It has been reported that Target Corporation was another victim of a data breach that possibly exposed up to 40 million customers’ credit data. The breach occurred between Black Friday and December 15th, 2013 and was focused around the data sent through Target’s systems from the card readers.
The full report and exposure level of this breach are not yet known, and Target is getting some extra help from the United States Secret Service with their investigation, so right now all customers should assume the worst. What can you do? First, people need to understand what can happen from the Target data breach. I am basing the following on the information that is currently out there at the time that I am writing this post: that the data compromised was the data stored on the magnetic strips of the credit and debit cards. The data on that strip is everything a hacker would need to create a copy of your card and begin using it without restriction. It’s the same concept as people using card skimmers to gather that strip data, only here the database(s) that housed that data or the communications lines that were used to transmit that data were accessed and 40 million strips were accessed.
The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes on the backs of cards. The data breach did not affect online purchases. Assume that all the pieces of information required to copy your card are in the hands of the hackers. There are some simple things that you can do now to protect your checking account from getting drained or your credit cards from racking up big charges that damage your credit. The primary action is to cut off your card(s) from your accounts.
- Call your bank(s), tell them that you used the card(s) at Target during the reported breach and request new cards. Your bank will then cancel that card’s number and, if they are good, will put a flag on it so that any attempt to use that number is reported to the authorities. 3 to 7 business days later you get a new card with fresh numbers. If your bank even thinks about charging you any kind of a fee for this, switch banks.
- Watch your accounts for any charges or activity you did not make. If you see something unusual, call your bank immediately to get a new card and protect your account. Contact Target at 866-852-8680 to let them know that your information was used post-breach and that the stolen data is being used.
- Spend some money, usually about $20 to $25 a month, and get a credit watch service to keep an eye on your credit reports for any odd activity, attempts to open new credit cards in your name or unusual shifts in your credit score. If you do this, I would recommend locking the service down so that you will be contacted for any new accounts, even if you opened them yourself. It adds one more layer of security and prevents surprises. I personally have used the EnhancedITP (Identity Theft Protection) service in the past and I was very satisfied with the reporting and protection.
At the end of the day, Target joins the list of reasons why our electronic payment systems need a complete overhaul. Don’t get me wrong, this may not be Target’s fault. A big corporation like Target doesn’t do all the processing 100% in-house; they use services like everyone else. The breach may have been with a 3rd party business Target works with, but then again it could be a failure in a Target-owned process. It really doesn’t matter at this point. The data is in the open; who cares how it got out there right now. Protecting yourself is all that matters.
In today’s point-of-sale systems there is no required identity verification at the time of payment, no required multi-factor authorizations for online purchases, and no laws to ID everyone for credit card use. It comes down to the retailer’s discretion. All you need is a card, a number and a smile, and 9.9 times out of 10 you will not be asked to prove you are the owner of a card and/or authorized to use a card. I even have the words SEE ID written in big black ink in my signature line to get people to ask me for it, and most still don’t. Target stores never, ever do, and that’s a huge pet peeve of mine, being an IT security expert, but other big retailers also never check me out. I work tirelessly to protect the data systems I work with in my career, and yet my own personal data, financial livelihood, and protection of my identity are not a priority to retailers.
Hopefully, as more breaches of this magnitude occur, the right people will finally push to overhaul the process and fix it. Yes, changes will add ‘inconveniences’ for users who have to verify themselves, but if it stops a random thief from using any card that is not their own, don’t you think that’s worth the extra 30 seconds? If you don’t like it, go back to paying with cash then.
In the electronic world we live in, this is reality. Unfortunately, the systems and security advancements are not keeping up with the adoption and expansion of fast, easy use. Now 40 million cards’ critical information is floating out there somewhere, on the black market to the highest bidder, to be used for millions of dollars of fraud and theft. Why? Because all you need is the number and a smile; the undertrained, undisciplined companies will do the rest. It’s your card, your money, your responsibility to watch it. Don’t rely on or assume that everyone who takes your credit card numbers is protecting them the same way.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.