By now, most members of the Self-Reliance Institute (formerly the Patriot Privacy & Security Society) have heard about the huge credit card data breach potentially impacting people who shopped at Target between Nov. 27 and Dec. 15.
The Target breach is a good reminder for all of us that these credit and debit card data breaches — of one size or another — occur every day and we need to know what the actual risk is when a breach does happen. It’s also a good reminder that it’s worthwhile to use a credit monitoring service that monitors illicit activity involving your personal information, financial accounts, and your credit and debit cards.
So even if you aren’t personally impacted by the Target breach, it’s worth learning from this unfolding case for when you are impacted by a data breach at a company with which you do business. And believe me, if you use a credit or debit card, you will be the victim of a breach at some point — if you haven’t already.
“Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.
“According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.”
Krebs’ sources were correct. By Thursday, Target acknowledged the breach in a press release titled, “Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores.”
“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue. …
“Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”
Clearly, Target’s statement, other than confirming what Krebs had uncovered, isn’t all that helpful at explaining what happened, why, and what Target shoppers can do to protect themselves.
Over at Wired.com, Kim Zetter added a bit more in her report, “Target Admits Massive Credit Card Breach; 40 Million Affected.”
“The thieves breached the point-of-sale system (POS) and stole customer magstripe data, including names, credit or debit card numbers, expiration dates and everything else needed to make counterfeit cards. Target did not indicate if PIN numbers were also taken, which would allow the thieves to use the account data to withdraw cash from ATMs.
“It’s unclear how the breach of the point-of-sale system occurred. It’s possible the thieves installed malware on the card readers at stores or breached the transaction network and sniffed data at a point that it was not encrypted.”
Based on professional experience, I believe it was a breach of the transaction network. As the investigation unfolds, we may find out.
But for most folks, how the breach occurred is not as important as understanding the true nature of the threat and what steps can be taken to minimize the extent of the damage if you become a victim. After all, there is no credit or debit card system that can’t be breached.
Let me say that again. There isn’t a credit or debit card system that can’t be breached.
But what is the actual danger from a breach?
Let’s turn to my friends at FRSecure and review a few of the Frequently Asked Questions they’ve compiled to rebut some of the incorrect reporting in the mainstream media.
Target Breach FAQ (Go to the site for the full list of FAQs)
“What information was stolen?
“Full magnetic stripe data, also called “track data”, from credit and debit cards. The magnetic stripe contains the following information (only): Cardholder name; Cardholder account number; Card expiration date; Card Security Code 1 (CSC1), also called the Card Verification Value 1 (CVV1)*. This code is stored on the magnetic stripe and is used to validate “card present” transactions. Card present transactions are those that are made in-person, at the merchant, using a swipe.”
“What information was NOT stolen?
“There was no other data stolen. The following information was not included in the breach: Card Verification Value 2 (CVV2)*. This code is printed on the back of credit and debit cards. This code is used to validate “card not present” transactions. Card not present transactions are online transactions and those made by phone or form; Cardholder physical addresses; Cardholder Social Security Numbers; Cardholder birthdates; Transaction history data; Personal Identification Numbers (PIN).”
“If I shopped at Target between the dates mentioned, what should I do?
“All of us at FRSecure have made purchases at Target using our cards between the dates mentioned in the breach. Here are some things that we are doing: Monitor your credit and/or debit card accounts closely online; If you are really concerned, take some cash out of your account and keep it in a safe place; If you detect or find fraudulent transactions on your account, call your financial institution, close your account and open a new one; Use the cash that you took out earlier to get you by until your new card arrives in the mail; Validate that your financial institution has returned your funds.”
That’s accurate and useful information from FRSecure. In other words, there’s no need to panic.
Still, you can and should take steps to protect yourself against data breaches if you haven’t already.
As I mentioned at the outset, Chris and I use credit monitoring services to monitor illicit activity involving our personal information, financial accounts, and our credit and debit cards. Chris uses Identity Guard and I use CSID.
I can attest to the fact that when the data of a credit card of mine was stolen as part of the infamous Stratfor hack, CSID accurately notified me of my account number being sold on the Internet days before cybercriminals attempted to run charges on my account.
In short, while monitoring services were a bit of a rip-off as recently as five years ago, they are far better today at actually providing monitoring and protection services. So if you’re not already using a monitoring service, consider doing so. It might just save you time — and time equals money — down the road.
Finally, please share your experiences with me. Have you been notified that you were a victim of the Target breach? Have you been the victim of another breach? Do you use a monitoring service? If so, are you satisfied or unsatisfied?
As always, you can write me at [email protected].
OK, time to sign off. It’s snowing like crazy here at 8,000 ft. in the Rockies. So I’m going to grab Nittany (my Bernese Mountain Dog) and go enjoy the powder!
Be safe and secure,