Three times this year, cybercriminals stole Brad Porter’s credit card data by hacking a retailer’s payment system.
Each time, the bank or financial institution sent him a new card almost immediately. But when his data was stolen in a system breach this fall at Home Depot Inc., it took two days to receive a new card. That forced Mr. Porter to close his Toledo-based Green Results Lawncare Co. briefly because he couldn’t buy fuel and other items.
“The big boxes are supposed to have these million-dollar security systems to keep this from happening. But they don’t have something going on right because this keeps happening,” said Mr. Porter of Perrysburg.
Mr. Porter has quit shopping at Home Depot because of the breach, and he says he might shelve his credit cards altogether for the upcoming holiday season.
“I think I’m going to be paying with cash instead of credit because I see [criminals] hitting everybody pretty hard,” Mr. Porter said. “This is just the beginning of it.
Many consumers share Mr. Porter’s sentiments following high-profile data breaches over the last year at Target, Home Depot, Michaels Stores, Staples, and Kmart.
According to an Oct. 2-5 survey by CreditCards.com, a Web site that helps consumers compare credit-card offers, 16 percent of respondents said they would not return to a store where data had been compromised.
Twenty-nine percent said they probably would not shop at that store.
Forty-eight percent of the 865 adults who responded to the survey said a security breach was more likely to cause them to use cash than credit cards this holiday season.
But while replacing a credit card is inconvenient, security experts say credit cards still are the safest and best way for consumers to protect themselves from cyberthieves.
“There’s nothing consumers can do in regards to a Target or Home Depot breach,” said Robert Siciliano, an online security expert for security software firm McAfee Inc. “But here’s the thing — don’t worry about it. It’s really not your problem.”
Federal law limits the liability of cardholders to $50, regardless of the amount of the fraudulent charge, if their credit card is physically stolen, provided the theft is reported within 60 days of receiving their monthly statement.
“The only thing the consumer is responsible for is the first $50, but the bank is not going to go after you for $50,” said Kurt Helwig, executive director of the Electronic Funds Transfer Association.
If only the account data is stolen, a cardholder is not liable for any fraudulent charges.
But experts say consumers should be vigilant against fraud and take several steps to protect financial data.
“Keep track of your statements, whether you do it online or whether you do it the old fashioned way in the mail.
“Keep track and be aware. It’s always good to do these things,” Mr. Helwig said.
“When the time comes to use your card, don’t be afraid to use it. There’s no need for that, to not use your card for fear it’s going to be breached.
“These breaches were very high-profile losses and the financial industry is working closely with the government to mitigate these things,” he said.
“Just be smart,” Mr. Helwig said.
Mr. Siciliano said surveys show that 9 out 10 people don’t monitor their credit card statements, even though it’s easier than ever to do so.
“Most banks and credit card companies now provide mobile phone apps whereby you can look at your statement every day if you want,” he said.
Some banks even will send text alerts each time a charge is made on a card, Mr. Siciliano said.
Debit cards give consumers direct access to their bank accounts and usually are protected by a personal identification number, or PIN, that a cardholder provides during a transaction.
But experts said stolen debit-card data can be even more aggravating than a stolen credit card.
Matt Schulz, senior industry analyst at CreditCards.com, said only the card issuer loses money on a stolen credit card. But it’s the consumer’s money that is taken if it is a debit card that is stolen.
“A stolen debit card can let someone take money out of a checking account almost immediately. Though you’re not responsible for the loss, it could take up to two weeks to get money back. That can be a hardship,” Mr. Schulz said.
Mr. Helwig said a debit card and PIN should be guarded closely.
“We see cases where people write their PIN on the back of their card so they don’t forget it. Don’t do that,” Mr. Helwig said.
Be on lookout
Using cash-only for shopping “opens a whole other can of worms,” Mr. Helwig said.
“If you carry around $2,000, people aren’t going to get hit over the head? The fact is, anything that involves money is going to carry some level of risk in it.”
That includes online shopping.
Mr. Helwig said when shopping online, look for anything unusual, including sites that direct you to other Web sites.
“If you get an email saying you’re being contacted by your bank, don’t give out any information. Call them up and ask them if they contacted you,” he said.
Mr. Siciliano said when shopping online order through a reputable retailer whenever possible. “Amazon, Best Buy, eBay, those are pretty safe,” he said.
Additionally, he said, make sure the site’s Web address begins with “https:” rather than “http:” — the former means communications with that Web site are encrypted.
“If you’re ordering using Wi-Fi, make sure that you’re on a secure Wi-Fi network,” Mr. Siciliano said.
