This was a really rotten week for Target executives. The public discovered that during the holiday season, somebody stole 40 million credit-card records (name, card number, expiration date), plus 70 million name-and-address records.
Around the same time, someone stole credit-card records from Neiman Marcus, too.
We don’t know who. We don’t know how many. We don’t know why. We’re not even clear on how.
We do know a surprising amount about these well-publicized credit-card thefts, though, and you deserve to know the background. Here you go: Pogue’s Primer on the new world of stolen credit-card records.
Q: How worried should I be?
A: If your card number was among the stolen, you won’t be hurt financially. The credit-card companies guarantee that; they won’t charge you for anything bought using your stolen card number. (“Consumers are protected by Visa’s zero-liability policy for credit and debit accounts,” Visa’s security rep told me. “These policies exceed federal protections.”)
That’s why the credit-card companies are much more stressed about card-number theft than you are. It’s a minor headache for you; it’s a money-drain situation for them.
Some companies, including Chase, have automatically sent new credit cards to cardholders who shopped at Target during the critical period (Nov. 27 to Dec. 15).
Q: How did the hackers do it?
A: When you hear the word “hacker,” you probably think of a villain in front of a screen somewhere, issuing commands from across the Internet. But unlike most credit-card thefts, this wasn’t an online hack.
Instead, Target’s attack happened in the stores. Somebody (possibly an insider) managed to install snooping software at the electronic cash registers, where you swipe your card; that software collected card information from millions of shoppers.
(By the way: “Theft” is a slightly misleading term for this, because the card numbers aren’t actually taken; they’re copied. But there’s no other good term.)
Q: Why did they do it?
A: Sometimes, people break into corporate systems just to show that they can, or to strike back at The Man (in the case of “hacktivists”). The stereotype seems to be bored Eastern European teenagers.
But there is a thriving secret economy that traffics in stolen credit-card numbers, and these lists are bought and sold on private Web forums. The value of the numbers has to do with how complete they are and how “fresh” they are; the bad guys, of course, want to use the cards before the credit-card companies get around to canceling them.
(Wired published a fascinating transcript of such a sale taking place online.)
Q: How can I find out if my card was swiped?
A: Believe it or not, no law says a company has to disclose when it’s been hacked. Well, no national law — only a patchwork of a few state laws.
You wouldn’t even have heard of the Target hack if it weren’t for questioning from security blogger Brian Krebs, to whom we should be thankful.
If you have an email address on file with Target, the company will email you to let you know that your card was among the swiped. Target is also offering a free year of credit monitoring to everyone who shopped there during the affected time (between Nov. 27 and Dec. 15).
By the way: Even if you did shop at Target during that time, your card wasn’t necessarily stolen. Target has provided lots of good information here.
Q: Is there anything we can do?
A: Short of moving to a cash-only lifestyle or becoming Amish, there’s nothing you can do to prevent in-store checkout-line hacks like the one at Target.
Visa recommends that you look over your credit-card statements carefully and be especially vigilant for phishing attempts. (That’s when you get an email from your bank, or eBay, or PayPal, or some store, asserting that something’s wrong with your account and offering a link to sign in and clear up the problem. Except that it’s a fake site designed to harvest your name and password when you “sign in.”)
If you’re especially worried, you can, with great difficulty, reduce your vulnerability to online hacks. For example, you can use a disposable (virtual) credit-card number (some banks or credit-card companies offer them) each time you buy something online; once used, that number will never work again. But that’s a lot of hassle; the actual number of people whose credit cards are swiped online is infinitesimal compared to the number of transactions. And, once again, you won’t be held liable for purchases if someone does steal your number.
What America’s businesses should do, frankly, is adopt EMV — the credit-card system developed by Europay, MasterCard and Visa and used everywhere in Europe. These cards have chips embedded in them that make fraud far more difficult.
In Europe and Asia, where EMV is the standard already, many card readers don’t even accept magnetic-stripe credit cards anymore. Switching to a new system is a slow, expensive process, but it’s under way.
Q: How can you be so calm? Isn’t this a national nightmare?
A: It’s time to face facts: We live in a new era. Yes, the Target incident inspired headlines, but massive credit-card thefts take place all the time. Three other store chains, not yet identified, were also hit this season. And Target’s 40 million stolen numbers is nothing compared with the 90 million card numbers stolen from T.J. Maxx, the 100 million stolen from Sony, or the 160 million stolen from JCPenney, 7-Eleven and others.
By the way: Full-blown identity theft, where someone gets your contact information and Social Security number, can be much more than a headache. It can take years to sort out. Fortunately, credit-card-number theft isn’t the same thing — and this case isn’t anywhere near as dire.
Our lives are increasingly digital, and our data are increasingly shared and interconnected. Every time the digital world offers something we like — speed, convenience or economy, for example — we make ourselves more vulnerable to things we don’t like: data sharing, privacy intrusions and credit-card thefts.
As the Stephen Sondheim lyric goes, “Good things get better, bad get worse. Wait — I think I meant that in reverse.”
Yahoo Tech is a brand new tech site from David Pogue and an all-star team of writers.