BreachExchange mailing list archives
How consumers can prepare for future cyberattacks
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 20 Jan 2014 18:09:33 -0700
http://www.post-gazette.com/business/2014/01/19/OFFTARGET/stories/201104130175

Just as the shock of the massive data breach at Target over the holidays has begun to wane, cybersecurity and other experts are warning consumers to brace for similar attacks in the coming year.

The breach at the mass merchant that compromised card accounts and personal contact information for tens of millions of shoppers nationwide "kind of takes your breath away," said Bill Hardekopf, CEO of the credit card marketplace Lowcards.com.

"I think we are going to see more of this," he said. "This is what our culture is in for."

High-risk times for more strikes will be the next big shopping cycles that give hackers the potential for the biggest payoff, such as around Valentine's Day, Mother's Day, the back-to-school time frame and next Christmas, said Charles Wood, corporate security specialist and assistant professor of information systems management at Duquesne University.

PROTECTING YOURSELF

Short of people chopping up their cards and filling their pockets with cash, consumers can take steps to minimize their exposure to future data heists, experts said.

First, shoppers should consider the additional risk that comes with using a debit card vs. a credit card.

Thieves who get a hold of debit card data gain access to a person's bank account. And depending on the card issuer's policy, any money that comes out of the account may not be refunded right away.

"If someone's account gets drained, it may be tough to pay the bills in the next month," said Jody Farmer, vice president with the credit card comparison site Creditcards.com. "The inconvenience is potentially massive."

Big banks may provide a provisional credit to compromised debit card accounts within a day or so after a customer disputes a transaction. But federal law generally allows up to 10 days for the financial institution to investigate before making any refunds, said Gerri Detweiler, personal finance expert with the educational site Credit.com.

"In the meantime, your rent might be due," she said.

"In general, the more I'm hearing about data breaches, the more leery I am about using a debit card," she said. "I've seen people have $10,000 taken out of their account."

In contrast, if fraudulent charges are rung up on a credit card, it's the bank that's out of the money.

Despite the downside of debit cards, many people prefer them over credit, often as a way to help control spending because they can't run up big bills the way they can with credit cards.

For people who can't give up their debit cards, Ms. Detweiler recommends setting up two accounts, one for spending money "and the other to put your paycheck into so you aren't exposing all of your money to scamsters."

It's also important to check debit and credit card accounts frequently online for suspicious transactions and report them promptly to minimize any damage.

Pay attention to small transactions, not just the big ones, Mr. Hardekopf said.

"A lot of times thieves put through small amounts first to see if the account is still active," he said.

After notifying a financial institution about suspected fraud, it's also a good idea to follow up with a written complaint, Ms. Detweiler said.

CHECK YOUR CREDIT REPORT

Experts also recommend that consumers regularly check their credit reports for errors or unfamiliar accounts to help detect identity theft, the type of fraud where a thief may open new credit card accounts, take out loans or commit other crimes under someone else's name. For the victim, sorting out the mess can be a nightmare.

Federal law entitles consumers to free copies of their credit reports once every 12 months from each of the three main credit bureaus, available at www.annualcreditreport.com or by calling toll free 1-877-322-8228.

One strategy is to order a free report from one of the three main bureaus every four months, said Heather Murray, manager of education with the nonprofit Advantage Credit Counseling Service in Pittsburgh.

"By doing that ... you can catch identity theft sooner," she said.

Consumers should look for things like credit cards that they didn't apply for or bogus loans in their name.

The Federal Trade Commission's website, www.ftc.gov, is a good source of information on ID theft, Ms. Murray said.

TARGET FALLOUT

In the Target data breach revealed Dec. 19, which ranks as one of the worst ever, hackers stole credit and debit card numbers, expiration dates and CVV codes, which are the three- or four-digit numbers on the back or front of cards used for additional verification.

The thieves also captured names, addresses, email addresses and phone numbers, which could raise the chances of ID theft. The theft of the personal contact information was disclosed more recently, on Jan. 10.

Many banks and other card issuers have contacted customers who shopped at Target during the Nov. 27 to Dec. 15 time frame to cancel and replace their existing cards.

Shoppers who haven't been contacted should call their card issuer and insist on a new card, especially if they used a debit card, experts said.

"If I had shopped at Target with my debit card during that time, I would do that," Mr. Farmer said.

At the minimum, shoppers should be closely monitoring their accounts for fraudulent transactions, experts agreed.

Ms. Detweiler, who's been on radio shows taking questions from anxious Target shoppers, said some callers who used a debit card during the affected period mistakenly believed that if they had signed for the transaction instead of entering a personal identification code, their accounts were more secure.

"That's not true," she said. "It just means the transaction was processed differently."

Pennsylvania Attorney General Kathleen Kane last week warned consumers to be on alert for "phishing" attacks linked to the Target breach in which thieves try to trick people into divulging personal information -- such as passwords, account numbers and Social Security numbers -- by sending emails that look like they're coming from Target.

"A number of scammers have taken advantage of Target customers' misfortune and have set up websites and are sending emails with Target's logos in an attempt to further victimize consumers," Ms. Kane wrote in a news release.

Target last week sought to limit any damage and the assault on its image by offering free credit monitoring and identity theft protection for one year to all Target shoppers. To sign up, customers have until April 23 to go to a special website, creditmonitoring.target.com, and register for an activation code.

While it's OK to take advantage of the offer, experts said, people should make sure they understand all the terms of the programs so they don't end up paying for coverage they don't want after the free service period ends.

The Washington, D.C.-based Consumer Federation of America said the offer was not enough.

"The identity theft service that Target is paying for only monitors one of the three major credit bureaus and while it may alert consumers to new accounts opened in their names, it won't notify them about takeovers of their existing accounts or other types of identity theft, such as using their personal information to falsely obtain employment or tax refunds," the CFA's Susan Grant said.

"Consumers should also understand that the fraud assistance and insurance that will be provided are somewhat limited and that no ID theft protection service can prevent their information from being sold or used."