Theft of payment card information through retail and restaurant data breaches is becoming more common. According to the Identity Theft Resource Center, there were more than 1,000 confirmed data breaches in the United States in 2016. So far in 2017, data breaches at Arby’s, Intercontinental Hotels Group, Kmart, Brooks Brothers and Chipotle have made headlines.
When a retail data breach occurs, the source of the attack is usually a point-of-sale terminal. Hackers research weaknesses in a company’s security system and introduce malicious software into its network. Each time a credit or debit card is swiped at an infected point-of-sale terminal, criminals are able to collect customers’ names, card numbers and personal identification numbers. Criminals use the data collected to drain debit card-linked bank accounts, make cloned versions of cards or make purchases online. Some cybercriminals even sell the stolen card information in bulk to other criminals online.
Gary Warner, an internationally renowned cybersecurity expert and director of the Center for Information Assurance and Joint Forensics Research at the University of Alabama at Birmingham, says that while industries are taking measures to better protect consumer information — like the addition of computer chips to credit and debit cards — there are some things consumers can do to better protect themselves against data breaches.
Never swipe your card if it has a chip
Since the shift to chip cards, also known as an EMV or Europay, Mastercard and Visa cards, began roughly two years ago, VISA and Mastercard estimate counterfeit fraud has decreased by about 50 percent at chip-enabled merchants. However, only about 39 percent of merchant locations in the United States have made the switch and are ready to process chip card payments.
The magnetic stripes on traditional credit and debit cards store data, such as a cardholder’s name, the card number, expiration date and country code. Whoever accesses this data has all they need to make purchases online or to create a copy of the card, which is why traditional cards are a prime target for criminals.
Unlike magnetic-strip cards, each time a chip card is used to make a purchase, the chip creates a unique transaction code that cannot be used again. EMV technology will not prevent data breaches from occurring, but it does make it much harder for criminals to be successful in stealing consumer information.
“It is theoretically impossible to copy the computer chips that have been added to credit and debit cards,” Warner said. “However, if you are swiping for purchases with your chip card, criminals don’t have to worry about the chip because they can use the information from the magnetic strip on the back to make a duplicate copy of the card.”
Warner urges consumers to use their chip cards only in chip-compliant places. While many large retailers, such as Walmart, Target and Costco, have upgraded their point-of-sale terminals and have activated them for chip card acceptance, it will likely be two to three more years before chip-ready terminals reach smaller merchants, restaurants, gas stations and ATMs.
Consider using another form of payment
Point-of-sale terminals that are out in the open are easy targets for criminals to manually upload malicious software, or they can place a card skimmer on the device if they are not able to gain access remotely through a company’s network. ATMs and gas pumps are also prime targets for skimmers. If a merchant is unable to process chip card payments, consider using cash or mobile payment such as Apple Pay, Android Pay or Samsung Pay.
“In situations where you don’t have enough cash or have to give your card to someone else in order to pay, like at a sit-down restaurant, consider using a credit card instead of your debit card,” Warner said. “Doing this will prevent your debit card-linked bank account from being drained if your payment information does become compromised. If fraud is committed against a credit card, nothing is lost directly since the line of credit represents borrowed funds.”
Sign your name instead of using your PIN
If paying with a debit card is your only option, sign for the purchase instead of typing in a personal identification number. You can do this by asking the cashier to process the card as a credit card or by selecting credit card on the display. Doing this will help reduce the chances of a hacker stealing your PIN, which would allow them to do even more damage to your account by printing a duplicate card and taking money out through an ATM.
Be cautious when opening emails about data breaches
When a point-of-sale data breach occurs and draws national attention, hackers often ramp up their efforts to capitalize on the breach by sending malicious emails about the data breach or offers for free credit monitoring. A malicious email will contain links that direct you to fake websites that try to steal your information. If the email looks credible, go to the company’s main website instead of clicking on any links inside the email. If a data breach has occurred, companies almost always provide information and instructions for those affected on their website.
Monitor your accounts
Scan credit card and bank statements every month for any unauthorized charges. If your information has fallen into the hands of a cybercriminal, they will often test the account by making purchases for small amounts first. If they have obtained information for millions of a company’s customers, they need only steal a small amount of money from each one to cash in big.
Most banks also provide options for customers to receive text alerts anytime a purchase is made from a registered account. It is also a good idea to check your credit report periodically for any open accounts you did not authorize. Credit reports are available free from Equifax, Experian and TransUnion, every 12 months at AnnualCreditReport.com.