If you braved the crowds and went shopping at Target on Black Friday this year, or bought something from the retailer in the weeks since, you need to check your credit card statements. You may be among the 40 million customers affected by what may turn out to be the largest financial breach of 2013.
Unfortunately, beyond being careful and frequently checking your banking and credit card statements for suspicious transactions, there really is not much consumers can do. The vigilance needs to last beyond this month and January, though, as the impact of this theft will be felt for months, if not years, experts warned. There may also be phone and email-based scams on the way taking advantage of the breach.
Did You Get a Deal?
Shoppers who took advantage of Target's Black Friday specials and other holiday deals in the physical stores from Nov. 27 to Dec. 15 were affected. Thieves obtained customer names, credit or debit card numbers, card expiration dates, and the three-digit CVV security codes printed on the cards, according to the retailer. Customers who shopped at Target's online store don't appear to have been impacted by the breach.
Security writer Brian Krebs first reported the breach on Wednesday, and Target released a statement on Thursday confirming the theft. Target hasn't provided much information about the breach, beyond stating the problem has been fixed and it is still in the middle of its forensic investigation. Experts said these investigations can take months.
"We can't say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized," an anti-fraud analyst told Krebs.
Impact on Customers
Target is asking customers to check their card statements for fraudulent activity and to report all suspicious transactions. Remember, this breach impacts all credit and debit cards that may have been used at the physical stores during this time period, not just Target cards.
Beyond that, there is really not much customers can do about this breach beyond canceling the card and getting a new one, said Wolfgang Kandek, CTO of Qualys, who shopped at Target during the time period and is one of the millions affected. Instead of getting a replacement card, which would be "a hassle," Kandek is keeping an eye on all the transactions hitting his credit card by frequently logging into his credit card account online, he said.
Kandek, like many of the other customers, has to trust the fraud detection algorithms that the credit card companies use, and hope that the companies will honor their promise to reverse any unknown charges. "There is not much a customer can do in such a situation," Kandek said.
Customer Vigilance Needed
If the customers aren't going to cancel their cards, it's critical that they keep monitoring their accounts and keep a close eye on transactions. Thieves may sit on bank details for a while and wait for the customers to stop being so vigilant.
"Not finding any indications of third party activity doesn't necessarily mean you're in the clear," said Lee Weiner, senior vice-president of products and engineering at Rapid7.
The fraudulent transactions may also appear for months, if not years. The thieves may be planning to sell the details instead of using them directly, which means a lot of different buyers will be using these numbers at different times. Criminals can also use the information to create physical credit or debit card clones. These counterfeit cards can be used anywhere cards are accepted until the card's expiration date.
"The potential for widespread online ordering fraud which can be particularly nasty considering we're in the midst of the holiday season," said James Lyne, global head of security research at Sophos.
Just because your card was included in the breach doesn't necessarily mean criminals will exploit your information. The number has to be sold or actually used. In many cases, cyber-criminals look at how much the shoppers spent to know who has the most liquid assets, said Grayson Milbourne, security intelligence director at Webroot. This breach should be a "huge wake-up call for consumers to understand they need to take their personal security more seriously," he said.
Piggyback Attacks
Cyber-criminals frequently launch "piggyback" attacks after a breach to take advantage of people confused and worried about the security of their information. Attackers can impersonate the card issuing company over the phone or via email and claim there may be a problem because of the Target breach. These scammers can ask users for their banking information or online credentials. Users may be asked to visit a malicious link.
"If you receive any communication around the incident, treat it with caution," warned Weiner. Instead of sharing information on the phone or email, call the card issuing company directly using the number on the back of your card, or go directly to the bank's Website, Weiner recommends.
What's Next?
Monitoring all the financial transactions can be challenging, and you may not be sure if you are missing anything. Placing a freeze on your credit cards and using a monitoring service such as one provided by Lifelock can help keep track of your accounts.
Considering the increase in financial-based malware and attacks, Target's data breach is not isolated. You need to be vigilant and protect your financial details as best as you can.
On the other hand, if you find yourself dealing with a lot of fraudulent transactions appearing on your card because the criminals are using your data, it might be less of a hassle to just cancel that card and start over.