As many shoppers are now aware, Target experienced a massive security breach between November 27 and December 15, 2013, with the personal data of up to 110 million customers having been compromised. In January, Neiman Marcus experienced a similar hack, and in the weeks since, various expert reports have suggested that even more stores are currently at risk. This has left many consumers wondering: How have so many retailers been hoodwinked by hackers? And is there any truly safe way to pay for goods outside of cash? To help better understand the changing credit card landscape consumers are facing, we've laid out all the details on what information might have been at risk and explored the various ways consumers can shop online and remain secure.
Both Financial & Personal Information Stolen
Using software called BlackPOS, developed by a Russian teenager, hackers corrupted Target's Point of Sale devices (credit and debit card readers) in brick-and-mortar locations. The hackers were able to capture personal data immediately after a credit card was swiped, according to Brian Krebs, the security blogger who originally broke the story. The data was then stored in a repository within Target's own internal system, which, the company recently revealed, hackers were able to crack by stealing vendor credentials.
Target initially confirmed that up to 40 million credit and debit card accounts had been compromised. The information stolen included everything stored directly on a credit or debit card's magnetic stripe: account number, cardholder name, and expiration date. It also included encrypted CVV data, which is used to confirm in-store purchases. (CVV data is not the same as the 3-digit CVV2 code found on the back of your card and used to verify online purchases.)
Weeks later, Target also confirmed the theft of additional "Guest Information" for up to 70 million customers, with some possible overlap between the two groups. Target would only say that the data "may have included names, mailing addresses, phone numbers, or email addresses."
But Target's Guest ID accounts also contain unknown amounts of data on customers' personal lives, financial history, and shopping habits. In fact, the company's data collection policies came under scrutiny in 2012, when a New York Times article profiled how it used big data and statistics to win over customers, specifically pregnant women. The article related an apocryphal story that Target once sent a teenage girl baby product coupons before her own father knew she was expecting.
However, the company has never confirmed or denied what personal data it collects, and it can't be confirmed that any of this additional information was lost in the recent hacking.
Criminal Use of Stolen Data
Target's security breach appears not to have given criminals enough information to create new lines of credit in consumers' names to commit identity theft. But experts fear the stolen data could be used in phishing scams, where the thieves attempt to get more information from victims, like Social Security numbers or mother's maiden name, while posing as representatives from banks or stores. It's important to note that Target has offered free credit monitoring for a year to all of its customers in order to combat potential criminal use of data.
This recent data breach is one of the largest in US history. Second to it was the hacking of TJX (the parent company of TJ Maxx, Marshalls, and HomeGoods) in 2007, when data from over 45 million customers was stolen. In 2009, hundreds of millions of transactions were compromised when payment processing company Heartland Payment Systems was hacked. And since the Target incident, retailers Neiman Marcus and Michael's Arts & Crafts have also announced security problems.
Credit Cards Are Still the Safest Form of Payment, After Cash
Despite such high-profile data breaches, credit cards remain one of the safest ways to shop online and in stores—not necessarily because they are the most secure, but because they leave the shopper the least liable for any problems. The federal Truth in Lending Act limits consumer liability for fraudulent credit card purchases to $50 in stores, and $0 online. Some card providers even waive the $50 liability.
But debit cards are governed by a different federal law, the Electronic Fund Transfer Act. If a consumer reports the unauthorized activity within two days of discovering it, the liability is the same as a credit card: $50 in store, $0 online. However, after 48 hours, the in-store liability shoots up to $500. And after 60 days, consumers may be fully responsible for the fraudulent charges.
Several payment alternatives exist, but all have drawbacks. PayPal boasts of data security and PCI (payment card industry) standard compliance. But its ambiguous regulatory status (not a bank or credit card company) sometimes makes it difficult to dispute transactions. And while a paper check might feel akin to paying in cash in terms of the likelihood of the information being lost during one of these wide-scale digital attacks, most retailers actually scan checks before depositing and electronically cache the information therein, which means your name, account number, and routing number might still be on file.
Tap-and-pay technologies have also been heralded as the future of digital payment options. The wireless-enabled chips appear in a number of credit and debit cards and on smartphones. Such NFC technologies allow users to pay for goods simply by tapping their phone, card, or wallet on a scanner. But some security experts fear that putting even more sensitive information on a smartphone, and then transmitting it through an unsecured network, could decrease its security.
EMV Might Be the Future of Secure Payments
However, there is one technology that may make American credit and debit cards safer. The US is one of the last industrialized nations not to utilize the EMV system for credit cards. Commonly known as "chip-and-PIN" in the UK, these cards do not use magnetic stripes, but a tiny computer chip. The chips are harder to read and allow for multiple levels of encryption. A personal identification number (PIN) must be entered for all transactions, thereby providing even more security.
In the aftermath of the recent security breaches, EMV is getting increased attention in the news, though retailers and card providers remain resistant to the high costs of installing new card readers and cards. Still, EMV likely would not have stopped the Target breach. Since hackers infiltrated the POS devices, they could have captured the personal information no matter how it was scanned.
Regardless of how you decide to pay for goods in-store and online, it's important to be diligent in your transactions. Be sure to keep a close watch on your financial statements and balances. Unless you want to carry around enough cash for all of your purchases—which brings its own kind of security risks—it pays to monitor your accounts with a careful eye.