TBO.com - Tampa Bay Online
Sweetbay Breach Underscores Credit, Debit Card Risks
ADVERTISEMENT
Published: March 19, 2008
On Monday, the parent company of the Sweetbay grocery chain said a security breach of its computer system may have exposed 4.2 million debit and credit card numbers to theft, making it one of the largest such cases in the nation.
Hannaford Bros. says it has secured its credit and debit card transaction system to block future unauthorized access and the Secret Service is investigating. So far, 1,800 cases of fraud are linked to the breach.
The Tampa Tribune interviewed several cybercrime, network security and identify theft experts about how thieves gain access to these systems, how common such incidents are and what consumers should do to protect their accounts.
How do hackers break in to retailers' computer networks?
Kevin Mandia, president of Alexandria, Va.-based computer security firm Mandiant Corp., said retailers are most vulnerable during the processing of the credit or debit transaction. Hackers can create a type of software called a "sniffer" that acts like a wiretap and can intercept credit and debit card data as it travels between the retailer's point of sale and the credit card processing company. It can be very difficult to detect sniffers.
How common are security breaches?
The Privacy Rights Clearinghouse, a San Diego-based nonprofit group, estimates that at least 218.8 million records containing sensitive personal information have been involved in security breaches since January 2005. That figure does not include this week's Hannaford Bros. breach.
Mandia said his firm has responded to five computer security attacks involving the use of software sniffers in the past two months.
Bart Weitz, a University of Florida professor and executive director of the school's Center for Retailing Education and Research, suggested there may be more to come. "When you have companies that collect massive amounts of data, and a large number of transactions go on in their stores, they're vulnerable to this," he said.
How long could my credit card be vulnerable?
As long as the account is open. If a hacker gains access to your account number, that person could begin manipulating it immediately, later, or years down the road. Cardholders should be examining statements from exposed accounts regularly.
Should I close out my credit card account and get a new one if I used my card at Sweetbay?
Beth Givens, director of the Privacy Rights Clearinghouse, said people shouldn't necessarily close out their credit card accounts. Federal law has strong protections for victims of credit card fraud that limit their loss from unauthorized charges to $50, and in some case the potential loss is zero.
Also, closing out a credit card account and opening a new one can create hassles. For example, Givens pays some of her bills with automatic payments that charge her credit card. It can take a few hours to switch over to a new credit card number for all those automatic payments, she said.
Stacy Arruda, who oversees the FBI's cybercrimes squad in Tampa, said consumers may want to set up a fraud alert with the three credit reporting agencies, TransUnion, Equifax and Experian.
What about debit cards? How vulnerable are they?
Givens said people who think their debit card number may have been compromised should consider getting a new card because - counter to public perception - consumers are more vulnerable with a debit card than with a credit card. In fact, the Privacy Rights Clearinghouse advises people to dump their debit cards, whether or not they suspect fraud.
Paul Stephens, director of policy and advocacy at the PRC, said debit cards have fraud protections. However, victims have to meet certain deadlines for reporting the fraud or they risk losing some or all of those protections. For example, federal law limits your liability on debit card fraud to $50, but only if you notify your bank within two days of discovering the fraud, according to the PRC.
You could also be on the hook for substantial losses if you don't report the fraud within 60 days of receiving your bank statement. That can be a problem for people who are on extended vacations and don't check their bank statement in the meantime. Most often, banks return stolen money to consumers' bank accounts, but only after investigating. The bank has 10 days to investigate suspected fraud, during which time you will not have access to the money. For people who live paycheck to paycheck, that may be a long time to wait, Stephens said.
Stephens suggested that consumers replace their debit cards with ATM-only cards from their banks. Some retailers accept ATM cards as payment, and ATM-only cards require the use of a PIN. Debit cards, in contrast, can take a PIN or signature, he said.
Aren't debit cards safer because of personal identification numbers?
Not necessarily, Mandia said. Criminals can create fake ATM cards and use your account information to withdraw money. "Attackers would prefer to find debit card information because they can turn it into cash," Mandia said.
What do experts and credit card companies say people should do to detect this kind of theft?
According to Visa, here are some tips on what to look for:
•A lost or stolen purse or wallet often contains credit cards and other personal information, such as a driver's license. A stolen checkbook has your bank account number on it. If such information is found by the wrong person, trouble could follow. Even if the information isn't used, it could be sold to organized crime rings that may use it.
•Thieves rummage through trash cans for pieces of personal information that they can use or sell. They look for anything from canceled checks to utility bills to credit card statements. All such statements should be shredded.
•Thieves search mailboxes for pre-approved credit offers, bank statements, tax forms or convenience checks. Make sure your mailbox is secure.
•Visa estimates that half of all identity fraud is committed by friends, relatives, co-workers and trusted people who have access to personal information.
•Identity thieves can legitimately get into your home. Babysitters, household workers, health care workers, friends or roommates have opportunities to take your personal information.
•The risks of cyberspace are real. Internet users should be careful about sending information online. E-mail or online chatting can be easily intercepted by thieves.
•The best protection is being alert. Monitor monthly credit card statements closely, with an eye toward charges you did not make.
•When using a card in public, try to keep the number concealed. Some thieves have good memories and will try to memorize your number if you let them. Keep the number hidden or, better yet keep the card tucked in your wallet until you need it.
