Thursday, December 19, 2013

IMPORTANT SECURITY ALERT

Target stores have been hacked, and 40 Million credit card accounts have been compromised.  Even worse, it seems that Debit cards may have also been compromised, and that it's possible that PIN codes were recorded as well.

If you have used your Debit card at a Target store since Thanksgiving, you need to change your PIN immediately.  While the credit card companies will cover losses on compromised credit cards, if the Bad Guys can clone your Debit card and use your PIN then they can clean out your bank account.  The bank may or may not cover this.

Mrs Borepatch and I are in the process of changing our PINs.  I strongly recommend you do the same, immediately.

Information is still sketchy on the details, but this is potentially so bad that I'm putting up an alert.  In five and a half years of blogging on security issues I've never done this before.  That's how serious this is.

UPDATE 19 December 2013 11:11: Reports are that this has been going on since Black Thursday.  My guess (and that's all it is) is that this could have been going on much longer.  If you've been using a Debit card at Target for the last 6 months or so, change your PIN.

9 comments:

B said...

Even smarter:

Don't use debit cards at all.

Use Credit Cards instead and pay 'em off. Worst case? Your credit limit is reached and you get it all back when Fraud is proven. An inconvenience at worst.

If you must use a debit card, use one that is linked to an account that isn't your main bill pay account. Transfer money into it as needed.

That way, even if someone DOES get into that account, the damage is limited.

ProudHillbilly said...

Yeah, I used a credit card on-line with them, but didn't buy anything at a store with debit. Guess this is a reminder to watch the statements closer.

Jake (formerly Riposte3) said...

If you must use a debit card, use one that is linked to an account that isn't your main bill pay account. Transfer money into it as needed.

^^^^^THIS^^^^^

I use a debit card because I was stupid when I was younger and now I can't get a real credit card. But I have a separate account for my bills and my emergency money. If my card is ever compromised (again), I can still pay my bills, and can use my emergency fund for daily necessities until the bank replaces the card and covers the losses (which my bank will do).

Anonymous said...

Is there a linkable source for this? Not doubting, just like to read it is all.

I never use a debit online. But I regularly do in person. Is this saying that the card#/PIN combination is stored when those POS systems are used? I can't think of a value add to the business for adding storage to that kind of transaction. It's all downsides AFAIK. This hack liability most obviously...

Borepatch said...

Andrew,

Brian Krebs has a good analysis.

http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

The concern is that the PIN was recorded surreptitiously. Nobody is supposed to store the PIN (other than the issuing bank).

Jake (formerly Riposte3) said...

Something else to be aware of: Most debit cards can also be used as credit cards, without requiring the PIN (I actually don't know my PIN, because I always have the stores run it as credit). If you've shopped at Target during the time in question, it may be a good idea to just get your bank to issue a new card.

Jake (formerly Riposte3) said...

More bad news. Looks like they got the credit card security codes, too.

"The stolen data include customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards." [Emphasis mine - Jake]

It sounds like the cards they got info on are all essentially completely compromised.

Richard said...

People should get fired and Target should reimburse credit card companies of costs and holders of cancelled cards for aggravation.