Random Thoughts – Randocity!

Unless you’ve been living in a cave, Target stores recently disclosed that it had potentially lost up to 40 million credit and debit card numbers when their point of sale systems became infected with malicious software. Let’s explore how to protect yourself from these situations.

Knee-jerk Reactions

A lot of people who are not very tech savvy immediately jump the gun and presume all credit card systems are vulnerable and that carrying and using cash is safer. Unfortunately, this is an incorrect assumption to make. Cash, while useful, is not always safer to carry around. If you are carrying, for example, thousands of dollars on your person, when you get robbed or mugged, your money is gone and is not replaceable on top of whatever injuries you may have sustained when they robbed you.

You’re probably thinking, “How is anyone going to know I’m carrying it?” You have to open your wallet to buy things. People can easily peer in and see how many bills you have tucked in there. It’s very simple. They’re not going to mug you immediately following seeing the money. No, they’ll wait and do it a much more opportune time for them, but when you are most vulnerable (alone in a garage or someplace else similarly alone and dark). So, carrying loads of cash is not the answer. Money is also not replaceable when it’s stolen.

When and what happened in the breach?

Target confirmed that cards swiped through its terminals between November 27th and December 15th were likely exposed in the breach. However, Target hasn’t been forthcoming describing exactly how the breach was accomplished. But, what has been said is that the point of sale terminals appear to have become infected with malicious software. This would likely include both the customer card terminal reader and the register itself since both are connected together. It has also been stated that the hackers only received data contained on magnetic card stripe, which indicates that the malicious software only infected the actual card swiping hardware device.

However, if the entire register and card-reader terminal was infected with malicious code, it’s possible they also captured all input from these terminals which would include PIN codes and signature digital data. So, I’d suggest proceeding on the assumption that they did potentially obtain keyed-in data including PIN codes.

To be the absolute safest in your response to any breach announcement, always assume the worst to take the most appropriate action in anything dealing with credit or debit cards.

Who is Most Vulnerable?

Mastercard, Visa and Amex card holders or debit card holders which contain Visa or Mastercard logos are the most vulnerable card holder types in this breach. These cards can be used anywhere, especially at online sellers without signatures. So, it’s easiest to use these cards all over the Internet.

The least vulnerable cards are Target RED cards without Visa logos. These cards would actually protect you against use. Since these cards are only usable at Target and must be presented at the register to be swiped, they cannot be used at Target without creating a physical card. Because these cards do not look or feel like regular credit cards, they would be a bit harder to duplicate. Though, it’s not impossible. Because the non-Visa RED cards only work at Target, this means that the perpetrators would likely use the ‘low hanging fruit’ first. That is, the perpetrators would opt to use card numbers that can be used anywhere and can be used online without needing to print a card. Or, more specifically, Visa, Mastercard or Amex branded cards. Cards without logos, like Target’s RED cards can only be used at Target which limits where the card can be used.

The RED card can be used, however, at Target.com. This means they could use your RED card on a Target.com account.

What should I do?

If you have a credit or debit card bearing the Mastercard, Visa or Amex logos, you should flip the card over, call the number on the back and ask to have the card replaced. Don’t try to contact Target, don’t ask questions at Target, just have the card replaced immediately. Yes, I know this is the height of the holiday shopping season and may make it inconvenient for you, but just consider how much more inconvenient if the perpetrators max out your card and you have to clean up that mess in addition to not being able to shop? It’s always better to err on the side of caution and replace your card.

If you have a RED debit card, log into Target’s RED card management site and change your PIN. You can get to it from the main Target.com web site. Go ahead right now and do it. I’ll wait. You can finish reading the article when you get back.

So, now that you’re all done changing your PIN to your RED card, that’s really all you need to do. If the perpetrators obtained your RED debit card number, it cannot be used without the PIN code. By changing your PIN, you have now just protected your RED debit account from unauthorized use.