QUESTIONS AND ANSWERS
The Tampa Tribune interviewed several cybercrime, network security and identify theft experts about how thieves gain access to these systems, how common such incidents are and what consumers should do to protect their accounts.
How do hackers break in to retailers' computer networks?
Kevin Mandia, president of Alexandria, Va.-based computer security firm Mandiant Corp., said retailers are most vulnerable during the processing of the credit or debit transaction. Hackers can create a type of software called a "sniffer" that acts like a wiretap and can intercept credit and debit card data as it travels between the retailer's point of sale and the credit card processing company. It can be very difficult to detect sniffers.
How common are security breaches?
The Privacy Rights Clearinghouse, a San Diego-based nonprofit group, estimates that at least 218.8 million records containing sensitive personal information have been involved in security breaches since January 2005. That figure does not include this week's Hannaford Bros. breach.
Mandia said his firm has responded to five computer security attacks involving the use of software sniffers in the past two months.
Bart Weitz, a University of Florida professor and executive director of the school's Center for Retailing Education and Research, suggested there may be more to come. "When you have companies that collect massive amounts of data, and a large number of transactions go on in their stores, they're vulnerable to this," he said.
How long could my credit card be vulnerable?
As long as the account is open. If a hacker gains access to your account number, that person could begin manipulating it immediately, later, or years down the road. Cardholders should be examining statements from exposed accounts regularly.
Should I close out my credit card account and get a new one if I used my card at Sweetbay?
Beth Givens, director of the Privacy Rights Clearinghouse, said people shouldn't necessarily close out their credit card accounts. Federal law has strong protections for victims of credit card fraud that limit their loss from unauthorized charges to $50, and in some case the potential loss is zero.
Also, closing out a credit card account and opening a new one can create hassles. For example, Givens pays some of her bills with automatic payments that charge her credit card. It can take a few hours to switch over to a new credit card number for all those automatic payments, she said.
Stacy Arruda, who oversees the FBI's cybercrimes squad in Tampa, said consumers may want to set up a fraud alert with the three credit reporting agencies, TransUnion, Equifax and Experian.
What about debit cards? How vulnerable are they?
Givens said people who think their debit card number may have been compromised should consider getting a new card because — counter to public perception — consumers are more vulnerable with a debit card than with a credit card. In fact, the Privacy Rights Clearinghouse advises people to dump their debit cards, whether or not they suspect fraud.
Paul Stephens, director of policy and advocacy at the PRC, said debit cards have fraud protections. However, victims have to meet certain deadlines for reporting the fraud or they risk losing some or all of those protections. For example, federal law limits your liability on debit card fraud to $50, but only if you notify your bank within two days of discovering the fraud, according to the PRC.
You could also be on the hook for substantial losses if you don't report the fraud within 60 days of receiving your bank statement. That can be a problem for people who are on extended vacations and don't check their bank statement in the meantime. Most often, banks return stolen money to consumers' bank accounts, but only after investigating. The bank has 10 days to investigate suspected fraud, during which time you will not have access to the money. For people who live paycheck to paycheck, that may be a long time to wait, Stephens said.
Stephens suggested that consumers replace their debit cards with ATM-only cards from their banks. Some retailers accept ATM cards as payment, and ATM-only cards require the use of a PIN. Debit cards, in contrast, can take a PIN or signature, he said.
Aren't debit cards safer because of personal identification numbers?
Not necessarily, Mandia said. Criminals can create fake ATM cards and use your account information to withdraw money. "Attackers would prefer to find debit card information because they can turn it into cash," Mandia said.
What do experts and credit card companies say people should do to detect this kind of theft?
According to Visa, here are some tips on what to look for:
•A lost or stolen purse or wallet often contains credit cards and other personal information, such as a driver's license. A stolen checkbook has your bank account number on it. If such information is found by the wrong person, trouble could follow. Even if the information isn't used, it could be sold to organized crime rings that may use it.
•Thieves rummage through trash cans for pieces of personal information that they can use or sell. They look for anything from canceled checks to utility bills to credit card statements. All such statements should be shredded.
•Thieves search mailboxes for pre-approved credit offers, bank statements, tax forms or convenience checks. Make sure your mailbox is secure.
•Visa estimates that half of all identity fraud is committed by friends, relatives, co-workers and trusted people who have access to personal information.
•Identity thieves can legitimately get into your home. Babysitters, household workers, health care workers, friends or roommates have opportunities to take your personal information.
•The risks of cyberspace are real. Internet users should be careful about sending information online. E-mail or online chatting can be easily intercepted by thieves.
•The best protection is being alert. Monitor monthly credit card statements closely, with an eye toward charges you did not make.
•When using a card in public, try to keep the number concealed. Some thieves have good memories and will try to memorize your number if you let them. Keep the number hidden or, better yet keep the card tucked in your wallet until you need it.
Reporter Jerome R. Stockfisch contributed to this report. Reporter Michael Sasso can be reached at (813) 259-7865 or msasso@tampatrib.com. Reporter Keith Morelli can be reached at (813) 259-7760 or kmorelli@tampatrib.com.
TBO.com - Tampa Bay Online Member Agreement | Privacy Statement | Work With Us
Post a comment
(Requires free registration.)
* Keep it clean
* Respect others
* Don't hate
* Don't use language you wouldn't use with your mom
* Use "Report Inappropriate Comments" link when necessary
* See Member Agreement for details