As if the Target data breach wasn’t bad enough, experts say it’s almost inevitable this kind of thing will happen again. “There’s already a lot of breaches related to the Target breach that aren’t being disclosed,” Gartner analyst Avivah Litan told NPR, saying there’s roughly an 80 percent chance another big data breach like the Target mess will occur in the future.
It’s especially frustrating because the big fixes to improve security aren’t the kind of thing ordinary consumers can do, aside from calling your bank and asking for a new card (if you haven’t been issued one already). Although EMV cards (a.k.a. “chip and PIN” cards) are more secure and used pretty much everywhere in the world, experts say it will take months if not years to switch our infrastructure. The financial services industry is pushing for a switch to EMV in October 2015, but it’s going to be a slow process getting banks and merchants all on board.
In the meantime, we’re stuck with outdated technology that leaves our cards vulnerable. While you can’t eliminate the risk, financial security experts say there are a few steps you can take to at least cut it down.
Use credit if you can. Credit cards have two big advantages over debit cards when it comes to fraud. “You don’t have the same protection you’ve got with a credit card, and your bank account is at risk,” says Scott Dueweke, senior associate in the virtual identity and anonymous payments division of Booz Allen Hamilton. The other issue is that there’s a much shorter window of time (just two days!) for cardholders to report a suspicious transaction made on a debit card versus a credit card before their liability climbs from $50 to $500. (And if you wait more than 60 days, you could be left holding the bag entirely.)
Sign instead of keying in your PIN. Opt for signature over PIN transactions with your debit card. Merchants would prefer that you use your PIN because it’s cheaper for them, which is why most payment terminals are set up with a PIN prompt as a default, but it’s riskier because it gives data thieves the option of creating a fake debit card and hitting the ATM to take out your money, says
“Visa and MasterCard also offer zero liability coverage for signature transactions,” says Al Pascual, senior analyst of security, risk and fraud. This means that consumers need to protect their PINs from compromise or theft, as they could end up holding the bag in the event that their debit card is misused for a PIN-based transaction.
Keep watching your statements. Monitoring your statements for any unfamiliar activity is basic advice, but — let’s be honest — many of us don’t, maybe figuring if our information was compromised, we’d have found out by now. But if you shopped at Target during the period when the breach occurred and you haven’t been issued a new card, keep a super-close eye on your account activity at least through the end of this month, Dueweke says.
Criminals who steal batches of payment card information usually sell it right away, and those buyers tend to use those numbers as soon as possible. But in this case, the breach was so big that there’s a veritable bumper crop of stolen card data floating around the black market. In other words, it could take a little while for the bad guys to get around to yours.
Disable automatic transfers to linked accounts. Many banks offer customers the option of linking a savings account or line of credit to their checking account, with an automatic transfer of funds if a transaction would trigger an overdraft. (There’s usually a fee for this, but it’s a fraction of the $30 or so most banks charge for overdrafts.) If your debit card is used by thieves, this means they can wipe out both of your accounts, so consider temporarily disabling this function.
Use more — and better — passwords. “These database breaches often include online username and passwords, and if you are one of the 55% of all consumers who use the same username and password for all of your online relationships, then a data breach at a retailer can also result in the bad guys getting access to your online banking accounts,” says Julie Conroy, a research director at the Aite Group, a consulting company.
Compounding the problem, most of us still use really lame passwords: SplashData, a company that makes tools to help people manage their passwords, put together a list of 2013’s worst passwords. No-brainers like “123456,” “password” and “qwerty” were among the top five. “Even passwords with common substitutions like ‘dr4mat1c’ can be vulnerable to attackers’ increasingly sophisticated technology,” the company warns.
Set up account alerts. Most banks let customers set up alerts, generally sent via email or text, that tell customers if certain types of transactions are made. “The alert parameters are often configurable, so consumers can choose to be alerted on what is truly out of pattern for them, and not have to put up with a lot of ‘noise,’” Conroy says. You can set a dollar amount or a geographic range as a trigger to receive an alert, for instance.