If you appreciate the benefits of online shopping, you’re not alone: for the 2015 holiday season, revenue topped $83 billion, 11 percent more than in 2014. Who doesn’t appreciate the comfort and speed that online shopping provides? But like every other modern convenience, with the good comes the bad. Whether for online shopping, paying bills or other purposes, you’re putting yourself at risk from online security and identity theft crimes, especially a credit card breach.
These invasions are types of data breaches (also known as data leaks, data spills or unintentional information disclosures). These incidents involve secure information — sensitive, protected or confidential — being taken or stolen from systems without the knowledge or authorization of the owner. A data or credit card breach may occur accidentally or intentionally and can involve both personal and business-related data. Examples may include: credit card numbers, trade secrets and intellectual property (IP), customer data and even high-level, government secrets. Once the information is obtained, it can be copied, transmitted or viewed.
A credit card breach can be damaging to victims’ financial lives, and the effects may extend to other areas, such as their healthcare, personal safety and well-being. But credit card breaches also take a serious toll on a targeted company’s reputation, not to mention its bottom line. With the internet and online shopping so popular in today’s culture, it’s not surprising that credit card breach crimes are increasing, with more consumers feeling the effects.
Research shows that in 2014, there were 1,540 cases worldwide, with more than one billion customer records being compromised; a 46 percent increase from 2013. In 2014, an estimated 31.8 million U.S. consumers experienced credit card breaches, more than triple 2013’s amount. Even worse, a study found that in January 2014, 18 percent of American adult Internet users stated that their personal information had been stolen. These crimes are expensive, as well; in 2014, 90 percent of all victims received replacement credit cards, which cost issuers up to $12.75 per card.
These credit card breach attacks have impacted virtually every industry and type of business. Even Experian, a credit reporting agency, experienced a credit card breach in which 15 million consumers’ information was stolen. Other notable industries and companies affected include: retail, which represents 11 percent of all breaches (Wal-Mart, Home Depot); restaurants (Wendy’s, Landry’s); financial institutions (JP Morgan Chase); education (the University of Central Florida); and popular websites (eBay).
While credit card breaches are a global phenomenon, the United States is clearly the leader. A Barclays study found that the U.S. accounts for 47 percent of all card fraud, even though it only makes up 24 percent of total worldwide card volume. However, these many credit card breaches have also made an impact on other countries. For U.K.-issued credit cards, breaches in the U.S. made up 35 percent of losses; this compares to 10 percent for French and Australian losses, 9 percent for Canadian losses and 6 percent for German losses. The cause may be the U.S.’s reluctance to adopt a global credit card model, known as Europay, MasterCard and Visa (EMV) cards. Research suggests that countries utilizing these cards have lower credit card breach rates.
There are other preventive measures to take against credit card breaches, for both companies and consumers. As with any other type of identity crime, the best defense is to constantly monitor your personal online information for any errors or strange activities. Should a credit card breach discrepancy be found or suspected, you must report it to the proper agencies or organizations as soon as possible. Other credit card breach guidelines involve ensuring the security of computer networks, devices, accounts and passwords. It’s also vital to keep track of receipts and statements.
Credit card breach cause and effect
Yes, a data or credit card breach can cause major problems for consumers, tying up their bank accounts and ruining their credit. But these thefts actually have a much larger impact, including all parties involved in the payment card industry (PCI). These credit card breaches, as well as the involved companies’ actions taken, have resulted in a substantial loss of trust and faith among consumers.
In the fall of 2014, American consumers were asked about their credit card issuers’ ability to secure their data. Only 9 percent reported being “very confident,” and 29 percent said they were “somewhat confident.” Once customers lose trust in merchants or financial institutions, their credit can be even more negatively affected. In turn, the merchants and institutions lose their own credibility. Their profits can be impacted, and they may face numerous financial liabilities, as well. But a credit card breach isn’t limited to just online and brick-and-mortar companies and businesses. They’re also common among companies and businesses’ call centers, with 2014’s breach attempts increasing by 30 percent over 2013. In 2014, mobile fraud, involving cellphones and other personal telecommunications devices, was shown to be closely associated with credit card breaches; cards were found to be used in 53 percent of all cases.
As for how a data or credit card breach occurs, there are generally three stages: research, attack and exfiltration (removal of data). In the research stage, the cyber criminal selects a target, and then looks for any exploitable weaknesses. These may include: disgruntled employees, lost or stolen devices, infected devices (malware or other viruses) or simply sharing sensitive information with friends or family. Once the attack stage begins, the cyber criminal initiates contact with the target. This could be accomplished through a network-based attack, in which the target’s weaknesses are used to gain access to their network.
Cyber criminals may opt for a social attack, in which “social engineering” is used to gain access to the target’s network. This could include specialized emails designed to catch that specific employee’s attention, such as “phishing” emails; these trick people into providing personal information to the sender. If successful, the cyber criminal gains access to the target’s network, and the exfiltration stage can begin. At this point, they can steal data from the company’s infrastructure and transmit it back to themselves. A credit card breach may be tied to various harmful purposes, including blackmail, additional attacks on the infrastructure, organized crime and foreign governments’ attacks. Here are two credit card breach examples and their online shopping risks:
1.) TJX – To illustrate how not to handle a credit card breach, TJX, the parent company of Marshalls, HomeGoods and TJMaxx, holds the dubious honor of having experienced the largest loss of consumers’ personal information in history. They then mishandled and under-reported the full scope of the credit card breach. First reporting the crime in May 2006, it later came out that the breach wasn’t actually discovered until mid-December, 2006. But TJX had to revise this earlier statement, as an investigation revealed that the crime may have occurred as far back as July 2005.
