Tavares, FL - Friday, Dec. 20, 2013 - TWO Updates added Dec. 31 - see new article links below
Did you, family members or friends shop at Target and use a credit or debit card between Nov. 27 & Dec. 15?
If so, you better read all of this to avoid your card account being charged by fraudsters.
You probably know credit card hackers took some 40-million credit card numbers from Target customers and perhaps other data during that period. Some articles say that only data on the magnetic stripe was copied, but I can't find specific details to rely on.
If you DID use any credit or debit card at a Target store (Target says online shopping was not affected), READ all articles below plus the Target document linked below. Target says they have fixed the security weakness, so you can use credit cards there now.
You might forward this to, or check with, family members, employees, etc., to see if THEY shopped at Target, since many probably don't read or watch the news and are oblivious to the fraud.
You also need to monitor your credit card account online for ANY unknown transactions. That includes small purchases or fees that fraudsters use to detect whether your account number is still valid. Watch out for any phone calls or emails offering to "help you update your account" (which should be rare, unless that info was on your card's magnetic stripe).
Here are recent articles from major news media sources on the fraud - most recent updates are at the bottom of the list:
http://www.washingtonpost.com/business/technology/target-data-breach-affects-40-million-accounts-payment-info-compromised/2013/12/19/5cc71f22-68b1-11e3-ae56-22de072140a2_story.html
http://techcrunch.com/2013/12/20/the-target-breach-flood-is-already-appearing-on-the-carder-black-market-target-reacts/?utm_campaign=fb&ncid=fb <<< This contains details on how one small bank already found many of their customers' card numbers being hacked and sold to specialists in using stolen credit cards. These guys act fast.
http://www.chicagotribune.com/news/local/suburbs/batavia_geneva_st_charles/chi-batavia-target-data-breach-20131220,0,5697169.story This article says a business has filed a class action suit against Target. It also says that Target did not disclose how the data theft occurred and that "Stolen information (taken) included customer names and their credit or debit card numbers, along with the cards' expiration dates and three-digit security codes, Target said". That is enough data to buy stuff online on most sites (except that many sites ask for billing addresses, which may not be data that was taken).
http://www.latimes.com/business/la-fi-target-anger-20131221,0,5146223.story#axzz2o5EaMbfZ This latest LA Times article has more bad news and links to other articles.
http://www.forbes.com/sites/anthonykosner/2013/12/20/targets-biggest-pr-mistake-with-credit-card-security-breach/ <<< Then this article criticizes Target for burying the answer to a critical question at the bottom of their official notice in the link below.
Here is an update from the UK newspaper, The Daily Mail. Some info conflicts with earlier reports above. http://www.dailymail.co.uk/news/article-2527243/Theft-Apple-products-New-York-Target-stores-linked-40-million-compromised-credit-card-data.html
Update Sat., Dec 21 - Chase Bank sets limits on about 2-million cards used at Target and starts mailing replacement cards. Read it here: http://www.usatoday.com/story/money/business/2013/12/21/jpmorgan-chase-target-debit-credit-cards/4158951/
Update Dec. 25: This Reuters article cites a source that claims Target customers who used their credit cards may have a new worry - the thieves may have their PINs - but there are no clear details and Target disputes that. http://uk.reuters.com/article/2013/12/24/uk-target-databreach-exclusive-idUKBRE9BN0L420131224
Updated Dec. 28 - The AP says Target has finally admitted that the credit card number thieves also got customers' encrypted PIN numbers. Target says the PINs were encrypted, which reduces the risk of usage by thieves, but the article points out that previous credit card data theft crooks WERE able to get through the encryption codes and used the PIN numbers. http://www.washingtonpost.com/business/technology/target-customers-encrypted-pins-were-obtained/2013/12/27/5e88e7fa-6f1e-11e3-a5d0-6f31cd74f760_story.html
Added Dec. 31, 2013 - Orlando's WFTV found a local who has had his credit card number used fraudulently 26 times after shopping at Target. http://www.wftv.com/news/news/local/titusville-man-possible-victim-target-credit-card-/ncYQm/?ecmp=wftv_social_201316452024
Added December 31, 2013 - Now Target has admitted in Cincinnati that some folks who purchased Target gift cards can't use them because they were not fully activated. Isn't this getting better? Target did say that the cards would be honored. http://www.local12.com/news/features/top-stories/stories/target-gift-glitch-6760.shtml
Here is what Target told their customers via their website - if you go to their Target.com website, you have to squint to see the tiny line at the top of the page that says "Important Notice..." but I found it for you.
"For extra assurance," Target is giving "free credit monitoring services for everyone impacted. We’ll be in touch with you soon on how and where to access the service." So if you did shop at Target, they will notify you later, which is a good customer service practice, common when these breaches are detected. (This one was huge, however.)
Target was very responsible and transparent with the above link, which contains many valid details on what to do, including if your card number WAS used fraudulently. They were criticized for not revealing the breach when they first detected it on the 18th, but did so on the 19th. But they really didn't answer the question about how the data theft occurred and how it was fixed.
I would also save a copy of any related online document from Target in case they delete it or modify it.
Here is my Take on this Fraud, and my response, since I DID shop at Target during the affected dates.
As a former Certified Information Security Auditor (CISA), here is my take and what I did since I DID buy from Target using a debit card during the "security breach period". Yesterday, I changed my online password, AND my Bank of America Visa debit card PIN (a separate process). I had to go to the bank branch to use their ATM to change the PIN number, since you cannot do that online. The branch manager offered to help me, but then she would require a signed form and access to my info, so I went outside and used the ATM. I called Bank of America customer service to find out how they would protect my debit number from being used for types of credit card transactions not requiring the PIN number. Target says the thieves only got data on the magnetic stripe on the card, which does not include the PIN number, but I changed mine anyway.
It is unclear whether the thieves took the security codes, expiration date or other info on the card when it was "swiped" at Target, but one article above says those data elements were taken. The Bank of America help center said I didn't need to get a new debit card because they know about the Target "breach" and have implemented procedures to prevent fraudulent use. However, just in case, I implemented online email alerts to tell me if anything was charged to the card, since the thieves could use just the card number in some places to charge small test fees, then charge larger items and services if the first test charge works. Thus even if one penny is charged by an unknown vendor, you need to react quickly.
The safest way would be to get a replacement card with a new number, but then you have to update all the accounts that use it, like Amazon, etc. After reading the above TechCrunch article, I considered going to my bank and asking for a temporary debit card while a new one is mailed to me. That will prevent possible fraudulent usage of any type from the Target security breach. Thanks to Target's security failure, that also means that I would have to update the several online accounts using the old card number, like Amazon, and when some vendors try to bill the old account for an annual invoice like subscriptions, I will have to make sure they have current emails to notify me when it doesn't work so I can give them the new number. It is a pain, but I don't want to rely on B of A to prevent fraudulent use of a DEBIT card. And with debit cards, the money is gone immediately - it is not like a credit charge that can be reversed.
You might decide to NOT replace your card, relying on the bank or Target assurances of safety, or be safer and get a replacement card. If you really have to use a replacement card, ask your bank branch staff in person for a temporary replacement card until a new one is mailed to you.
Good luck and happy shopping! I will be at Target tomorrow to get an added 10% off that hamster cage I have always wanted to send to Lake County Roundtable radio host Ralph Smith.
Note: Another credit card security weakness is that many new cards have RFID chips, which can be read over the air by special readers. So far, this Target issue doesn't seem to involve the RFID chips. (My card does not have one).
Vance Jochim
FiscalRangers.com a fiscal watchdog blog for Lake County, FL