If you have a RED credit card without a Visa logo, assuming this card only requires a signature to purchase, then you are also vulnerable to easy purchases online at Target.com. Even with a non-logo Target credit card, there’s much less that can be done with it as it only works at Target. Still, I suggest you also visit the RED card management portal and choose to replace your RED credit card. There’s a link in the management site to do this. I suggest doing this online rather than trying to call the number on the back and waiting on hold. Due to the extremely high volume of calls that Target is experiencing at the moment, it’s really a whole lot faster to use their web management site. However, before you run off and request a replacement card, I suggest reading the rest of this article first.

If you own a Target Visa card, you should replace it immediately just as you would any Visa branded card.

Should I cancel my RED card?

The answer to this question is not as simple. If you use no other card than the RED debit card to make purchases at Target, you are actually more protected than any other card you can use. So, I wouldn’t recommending closing out your RED debit card if you want to continue shopping at Target. However, if you no longer wish to shop at Target after this breach, then I would suggest you close out all of your RED cards as you don’t want these cards hanging around unused.

If you own a Target Credit card and especially a Target Visa card, you might want to consider closing these cards and replacing them with a RED debit card instead. Debit cards are protected by PIN codes. Without the PIN, the card is useless. With a credit card, only a signature is required in-store. For web purchases, no verification is really required other than the security code on the back (and not always even at that). With debit cards, your PIN code protects you. With a credit card, very little protects you other than fraud liability coverage and even then you can still be held liable.

The Best Card To Use

The RED debit card is the safest card to carry into Target to shop. It’s safer than a Visa, Mastercard or Amex branded card because it can only be used at Target. It’s safer than carrying loads of cash. It also gives you a 5% discount off of purchases. You won’t even get that discount with cash. It requires a PIN code to use the card and PIN codes are relatively easy to change on the Target management site by the authorized user. It’s not so easy to change by a hacker. The one downside to using the Target RED debit card is that it requires giving Target ACH access to your bank account. But, if you set up a separate account strictly for shopping purposes as suggested in Randosity’s Don’t Trust Paypal article, you can even protect your bank account from unauthorized ACH access by Target.

How do I protect myself?

There are limits to what you can do to protect yourself against technology. We are all vulnerable to attacks every day when using our phones, our computers, at work, in our cars. Technology is everywhere and malicious code is being developed as you read this article. There is no protection against malicious code technologies. Most technologies are written for the greater good, such as checking you out at the store, helping run your phone, helping run bank ATMs, etc. These are all good uses of technologies. However, there are people who’s goal it is to disrupt these technologies for their own pleasure, for political reasons, for terror reasons or simply to disrupt the flow of society.

Basically, sh*t happens. You can’t predict it, you can’t manage it, you can’t really do much about it. This is why your bank cards have limited liabilities and why they allow you to change PIN codes and ask for replacement cards. The banks are well aware problems happen and they have safeguards in place to help prevent these problems.

However, only you can protect you. If you want to be the safest you can be, then monitor your transactions in your accounts closely. Also, choose technologies and technology strategies that help you safeguard your accounts. Don’t expect the banks to do this for you. However, some banks do offer limited monitoring services and will contact you when suspicious activities appear. But, it is up to you to make sure your account information is safe. Basically, if you don’t trust in the current payment technologies, you’ll be left behind. If you do trust the technologies, you have to take the good with the bad. Cash paper money won’t last forever. Eventually, it will be replaced with something else. But, these new payment technologies will continue onward.

For now, cash is one way to handle the technology issue, but it is not the best way. Of course, you could go back to using paper checks, but even checks are vulnerable to electronic attacks. While the paper check is an older concept, it still suffers from technology attacks because checks are scanned by computers and from there they become digitally vulnerable. It can also be difficult to buy things with cash or checks at online retailers unless they accept Paypal. The bottom line, if you choose not to participate in the new payment technologies, you will find it difficult and inconvenient to buy things, especially online. If you choose to embrace the newest payment technologies, you will need to also embrace the new security paradigm that goes along with these new technologies. Target has just unwittingly become a poster-child for these new paradigms.