Target is now saying, reports the New York Times, that "a range of 70 million to 110 million people," not the original 40 million customers, had their credit or debit card numbers hacked in December (or possibly at other times). Even worse, Target is admitting that the database stolen from the big-box retailer included a lot more than credit or debit card numbers and their associated security codes and expiration dates.
Today, Target admitted that the stolen data also included email addresses and phone numbers, which leaves consumers vulnerable to phishing attacks that could lead to identity theft, as if the previous threat of fraud on existing accounts wasn't bad enough. You might say: "But I never gave Target that information." Answer: "They could easily buy databases to add that information to your file."
(Target had previously admitted, although not at first, that the hack also collected PINs (passwords) which would allow direct access to your bank account, for example through a cloned debit card used at an ATM. But Target has insisted that the PIN numbers/passwords, at least, were encrypted and cannot be hacked. But phishing attacks could help thieves obtain the PIN/password.)
When bad guys obtain credit card or debit card numbers, they can commit fraud on existing accounts. That's not so bad, if your card was a credit card. Your credit card rights by law are very strong (against not only fraud but also in the case of disputes over billing errors or over products or services that do not arrive or don't work well). If your card was a debit card, your rights by law are not as strong at all. Debit cards do provide decent anti-fraud rights by contractual promise ("zero-liability"), but by law you need to be vigilant and report claims promptly or you could lose a lot of money. But even if your fraud claims are eventually covered, remember that while you are disputing fraudulent charges (investigations can legally take 2 weeks or more), money is missing from your checking account and you could face additional cash flow problems and bounced checks. So, we advise consumers who can avoid the hazards of credit card debt to always use credit cards, not debit cards, at point-of-sale (retail) or online.
When bad guys obtain emails and phone numbers, they make phishing attacks to obtain more information: Target has just admitted that the hackers also obtained email addresses and phone numbers. While this information is not enough to commit identity theft, it is enough information to conduct "phishing attacks" designed to collect additional information, including encrypted passwords, from consumers. The additional information the bad guys seek, then, would either allow them direct access to your account (through the PIN) or to open new accounts in your name by committing identity theft. They use what they know to convince you to tell them what they don't know. They want your PIN, or your birthdate and Social Security Number. They hope to trick you into giving it up.
They do this through either dangerous links or various "social engineering" techniques. A phishing email will appear to be from your bank. But if you click on any links, either a virus explodes on your computer to collect any personal information stored on it, or you are redirected to a site that will allow them to obtain the information they need.
As the New York Times further explains:
"Security experts say that clever hackers could potentially parse together customers’ stolen information for identity theft or for use in a so-called spearphishing attack, in which hackers send a highly tailored emails to victims asking them to click on a link or download an attachment that, once opened, gives hackers a foothold into their computers and employers’ networks."
The lower-tech version of spearphishing -- plain old phishing -- goes like this: the thief will use the limited information he has about you to convince you he is legitimate, so you will give him the additional information he wants.
For example, in a phone or text message attack: "Please don't worry, I am from the bank. Here is some information (the account number and even the security code) about you to prove I am legitimate, but I need you to provide some information to convince me I am actually talking with Ed Mierzwinski, accountholder. Please tell me the PIN that goes with this card and/or the Social Security Number you used to open this account."
This doesn't work very often, but it works enough to keep the bad guys in business.
Some tips for all consumers, whether you shopped at Target or not:
(1) Don’t panic. Do check your credit card and bank account statements regularly for fraudulent transactions and report them immediately to your account provider. The most likely use of the card numbers will be to attempt fraud on your existing accounts. You have strong anti-fraud protections by law with a credit card. If you are vigilant, you can also protect your debit card.
(2) Now that we know emails and phone numbers were also taken in the Target exploit, be aware of “phishing” emails or phone calls, especially calls or emails purporting to be from the bank’s fraud department. Banks will never reach out to you this way. But when a bad guy has some of the information needed to commit identity theft, he will call or email to try to get the additional information he needs to either open new accounts (your Social Security Number and perhaps also birth date) in your name or to access your account directly (your PIN).
- Never click on any links in emails or open any attachments, even if the email appears to be from your bank. Never give any information to anyone who calls you, even if the caller says something like: “I am going to tell you your account number to verify that this is a legitimate call (but you need to give me some sort of additional information to confirm you are you).”
- If you are concerned you may be a victim of fraud due to a call or email, don’t reply directly. Instead, look at the back of your actual card and call that toll-free number instead and ask for the fraud department.
(3) Don’t pay for expensive credit monitoring services. You have the right under federal law to look at each of your three credit reports (Equifax, Experian and TransUnion) once a year for free at the federally-mandated central site annualcreditreport.com. Don't like websites? You can also access your federal free report rights by phone or email. You can stagger these requests – one every four months -- for a type of do-it-yourself no-cost monitoring. And, if you suspect you are a victim of identity theft, you can call each bureau directly for an additional free credit report.
(4) In the future, if you can avoid running up credit card debt, always use credit cards, not debit cards, in stores or online. Your credit card rights are stronger by law, and you don’t run the risk of missing funds from your checking account for up to two weeks or more while the bank conducts an allowable fraud reinvestigation of debit card fraud.
Our general identity theft tips are here. http://uspirgedfund.org/issues/usf/protecting-yourself-identity-theft
Let us know what else we can do to help. We'll also be watchdogging the regulators to make sure that they hold both Target, and the card networks, accountable for their sloppy practices.
Arizona PIRG’s Consumer Program Director Ed Mierzwinski co-authored this post