ID Theft Concern For Consumers As Security Breach Expands Beyond Target

MAUREEN CAVANAUGH: This is KPBS Midday Edition, I am Maureen Cavanaugh. The Target credit card security breach story keeps expanding. Last week we discovered six more retailers across the US has been expected infected by the same malicious software that stole data from target. Meanwhile officials have not been able to activate the cost of this breach, the sophisticated hacker compromised customer credit and debit cards as well as names addresses and phone numbers, it is estimated that more than 100 million people may have been affected. Before you tear up your critic cards I would like to walk my guess, Murray Jennex and Beth Givens. Thank you for coming in. The malware involved in Target and the latest hacks have been identified as Black POS, what is that and what does it do? MURRAY JENNEX: Black POS is a piece of software that gets embedded into a target and captures stuff that is being entered in and for the copy to the set location in addition to letting the war goes through, so it is just designed to act in the background and acts as a harvester, and it acts without letting people know that it is there. MAUREEN CAVANAUGH: I heard it described as a RAM scraper? What is that? MURRAY JENNEX: A RAM scraper is a thing that scrapes the memory to harvest what is being stored on the memory chip. As it is being entered and saved and the computer for processing, it just takes what is there and puts it into a message to send to a hacker. MAUREEN CAVANAUGH: Is this a sophisticated as it sounds? MURRAY JENNEX: It is, but not as sophisticated as it could've been, because what it captured was encrypted information, it did not capture unencrypted information. If it captured everything unencrypted, everyone would've been in a loud of hurt and we were at a had a lot of money artist on. MAUREEN CAVANAUGH: Had to talk about it, but a school in, as the state used by the people who collect this information? How are they going to, this is a message amount of information, how will the user? MURRAY JENNEX: Remember that businesses of arty have better tools to analytics on data, such as because it is a lot of data does not make a hard to use, they can organize it and can search it like tingling things together, and create bundles of related information for identity theft, the good thing in this case is because it is encrypted, they can read what they have, and it's easier harder to organize it. Note the we see that they are on the black web trying to see people who can decrypt it for them. MAUREEN CAVANAUGH: So people are keeping up with these cyber criminals to find out the process of getting this? MURRAY JENNEX: People try to sell the services to the hackers who got the data so that they can use it. MAUREEN CAVANAUGH: Great, so what are some of the ways that a individual shopper can find a third personal information has been compromised? BETH GIVENS: Patient look at account statements for all accounts, no matter what kind of tool they are using to shop with, whether the debit or credit card. I recommend going online and checking online do not wait for the syndicate on the mail, check frequently to see if there's any use of any of your cards including the Target red card, where you would've used it to shop at Target. MAUREEN CAVANAUGH: People with debit cards, they shopped with debit cards at Target, their banks for one, from what I know have been pretty proactive in trying to get ahead of that, tell us about that. BETH GIVENS: I don't want major bank that limited the credit limit so that if someone did get a hold of that data was able to clone card, they would only spend up to a certain amount, and the same bank was open on Sundays just to take care of its customers and terms of debit cards, but we would recommend that people do not use the cards because they goes directly into your checking account, and if it's used fraudulently your account could be wiped out. The committee has ten days in which they investigate fraud during this ten days you do not have access to this funds, most likely. MAUREEN CAVANAUGH: So in other words, some you can go in and wipe out your bank account, and they would not necessarily be able to walk away with that, the bank may be of the members you within a period of time where you would not have access to your fonts. BETH GIVENS: That is correct. MAUREEN CAVANAUGH: So use credit cards instead? BETH GIVENS: We recommend credit cards, it's like having a free loud and we recommend a low limit that a card with no annual free fee and began paying attention to credit statements to watch for fraudulent or things that you did not spend. So, we think that the first credit card is far more safe than a debit card and also the law that covers credit cards, it's more consumer protective than a law because debit card fraud. MAUREEN CAVANAUGH: Interesting, target is offering free credit monitoring for customers and identity theft protection to all customers, do you think that is going to prevent any problems? MURRAY JENNEX: Yes and no, having it to monitor it does help you, the new because it is creating it that opportunity, the real problems unnecessarily this theft it's what you're going to go through no a year from now where people try to give you information following up on that, like the email that came up reporting to be from target that it dear customer, we want to give you a year of credit protection in place at this link and we'll set you up, that was fraught. It was purposefully trying to get you to give them information, so that they could use with what they already stole. MAUREEN CAVANAUGH: Right, so you think that the follow-up, the fishing expeditions that a lot of malware people are going to an cyber criminals will be trying, it's going to actually find more people in identity theft etc.? MURRAY JENNEX: Were getting to jump onto the bandwagon traded this information, it is an opportunity and we are all aware of it now, or 110 million people and I think conservative of the budget, I think it will be a huge number by the time is on done. We'll all be watching our email for potential problems, that is an opportunity to send something that does make it to do something, I got an email this morning say what my credit card transactions and not go through, will again it was a phishing email because it was not addressed to me personally, it said dear customer, and wanted me to click a link to download the statement. MAUREEN CAVANAUGH: I got one too and it's pretty horrifying. In general, you think that the identification identity theft protection services are worthwhile subscribing to? BETH GIVENS: With these are offered to people who are affected by breaches, take advantage of them and just be aware that when you're to those around they want to get you to pay for, in this case the protection service are offered by Target