When Debt.com writer Meghan Stewart heard this week about the millions of credit card numbers stolen at Target, her thoughts returned to two years ago — when it happened to her.
“The PlayStation Network got hacked, and it was tied to my online account credit card,” she says. The PlayStation data theft occurred over two days and affected 77 million users. Target is estimating as many as 40 million of its customers who shopped in-store between Nov. 27 and Dec. 15 are at risk.
The first thing Meghan did was check her accounts online to make sure they hadn’t been used for fraud. They hadn’t — but she kept a close eye on them for months, because a smart thief could just wait until you’re not on high alert to rob you.
“Since I only use this card for online shopping, that wasn’t hard for me to do,” she says. Just inconvenient. “I also reviewed my credit reports about six months later to make sure I didn’t see anything weird there either.” You can do that, too. It’s free at AnnualCreditReport.com.
What happened to me
I was both less and more lucky than Meghan. About two years ago, someone stole my debit card info and spent nearly $500 on DHGate.com. (It’s apparently something like a China-based eBay.) I never did find out how thieves got it, but because I used that card for day-to-day spending it could have happened anywhere. That’s the unlucky part.
The lucky part was I easily resolved it. I caught the charge right away because I check my account daily, and I reported the fraud to the bank. Someone there asked me a few questions and had me fill out a report. Then she shredded and canceled my card, gave me a new one on the spot, and provisionally credited the account for the stolen amount while the bank investigated. About a month later, I got a letter acknowledging the fraud and clearing me of any responsibility.
Your liability for card fraud
I learned there are some key differences between debit and credit card protections, though, and now I’m more careful about using debit. With debit card fraud, the money is already gone from your account — that’s a sucker punch you have to take until the bank reimburses you. But that’s not the worst part: If you don’t notice quickly, you’re liable for some or all of the money.
The Federal Trade Commission says credit card liability is limited to $50 if your card is stolen, and $0 if just the number is stolen, as Meghan’s was. That’s some pretty strong protection, especially if you have a high credit limit.
But for stolen debit cards, it starts at $50, and that’s only if you catch and report it within two days. It’s $500 if you catch it within 60 days of the bank statement containing the fraud. If it’s just the number that’s stolen — as mine was — you have two months to handle it and get off scot-free. But if you notice after that, you’re completely screwed and get nothing back.
I know what you’re thinking. If you have two months (longer with a credit card) to catch this kind of data breach fraud, why is everyone making a big fuss about protecting yourself? If you miss it for that long, blame yourself, right?
But with a debit card, even temporarily missing funds could trigger bounced checks or prevent you from making purchases you need right away. Even though the bank may eventually forgive all that, it’s a pain.
And regardless of whether you use debit or credit, there’s the possibility that other personal information was stolen along with your card. Target so far admits that stolen information includes “customer name, credit or debit card number, and the card’s expiration date and three-digit security code.”
Beyond your money, the biggest prize for data thieves would be a Social Security number, which could be used to apply for more credit in your name. But because of the way the Target heist was pulled off — apparently by tampering with in-store card readers at about 40,000 store registers across the country, according to The Wall Street Journal — they shouldn’t be able to get that.
However, if your info is sold on the black market, “it can be recombined with other public and stolen data to piece together parts of your identity to open up credit cards, cellphones and even take out a home loan in your name,” NBC News says.
In the PlayStation hack, Sony said a lot more was compromised: name, address, email, birthdate, login and password, and security question answers. That stuff could help break into other accounts you hold, especially if you have the bad habit of reusing passwords. You still need to keep an eye on things.
What you can do
Short of avoiding payment by plastic entirely, there’s no surefire way to prevent this kind of identity theft. There are services that claim to protect your identity, but it’s all reactive — you have to be proactive and take steps to minimize the risk and damage.
One thing you can do is what Meghan does: Have a card specifically for online purchases, keep a low credit limit on it, and check your transaction history regularly.
If your time is more valuable than your money or you don’t think you’ll remember to check, you might consider a monitoring service such as LifeLock, the best-known service, which starts at $10 per month, or CreditPower, the cheapest service, which starts at $7 per month.
They can do things to reduce your risk, like get you off credit card offer lists (you can do that yourself at OptOutPreScreen.com), help you replace missing or stolen cards, and notify you of credit requests.
If a debit user suspects his number was exposed, he should do what I did: Cancel and replace the card ASAP. Credit is different, because canceling a card could affect your credit score. Talk to your card issuer about options first.
There are two more drastic steps you can take, too: Fraud alerts and credit freezes. You get them by talking to any of the major credit reporting agencies: Equifax, Experian, or TransUnion. Any of them will pass the information to the others.
Think of fraud alerts as the yellow light on a traffic signal. They tell credit agencies to pay extra attention to information requests about you, and can slow down the process of getting a job, loan, credit card or mortgage. They’re free, easy to apply for, last 90 days, and can be renewed.
A credit freeze is the red light: No request is approved without written authorization from you. These aren’t always free, and the rules vary by state. Consumers Union maintains a list of credit freeze rules for every state.