Archive for December, 2013

More on the Target breach …

Posted: December 29, 2013 by IntentionalPrivacy in Security Breach

According to the NY Times, Target is partnering with a Verizon forensic team to investigate the breach, as well as the Secret Service and the Justice Department.

If you would like to learn more about PIN analysis, read this article: http://www.datagenetics.com/blog/september32012/. Nick Berry, the president of DataGenetics, also gave a TED talk on July 23, 2013, about how to use passwords and be safer on the Internet.

I shop at Target about once a week. Last Saturday, I was dismayed to discover that an estimated 40 million debit and credit cards used at Target had been stolen. This isn’t the first time my card number has been stolen, and it probably won’t be the last, unfortunately.

Many of those cards will be duplicate numbers, so the total number of cards stolen will probably be fewer than 40 million. Still, it is a very large breach, the second largest to date. The biggest US breach so far, 90 million credit/debit account numbers, occurred at TJX over a period of 18 months and was discovered on December 18, 2006 (TJX data theft).

First, let’s look at what happened:

  • On December 15, 2013, malware was discovered on Target’s point-of-sale systems at US stores. Target eliminated the malware and notified card processors and payment card networks.
  • According to some sources (a Reuters story posted on Yahoo!), Target did not find the breach; it was discovered by a security researcher. That is worrisome.
  • According to Target, the issue only affected US stores; purchases made online at Target.com or in Canada were not part of the breach.
  • In their statement, Target explains that the breach occurred between 11/27/2013 and 12/15/2013.
  • PIN data was stolen (Reuters – Target says PINs stolen, but confident data secure), but not the key, which, according to Target’s statement, resides at the external card processing center. Target is not giving out the name of its processing center. The PIN data is encrypted with Triple DES; to decrypt it, the thieves need the key.
  • There are two types of security codes used with credit/debit cards, and each card issuer calls them by different names.
    • The first code is embedded in the magnetic stripe of the card and is used when you present the card to a merchant; it’s often called the CVV code. This one was included in the stolen data.
    • The second number, often called the CVV2 code, is not included in the magnetic stripe data and therefore was not stolen. This is the number used when you make card-not-present transactions, such as online or over the phone. American Express prints the four-digit number they use on the front side of the card, while most other issuers use a three-digit code printed on the back of the card next to the signature area.
  • The US Secret Service is investigating, as well as an unnamed outside investigator.
  • Stay tuned for more details. I don’t think investigators have a good handle on this theft yet, so the details are likely to change.
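The Triple DES point above, as an added example that is not from the original post: it builds an ISO 9564 format-0 PIN field (the XOR with a PAN-derived field that completes format 0 is left out for brevity), encrypts it under a constructed 24-byte 3DES key standing in for the key held at the card processor, and shows that decrypting with any other key yields a block that fails the format check. The PIN-block format, the keys and the PIN are assumptions; the post does not say which format Target’s terminals used.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// PINField: ISO 9564 format-0 PIN field, 8 bytes: control nibble 0, PIN length nibble, digits, 'F' padding.
func PINField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, fmt.Errorf("PIN must be 4-12 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
}

// EncryptPINBlock: single-block 3DES (ECB) under a 24-byte key, as a PIN pad does before the block leaves it.
func EncryptPINBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// DecryptPIN recovers the PIN with the right key; with any other key the result
// fails the format check, so the ciphertext alone reveals nothing about the PIN.
func DecryptPIN(key, enc []byte) (string, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	blk := make([]byte, 8)
	c.Decrypt(blk, enc)
	s, n := strings.ToUpper(hex.EncodeToString(blk)), int(blk[0]&0x0F)
	if blk[0]>>4 != 0 || n < 4 || n > 12 || strings.Trim(s[2:2+n], "0123456789") != "" || strings.Trim(s[2+n:], "F") != "" {
		return "", fmt.Errorf("not a format-0 PIN field (wrong key?)")
	}
	return s[2 : 2+n], nil
}

func main() {
	block, _ := PINField("1234")                                         // constructed PIN
	enc, _ := EncryptPINBlock([]byte("0123456789ABCDEF01234567"), block) // constructed 24-byte key
	fmt.Printf("clear %X, encrypted %X\n", block, enc)
	fmt.Println(DecryptPIN([]byte("FEDCBA9876543210FEDCBA98"), enc)) // a different key: error, no PIN
}
```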

Note: PINs are not the safest way to protect your financial information; there are only 10,000 combinations (0000 to 9999). Cards in Europe carry an electronic chip; another method is a dynamic PIN delivered by text message or some other medium, such as an RSA token. The problem with dynamic PINs is that they’re slow and expensive.

According to Krebs on Security, stolen Target credit/debit card numbers are already being sold in underground black markets in batches of one million cards.

What to do?

  1. Monitor any account(s) used at Target at least daily for evidence of tampering.
  2. Check out the Target breach details.
  3. Get a copy of your credit report. You get 1 free credit report from each credit agency per year. https://www.annualcreditreport.com/index.action
  4. Target says they will pay for credit reporting; they will have more details later.
  5. Replace your card:
    • If you use a Target REDcard, contact Target for a replacement card.
    • Ask your bank or credit union to replace each card used at Target during the dates the breach occurred.
  6. If you choose not to replace your card, at least change your PIN.
  7. When you choose a PIN, do not use your birth date or consecutive digits, such as “1234.”
  8. Some cards allow you to add an alert when it’s used; check with your card issuer to find out if they have this feature. The Target REDcard does give you this ability.
  9. Do not respond to any scam emails, texts, or phone calls asking for your PIN or your social security number or your credit card number.
  10. Some people suggest buying a prepaid credit card or using cash instead of using credit/debit cards. I’ve never used one, so I don’t know anything about costs, but I’m going to look into it.

If you notice fraudulent activity in your account:

  1. Notify your card issuer immediately at the number on the back of your card and cancel your card. This greatly limits the portion of the fraudulent charges you’re responsible for.
  2. Put a block on your credit report at one of the three credit reporting agencies:
  3. Read the FTC’s tips for “Lost or Stolen Credit, ATM, and Debit Cards.”

Who pays the costs?

While it’s true that the banks and the merchant eat the losses initially, ultimately we all pay the price of such theft through higher costs.

Codes and Ciphers

Posted: December 23, 2013 by uszik11 in Uncategorized

Codes and ciphers are about more than sending secret messages, though there is that. When the first public key cryptosystems were being publicized in the 1970s, authentication was a suggested application. How do you validate a digital signature? If you have the answer to the public key question, then you must hold the authenticating string. Although the first Diffie-Hellman knapsack system was later exposed for weaknesses, the problem itself and the algorithms for instantiating it remain as possible platforms. Others have been invented since.

Whether or not you rely on cryptography, and independent of which (if any) system(s) you choose, codes and ciphers are in and of your daily world. They make credit card transactions and cellphone handshaking possible. They allow the efficient compression of messages. In fact, the common zip command on your computer is one way to encipher any message. It is easy to break, but the message is no longer in plaintext. Many other simple systems are available, no better or worse than the Yale or Schlage lock on your front door; they do stop all honest people and many who are not.

This week, news about more of Edward Snowden’s leaks revealed that RSA (now an EMC label) took $10 million from the NSA and installed weaknesses to allow backdoors to its encryption.

Of all the secret messages from World War II, many remain unbroken. The need is gone. A code or cipher only needs to be as good as it needs to be.  Of all the “unbreakable” codes, the one-time pad and the dictionary code remain easy and effective.

[Image: book cover of "The Code Book", gray and black; just words with random numbers, no pictures.]

All About Unbreakable Codes (1983)

In the University of Texas library stacks, looking for the early history of word processors, I was in the Zs and discovered that my book on codes and ciphers was actually checked out. It took three editions to get it right. The first 3000 years were easy enough to understand. I wrote programs in Basic that transposed and substituted right up through the Playfair and Vigenère ciphers. RSA was a tough nut to crack, and I finally just cut and pasted one of their own graphics and quoted their own abstract.

As the IBM-PC finally overtook the TRS-80, other amateur cryptographers published more complete books of programs for personal computers.  By 1993 or so, with Phil Zimmermann’s PGP becoming common in sig lines and footers, applied personal cryptography sped light years past high school algebra in Basic. PGP is now part of the Symantec suite.

– Michael E. Marotta (uszik11@gmail.com)