What You Need to Know to Shop Safely, Online or Offline
Credit-card theft is often thought of as something that happens only as a result of shopping online. Yet tens of millions of Target and Neiman Marcus customers who've never shopped at those stores' websites are being told their credit-card information might be in the hands of cybercriminals.
How did this happen?
"When we're talking about data breaches, usually the customer did nothing wrong," said Bogdan Botezatu, senior e-threat analyst at Bitdefender, an anti-malware company based in Bucharest, Romania. "These kind of issues happen, and will continue to happen, regardless of what kind of security you're adding to your network."
So what can consumers do to protect themselves from cybercrime, whether shopping online or in a store? Here are a few things you should know to shop in the safest way possible.
Most credit and debit cards issued in the United States store data on a magnetic stripe on the back. Criminals have long had "skimmers" that can copy the "track data" from the magstripe, reprint it onto a new magstripe, and create a "clone" of the original card.
In the Target data breach, unknown criminals apparently infected the company's in-store point-of-sale devices nationwide with malware that captured data from cards' magstripes right after they were swiped, but before the data could be encrypted for safe transmission to card-payment servers.
Because the 3- or 4-digit verification code printed on a card's exterior is not included in magstripe track data, the Target card thieves will have trouble using stolen cards to make online or telephone purchases. Most websites ask for verification codes.
However, the clones will work in brick-and-mortar stores, because many checkout staffers don't check card signatures.
If your credit card was issued by a bank, the bank may tell you if your credit card has been part of a data breach. But it's usually up to card holders to keep a close watch over the security of their cards.
Ask your bank to alert you whenever your card is used overseas. The criminals behind the Target and Neiman Marcus data breaches were probably from Eastern Europe.
That won't keep you perfectly safe, since America has its fair share of cybercriminals, including the ringleader of the massive "TJ Maxx breach" in 2007 that affected T.J, Maxx, Barnes & Noble, Sports Authority, Forever 21 and more.
U.S. debit cards require users to enter a 4-digit PIN in order to validate a transaction — or at least they should.
The data stolen from Target includes debit card PIN numbers as well as magstripe data, but the PINs were strongly encrypted. Thus far, the criminals have been unable to decrypt them.
Without a PIN, a criminal won't be able to use a cloned debit card to withdraw money from a bank or ATM — but he can still make in-store purchases.
"Every debit card with a Visa or MasterCard logo on it can be used without a PIN," said Loc Nguyen, vice president of Feedzai, a fraud-risk-prevention firm in San Mateo, Calif. "So, for instance, if you go to Walmart and you use your debit card, they'll ask you for a PIN, but if you hit the 'cancel' button, it allows you to sign your name instead of entering a PIN."
For that reason, just changing your debit card's PIN isn't enough to protect you in case of a data breach. As with a credit card, you might need to replace it entirely. Setting up alerts for overseas activity or transactions over a certain amount can also help you manage your debit card.
With so many risks associated with credit and debit cards, some consumers might decide that they're better off using cash. But inconvenience and higher risk of physical theft mean that paying with cash simply isn't feasible for most people.
Your credit cards aren't a cybercriminal's only target. Personal data can be more valuable than a single credit-card number.
"People tend to think that [criminals] are stealing money," Nguyen said. "The criminals aren't going after the card itself, they're going after the identity. They use that to open lines of credit under your name."
Even if you cancel a compromised credit card, you're not always safe from fraud, because criminals can use stolen personal information to get another credit card in your name.
If you believe you're part of the 70 million Target customers whose names, email addresses, street addresses and telephone numbers were stolen alongside 40 million credit- and debit-card accounts, ask a credit-monitoring service to alert you whenever someone opens a line of credit in your name.
Online payment services
Some online payment services, such as Paypal or Amazon Payments, offer an extra layer of security called two-step verification. A randomly generated code is texted to your phone when you log into an account, and you have to enter that code into the Web page. Two-step verification will stop a criminal who knows your email address and password, unless he happens to have your cellphone as well.
Two-step verification can be circumvented, however, if your computer or phone is infected with malware. For example, keylogging malware will send cybercriminals a record of every key pressed on an infected computer, which can be used to figure out passwords and passcodes.
"Given the current circumstances, I'd say it's safer to shop online," Botezatu said.
"Based on my previous experience, whenever I have to choose between paying with a credit card and Paypal … I always go for Paypal," he said. "This allows me to better control what the merchant knows about me, since I'm using my own device to initiate the payment process."
The future: Chip-and-PIN cards
In Europe and Canada, credit and debit cards now use what's called "chip-and-PIN" technology instead of magstripes. Sensitive data is stored on computer chips embedded in the cards. The data is encrypted and digitally signed, which makes it very difficult to steal, and also makes the cards difficult to clone.
The chip protects against point-of-sale attacks, such as the ones levied on Target and Neiman Marcus. The PIN even protects online purchases, because consumers can type PINs into USB-connected card readers when shopping from home.
However, chip-and-PIN cards are not a perfect solution.
"Like everything with fraud, it's a game of cat and mouse," Nguyen said. "As the good guys come up with solutions, the bad guys are trying to come up with workarounds."
American Express, Discover, MasterCard and Visa plan to switch to chip-and-PIN cards in the U.S. by October 2015, enough time for most retailers to upgrade their card-reading equipment.
Nguyen says countries that implement chip-and-PIN credit and debit cards might see less point-of-sale credit-card fraud, but they often see an increase in online fraud as criminals redirect their focus.
It's important to remember that, as security expert Bruce Schneier said, "Security is a process, not a product."
"There's no perfect single silver bullet that's going to make things right," Nguyen said.