A customer prepares to sign a credit card slip at a Target store

On Thursday, Target announced that cybercrooks may have hacked into the data of 40 million of its in-store customers’ credit and debit card accounts. The breach started over Black Friday weekend, and security experts say consumers are often more vulnerable during the holiday season. Our panel of experts will take questions on identity theft, and how to increase your protection during the holidays.

Kim Zetter, senior writer who covers cybersecurity for Wired
Lisa Schifferle, attorney in the privacy and identity protection division of the Federal Trade Commission (FTC)
Eva Velasquez, CEO of the Identity Theft Resource Center, a nonprofit based in San Diego that provides assistance to victims of identity theft

  • Bob Fry

    We have a Target REDCard. Should we cancel it forthwith? Wait until we hear something from Target?

  • GaryWolf

    The guests commenting so far sound quite naive about the sophisticated strategies that guide these attacks. For instance, the advice to carefully watch your accounts and the blithe reassurance that you “won’t be liable” for fraudulent charges ignores the important fact that many of us use these cards for small amounts. Thieves know that they can bill millions of accounts regularly for small amounts with innocuous names in the “merchant” field, such as “IDA PARKING PDC.” This means that you must not only check your accounts, but you must remember clearly every single small charge, correctly understand the merchant name, and be willing to devote your time to resolving a small matter. Most people will ignore these small charges.

  • Fay Nissenbaum

    In the banking industry, Debit cards are called “sucker cards”. With credit cards, you are not liable for any amount charged, while with debit cards, you are at the mercy of each bank’s policies as the money stolen is sucked directly from your bank account. Why use them? The industry is not being point blank – debit cards save you nothing and put you in harm’s way.

  • Aaron Marks

    I try to use 30 character passwords, including “special characters”, for every account that I want to keep secure. Unfortunately, many financial institutions prohibit my passwords, for example restricting passwords to be no longer than 14 characters, or rejecting special characters. Why would they do this??

    • Fay Nissenbaum

      I have been annoyed by their restrictions in the special characters I try to pick. One wants six characters while another allows 17. Stupid and inconvenient.

    • utera

      It tends to mean their back end is running old software. At least that’s how its explained by steve Gibson from the security now podcast from what I remember. Theres no rational reason to limit the length that way otherwise.
      I generate my passwords with something like keepass, but any method as long as its long and random works.

  • Bob Fry

    The guest is not helpful, basically implying the consumer is responsible. While that’s generally true, for the millions of people who are affected by Target’s incompetence, avoiding dodgy websites or other worn-out advice is pointless. What to do about that? Is Target doing anything? Or is it entirely up to us to check our bank accounts and credit reports for years to come?

  • Freida Ravasco Neiman

    I recently shopped at Target and I used my debit card for shopping. However, I used my debit card as a credit card and didn’t use my pin. Would the hackers still have access to my bank account since I didn’t use my pin?

    • Bob Fry

      Good luck trying to get an answer from Target or the corporate apologists on today’s show.

      Edit: Jeez, the corporate defenders are simply guessing at the correct answer!!

    • Reid

      Yes. It’s processed as a credit transaction, no PIN needed. The hackers can use your card number to rack up purchases that clean out your bank account, just as they could use it to run up a huge bill on a credit card account. If you don’t need to use a PIN, neither do they.

    • Dianne Eckert

      The answer depends. If your debit card has a Visa or other logo on it, it can be used just like a credit card and the funds will be deducted directly from your bank account. The only key difference is there will be a delay in posting to your account of 1 to 2 days. If your card does not have a logo such as Visa, the PIN would be required.

  • Fay Nissenbaum

    If you dont use a debit card, your bank account is secure and you dont have to change your pin. Debit cards are not called sucker cards in the banking industry for no reason. Why would you increase your risks, and allow money to be sucked directly out of your bank account? There is no reason to use a debit card over a credit card, so dont!

    • Bob Fry

      Well, Target offers a 5% discount for using it as a debit card, so there is a reason…

  • GaryWolf

    Bob’s comment is right on the mark, there is a strange mix of false re-assurance and “buyer beware” attitudes among the guests that fail to acknowledge that this is a systematic flaw in the credit card infrastructure. There are some fairly obvious things that could be done. For instance, credit card transactions could require a PIN. PIN codes could automatically expire regularly. Retailers could be required to ask for ID. Of course this is an ongoing battle, but the philosophy of “put as much of the cost of managing security breaches on the individual user as you can get away with” is fundamentally misguided.

  • WilliamWL

    if a retailer only sends to the billing address, then all my packages will sit on my doorstep all day until I get home in the evening. anyone walking by will be able to walk away with my packages.

  • Deepak

    Island stores in malls are quite unsafe for credit cards. Use cash there.

    • Reid

      Not to mention annoying!

  • John

    The callers that are touting cash as the solution seem to not take into account that cash can be lost or stolen. After a full year of using cash, you’re probably at more risk of losing it than you are of having your credit card account compromised.

  • Reid

    Peter in SF is welcome to hold up the line using checks, which are easily and frequently washed and forged. He’s also welcome to use only cash. When our wallets get stolen, I’ll cancel my credit cards, and he can cancel his cash — good luck! I prefer the buyer protections and very limited liability of credit cards.

