Security firm uncovers six new data theft attacks on US retailers; could your credit card be affected?




#2

I think we've just found the exception to Betteridge's Law of Headlines.


#3

I wish the US had a group of hackers and electronic surveillance analysts that could protect us from this sort of thing.


#4

Using your credit card to send $20 to Al-Shabab is probably both cheaper and more effective than one of those 'identity-theft-protection' services!


#5

Yeah, it's funny how the NSA didn't pick up on it. What if all the stolen cards were used to fund terrorism?


#6

That headline is pretty much unanswerable, as no one is disclosing what other retailers are caught up in this. Meanwhile, Target is in the doghouse right now, but when all is said and done they will be hailed as being proactive and transparent, considering that no one else stepped forward to admit they were hacked.


#7

Yeah, I do wonder, especially after getting an emailed offer as a "Dear Target Guest" from TargetNews@target.bfi0.com to join Experian’s® ProtectMyID® on Target's dime, in order to protect myself, having been potentially (probably?) hacked by the thieves who targeted Target.

Seems kinda spammy to me, and I also don't know if Experian actually works. Does giving info to them put me at further risk? Did the Chairman, President and CEO of Target, who "signed" my email, actually even approve this move?

Oh, the things we can no longer know!


#8

It's a problem with too much constitutional oversight. If they just had the freedom to spy whenever and whoever they wanted to, then these things wouldn't happen. In other words, freedom=vulnerable.


#9

As I understand it, the credit monitoring service is just there to alert you if anyone tries to open an account or take out a loan under your name/identity. Certainly a net positive, even though not every credit bureau will know about every account.


#10

Yeah, it's funny how the NSA didn't pick up on it.

NSA, didn't notice it? If we were to look at probable suspects based on who has been caught recently hacking on a scale as big (or bigger) than this...


#11

The proactive part is a bit off though. Reactive is more apropos. And slow at that.


#12

Just gonna give my 2 cents as someone in the infosec industry. First of all, never heard of IntelCrawler, so take their findings with a grain of salt. If they're working with these companies, they suck at complying with NDAs. If they got this info from the carder underground, well, they're not what we would call a credible source. Card brands have a very strict investigation / forensics protocol and allowing a third party to "disclose" such compromises is not part of that protocol. So let's just assume it's true: if you didn't authorize a transaction (via PIN or signature), you're not liable. Simple as that. If a retailer was compromised, they must disclose the compromise at least to the issuing banks, acquirers and card brands. Depending on the state they're doing business in, they must publicly disclose the fact. tl;dr: if that's not your signature on the receipt, you might have a little bit of a hassle, but you're not liable.


#13

Are banks required to refund overdraft fees? This guy was told that his bank would not refund the fees. This woman was also told that she was responsible for overdraft fees. This states that banks are not required to refund overdraft fees and this class action lawsuit specifically mentions people who have suffered damages in the amount of overdraft charges. So, as far as I can tell, banks are not required to refund overdraft charges.

Regarding liability for the actual charges, I have seen multiple articles like this quoting $50 for credit cards and $50 (within two days) or $500 (2-60 days) for debit cards. The FTC website, however, says that you are not liable when your credit card or debit card number is stolen (for debit cards you have to report the charges with.


#14

This is a great point. The issue here is this: the actual card, the physical plastic and the data encoded in it belongs to the issuing bank. There's no question about this. If you challenge a transaction, the issuing bank must prove that the cardholder authorized said transaction. If your signature is not there, you didn't authorize the transaction (let's just remember that there's a finite number of credit card numbers, and they follow a pattern, so it's not that hard to come up with a "valid" number) and that's it. If you authorized a transaction through a PIN, things are a little bit more complicated. Let's say you went to Target, bought a bunch of stuff and authorized your credit/debit card transaction via PIN. Supposedly, your PIN is unique and bears as much value as your signature, but a POS malware can capture it. That's when these anti-fraud procedures come into effect: if you start looking at a bunch of fraudulent transactions that were authorized with a PIN and have a common merchant, say, Target, you're covered. I buy something at compromised Target, you buy something at compromised Target and 45 million people do the same. All of a sudden, our credit cards are being used fraudulently. The common denominator is Target. You can infer that Target was compromised and it was not your fault that your card was used fraudulently. Card brands have been trying to shift the liability to the cardholders for at least 15 years, but this is very complicated to do in the US due to the lack of EFT (aka chip and pin). The bottom line is: it costs less to the issuing banks to cover the costs of fraud than to adopt EFT. Until they do so, you're not liable. Again, you might have to fight it, but if you didn't authorize the transaction, you won't pay for it.


#15

Garymon, I read this a few times, and I still don't understand what you are saying. I apologize if it is abundantly clear, but I am drawing a blank.


#17

Here's a question: Where's the law protecting consumers by mandating that banks and other institutions provide replacement cards for free? Let's be honest, a lot of the insecurity of using credit cards comes down to the financial institutions issuing them.


#18

No worries. You said it was strange the NSA didn't notice this happening. My poor wording was supposed to raise the question that maybe they didn't notice it because they were the ones behind the theft. It sounds crazy and I have a hard time suggesting something so paranoid but lately it seems this is what they specialize in.


#19

Oh, okay. Thanks for responding :)

