American consumers woke up to a post-shopping scare Thursday, as the US mass retailer Target reported the cybertheft of as many as 40 million credit and debit card numbers of its customers at the height of the Christmas shopping season, starting around Black Friday.
The Target heist is the second largest, after the TJ Maxx cybercrime that exposed at least 100 million cards in 2007, but it is shaping up to be the most audacious in the checkered history of card fraud, taking place during the top shopping weeks of the 2013 Christmas season. The theft ring apparently intercepted credit card information, including card expiration dates and the CVV security numbers on the back.
Credit card companies say they are on the case to ensure that customers don’t have their accounts breached. But security experts say consumers themselves need to check, immediately, any credit card accounts they've used at Target stores to see if the cards have been used by the Target fraudsters to make fraudulent purchases.
Given the dynamics of this case, the stolen data could be used to duplicate debit cards, for example, and to gain access to consumers' checking accounts. It also opens the door to identity theft.
“These are organized criminals that have got their sights set on getting hold of card data so they can take over accounts. So first you need to check and see if the Grinch has done that,” says Tom Field, a vice president at Information Security Media Group in Princeton, N.J.
“The first thing to do is check your accounts to make sure there’s nothing there you don’t recognize,” he says. “Quite often, fraudsters will do a test run on a card, a small transaction to make sure it works, and then do something bigger. So go in there and make sure you did buy that cup of coffee.”
Mastercard is reporting that it has spotted nine fraud alerts that appear to be connected to the Target theft. Other card issuers suggest that, so far, only a small number of cardholders have been targeted for fraud.
"Perhaps the fraudsters are selling this info by card type," one credit card executive tells Tracy Kitten of BankInfoSecurity.com. "I hear from contacts at a processor that activity indicates that they might be going BIN [bank identification number] by BIN. We haven't seen a spike in volume yet, but we are monitoring."
The Secret Service is investigating how on earth thieves took information across the big-box retailer’s 1,727 stores in the US between Nov. 27 and Dec. 15, and Target says it has “resolved” the issue so that no more data can be stolen.
"Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts," the company said in a statement. "Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."
But Target shoppers are still left with a sour question only a week from Christmas: Now what?
First, vigilant consumers shouldn't panic, says Mr. Field of Information Security Media Group.
“You’re not going to be held liable for fraud committed against you, and you will be reimbursed for anything you lose,” he says. “But that doesn’t mean you’re not going to lose the time it takes to undo the damage of account takeover.”
Debit card users should be especially vigilant, experts say. With the kind of information stolen, thieves can, for instance, create duplicate cards that could give them entrée directly into a consumer's checking account. Indeed, debit card users have the most risk of exposure in the case of a massive data breach, they say.
About 1 in 14 debit card users has had money stolen from an account in the past five years, reports Teresa Dixon Murray in the Cleveland Plain Dealer.
Debit card users also have fewer protections under federal law, she writes. For one thing, under the law, credit card users have a $50 liability limit if the fraud is reported within 60 days; debit card users have only two days to report the fraud, or their liability limit rises to $500.
The vast majority of identity theft does involve credit card accounts or bank accounts. In 2012, 14 percent of victims of identity theft saw monetary losses, according to the US Bureau of Justice Statistics.
Most of those people resolved their situations within one day, though some who had fraudulent usage of their accounts spent a month or so trying to resolve the problems, the Bureau of Justice Statistics reports.
The Target breach, information security experts say, is just one example, though the largest, of the kinds of sophisticated attacks on retailers that have been under way all year by international organized crime syndicates.
“This is the most public example we’ve seen of what’s been happening all year,” Field says. “Hackers have been getting access to payment card data either at the point of sale, where they’ve got something on the card reader … or intercepting data somewhere between the merchant and the card processor, or they’re breaching the card processor.
"But, honestly, that doesn’t matter," he adds. "What matters is this is happening with alarming frequency. Consumers should pay attention. It’s happening all around them.”