The credit and debit cards of 40 million shoppers may have been compromised in a widespread security breach at Target stores. The retail giant said customers who swiped their cards between Nov. 29 and Dec. 15 may have had data stolen, including names, card numbers, card expiration dates and three-digit security codes.
Despite the magnitude and sophistication of the breach, credit card users can empower themselves against attacks. Tim Erlin, director of IT security and risk strategy for the data security company Tripwire, shares some best practices for credit card users, including watching out for pin pads that don’t look quite right, being aware of purchases and checking one’s credit report.
Is there any way that people using credit cards at a store can protect themselves from data theft?
The best thing to combat a physical planted device is to be aware of the device used, like a skimmer, which has been used on ATMs in the past. You put your card in and it takes your information. You can learn to recognize that device and when things don’t look right. The attackers can get better at making it look real and behave correctly. But red flags include when the device looks like it has loose parts or moves around like something was added to it. There are cases of ATM skimmers where you can look for a pinhole camera, recording you as you push buttons on the pin pad. But generally speaking, these things are manufactured by the millions, so they should all look the same. If they look different, it’s always worth asking inside the store and pointing out that this device doesn’t look right.
What is the most common way that credit card data is stolen and how can credit card users protect themselves?
A physically planted device is not the most common way for credit card data to be stolen. There’s an increase in the use of skimmers for stealing data, but they’re usually not used in wide breaches, such as this Target incident. The most common way for credit card data to be stolen is for it to be copied from a vendor. When you swipe at the register, that data goes through multiple different parties before it gets processed. There’s the vendor who’s selling you the product (they may or may not see the data), one or more third-party vendors that support the processing, and the bank on the other end for funds. You as a consumer have little transparency in how that’s all processed. Anyone who handles that information can unintentionally keep it in an unsecure format, and as a consequence, it’s easier to steal. You only have visibility at the two ends, visible at the front end — when you swipe your card — and when money comes out of your account. The best thing to do is be aware. Pay attention to where you’ve been shopping. Fraud charges may not be big charges, but you’ll know you didn’t shop there. You’ll find fraud charges may be small, and may not always occur right when it was stolen. It may be copied but not used for six months. In this Target incident, we’ll see the repercussions of this for months if not years.
How can you know or find out if your credit card has been stolen?
Pay attention to charges that don’t make sense to you. Pay attention to your credit report, the accounts you opened and didn’t open. If your identity was compromised, it can result in someone opening a fraudulent new account in your name, spending it and throwing it away. The other thing you can do if you’re in a publicly disclosed breach is look for mail that tells you you’re involved in a breach, and an organization may or may not be required to notify you.
What should you do once you realize your credit card number has been stolen?
If you suspect your card has been compromised or stolen or used in a way, call your credit card company. They generally have a clear process for how they respond. They’ll replace the card, put a stop on the old card and detect fraudulent activities. It’s in their best interest to protect you and their brand.
What happens when you swipe your credit card? Is your information secure?
Not everyone is allowed to take credit cards for payment. They have to be an authorized vendor. Anyone that holds credit card data is subject to data security standards. For example, any information system that processes credit card data can’t have default passwords. If I have to log in and get into the information, the password and username need to be strong. It can’t be “password” or “1234”. And anytime you store credit card data, it needs to be encrypted so if they can get the data, they can’t see the data…. But it’s hard to enforce this standard — some haven’t implemented their information system on this standard or [they] make mistakes.
Where should you avoid using your credit card?
It’s a very reasonable question. In the absence of clear criteria, don’t use your credit card anytime you feel uncomfortable. I’d like to provide indication of time and place. But we have places like Target, a large organization where it should be safe to use your credit card. But it wasn’t.
What happens to your credit card data when it’s stolen?
Generally there are two things. They’re either trying to use it directly or sell it to someone else. When a large number of cards are compromised, the objective is to sell that information later. When someone steals it, they may be intending to use it when it’s a small theft. Credit card data isn’t just a number. There are different components. There’s a name, a billing address, there are other codes involved as well. That data can be used to open a new account or for identity theft. One of the primary goals of data security is to make sure you don’t store data together and important pieces of information are encrypted. There’s a lot done in the industry to prevent people from getting all of the data at once.
Are you liable for money that someone steals from your credit or debit card?
There are some cases. But they’ll vary based on credit card, bank and individual. As a consumer you should fight for not being liable if you feel like you’re a victim of fraud. You’re more likely to be liable if you don’t report fraud or don’t notify a company when you feel like you have been compromised. Laws vary state by state and country by country. It’s not a simple answer.