is not a very good one, it does not cover all three credit bureaus only covers one of the credit bureaus being experienced, it's a real bargain basement but bargain-basement monitoring service and only one is for new account fraud, for that codified your Social Security number has been compromised. For this case it helps existing fraud, where data elements related to your debit or credit card are infected and you are more likely to be a victim of your own credit cards and debit cards they have now, this kind of a mixed mismatch but if this is else into spearfishing and that And could eventually become the kind of fraud that credit monitoring to have a value for, the just realized that this is a bargain-basement credit monitoring service. MAUREEN CAVANAUGH: Is there any indication of so security numbers were part of the speech? BETH GIVENS: Targets is no, but because target has its own credit card, it has to have your Social Security number and that is the foundation of the credit card application process, that's a security number, so wondering to see if this someday will tumble out is also being something that was compromised by this breach, but so far no. MAUREEN CAVANAUGH: Marie, this is obvious he going to cost the countries involved a huge amount of money, what about targets liability and they are already class-action lawsuits being filed, is this potentially, if the banks of the spinoff a lot of money issuing new credit cards and debit cards, but he going to get and try to get some of that money from Target? MAUREEN CAVANAUGH: Speaking he will try but they will succeed. MURRAY JENNEX: They will try but they will not succeed, there is a thing called credit card interface that is a standard that people use in his lawsuit to what is the best practice swords expected standard of protection, you will be rejected. Target was doing that standard, and from the standpoint it will be hard to say that they were negligent, and in reality I think that we will see massive changes in credit cards transactions. MAUREEN CAVANAUGH: That was my next question, we have technology here that does not seem to be that the companies use it that much, but it is used a lot in Europe and it has to do with having a chip in a credit card, tells about that? MURRAY JENNEX: This a smart card which it would can also hold a metric from you can be of some print or some other indication for your, so it is more geared towards positive and authentication to say that you're the person that owns the card with you on the transaction. The cost is that you had to buy readers to go with the machines, and also takes a little bit longer, some is why they've been reluctant to do so. MAUREEN CAVANAUGH: And so what keeps US companies from adopting the system? BETH GIVENS: Apparently a smart card costs five times more than next type card and companies have been able to absorb from losses because those have been less than the cost of replacing the entire infrastructure, with a chip card. MAUREEN CAVANAUGH: I see, so this was malware set up on the retailer system from what I said understand? So people can not too much about it, but in general what are some of the easy safeguards that people can do to make it less likely that the information will be stolen? MURRAY JENNEX: In this case nothing, store your records and then have some sort of proof of what your transactions really are. You have to be able to back up or you're saying, that is all you can do. The dimension to an interesting point that this was on the retailer system, how did they get there? That is what scares me. Now we see it is on six different retailers, and I believe that this may be something that is on every retailer. May have been put into the point of manufacture. It did not actually get hacked into the system, it went around the system. That is what will I will think that we will see a massive change in the way we actually insert software into retail systems. MAUREEN CAVANAUGH: Let me go back to companies and individual companies responsibility to tell people that they and their information has been compromised in their system is the past, there was a lack time when it came to target and the number of days that went by when apparently then you that there's something wrong, but they did not tell anybody about it, and people wanted to stores about things and their information was potentially compromised, so what is that obligation? If there's a problem with retailers software on the wide scale, what we know about it? MURRAY JENNEX: Visitors to question it last a long time and even this has possibly in effect for over six months before they knew about it. Target when several weeks before they knew about it, so yes there was a lag time in telling us that there was a long line time where they did not know there was a problem. MAUREEN CAVANAUGH: Our business is now actively seeing them during investigating to see if they are infected? MURRAY JENNEX: I'm positive that they are, that's why they could not listed there are six other we are told that have a problem but they won't say who they are to see heaven told anyone yet and they haven't got those copies to agree to it. MAUREEN CAVANAUGH: People listening to this say to start using cash, maybe I should take my checkbook and again, how can we feel a little more comfortable continuing to use not debit cards but credit cards? BETH GIVENS: Realize as I said earlier that the law that governs credit card fraud is actually stronger from the consumer perspective than the debit card, of so we are very strong on the credit card, it's better than cash frankly, it is with cash you can be having your personal modest old and have no way to get that money back, with a credit card you're not losing that money you have a short-term free loan, we recommend always pay it off at the end of the month, so that you don't have to pay the fees, and get yourself a low fee no annual fee card, and us it carefully. MAUREEN CAVANAUGH: It seems like if somebody is totally compromised by identity theft, most times if your credit card and security is preached or so forth, big steps in and you don't lose a lot of money, so doesn't really seem like it is costing a great deal, and the attitude is that who cares if it costs Bank of America or attorney to big great deal, but doesn't this affect all of us in terms of how much we pay for how much we pay for services? If they lose a lot of money we lose a lot of money. MURRAY JENNEX: Yes the cost gets passed on to the consumer, the cost of doing business. The regulation are such that they encourage you to use this past six this practice and there's a cost associated with that. How much do you wish to spend on security to get rid of all of risk? This is an event that will change that equation. MAUREEN CAVANAUGH: I have tended there, I've been speaking with Murray Jennex and Beth Givens, thank you both for very much.