
Should I take the security protection offered after the most recent security breach?

What is the current status of a company that wants to offer security protection for your credit card purchase and your identity? Is it “Target” initiated?

Target, a retail chain in the United States, is the company whose security was breached recently in a fairly massive theft of account information from their customers. Unfortunately, this gets really complicated really quickly. Compromised companies like Target try to do the right thing for their customers, but of course there’s always somebody who wants to come along and take further advantage of the situation.


Stolen credit card information

I’ll use Target as my example, although there have been other companies who’ve suffered similar issues since then. The security breach happened during the 2013 holiday season. Their point of sale terminals apparently were somehow hacked, and customer credit card information, sometimes quite complete, was stolen and then resold or reused by hackers.

So the scenario is like this: Target had their database or their point of sale terminal hacked. Some large number of customer records were copied. This information included a combination of things like credit card numbers, perhaps even PINs, addresses, names and much more. So now, hackers have some millions of credit card numbers that they can then go out and start using. Or, as is more typically the case, the hackers actually start selling these credit card numbers to others, who then in turn use them and rack up fraudulent charges.

The wrong thing, followed by the right thing

Target did the wrong thing, of course, in not being secure and allowing the breach in the first place.

However, they’re doing the right thing by offering at least a year of free credit monitoring from one of the larger credit bureaus to victims of the attack. Target contacted all of their customers who’ve been affected with this offer, either by snail mail or email, or some kind of combination thereof. And as I said, all’s well and good so far.

Target’s doing the right thing, trying to recover from this breach.

Trust me, I’m from Target

Now, another wave of hackers came along. What do they do? Well, they send out spam that looks like it came from Target, claiming that your card was part of the breach. They make you an offer of free credit monitoring and direct you to a website to sign up, where this sign-up requires your personal information, perhaps including your Social Security number.

The problem is that this is spam. Or more accurately, it’s a phishing attack based on the news: that sign-up site is completely bogus. Rather than doing something to protect yourself, you’ve just given away your personal information to a hacker.

So, there are legitimate emails from Target with a legitimate offer. But there are also bogus emails from phishing hackers that look like they’re from Target but are not. How do you tell the difference?

Don’t click that link

This is one of those cases where you never, ever click on links in the email. It’s just too risky.

If the email contains a link that looks like it’s on the company’s corporate domain, for example, then instead of clicking or even copy/pasting, just type that URL into your browser. If you’re not certain, just go to the corporate domain yourself (target.com in this case): type it in and look for information about the breach.

If you’re still not certain, go to the corporate website. Again, type it in by hand and look for the customer service numbers or contact information and initiate a conversation that way.

Unfortunately, it’s just too risky to actually click on the links in the email that looks like it’s from the affected company.

Ultimately, I do believe that it’s probably worth taking Target up on the offer of free credit monitoring if you know that your credit card was in fact compromised during the breach, but it’s critical that you don’t get fooled in the process.

2 comments on “Should I take the security protection offered after the most recent security breach?”

  1. Very timely. And nothing like a second wave of social hacking with the follow-on fake emails from fake Target employees – and phone calls!
    Sometimes phishing attempts look so real, it’s hard to believe that it’s not from the real company (“I Can’t Believe it’s not Wells Fargo”).
    May I offer an article of mine on the same subject?
    http://burgessforensics.com/article_social_hacking.php
    Thanks!

  2. Whenever you get an E-mail from some company requesting you click on a link to do something, don’t do it. Even if it is a company you do business with, like your bank, don’t click on the link. Go to the company’s web site and access the information there. That way you know it is legitimate and will not be getting infected with malware or giving out your account information and password!
