Not so fast, everyone: Boiling water doesn’t help a woman giving birth, and putting a credit freeze on your credit report won’t stop a hacker from buying things with a credit card stolen from Target.
Here’s an update on what we know, what you should do, and some ideas about what Target’s turn in the hacker cross-hairs might mean going forward.
First off, Target has uphelpfully sent an e-mail with instructions on how to freeze credit files to millions of people. Credit freezes are a good idea in general, but they come with costs: depending where you live, they can cost $25-$50 annually. They also can be a hassle.
But most important at the moment: they won’t help with this Target situation. At all. Credit freezes prevent potential lenders from accessing your credit report, which pretty effectively stops them from granting new credit in your name. That is, freezes stop bad guys from opening up new accounts. They DO NOT STOP FRAUD ON EXISTING ACCOUNTS. Target is giving consumers something to do as busywork to take their mind off the frustration of having their personal information stolen.
(UPDATE: Target announced late Friday that it planned to give consumers access to free credit monitoring and a 10 percent discount at stores this weekend. Nice gestures. I do wonder how they plan to get in touch with all 40 million customers…through issuing banks? What service will they get? Will it be free of the kind of sneaky upsells we’ve seen in the past? “Give us a credit card, and you’ll get 90 days for free…” We’ll see).
Yes, a bad guy could take your stolen credit card information and pair it with other information and try to open up new accounts in your name. But frankly, I wouldn’t say the risk of that is much higher than it was before Target’s credit card data was stolen. And it seems clear in this case the principal motive behind stealing the data was to use it as stolen credit card data. As I said yesterday, don’t overreact.
Here’s what you need to do. This is ALL you need to do.
1) For the next few days, figure out which card(s) you used at Target and check your online credit card statement every day. For the next few months, check every few days. If you spot fraud, contact your bank, make sure the charges are forgiven and cancel your card. Carefully port all your automatic transactions over to the new card so you don’t accidentally fail to pay a bill and face a late fee. I still think that’s the biggest risk for most victims here.
2) It’s quite possible your bank might pre-emptively issue you a new card. If so, great! Carefully watch your mail during the next few weeks and make sure you spot the envelope so it’s not stolen, and carefully port over your automatic transactions to the new accounts.
If you want a freeze for your own piece of mind, and that’s a conscious decision you are making to deal with life in the age of ID theft, great. But don’t get a freeze just because a hacker took your credit card from Target.
What’s the real risk? That’s the real question for most people: Having your account number compromised doesn’t mean it’s being actively used for fraud, though obviously one leads to the other. The journalist who broke the story, Brian Krebs, is as usual one step ahead of everyone else. He says security experts at banks are already seeing blocks of their credit card accounts being sold in online forums for crooks, going for $25-$50 each. That’s bad, but not unexpected. Right now, the criminals are in a race with the banks. They will try to turn the stolen accounts into cash as quickly as possible, before banks can have all their fraud flags in space. You would expect to see a flurry of fraud for the next few days.
Don’t be distracted by anecdotes of individual account exploitation, however. The real question now is: Will hackers exploit 1 in 100 accounts or 1 in 100,000? Turning stolen numbers into real money is non-trivial. Because this happened so fast, I hope the exploitation rate will be on the low side. But we shall see.
Who did it? How’d they do it? As usual, the public doesn’t know much at this stage. It’s always easy to blame Eastern Europeans; but I have a sneaking hunch that at least one or two operators in this scheme are local. Target is such an American target, after all. And that’s usually how these stories play out. A global conspiracy with operators both local and in the usual hacker haunts, like Romania and Russia.
As for how they did it: there’s plenty of speculation that criminals found a way to compromise Target’s point of sale terminals, and tricked each one into send data to the bad guys, which would be remarkable. It sounds kind of like a bot-net for carders. But these attacks often involve the payment processor who transports data between the retailer’s bank and all the cardholders’ banks, a very complicated process that creates many single points of failure. These are two areas investigators will consider immediately.
What does it mean? I should do a separate piece on this, but for now consider: In Europe, credit cards all come with fraud-fighting chips, a system called chip-and-pin. In the U.S., we still use black magnetic strips that are essentially the same thing as cassette tapes. In other words, while the music industry has advanced through about 4 different technology eras, credit cards are stuck in the 1960s. Payment experts have always wondered if it might take a huge hacking incident to force American retailers and banks to switch to a more modern system. Target *might* be it, but I doubt it. The expense is enormous, starting with forcing retailers to buy all-new point-of-sale systems. The irony: nearly a decade ago, Target tried to unilaterally install a chip card system in its stores. It failed.
To learn more about the chills being sent through the retailer payment industry (and through stores themselves) read this.
For more on why the U.S. has been slow to adopt better credit cards, read this NBCNews.com story.