How To Protect Yourself And Your Data After Target Hacker Breach

It was reported that some 40 million people may have been victims of a hacking spree at Target recently. What should people who may have been in that group do now to protect themselves and their accounts? Robert Siegel speaks with Mark Rasch, a security expert and former Department of Justice cyber crime prosecutor, for more advice for those who may have been affected.

Copyright © 2013 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

ROBERT SIEGEL, HOST:

Target may be suffering a bit from the news that its customers' account records were hacked. Target made three to four percent fewer transactions over the past weekend than it did at this time last year. That's according to the research firm Customer Growth Partners. The drop in business follows last week's revelation that hackers stole 40 million credit and debit card numbers from Target. Well, if your credit card is among those 40 million, what should you do about it?

We're joined now by Mark Rasch, who is a security expert and former Department of Justice Cyber Crime prosecutor, to answer that question. Welcome to the program.

MARK RASCH: Thank you.

SIEGEL: And tell us, if someone shopped at Target during the days in question - that's between November 27 and December 15th, and we should say this applies to in-store shoppers, not online purchasers - the first step would seem to be obvious, check your bank statement, but what do you do after that?

RASCH: Well, not just your bank statement, but also your credit card statement and your bank balance, particularly if you used a debit card. The next thing you should do is you should call the 800 number that Target has set up to find out whether they consider you to be a victim. And then, you have to be vigilant because if your card number was stolen last week or two weeks ago, it doesn't mean that the bad guys are going to use them this week or next week.

They can wait weeks or months or sometimes even years before they actually turn them into cash and start using them. If you're really worried, of course, one of the things you can do is just call your bank and have them issue you a new credit card.

SIEGEL: Well, should people do that since, as you say, you can't prove a negative. Just 'cause no one's used your number doesn't mean they're not going to pretty soon.

RASCH: It's probably overkill and inconvenient to do that if your number has not been compromised, but if Target says that your number was actually compromised, then it's probably a good idea to get your credit card number changed. But remember now, all those things that are linked to your credit card, all the automatic payments and your PayPal account and all that that's linked to your credit card are all going to have to be updated and changed as well.

SIEGEL: Well, when somebody steals your credit card information, does that mean that all of those other things that you're connected to are open to the hacker as well?

RASCH: No. If they've stolen your credit card number, it just means that they can start making charges just like they had stolen your credit card itself. It doesn't mean they have access to your PayPal account or to your Amazon account, it just means that they can now start and open their own PayPal and Amazon account in your name.

SIEGEL: There are now reports that stolen credit card information is flooding the black market. Is there a second wave of concern for consumers coming?

RASCH: Sure. What's happening now is once having stolen the credit card numbers, now I want to make money off of that. So what these carders do, and they're called carders, people who make fake credit cards or use stolen credit card numbers, what they do is they sell them on the black market through these carder websites. A lot of them are in Russia and Eastern Europe.

And they can sell them by bank, they can sell them by location, they can sell them by expiration date or credit limit and so there is a whole market out there to sell them for $100, $200 per card.

SIEGEL: Now, just in terms of security and protecting oneself, when you're given that choice, is this credit or debit, is one especially more safe or less safe than the other?

RASCH: Well, the problem with a debit card is, if somebody takes money out of your bank account, it may take three, four, five, six days to get that money back into the account. And during that period of time, it's very difficult for you to draw on the funds that you think are still in your bank. In either case, your actual liability is zero. You're going to get the money back. It's just more inconvenient when there's a debit card.

SIEGEL: Is there any reason to avoid Target to be more safe?

RASCH: Not particularly. You know, first of all, I would estimate that in the next couple of weeks, Target's going to be probably one of the safest places to buy things because they're going to be doing everything they can to get the customer's confidence back. But any large merchant is going to be a target, pardon the pun, of hackers 'cause there's lots of credit card numbers there, and the smaller merchants are targets because they have less robust security.

So these are all costs of doing business with the modern credit card.

SIEGEL: Mark Rasch's field is security. He's a former Department of Justice cybercrime prosecutor. Thanks for talking with us.

RASCH: Thank you, Robert.

Copyright © 2013 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.