Unless you have been stuck on an Antarctic Research Ship, you probably know that around 40 million credit and debit card records were stolen in Target stores between 27 November and 15 December. If you shopped in a Target store during that time and used a credit or debit card, you had better assume that the card is compromised.
You should make a habit of monitoring your credit transactions at least weekly, and debit card transactions daily. Fortunately, that only takes a few minutes online. Oh, and change the password for that online access frequently.
Those of you who didn’t shop in a Target store should not be complacent. There were over 600 publicly disclosed data breaches in 2013, and a, duh, unknown number of non-disclosed breaches. By law in 46 states and the District of Columbia, a company is required to disclose any breach that exposes personally identified financial information if that information is not encrypted. However, I suspect some companies “forget” to make that public disclosure, and many more are never aware that their data was compromised. Over two-thirds of identified data breaches are discovered by a third party. Target, which has good security monitoring, had over two weeks elapse before they even noticed the problem. Had they discovered it in the first few hours they could have eliminated the vast majority of the damage.
US law limits your liability with a credit card to $50, and the major credit card companies (American Express, Discover, MasterCard and Visa) have zero-liability policies.
Not so with a debit card. Your maximum liability is $50 if you notify the bank within 48 hours. After two days, your liability is $500 up to the 60th day. After that, you can lose everything in your account. In any case, your bank can legally take up to two weeks to reimburse you. During that time, your debit card and checks are useless.
Some people need to have debit cards. They are easier to get with less than perfect credit, and they make it harder to rack up huge bills. But those benefits come with significant risks. After the Target attack, some banks limited how much the cardholder could spend with the card, making it difficult for some people to conduct their normal personal or business activities. If you don’t absolutely need a debit card, don’t get one.
On the Privacy Law loophole about encryption: there is encryption and there is encryption. Almost any encryption can be broken; the only issue is how long it will take. Target told customers they should not worry that their PIN information had been compromised, because it was encrypted. A four-digit encrypted PIN can be broken in minutes. Worry.
Changing your PIN will help prevent your card information from being used in an ATM; however, it doesn’t help in stores. Credit cards and, in many cases, debit cards can be used without a PIN. The best answer is to ask your card provider to cancel your current card and issue you a new card with a new number.
If Target offers you a free credit monitoring service, please accept it. If nothing else, it is a real financial cost to Target to offer that service and should be part of their punishment for failing to prevent and being slow in detecting this breach. However, it does absolutely nothing about credit or debit card theft. Credit monitoring helps you when your social security number or birth date is stolen. Likewise, putting a security freeze on your credit report will do nothing to minimize the damage of this kind of attack.
When you receive a letter in the mail that your card account information has been breached, respond immediately. You are probably already outside the 48-hour limit for debit cards, but the sooner you find out how badly you were hurt, the sooner you can start getting it fixed. If you get that letter, your information was stolen. Companies work diligently to determine exactly whose information was impacted. Historically, over a quarter of the people who are notified ended up being the victim of fraud.
The last word:
In December of 1963 I received my first payment for writing code: helping a teacher get his Doctor of Education by doing the statistical computing for his thesis. This was an interesting assignment that I repeated several more times over the years. By the summer of 1966 I had a very small part in the NASA Mercury and Gemini projects leading to Apollo 11 in July 1969. That Atlas missile guidance computer ended up in the Smithsonian Institution for many years, but a few decades ago was replaced by a plaque. It is an indication of how fast this industry is changing when a computer you have worked on ages out of the Smithsonian.
It has been an exciting journey as the hardware and software technology has evolved at an amazing pace. Almost as interesting was the struggle marketing and sales had trying to keep up not just with the technology changes but also with the periodic revolution in the very business models of IT. I got to watch legacy companies try to lead or follow the almost constant paradigm changes in the industry. Even stranger were the new companies trying to cope with the lessons of support, reliability and scalability that the legacy companies had learned a long time earlier. Along the way I have met and worked with many great people, with just a few of the other kind to make it clear how great most of them really were.
So, it is time to ease into retirement. I intend to continue to do a little consulting in the area of data security, mostly related to Cloud Computing and the Unisys Stealth solutions, and to keep writing this blog.
Keep your sense of humor.