Lessons from the Debit and Credit Card Breach at Target

Target and news services disclosed late last week the PIN numbers of debit cards were also obtained as a part of the data stolen during the debit and credit card breach at US Target stores from November 27th through December 15th.  Security analysts recommend anyone who used their debit card at Target during these dates go ahead and change their PIN number.

Even though the PIN number is encrypted at the keypad and remains encrypted within Target’s system and when the data is removed from the system, security analysts agree this information is vulnerable.  Such data has been decrypted or unlocked before.  Computer hacker Albert Gonzalez pleaded guilty in 2009 to conspiracy for leading the group that stole data from T.J. Maxx Companies, Barnes & Noble, and OfficeMax.  Gonzalez’ group did in fact decrypt the PIN numbers from the card data they stole.  While encryption technology has changed, nothing is infallible.

The credit and debit card data breach at Target was only one of about 600 publicly disclosed data breaches in 2013.  The ongoing investigation being conducted by the Secret Service and Justice Department will uncover how this happened and may eventually discover who did this.  While these questions are important and may even lead to better security procedures, the real question consumers should be asking is what can each of us do to protect ourselves from future breaches of debit and credit cards?

CNBC posted an interesting article on Saturday, December 28th that answers this question with 5 points.

  • Credit cards offer better fraud protection
  • Credit monitoring won’t protect you from a data breach
  • A security freeze will not protect you from a data breach
  • Debit Card Issues
  • Best practices for debit & credit cards

Credit cards offer better fraud protection than debit cards.

  • Federal law limits a cardholders financial responsibility for unauthorized charges to $50
  • Visa, MasterCard, American Express, and Discover have “zero liability” policies

When it comes to debit cards there are some key differences between the card providers:

  • Your limit on fraudulent charges is capped at $50 if you notify the bank within 2 days
  • If you miss the 2 day window, the cap jumps to $500 but the bank must be notified within 60 days of the fraudulent charge occurring
  • Visa and MasterCard provide zero liability policies on debit card purchases if the cardholder signs for the transaction rather than using their PIN number
  • It may take up to two weeks for your money to be returned to your account while the bank investigates

Credit monitoring services are good tools; however, they are designed to protect people from thieves who open new accounts in your name using your name, date of birth, account passwords, social security number, etc.  Since this wasn’t the case for the Target shoppers impacted by the data breach, this service would be of no help.  In addition, fraudulent use of your card does not trigger alerts to your credit bureau, and debit card purchases are not reported to the credit bureaus.

A security freeze is designed to protect your credit by preventing access to your credit report to open or process a new credit card application.  If your social security number is stolen, this is exactly the step you should take; it just doesn’t prevent fraud to an existing account.

Now that it’s been verified the data thieves also obtained the PIN numbers of people’s debit cards, changing your PIN is the minimum step that should be taken.  Changing it will prevent cash being withdrawn from an ATM, but it won’t prevent someone making a purchase with your stolen account data.  To fully protect yourself have your bank issue you a replacement card.

When making a purchase with your debit card, you may be asked “credit or debit?”.  Nothing turns a debit card into a credit card regardless of who issues the card.  Regardless of which purchase type is chosen, there’s no extra protection from a data breach.  The only potential benefit is the zero liability offer from Visa and MasterCard when you sign for the purchase.

Banks and card companies will implement chip based cards that replaced the magnetic stripe cards in use today by the end of 2015.  These cards are in use in Europe now and much less susceptible to the type of data breach Target experienced.  Until then, there are steps you can take to protect yourself.

Respond immediately to any notice from your bank in the mail.  The same goes for an email alert from your bank; however realize your bank will not send you an email asking you to verify personal information such as PIN numbers or social security numbers.  Verify all communication from your bank by calling the security department.  Review your accounts regularly.  If there’s a charge you don’t recognize, regardless of how small it is, call the bank’s security department.  What are you doing to protect yourself from credit card fraud?  Share your suggestions, comments, or questions with me in the comments section of our blog or on our Facebook page.  I’d love to hear from you!

Evie Wise
Evie Wise


Evie Wise
Evie Wise

Share this post with your friends

Leave a Reply