Have you used a credit or debit card in a store in the last three months? If you’re like me, you have, possibly numerous times. If so, you should check all of your credit and debit card accounts today to make sure there have been no fraudulent charges.
Why? Because we are now hearing that Target is not the only retail chain to become a victim of cyber criminals stealing credit/debit card data and other personal info besides. Several more retailers are likely to be named in the near future.
So, as the Big Retail Rip-off continues to unfold, and we learn that the address information for some shoppers has also been stolen, we are beefing up our top tips on how to defend your accounts and your identity. Please share these with friends and family. (If you are wondering how this data was stolen, including the role of Point of Sale malware, check the notes at the end of the article.)
If you used your credit or debit card at any retailer in November and December of last year, you need to check your accounts right away. Check your statements for fraudulent transactions. Criminals are likely to hang on to data and use it after attention has died off, so this is something you should continue to do for the foreseeable future.
If you would rather not take the time to continually monitor your card, you may wish to ask for a replacement card instead. Remember, if you have any auto-pay accounts that reference this account number, you will need to update that information when the replacement card is activated. The Federal Trade Commission offers a lot of advice on dealing with lost or stolen cards.
If the card that was used was a debit card, you should change your PIN. Criminals are actively working to crack the encryption used to protect this information, and many people use weak PINs that are easy to guess. You might want to listen to what my colleague Aryeh Goretsky has to say about choosing a good PIN: Listen to PIN podcast now.
It is now clear that the thieves have enough information on some shoppers to carry out identity theft, which can be much worse than dealing with fraudulent charges on a card. You should regularly monitor your credit report so that you can spot and then report any fraudulent account activity, like new accounts in your name that you did not authorize. Target has provided detailed contact information for the three credit-reporting agencies, and provided a year of free credit reporting for those who have been affected. You may also want to look into setting up a fraud alert or a credit freeze if you want additional protection against fraudsters trying to get credit in your name. Be aware that these steps will also mean you have to go through additional verification if you wish to get credit, for the duration of the alert or freeze.
There is no indication yet that online stores were impacted by this latest round of cyber crimes, but the forensic investigation of these incidents is not complete. As a precaution, it is a good idea to change your passwords, making sure they are hard-to-guess and unique to each account.
Criminals may now have access to more information about customers than just card data. So they are now more likely to use this data to send scam or phishing emails. Be sure not to click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. Instead, you should type the expected URLs into your browser directly to contact companies.
The data you need to steal to create fake credit and debit cards does not include Social Security or Tax ID numbers. But if those numbers are stolen, they can be used for tax identity theft, which is a huge problem in America right now. How big of a problem? The FTC has declared this week Tax Identity Theft Awareness Week and has put out a lot of information about preventing and correcting damage from this crime. Check out the informational events both online and in locations around the US.
We don’t know yet how the Target and Neiman Marcus breaches were committed, but a lot of people are asking, quite reasonably, how thieves could get at card data that is supposed to be encrypted. There are several possible answers, one of which is that the encryption may not have been implemented correctly. Another is that the data is not encrypted throughout the transaction process. It is temporarily decrypted in random access memory (RAM) by point-of-sale (POS) machines so that it can be read and processed. Thieves may have stolen the data from RAM, using a technique called RAM scraping, which has already been used in some malware.
The basic technique was demonstrated years ago by Mark Goudie, managing principal of Verizon Business Investigative Response. Concerns have been raised about RAM scraping in POS devices for several years. Malware using RAM scraping was the subject of a recent CERT advisory. ESET products block several strains of POS malware.
Author Lysa Myers, ESET