How consumers can prepare for future cyberattacks

McClatchy-Tribune Information Services

January 27, 2014

Just as the shock of the massive data breach at Target over the holidays has begun to wane, cybersecurity and other experts are warning consumers to brace for similar attacks in the coming year.

The breach at the mass merchant, which compromised card accounts and personal contact information for tens of millions of shoppers nationwide, "kind of takes your breath away," said Bill Hardekopf, CEO of the credit card marketplace

"I think we are going to see more of this," he said. "This is what our culture is in for."

High-risk times for more strikes will be the next big shopping cycles that give hackers the potential for the biggest payoff, such as around Valentine's Day, Mother's Day, the back-to-school time frame and next Christmas, said Charles Wood, corporate security specialist and assistant professor of information systems management at Duquesne University.

Short of people chopping up their cards and filling their pockets with cash, consumers can take steps to minimize their exposure to future data heists, experts said.

First, shoppers should consider the additional risk that comes with using a debit card versus a credit card.

Thieves who get a hold of debit card data gain access to a person's bank account. And depending on the card issuer's policy, any money that comes out of the account may not be refunded right away.

"If someone's account gets drained, it may be tough to pay the bills in the next month," said Jody Farmer, vice president with the credit card comparison site "The inconvenience is potentially massive."

Big banks may provide a provisional credit to compromised debit card accounts within a day or so after a customer disputes a transaction. But federal law generally allows up to 10 days for the financial institution to investigate before making any refunds, said Gerri Detweiler, personal finance expert with the educational site

"In the meantime, your rent might be due," she said.

"In general, the more I'm hearing about data breaches, the more leery I am about using a debit card," she said. "I've seen people have $10,000 taken out of their account."

In contrast, if fraudulent charges are rung up on a credit card, it's the bank that's out of the money.

Despite the downside of debit cards, many people prefer them over credit, often as a way to help control spending because they can't run up big bills the way they can with credit cards.

For people who can't give up their debit cards, Detweiler recommends setting up two accounts, one for spending money "and the other to put your paycheck into so you aren't exposing all of your money to scamsters."

It's also important to check debit and credit card accounts frequently online for suspicious transactions and report them promptly to minimize any damage.

Pay attention to small transactions, not just the big ones, Hardekopf said.

"A lot of times thieves put through small amounts first to see if the account is still active," he said.

After notifying a financial institution about suspected fraud, it's also a good idea to follow up with a written complaint, Detweiler said.

Experts also recommend that consumers regularly check their credit reports for errors or unfamiliar accounts to help detect identity theft, the type of fraud where a thief may open new credit card accounts, take out loans or commit other crimes under someone else's name. For the victim, sorting out the mess can be a nightmare.

Federal law entitles consumers to free copies of their credit reports once every 12 months from each of the three main credit bureaus, available at or by calling toll free 1-877-322-8228.

One strategy is to order a free report from one of the three main bureaus every four months, said Heather Murray, manager of education with the nonprofit Advantage Credit Counseling Service in Pittsburgh.

"By doing that ... you can catch identity theft sooner," she said.

Consumers should look for things like credit cards that they didn't apply for or bogus loans in their name.

The Federal Trade Commission's website,, is a good source of information on ID theft, Murray said.


In the Target data breach revealed Dec. 19, which ranks as one of the worst ever, hackers stole credit and debit card numbers, expiration dates and CVV codes, which are the three- or four-digit numbers on the back or front of cards used for additional verification.

The thieves also captured names, addresses, email addresses and phone numbers, which could raise the chances of ID theft. The theft of the personal contact information was disclosed more recently, on Jan. 10.

Many banks and other card issuers have contacted customers who shopped at Target during the Nov. 27 to Dec. 15 time frame to cancel and replace their existing cards. Shoppers who haven't been contacted should call their card issuer and insist on a new card, especially if they used a debit card, experts said.

"If I had shopped at Target with my debit card during that time, I would do that," Farmer said.

At the minimum, shoppers should be closely monitoring their accounts for fraudulent transactions, experts agreed.


Detweiler, who has been on radio shows taking questions from anxious Target shoppers, said some callers who used a debit card during the affected period mistakenly believed that if they had signed for the transaction instead of entering a personal identification code, their accounts were more secure.

"That's not true," she said. "It just means the transaction was processed differently."

Pennsylvania Attorney General Kathleen Kane last week warned consumers to be on alert for "phishing" attacks linked to the Target breach in which thieves try to trick people into divulging personal information (such as passwords, account numbers and Social Security numbers) by sending emails that look like they're coming from Target.

"A number of scammers have taken advantage of Target customers' misfortune and have set up websites and are sending emails with Target's logos in an attempt to further victimize consumers," Kane wrote in a news release.

Target earlier this month sought to limit any damage and the assault on its image by offering free credit monitoring and identity theft protection for one year to all Target shoppers.

To sign up, customers have until April 23 to go to a special website,, and register for an activation code.

While it's OK to take advantage of the offer, experts said, people should make sure they understand all the terms of the programs so they don't end up paying for coverage they don't want after the free service period ends.

The Washington, D.C.-based Consumer Federation of America said the offer was not enough.

"The identity theft service that Target is paying for only monitors one of the three major credit bureaus, and while it may alert consumers to new accounts opened in their names, it won't notify them about takeovers of their existing accounts or other types of identity theft, such as using their personal information to falsely obtain employment or tax refunds," the CFA's Susan Grant said.

"Consumers should also understand that the fraud assistance and insurance that will be provided are somewhat limited and that no ID theft protection service can prevent their information from being sold or used."