If the site isn’t secure, applications such as Avast! and Hotspot Shield can be installed on a mobile phone and provide data encryption, he said.
Check credit reports
Mr. Schulz said it also is a good idea for consumers to check their credit reports.
“If someone gets your Social Security number, they can open accounts in your name and you might not be aware of it for a while,” he said.
The best place to check a report is annualcreditreport.com — a federally mandated Web site set up by the three major credit reporting agencies, Equifax, Experian, and TransUnion.
By law, consumers get a free credit report from each of those three agencies once a year at the site, Mr. Schulz said. Seek a report from a different agency every four months, Mr. Schulz advised.
“They won’t be identical. There will be some differences to them. But generally, there’s not a ton of difference between those three,” he said. “Check it closely. You may see a credit card on there that you never applied for,” he added.
Experts are reluctant to say more data breaches won’t occur this shopping season.
“Unfortunately, there’s just no a silver bullet here because there’s so many things involved in a transaction,” Mr. Schulz said.
But better protection is on the way, experts said.
Next year the U.S. credit card industry will make a push towards so-called “smart cards” with EMV technology to reduce data theft. EMV — Europay, MasterCard, and Visa — cards have computer chips that randomly scramble and verify transaction data at a merchant’s point of sale terminal or at ATMs.
The old “swipe-and-sign” system is to be phased out in favor of terminals that read a card’s chip.
In some cases, consumers still will verify the transaction with a signature. But for added protection a card issuer can opt to add a PIN number to the card, a common practice in Europe where smart cards are widely used.
Capital One Financial Corp., which has millions of credit and debit card customers, began issuing smart cards this year to some cardholders and will replace all older cards with smart cards by the end of 2015, said Amanda Landers, a Capital One spokesman.
The bank holding company will offer debit smart cards with PINs and is considering options to enable PINs in the future on its credit cards, Ms. Landers added.
Some Toledo stores have installed the equipment to read the EMV cards.
The National Retail Federation, an advocate for merchants, is pushing hard for banks and credit card companies to go the extra step to “chip and PIN” cards to better protect consumers and retailers.
“While the banks and credit-card companies are pushing for new microchip cards, they are only a half-measure because they only protect the card companies and banks from counterfeiting but do little to protect consumers and merchants,” said Stephen Schatz, a retail federation spokesman.
“Incorporating a personal and secret PIN that only you know on the cards, much like a debit card, protects against fraudulent transactions at the point of sale,” he added.
But moving to smart cards won’t be cheap. A magnetic strip card now costs about 19 cents, but a smart card will cost $1. Industry estimates put the cost of switching at between $5 billion and $8 billion.
And for the system to work properly both the card and retailer’s payment system must use EMV technology. EMV has been around for years and is used in 80 countries. France claims EMV reduced card fraud by 80 percent.
The United States is “somewhat late to this game because our payment structure was already so well-developed,” Mr. Helwig said.
“But MasterCard and Visa got together to mandate this happening. They are in the process of converting the card base and it will be well under way early next year,” Mr. Helwig added.
Who gets the blame?
Banks and other card issuers are pushing hard to replace the estimated 800 million credit and debit cards now in use because moving to EMV technology will provide a “liability shift.”
Until now, banks and card issuers were responsible for nearly all of an estimated $8.6 billion in annual losses, according to the Boston-based Aite Group, associated with credit or debit card fraud.
But next October the four major credit card companies, MasterCard, Visa, Discover, and American Express, will enact policies whereby the liability for fraud shifts to whomever — bank or retailer — has the weaker technology.
If a customer uses a smart card but a retailer’s equipment can’t read it, liability for fraud shifts to the retailer. If the retailer has smart-card readers but the customer’s card isn’t a smart card, the bank assumes fraud liability.
The liability shift is expected to create a stampede to EMV next year by card issuers and retailers.
Mr. Helwig said retailers and credit card firms were moving to EMV technology, but the cybercrimes that irked consumers like Mr. Porter gave the issue prominence.
“I think that what these high-profile breaches have done is it has really galvanized the industry. The financial services industry and the retailing community, this has brought them together,” Mr. Helwig said.
“They don’t always see eye to eye on payments, but on this issue, they do.”
Contact Jon Chavez at: firstname.lastname@example.org or 419-724-6128.
Guidelines: Please keep your comments smart and civil. Don't attack other readers personally, and keep your language decent. Comments that violate these standards, or our privacy statement or visitor's agreement, are subject to being removed and commenters are subject to being banned. To post comments, you must be a registered user on toledoblade.com. To find out more, please visit the FAQ.