In March 2007, it was announced that the credit card breach affected at least 46 million national and international TJX customers’ MasterCard and Visa cards, along with checks and returned merchandise without receipts. But in October 2007, at least 94 million TJX customers were said to be affected. This forced multiple banks and credit unions to block and reissue thousands of payment cards. The credit card breach cost TJX $5 million, including the investigations, notifying customers and security system improvements. Not surprisingly, they were hit by a wave of lawsuits; in July 2009, a 41-state consumer protection settlement forced TJX to pay $9.75 million.
2.) Target – Compared to TJX, Target handled their credit card breach relatively well. Between late November and mid-December 2013, they announced the theft of 40 million credit and debit card accounts. However, 70 million customers were found to have had at least some of their information compromised, making it the second-largest debit and credit card breach, so far. It was later revealed that in addition to payment card information, the credit card breach hackers obtained customers’ names, mailing addresses, phone numbers and email addresses.
Faced with an angry customer base, the company spent $240 million on remedies for those affected by the credit card breach; this included offering free credit monitoring and working with a third-party forensics firm. On March 19, 2015, Target reported that they’d agreed on a $10 million settlement for victims of the credit card breach. They also revealed such security policy changes as: appointing a chief information security officer, a written information security program and security training focusing on personal identifying information.
Preventing a credit card breach
Among identity-based crimes, a credit card breach is particularly valuable for cyber criminals, as data can be transmitted electronically and anonymously. It also allows hackers to quickly and conveniently steal funds from compromised accounts. While retailers and companies are striving to keep their networks and customers’ accounts safe, they face a massive challenge, as the attacks and their effects are growing. The majority of these credit card breaches are due to customers’ own security errors. This includes not putting protective safety measures in place or failing to report potential breaches when first detected.
In regard to the specific authorities and organizations that should be notified, many jurisdictions have passed data breach notification laws. In 2003, California became the first state to implement a law requiring that consumers be informed about stolen or lost personal data. Currently, 46 states, as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have data and credit card breach notification legislation. Under these laws, consumers are contacted by specific businesses or banks regarding any personal data breaches.
According to the nonprofit consumer group Privacy Rights Clearinghouse, besides informing consumers about information compromises, these laws spur organizations to implement better data security. Some states’ laws require that credit reporting agencies be contacted about breaches. Others make it necessary for affected businesses to provide consumers with credit monitoring services or security freezes. But their main goal is to ensure that consumers are quickly contacted about any personal information compromises so they can better protect themselves.
Credit card companies typically don’t penalize targeted consumers with any charges due to a credit card breach. Another agency tasked with credit card breach prevention is the U.S. Secret Service’s Electronic Crimes Task Forces. Charged with identifying and locating international cyber criminals, this agency has been directly involved in cases concerning the theft of about $600 million in credit card numbers from financial and retail institutions.
For stores and businesses, cardholders’ data is generally captured at the point of sale (POS), where it flows into the payment system. So, it’s recommended that retailers avoid storing any cardholder data (online and print), including in card readers, POS systems, store networks, wireless routers, online payment applications and shopping carts. The growing adoption of EMV cards, and particularly chip-and-PIN cards, may help to eventually reduce credit card breach attacks. While these cards are popular internationally, the U.S. has been slow to utilize EMV cards, even though countries using them had much lower breach rates. These cards contain computer chips that actually authenticate card transactions.
But as chip cards aren’t completely protected against credit card breaches, there are steps to safeguard personal information. First, you should try to shop (in-person, online) at chip-enabled retailers, although the majority of U.S. retailers have yet to install these devices. Again, you need to monitor your transactions (daily, if possible) and statements. You should also sign up for card issuers’ text alerts, to stay aware of any suspicious charges. You should ask the card’s issuing bank for a virtual card number, as this enables online shopping without having to provide actual card information. And when entering your PIN, cover the keypad to hide your information. Here are some additional safety measures to prevent credit card breach attacks:
- Website precautions — When entering online credit card information, check that the website’s URL (address) starts with “https,” rather than “http.” “Https” ensures that your data is being encrypted in transit, making it more difficult for an identity thief to steal it. You should also avoid leaving your card information “saved” on retailers’ websites, as this increases identity theft risks.
- Credit, not debit – It’s better to make online purchases with credit cards, as by law, they must offer greater protection from fraudulent purchases. Even if debit cards have zero liability, if fraudulent purchases are investigated, you’ll lose access to the associated bank account, causing automatic bill payments to bounce during the investigation.
- Password protection – You should have different passwords for all accounts; that way, if one is hacked, identity thieves can’t access all others. In terms of passwords, you should ensure that each one is strong. A good trick is to combine upper- and lowercase letters, numbers and symbols. Many retailers offer two-factor authentication, in which your smartphone receives a one-time code that you input in order to access your account, thereby boosting your security. And be sure to change your passwords frequently, regardless of any issues.
- Smarter search engines – Just because a website shows up high in your search doesn’t mean it’s legitimate. Knowledgeable identity theft cyber criminals can disguise their fraudulent websites to rank well in online searches. You should be wary of anything that looks too good to be true, especially retailers offering incredible discounts in emails or on social media. Typically, you’ll be safer with well-established companies.
- Safeguard your computer – When shopping online, be sure that you have the latest anti-virus and anti-malware software on your computer, smartphone and any other devices.
- “Good-bye” to Wi-Fi – With online shopping, you can’t be sure whether the public Wi-Fi is provided by local stores or by criminals. For that reason, consider using a Virtual Private Network (VPN), your own secure, physical computer network. A VPN encrypts and protects your information when you use the Internet on a portable device in public.