BreachExchange mailing list archives

How consumers can prepare for future cyberattacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 20 Jan 2014 18:09:33 -0700

http://www.post-gazette.com/business/2014/01/19/OFFTARGET/stories/201104130175

Just as the shock of the massive data breach at Target over the holidays
has begun to wane, cybersecurity and other experts are warning consumers to
brace for similar attacks in the coming year.

The breach at the mass merchant that compromised card accounts and personal
contact information for tens of millions of shoppers nationwide "kind of
takes your breath away," said Bill Hardekopf, CEO of the credit card
marketplace Lowcards.com.

"I think we are going to see more of this," he said. "This is what our
culture is in for."

High-risk times for more strikes will be the next big shopping cycles that
give hackers the potential for the biggest payoff, such as around
Valentine's Day, Mother's Day, the back-to-school time frame and next
Christmas, said Charles Wood, corporate security specialist and assistant
professor of information systems management at Duquesne University.

PROTECTING YOURSELF

Short of people chopping up their cards and filling their pockets with
cash, consumers can take steps to minimize their exposure to future data
heists, experts said.

First, shoppers should consider the additional risk that comes with using a
debit card vs. a credit card.

Thieves who get a hold of debit card data gain access to a person's bank
account. And depending on the card issuer's policy, any money that comes
out of the account may not be refunded right away.

"If someone's account gets drained, it may be tough to pay the bills in the
next month," said Jody Farmer, vice president with the credit card
comparison site Creditcards.com. "The inconvenience is potentially massive."

Big banks may provide a provisional credit to compromised debit card
accounts within a day or so after a customer disputes a transaction. But
federal law generally allows up to 10 days for the financial institution to
investigate before making any refunds, said Gerri Detweiler, personal
finance expert with the educational site Credit.com.

"In the meantime, your rent might be due," she said.

"In general, the more I'm hearing about data breaches, the more leery I am
about using a debit card," she said. "I've seen people have $10,000 taken
out of their account."

In contrast, if fraudulent charges are rung up on a credit card, it's the
bank that's out of the money.

Despite the downside of debit cards, many people prefer them over credit,
often as a way to help control spending because they can't run up big bills
the way they can with credit cards.

For people who can't give up their debit cards, Ms. Detweiler recommends
setting up two accounts, one for spending money "and the other to put your
paycheck into so you aren't exposing all of your money to scamsters."

It's also important to check debit and credit card accounts frequently
online for suspicious transactions and report them promptly to minimize any
damage.

Pay attention to small transactions, not just the big ones, Mr. Hardekopf
said.

"A lot of times thieves put through small amounts first to see if the
account is still active," he said.

After notifying a financial institution about suspected fraud, it's also a
good idea to follow up with a written complaint, Ms. Detweiler said.

CHECK YOUR CREDIT REPORT

Experts also recommend that consumers regularly check their credit reports
for errors or unfamiliar accounts to help detect identity theft, the type
of fraud where a thief may open new credit card accounts, take out loans or
commit other crimes under someone else's name. For the victim, sorting out
the mess can be a nightmare.

Federal law entitles consumers to free copies of their credit reports once
every 12 months from each of the three main credit bureaus, available at
www.annualcreditreport.com or by calling toll free 1-877-322-8228.

One strategy is to order a free report from one of the three main bureaus
every four months, said Heather Murray, manager of education with the
nonprofit Advantage Credit Counseling Service in Pittsburgh.

"By doing that ... you can catch identity theft sooner," she said.

Consumers should look for things like credit cards that they didn't apply
for or bogus loans in their name.

The Federal Trade Commission's website, www.ftc.gov, is a good source of
information on ID theft, Ms. Murray said.

TARGET FALLOUT

In the Target data breach revealed Dec. 19, which ranks as one of the worst
ever, hackers stole credit and debit card numbers, expiration dates and CVV
codes, which are the three- or four-digit numbers on the back or front of
cards used for additional verification.

The thieves also captured names, addresses, email addresses and phone
numbers, which could raise the chances of ID theft. The theft of the
personal contact information was disclosed more recently, on Jan. 10.

Many banks and other card issuers have contacted customers who shopped at
Target during the Nov. 27 to Dec. 15 time frame to cancel and replace their
existing cards. Shoppers who haven't been contacted should call their card
issuer and insist on a new card, especially if they used a debit card,
experts said.

"If I had shopped at Target with my debit card during that time, I would do
that," Mr. Farmer said.

At the minimum, shoppers should be closely monitoring their accounts for
fraudulent transactions, experts agreed.

Ms. Detweiler, who's been on radio shows taking questions from anxious
Target shoppers, said some callers who used a debit card during the
affected period mistakenly believed that if they had signed for the
transaction instead of entering a personal identification code, their
accounts were more secure.

"That's not true," she said. "It just means the transaction was processed
differently."

Pennsylvania Attorney General Kathleen Kane last week warned consumers to
be on alert for "phishing" attacks linked to the Target breach in which
thieves try to trick people into divulging personal information -- such as
passwords, account numbers and Social Security numbers -- by sending emails
that look like they're coming from Target.

"A number of scammers have taken advantage of Target customers' misfortune
and have set up websites and are sending emails with Target's logos in an
attempt to further victimize consumers," Ms. Kane wrote in a news release.

Target last week sought to limit any damage and the assault on its image by
offering free credit monitoring and identity theft protection for one year
to all Target shoppers.

To sign up, customers have until April 23 to go to a special website,
creditmonitoring.target.com, and register for an activation code.

While it's OK to take advantage of the offer, experts said, people should
make sure they understand all the terms of the programs so they don't end
up paying for coverage they don't want after the free service period ends.

The Washington, D.C.-based Consumer Federation of America said the offer
was not enough.

"The identity theft service that Target is paying for only monitors one of
the three major credit bureaus and while it may alert consumers to new
accounts opened in their names, it won't notify them about takeovers of
their existing accounts or other types of identity theft, such as using
their personal information to falsely obtain employment or tax refunds,"
the CFA's Susan Grant said.

"Consumers should also understand that the fraud assistance and insurance
that will be provided are somewhat limited and that no ID theft protection
service can prevent their information from being sold or used."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/