Ed's Blog

Target says "Oops, 70-110 million consumers hacked."

By Ed Mierzwinski
Consumer Program Director

Target is now saying, reports the New York Times, that "a range of 70 million to 110 million people," not the original 40 million customers, had their credit or debit card numbers hacked in December (or possibly at other times). Even worse, Target is admitting that the database stolen from the big-box retailer included a lot more than credit or debit card numbers and their associated security codes and expiration dates.

Today, Target admitted that the stolen data also included email addresses and phone numbers, which leaves consumers vulnerable to phishing attacks that could lead to identity theft, as if the previous threat of fraud on existing accounts wasn't bad enough. You might say: "But I never gave Target that information." Answer: "They could easily buy databases to add that information to your file."

(Target had previously admitted, although not at first, that the hack also collected PINs (passwords) which would allow direct access to your bank account, for example through a cloned debit card used at an ATM. But Target has insisted that the PIN numbers/passwords, at least, were encrypted and cannot be hacked. But phishing attacks could help thieves obtain the PIN/password.)

When bad guys obtain credit card or debit card numbers, they can commit fraud on existing accounts. That's not so bad, if your card was a credit card. Your credit card rights by law are very strong (against not only fraud but also in the case of disputes over billing errors or over products or services that do not arrive or don't work well). If your card was a debit card, your rights by law are not as strong at all. Debit cards do provide decent anti-fraud rights by contractual promise ("zero-liability"), but by law you need to be vigilant and report claims promptly or you could lose a lot of money. But even if your fraud claims are eventually covered, remember that while you are disputing fraudulent charges (investigations can legally take 2 weeks or more), money is missing from your checking account and you could face additional cash flow problems and bounced checks. So, we advise consumers who can avoid the hazards of credit card debt to always use credit cards, not debit cards, at point-of-sale (retail) or online.

When bad guys obtain emails and phone numbers, they make phishing attacks to obtain more information: Target has just admitted that the hackers also obtained email addresses and phone numbers. While this information is not enough to commit identity theft, it is enough information to conduct "phishing attacks" designed to collect additional information, including encrypted passwords, from consumers. The additional information the bad guys seek, then, would either allow them direct access to your account (through the PIN) or to open new accounts in your name by committing identity theft. They use what they know to convince you to tell them what they don't know. They want your PIN, or your birthdate and Social Security Number. They hope to trick you into giving it up.

They do this through either dangerous links or various "social engineering" techniques. A phishing email will appear to be from your bank. But if you click on any links, either a virus explodes on your computer to collect any personal information stored on it, or you are redirected to a site that will allow them to obtain the information they need.

As the New York Times further explains:

"Security experts say that clever hackers could potentially parse together customers’ stolen information for identity theft or for use in a so-called spearphishing attack, in which hackers send highly tailored emails to victims asking them to click on a link or download an attachment that, once opened, gives hackers a foothold into their computers and employers’ networks."

The lower-tech version of spearphishing -- plain old phishing -- goes like this: the thief will use the limited information he has about you to convince you he is legitimate, so you will give him the additional information he wants.

For example, in a phone or text message attack: "Please don't worry, I am from the bank. Here is some information (the account number and even the security code) about you to prove I am legitimate, but I need you to provide some information to convince me I am actually talking with Ed Mierzwinski, accountholder. Please tell me the PIN that goes with this card and/or the Social Security Number you used to open this account."

This doesn't work very often, but it works enough to keep the bad guys in business.

Some tips for all consumers, whether you shopped at Target or not:

(1) Don’t panic. Do check your credit card and bank account statements regularly for fraudulent transactions and report them immediately to your account provider. The most likely use of the card numbers will be to attempt fraud on your existing accounts. You have strong anti-fraud protections by law with a credit card. If you are vigilant, you can also protect your debit card.

(2) Now that we know emails and phone numbers were also taken in the Target exploit, be aware of “phishing” emails or phone calls, especially calls or emails purporting to be from the bank’s fraud department. Banks will never reach out to you this way. But when a bad guy has some of the information needed to commit identity theft, he will call or email to try to get the additional information he needs to either open new accounts (your Social Security Number and perhaps also birth date) in your name or to access your account directly (your PIN).

  • Never click on any links in emails or open any attachments, even if the email appears to be from your bank. Never give any information to anyone who calls you, even if the caller says something like: “I am going to tell you your account number to verify that this is a legitimate call (but you need to give me some sort of additional information to confirm you are you).”
  • If you are concerned you may be a victim of fraud due to a call or email, don’t reply directly. Instead, look at the back of your actual card and call that toll-free number instead and ask for the fraud department.

(3) Don’t pay for expensive credit monitoring services. You have the right under federal law to look at each of your 3 credit reports (Equifax, Experian and TransUnion) once a year for free at the federally-mandated central site annualcreditreport.com. Don't like websites? You can also access your federal free report rights by phone or email. You can stagger these requests – 1 every 4 months -- for a type of do-it-yourself no-cost monitoring. And, if you suspect you are a victim of identity theft, you can call each bureau directly for an additional free credit report. (If you live in either CO, GA, MA, MD, ME, NJ, PR or VT you are eligible for yet another free report annually by calling each of the Big 3 under state or provincial law.)

(4) In the future, if you can avoid running up credit card debt, always use credit cards, not debit cards, in stores or online. Your credit card rights are stronger by law, and you don’t run the risk of missing funds from your checking account for up to two weeks or more while the bank conducts an allowable fraud reinvestigation of debit card fraud.

Our general identity theft tips are here. http://uspirgedfund.org/issues/usf/protecting-yourself-identity-theft

Let us know what else we can do to help. We'll also be watchdogging the regulators to make sure that they hold both Target, and the card networks, accountable for their sloppy practices.