    I’ve only had a card number stolen once, the bank contacted me and shipped me a new card, and it cost me nothing. I do, however, try to use cash at small local businesses to save them the fees.

  • Christina

    Unfortunately, I shopped at target in the breached period. My primary bank account is with Capitalone 360 (formerly INGDirect) and one annoyance I always had was that when shopping at Target specifically, if I wanted to spend over $200 using my credit card, my account would be automatically locked until I called to verify the purchase. This was a huge pain, and they said it wouldn’t happen if I used the debit option with my pin. When I asked why they do that for target only, they said that target purchases over $200 were identified by them as being high fraud risk. I certainly am understanding that now and will be replacing my card, especially since because of the purchase freezes, I usually use the debit option to avoid this, and I’ll definitely be replacing my card.

    • Reid

      I don’t think this is a company-wide policy. It’s been a year or two, but I bought an iPad (among a few other things) at Target and nobody batted an eye at the $800 bill. Amusingly, I got a fraud department call from my credit card company the next day. I told them “yes, I spent a large amount of money at Target yesterday. Nope, that wasn’t the suspicious charge. The suspicious charge was $100 at Zappos (who I’ve bought from before). I guess my credit card company knows that me buying shoes is a lot more suspicious than me buying electronics!

  • Reid

    Your guests were missing the point about using a debit card as a credit card. It doesn’t matter if your PIN is stolen or not. It doesn’t matter if they’re taking cash out of your account or making fraudulent debit transactions using your check card. Either way, your account is cleaned out.

  • Fay Nissenbaum

    If you lose a pre-paid card, you lose all the money on it!

  • Dianne Eckert

    Any retailer that accepts credit cards has financial incentives to minimize fraud. The greatest driver is the fee paid to the merchant banks and the credit card processors. Riskier retailers and web sites pay a greater percentage of their gross proceeds from credit card transactions to the authorizing merchant bank. This hits the retailer’s bottom line.

    • Fay Nissenbaum

      Nonsense. Retailers use the system they subscribe to and are not asked do to any more than that. The fees charged by c.c. companies do not rise when the theft fraud totals go up or down. The connection is too attenuated.

      • Dianne Eckert

        Fay, I’m interested to hear where your expertise falls related to this topic. My perspective comes from work I do in the eCommerce field. My clients invest time and money to reduce credit card fraud on their sites. One key driver is so they can reduce the amount of money withheld by their merchant banks to cover fraud. They definitely recognize a direct link and receive a financial benefit by preventing fraud.

  • Fay Nissenbaum

    Please comment to consumers to not be duped by discounts for opening a new card. You will pay in your credit FICO score. Target’s red card for 5% is a joke.

  • Fay Nissenbaum

    Paypal is horrible for accepting payments for things you sell. The buyer can easily reverse charges and paypal wont help!

  • Dan Lambert

    I am surprised that one of your guests has suggested not using your debit card anywhere except at an ATM machine. In my opinion, this is fear-mongering reminiscent of Dick Cheney suggesting we all go out and buy plastic sheeting and duct tape during the anthrax scare. Of course we should all be careful with our cards, but using credit cards adds an additional financial burden on the merchant as credit card transaction carry higher merchant fees than debit cards. In the fast-paced world that we live in, telling people to not use their ATM cards is like asking us to all drive in the slow lane becasue that is where it is safer. Dan, Santa Rosa

  • greendogdemo

    The lady who called about Amazon is right that it is a scam. I get those too, every single day, and I have no orders at Amazon. Tell people NOT to open those emails. They are fake.

  • barbara

    These mass thefts would not occur if it wasn’t so easy for thieves to use the stolen information.. Why isn’t anyone holding the banks accountable for keeping our personal information safe?

    We are a small business that operates a website and people are constantly trying to use stolen card information to purchase from us. We are extremely diligent and have fraud filters in place, but some orders slip through. If we don’t catch it and send the product, then the bank charges us, the merchant with no follow up with the actual criminals that have supplied their address, I have contacted the bank directly with suspicious information and they do not care. They simply charge back the merchants. We pay up to 3% per transaction and receive zero protection.

    The banks are the root of the problem and profit greatly from their “Fraud Protection” division- protecting us from the bank’s own system? If they have the ability to protect us against fraud, then why dont they just do it? The very industry that allows our information to be stolen, profits from “protecting” it. In my opinion, that is the fraud.

  • Owen

    I wanted to comment that I to have gotten the fake Amazon e-mails. The first thing to do is log on directly to Amazon.com and check the status of your orders. Though I tend to order frequently from Amazon, I have no outstanding orders, so that was a red flag. Also there were a large number of e-mail addresses in the TO: field. All of them were somewhat similar to my own e-mail. This is a sure give away that something is amiss. Also the attached file was a zip file which contained an exe file. Both of these facts are red flags. The attachment was supposed to be the order details and the invoice. These type of documents would usually come as a pdf file and not an exe file which contains executable code which could install a virus or other malware. All of these factors strongly pointed to fraudulent e-mail.

Sponsored by

Become a KQED sponsor