Indiana University Bloomington

IU expert to Target shoppers: 'Don't panic' about data theft

  • Dec. 20, 2013

By Jon Blau

About 40 million Target customers may have had their debit or credit card information stolen because of a data breach at the chain of stores, but Indiana University’s Fred Cate has a message for worried shoppers.

Don’t panic.

Because the security breach came via swipes at stores between Nov. 27 and Dec. 15, the incident proves theft of credit and debit card information is just as likely in-store as it is online, the director of IU’s Center for Applied Cybersecurity Research said. On the other hand, news of the breach this week reminds Cate of one “happy” detail — the Fair Credit Billing Act, section 1643.

The act, which holds credit card users liable for no more than $50 when there is fraudulent activity on their account, faced blowback from creditors when it was introduced. The financial industry was afraid it would lose money. But the act’s blanket of protection actually ended up bringing more people to own credit cards in the 1980s and beyond.

“If you are going to suffer a crime, suffer a crime that Congress has already said you aren’t liable for,” Cate said.

Sophisticated cyber thieves have multiple ways to steal card information from stores such as Target. That information is first stored on the terminal where a swipe is made, and it’s possible to retrieve the data via the terminal’s software.

That information also travels out of the store, often wirelessly to either the company or a “middle man” that processes card transactions for the company, Cate said.

An even bigger breach — a 2005 incident that made more than 45 million users’ accounts vulnerable from purchases at T.J. Maxx and Marshall’s — also involved information stolen from transactions in-store.

While Target is investigating its security lapse to figure out what happened, Cate doubts data was stolen directly from terminals at the store, because it would have taken a lot of effort to manipulate software and coordinate a haul of this size from individual terminals; the “middle man,” which has transaction details in mass storage, would be a more likely target, Cate said.

The means of theft makes little difference to customers who suffer a fraudulent charge with their credit or debit card. But all they have to do, Cate said, is check their statements regularly. “Unless you have a habit of making this claim, they will just take (a fraudulent charge) off your account,” Cate said. Target is asking customers who have noticed unauthorized activity on their accounts to contact their credit card company and the store at 866-852-8680.

This incident also highlights one key difference between credit and debit cards. If there is a fraudulent charge on a credit card, it’s only a credit that’s lost, Cate said, but if the same thing happens on a debit card, that’s money actually pulled out of the bank. Cate said people who use a debit cards should check their account balances twice a day, because banks will take more time to reimburse.

Faith in creditors and credit users’ ability to settle the score aside, Cate’s broader concern is with the electronics industry, where companies are sacrificing strong data encryption for better battery life. Information from cellphones has opened up a whole other Pandora’s box.

“And, at the end of the day,” Cate said of “faster” phones, “it doesn’t pay.”

Editor's note: This story from The Bloomington Herald-Times is being published here as a courtesy for readers of IU in the News.