What Can Consumers Do in the Wake of Target’s Credit-Card Thefts? Not a Whole Lot
This was a really rotten week for Target executives. The public discovered that during the holiday season, somebody stole 40 million credit-card records (name, card number, expiration date), plus 70 million name-and-address records.
Around the same time, someone stole credit-card records from Neiman Marcus, too.
We don’t know who. We don’t know how many. We don’t know why. We’re not even clear on how.
We do know a surprising amount about these well-publicized credit-card thefts, though, and you deserve to know the background. Here you go: Pogue’s Primer on the new world of stolen credit-card records.
Q: How worried should I be?
A: If your card number was among the stolen, you won’t be hurt financially. The credit-card companies guarantee that; they won’t charge you for anything bought using your stolen card number. (“Consumers are protected by Visa’s zero-liability policy for credit and debit accounts,” Visa’s security rep told me. “These policies exceed federal protections.”)
That’s why the credit-card companies are much more stressed about card-number theft than you are. It’s a minor headache for you; it’s a money-drain situation for them.
Some companies, including Chase, have automatically sent new credit cards to cardholders who shopped at Target during the critical period (Nov. 27 to Dec. 15).
Q: How did the hackers do it?
A: When you hear the word “hacker,” you probably think of a villain in front of a screen somewhere, issuing commands from across the Internet. But unlike most credit-card thefts, this wasn’t an online hack.
Instead, Target’s attack happened in the stores. Somebody (possibly an insider) managed to install snooping software at the electronic cash registers, where you swipe your card, and that software collected card information from millions of shoppers.
(By the way: “Theft” is a slightly misleading term for this, because the card numbers aren’t actually taken; they’re copied. But there’s no other good term.)
Q: Why did they do it?
A: Sometimes, people break into corporate systems just to show that they can, or to strike back at The Man (in the case of “hacktivists”). The stereotype seems to be bored Eastern European teenagers.
But there is a thriving secret economy that traffics in stolen credit-card numbers, and these lists are bought and sold on private Web forums. The value of the numbers has to do with how complete they are and how “fresh” they are; the bad guys, of course, want to use the cards before the credit-card companies get around to canceling them.
(Wired published a fascinating transcript of such a sale taking place online.)
Q: How can I find out if my card was swiped?
A: Believe it or not, no law says a company has to disclose when it’s been hacked. Well, no national law — only a patchwork of a few state laws.
You wouldn’t even have heard of the Target hack if it weren’t for questioning from security blogger Brian Krebs, to whom we should be thankful.
If you have an email address on file with Target, the company will email you to let you know that your card was among the swiped. Target is also offering a free year of credit monitoring to everyone who shopped there during the affected time (between Nov. 27 and Dec. 15).
By the way: Even if you did shop at Target during that time, your card wasn’t necessarily stolen. Target has provided lots of good information here.
Q: Is there anything we can do?
A: Short of moving to a cash-only lifestyle or becoming Amish, there’s nothing you can do to prevent in-store checkout-line hacks like the one at Target.
Visa recommends that you look over your credit-card statements carefully and be especially vigilant for phishing attempts. (That’s when you get an email from your bank, or eBay, or PayPal, or some store, asserting that something’s wrong with your account and offering a link to sign in and clear up the problem. Except that it’s a fake site designed to harvest your name and password when you “sign in.”)
If you’re especially worried, you can, with great difficulty, reduce your vulnerability to online hacks. For example, you can use a disposable (virtual) credit-card number (some banks or credit-card companies offer them) each time you buy something online; once used, that number will never work again. But that’s a lot of hassle; the actual number of people whose credit cards are swiped online is infinitesimal compared to the number of transactions. And, once again, you won’t be held liable for purchases if someone does steal your number.