being used to withdraw cash at an ATM, but it won’t stop a crook from using it to buy things. Debit cards can be used without a PIN at most stores.
To be completely safe, you’ll need to ask the bank to issue you a new card number.
5. Is it safer to choose “credit” over “debit” when you use a debit card?
When you swipe your debit card, you’re asked to choose “debit” or “credit.” Some have suggested that if you hit “credit” you are then making a credit card transaction. That’s not true.
“There is nothing you can do to turn that debit card into a credit card, even if the card has the Visa or MasterCard logo on it,” said Bill Hardekopf, CEO and Founder of LowCards.com.
What you are doing is choosing how that transaction is processed. Does it require a PIN or just a signature to pull that money out of your checking account?
“You’re just as vulnerable to a hacker,” said Brian Krebs, who broke the Target breach story on his KrebsOnSecurity blog. “Nothing magically happens if you push credit instead of debit that makes it any harder for someone to steal your card information. It’s all still ones and zeros on a magnetic strip.”
Is more regulation needed?
Debit cards are not going to go away. People like them. Banks encourage us to use them.
Consumer groups want Congress to guarantee more fraud protection for debit cardholders.
“We would like to see the liability for debit cards capped at $50 – just like credit cards,” said Linda Sherry, director of national priorities at the advocacy group Consumer Action. “We’d like to see a higher standard of protection for debit cards enshrined in law, not just in the voluntary ‘zero liability’ programs offered by card issuers.”
The nation’s bankers oppose any change in the law. And quite frankly, it’s unlikely Congress will do anything. That means you need to take steps to protect yourself.
Best practices for anyone with a credit or debit card
The best way to take responsibility for your financial security is to go online a couple of times a month to check your credit card and checking account statement. Look for any unauthorized charges and report them right away. Don’t wait for your end of the month statement to do this.
Take advantage of financial alerts, if available, on your accounts that can give you a heads-up to a possible problem.
If you get a notification in the mail that your debit or credit card accounts have been breached, respond immediately, because the risk is real. Javelin’s data shows that people who were notified of a card breach this past year had a 28 percent chance of being the victim of card fraud.
Beware of email alerts that ask you to provide your personal information. Target is not doing this – no company would. These bogus alerts are from identity thieves.
“These attacks are affecting retailers of all sizes and they are going to continue to happen,” Javelin’s Pascual said. “Consumers need to remain vigilant and take advantage of any opportunity they have to monitor their accounts and protect themselves.”