There have been many conflicting stories and plenty of advice given by information security and cybersecurity “experts” since the story first broke on December 18th. FRSecure has put together this series of frequently asked questions to help set the record straight, because it is tired of and disappointed by many of the so-called “experts” and fear mongers.
Date of Occurrence
November 27th – December 15th, 2013
Who does this affect?
According to all credible reports, the breach affects people who used their credit and/or debit cards in store between November 27th and December 15th, 2013.
Who is not affected?
The breach does not appear to affect online purchases or customers who only made online purchases.
How many credit and debit cards were affected?
Current and credible reports put the number at more than 40 million.
Is this the largest credit/debit card breach in U.S. history?
No. This looks like the 3rd largest in terms of number of accounts affected.
The two largest credit/debit card breaches in U.S. history involved the same person: Albert Gonzalez. He was indicted for the Heartland Payment Systems breach in 2009 that affected more than 130 million credit/debit cards, and he was indicted for the TJX (TJ Maxx) breach in 2007 that affected more than 45 million credit/debit cards.
What information was stolen?
Full magnetic stripe data, also called “track data,” from credit and debit cards. The magnetic stripe contains only the following information:
- Cardholder name
- Cardholder account number
- Card expiration date
- Card Security Code 1 (CSC1), also called the Card Verification Value 1 (CVV1). This code is stored on the magnetic stripe and is used to validate “card present” transactions. Card present transactions are those made in person, at the merchant, by swiping the card.
What information was NOT stolen?
There was no other data stolen. The following information was not included in the breach:
- Card Verification Value 2 (CVV2). This code is printed on the back of credit and debit cards and is used to validate “card not present” transactions. Card not present transactions are online transactions and those made by phone or form.
- Card holder physical addresses
- Card holder Social Security Numbers
- Card holder birth dates
- Transaction history data
- Personal Identification Numbers (PIN)
Many of the so-called “experts” were quick to point out that Target mentioned that the CVV code was compromised, and they jumped from that to the claim that attackers could make “card not present” purchases.
THIS IS NOT TRUE. They are mistaken about how credit cards and credit card security work. There are two CVV codes (see above). The CVV code that was stolen is the one on the magnetic stripe, not the one printed on the back of the card (the one used for “card not present” transactions).
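The distinction between what is and is not on the stripe is easiest to see by parsing the stripe format itself. The following is an added example written for this FAQ, not code from FRSecure or Target: a small scanner of the kind a DLP or log-review rule would use to flag clear-text track data in places it should never appear (PCI DSS forbids storing full track data after authorization). It assumes the ISO 7813 Track 1 (format code B) and Track 2 layouts, uses well-known test account numbers in a constructed sample, and treats the issuer discretionary field, where CVV1 resides, as opaque. The field names in the returned records are this example's own.

```python
"""Detect ISO 7813 magnetic-stripe ("track") data in arbitrary text.

Defender use case: flag clear-text track data where it should never be
stored. The parsed record also documents what the stripe holds (name,
account number, expiry, service code, issuer discretionary data) and, by
omission, what it does not (CVV2, PIN, address, SSN, birth date).
"""
import re

# Track 1, format code B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# Data that is never encoded on the stripe, listed so a report can state it
# explicitly next to what was found.
NOT_ON_STRIPE = ("CVV2", "PIN", "physical address", "SSN", "birth date")


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check that every card brand applies to the account number.
    Filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _record(track: int, m: "re.Match") -> dict:
    exp = m.group("exp")
    return {
        "track": track,
        "pan_masked": mask_pan(m.group("pan")),
        "name": m.group("name") if track == 1 else None,
        "expiry": f"{exp[2:]}/{exp[:2]}",  # YYMM -> MM/YY
        "service_code": m.group("svc"),
        # CVV1 lives in the discretionary field; its layout is issuer-specific,
        # so it is only reported as present or absent, never decoded.
        "has_discretionary_data": bool(m.group("disc")),
    }


def find_track_data(text: str) -> list:
    """Return one record per Luhn-valid track 1 / track 2 string found in text."""
    found = []
    for m in TRACK1_RE.finditer(text):
        if luhn_valid(m.group("pan")):
            found.append(_record(1, m))
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group("pan")):
            found.append(_record(2, m))
    return found


# Constructed sample (not real data): two records built from well-known
# test account numbers, plus one track-2-shaped string whose number fails
# the Luhn check and is therefore ignored.
SAMPLE_DUMP = (
    "2013-12-02 14:03:11 pos07 txn ok\n"
    "%B4111111111111111^DOE/JOHN^25121011234567890?\n"
    ";5555555555554444=25121015678901234?\n"
    ";4111111111111112=2512101000000000?\n"
)

if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_DUMP):
        print(rec)
    print("never present in track data:", ", ".join(NOT_ON_STRIPE))
```

Run against the constructed sample it reports two records (one per track format) and drops the third string on the Luhn check. Every field it can name is one the FAQ lists as stolen; nothing in the format carries CVV2, a PIN, an address or an SSN, which is exactly why the stripe data alone does not support “card not present” fraud.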
How did this happen?
The details on this are not fully available yet. The most likely method of attack would be one of two things:
- Attackers found a flaw in Target’s systems and used this flaw to gain a foothold into the system.
- Attackers used a method called “social engineering” to trick a person working for Target into installing a program that allowed access to the system.
It appears as though attackers targeted the point of sale systems.
If I shopped at Target between the dates mentioned, what should I do?
All of us at FRSecure have made purchases at Target using our cards between the dates mentioned in the breach. Here are some things that we are doing:
- Monitor your credit and/or debit card accounts closely online
- If you are really concerned, take some cash out of your account and keep it in a safe place.
- If you detect or find fraudulent transactions on your account, call your financial institution, close your account and open a new one.
- Use the cash that you took out earlier to get you by until your new card arrives in the mail.
- Validate that your financial institution has returned your funds.
Just because your card data may have been stolen does not mean that it will be used for fraud.
Should I cancel my credit or debit card?
No, and here’s why.
1. Target knows which accounts could have been compromised and has notified all of the card brands: Visa, MasterCard, American Express, and Discover. This list is known as a “compromised list” and has been routed to card issuers as well. Card brands and card issuers are all on alert and are monitoring these accounts for fraudulent behavior. We can validate that at least three of the issuers that our banks use have been notified.
2. You might have trouble getting your new card in less than two weeks given the unusually high volume of these requests. If there are any fraudulent transactions that get processed (even after the monitoring done on the accounts), you are not liable for any of the lost funds. The bank will close your account, open a new one for you, refund your money, and issue you a new card.
3. There have been many so-called “experts” who have been telling people to cancel their cards now, and they have been telling people to do it with a sense of urgency. This is unnecessary fear mongering in our opinion.
Am I at risk for identity theft?
Not any more than you were before the Target breach. The Target breach is not related to identity theft. Losing your credit card data is not the same as losing your identity data.
If your Social Security Number were compromised, this would be a different story. There were no Social Security Numbers stolen in the Target breach.
What can the thieves do with the data that was stolen?
They can do a few things with this data:
- They can sell it to other thieves.
- They can create a fake credit or debit card by writing the magnetic stripe data from your card to a magnetic stripe on another card. They can then take the fake credit card and make purchases at various merchants in-person.
What can the thieves NOT do with the data that was stolen?
There are many things that the thieves cannot do, including:
- Thieves cannot make online or other “card not present” purchases
- Thieves cannot steal your identity
- Thieves cannot obtain other credit or debit cards using your information
- Thieves cannot obtain loans using your information
- Thieves cannot take cash out of your account at an ATM (no PIN)
As you can see, there are few things that the thieves can do with this information.
How long should I continue to be concerned about this breach?
You should always be concerned about financial fraud in general, and you should always be monitoring your accounts for unusual and/or unauthorized activity. If you are vigilant, you will be fine.
On one hand, the credit and debit card numbers are exposed, and there is no way to “un-expose” them. On the other hand, the card brands and issuers are all on alert and monitoring for unauthorized activities.
The full details about this breach could take weeks or months to become publicly known.
Should I stop shopping at Target?
FRSecure does not work for Target, and has no vested interest in the organization. FRSecure needs to state this fact because some people will question the objectivity of its advice.
All of us at FRSecure shop at Target, and all of us will continue to do so. All of us use our cards at Target, and all of us will continue to do so.
Target might just be the most secure place on the planet to use your cards right now. The U.S. Secret Service and numerous real experts are monitoring the systems like a hawk right now.
Did Target do something wrong?
This is hard to say without details about what took place, but FRSecure suspects that somebody at Target did something wrong. FRSecure will be able to make a better determination of this once more is known.
Be careful not to confuse “wrong” with “negligent.” If, in our opinion, Target was negligent, FRSecure would be one of the first to let you know!
This article was contributed by FRSecure’s President, Evan Francen. FRSecure is under contract with DCIG to produce DCIG’s forthcoming DCIG SIEM Appliance Buyer’s Guide scheduled for release in the first half of 2014.