As you’ve probably heard, Target had a bad month. Between the days of 27 November and 15 December, about 40 million credit card numbers were stolen, making it one of the biggest breaches of its kind in history. As far as we know, the card number and security code were stolen, but debit-card PINs and addresses were not.
Target says they have contained the breach and are cooperating with credit card companies and authorities. Cringely has some analysis, but it has more for people like me to think about how we do things at work than it does for consumers.
And, well, as luck would have it, I shopped a lot at Target between the days in question. And I used both my credit and debit card during that time. Here’s what I’m doing, some of which may be counter-intuitive.
Keep using the cards. Credit card companies have a pretty good idea of normal, so keep doing what’s normal. My debit card rarely worked while I was traveling to D.C., because my small-town Missouri bank regarded that as abnormal. One time, several years ago, my wife bought charged something online right about the same time I charged something at a store, and Discover called us to ask what was going on. So if you’re using your card while you’re out and about, a fraudster trying to use it is more likely to stand out, not less.
Watch my statements. This goes without saying, but what to watch for is important. A fraudster isn’t going to charge a 90-inch TV. At least a smart one won’t. A fraudster will try a small purchase first, to see if the card is good, then buy something bigger. So look for one or two small purchases you didn’t make. If you see any, call your card issuer immediately.
I didn’t change my PIN. PINs weren’t stolen, so fraud on your debit card will be run as credit.
I didn’t call and ask for new cards. It’s tempting, and not necessarily a bad idea, but changing cards is a royal pain. If the card issuer thinks it’s necessary, they’ll send new cards. Discover has done that several times in the past.
I’m going to call and tell them I used my cards at Target. I haven’t gotten through to Discover just yet–Discover’s call volume is through the roof–but at some point soon I will, and I’ll tell them. I’ll also call and tell my bank. I know both watch for suspicious behavior anyway, but knowing my two cards were candidates for compromise will probably make them more vigilant.