Are you suffering from security breach burnout in the wake of the huge hacker attack on Home Depot? The do-it-yourself retailing giant says the data heist that went down from last April through September compromised 56 million payment cards, and it appears to be bigger than last year's Target breach.
"People are getting sick of hearing about it," Avivah Litan, a financial fraud analyst at Gartner Research, said.
But now is not the time to tune out.
In late August, the U.S. Department of Homeland Security and the Secret Service issued an advisory about retail point-of-sale malware infections that have affected an estimated 1,000 businesses. So you can reasonably expect more breach notices to come.
Meanwhile, as we reported earlier this year, some major hotel chains have been lax in protecting consumers' data, and on Friday, The New York Times reported that Home Depot was slow to secure its customers' data, according to unnamed former cybersecurity employees.
Merchants who accept payment cards from American Express, Discover, JCB, MasterCard, and Visa are required by the Payment Card Industry Council, which sets minimum security standards for retailers who accept those cards, to assess their data security—but only once a year, with quarterly system scans.
Unfortunately, sophisticated hackers move a lot faster than that to find and exploit security vulnerabilities.
Also, those periodic reports are only the baseline floor for security, not the cutting-edge pinnacle. "These are the bare minimum things you should be doing to protect credit card and any kind of data," Bob Russo, the PCI Council's general manager, told us last spring. In addition, they are just "a snapshot in time," said Troy Leach, the PCI's chief technology officer. "The key is for retailers to follow those practices not just when the assessor comes to town, but every day," Leach said.
But Litan blames the payment card industry and banks for not providing a more secure payment processing system that employs encryption and tokenization—which generates and transfers a unique code for each payment transaction, instead of the actual account number, expiration date, and account owner's name, which can be intercepted and counterfeited by hackers for unauthorized charges. Even if a token were captured, it can't be used again after the original legitimate transaction.
"There's nothing they can do to stop these breaches right now, but there's plenty they can do in the next year," Litan said.
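The single-use token behavior described above can be modeled in a few lines of Python. This is an added illustration, not code from the article or from any card network; the `TokenVault` class, the merchant IDs, and the simplified swipe string are assumptions made for the example, and the card number is a constructed test value.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: a well-known test card number


class TokenVault:
    """Hypothetical issuer-side vault mapping one-time tokens to card numbers."""

    def __init__(self):
        self._pending = {}  # token -> (pan, amount_cents, merchant_id)

    def issue(self, pan, amount_cents, merchant_id):
        # The token is random, so it reveals nothing about the card number.
        token = secrets.token_hex(16)
        self._pending[token] = (pan, amount_cents, merchant_id)
        return token

    def redeem(self, token, amount_cents, merchant_id):
        # pop() consumes the token on first presentation, valid or not,
        # so a captured copy is worthless afterwards.
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        pan, bound_amount, bound_merchant = entry
        if (bound_amount, bound_merchant) != (amount_cents, merchant_id):
            return None  # token was bound to a different transaction
        return pan


def magstripe_message(pan, expiry, name):
    # Simplified stand-in for an unencrypted swipe: the account data itself.
    return f"%B{pan}^{name}^{expiry}?"


def run_demo():
    vault = TokenVault()
    swipe = magstripe_message(TEST_PAN, "1712", "DOE/JANE")
    token = vault.issue(TEST_PAN, 4999, "store-0001")
    other = vault.issue(TEST_PAN, 4999, "store-0001")
    return {
        "pan_in_swipe": TEST_PAN in swipe,   # what the terminal sees today
        "pan_in_token": TEST_PAN in token,   # what it would see with a token
        "first_use": vault.redeem(token, 4999, "store-0001") == TEST_PAN,
        "replay": vault.redeem(token, 4999, "store-0001") is not None,
        "wrong_merchant": vault.redeem(other, 4999, "store-9999") is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```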
Check the guide to security freeze protection from Consumers Union, the policy and advocacy arm of Consumer Reports.
One current problem, Litan says, is that payment card data is not encrypted when consumers enter it into terminals at the checkout counter by swiping their credit and debit cards through the unprotected magnetic stripe card reader. So that's where hackers steal card account numbers and other personal information.
Home Depot now encrypts that data at the source, but other retailers need to catch up, Litan says.
Until that happens, consumers should lock down their financial data and personal information, especially in advance of the busy holiday shopping season, when Target was attacked last year. Here's how.
1. Demand a new replacement credit and debit card if yours was compromised. Chase Bank proactively took this step after the Target breach and has already notified customers that a new card is on the way to victims of the Home Depot breach. Don't wait for your bank to do the same. Initiate the call yourself.
2. Check your bank account register and credit card activity online to see whether your card was used at Home Depot or at any other place—fill in the blank of tomorrow's hapless retailer name here—that was recently hacked. Don't wait for your print statement to come in the mail; check the latest account activity digitally by signing up for online access to your account information or by using a mobile banking app. If that information is available online for only a certain period, for example the previous 90 days, check farther back by looking at your monthly print statements. Also watch out for changes to your debit card PIN.
3. Be alert for post-breach phishing attempts. Hackers don't always get everything they need to break into your accounts, so they will typically send you e-mails or even call on the phone and pose as your bank or card issuer to try to trick you into giving up the missing pieces, including mother's maiden name, account username and password, date of birth, and Social Security number. Learn to identify "phishing" attempts by following our advice.
4. Lock down your credit report with a security freeze, which essentially shuts off access to your credit history by new would-be lenders. If a hacker applies for a loan in your name, the creditor is less likely to approve it if he or she can't see your credit file. Freezes are typically free for victims of identity theft, which you are if you paid with plastic at Home Depot between April and September of this year.
5. Get as many as 18 free credit reports per year so you can regularly monitor them and keep an eye out for fraudulent new accounts. You can get three free credit reports (one from each credit bureau) from annualcreditreport.com and three more in many states that also mandate free annual reports.
You're also entitled to a free credit report from each bureau after you file a 90-day fraud alert, which you should do every 90 days if you've been a victim of the Home Depot or other data breach or have a good-faith suspicion that you're about to become a victim of identity fraud.
As we've previously reported, 22.5 percent of consumers who received notice of a security breach, like the one that occurred at Home Depot, subsequently became victims of identity theft, according to a survey of 5,000 consumers by Javelin Strategy and Research, a California consulting firm that has studied this crime for more than 10 years. That's almost eight times the 2.9 percent ID fraud rate for consumers who hadn't received a breach notice.
6. Ask merchants big or small if they're PCI-DSS compliant. If they don't know or have not even heard of this most basic of data security measures, pay with a credit card, rather than debit card, because fraud theft from your checking/debit account can set off a cascade of penalty fees for bounced checks.
7. Don't waste money on costly identity theft prevention services, which can cost $120 to $300 a year, because you can do most of what they do for little or no cost. If the breached retailer offers free credit monitoring, consider taking it, but beware that it could create a false sense of security and remember not to renew for an annual fee when the free period ends.
9. Don't panic, but take the breach threat seriously, because this problem is now a fact of life until the big payment card brands, banks, and retailers improve the security of the payment processing system.
—Jeff Blyskal (@JeffBlyskal on Twitter)