It’s a sad fact of modern American consumer life. Every time we swipe a piece of plastic at a gas station, grocery store or anywhere else, we’re vulnerable to virtual pickpockets.
Increasingly, credit and debit card numbers have become commodities sold by cyberthieves who harvest them from banks, businesses, restaurants and retailers.
“The sophistication of these attacks is unprecedented,” said G. Mark Hardy, president of National Security Corp., a Tampa, Fla.-based cybersecurity consulting firm.
Last year, targeted attacks on businesses jumped 42 percent, according to security software firm Symantec. Attacks spiked 31 percent among companies with fewer than 250 employees.
In recent years, restaurants, grocery stores and even the city of Sacramento, Calif., have had their computer systems hacked or compromised.
It’s part of a shift from mass attacks by computer viruses, worms and other cyberthreats to more pinpointed, targeted infiltrations, say online security experts.
The attackers, often located overseas, “find this method more effective because it allows them to fly under the radar and avoid drawing widespread attention to their malware,” Brian Burch, vice president of consumer and small business marketing at Symantec, said in an email.
Small businesses are frequently targeted because they often lack adequate security practices, said Burch. Additionally, because small firms often partner with bigger organizations, cybercriminals “sometimes use them to gain access to a larger company.”
That reality hit the Raley’s grocery chain earlier this month when it said it had been the victim of a cyberattack targeting customers’ credit and debit card numbers.
Raley’s spokesman John Segale said forensic computer experts arrived “within hours” of the company being alerted to a possible security breach on May 30, and continue to investigate. The West Sacramento-based grocery chain also said it reported the incident to the FBI.
In an email, FBI spokeswoman Gina Swankie said the Sacramento office was aware of the Raley’s incident but could neither confirm nor deny that a formal investigation is under way.
Typically, the thieves who steal the data from retailers and other targets aren’t the ones who use it to rack up fraudulent charges.
“There’s an underground ecosystem for the sale, transfer, purchase and exchange of stolen credit card and debit card information,” said security expert Hardy.
Retailers such as Raley’s that process credit card transactions must follow the industry’s safe-practices guidelines, known officially as the Payment Card Industry Data Security Standards.
The so-called PCI guidelines require retailers who accept credit and debit cards to maintain a computer network firewall, employ tough passwords and take other precautions.
Retailers who don’t comply face fines of up to $100,000 per month and can be held financially responsible for fraud investigations and compensation to victims.
Raley’s said it recently passed its PCI audit.
Unfortunately, said Hardy, retailers can do all the right things but still get attacked.
For consumers, the best precaution is simple: Routinely check your monthly credit card and bank statements for suspicious charges.
If the charges are due to fraud and reported promptly, consumers are not held liable.
Ultimately, there’s one surefire defense: Cancel your card, and ask your bank to re-issue a new one.
HOW TO PROTECT YOURSELF
• Check your statements: “Unfortunately consumers’ hands are tied and cannot truly protect their credit card information,” said Robert Siciliano, a Boston-based security expert for McAfee. His best advice: Be diligent about regularly checking your credit card and banking statements for phony charges.
• Report fraud fast: If you spot a suspicious charge or something you don’t recognize, report it immediately to your card issuer. There’s a phone number listed on your bill.
Even if it’s a small amount, say $2 or such, flag it. Cyber-thieves are known to “test drive” a stolen card number by running small charges to see if anyone notices.
Generally, if it’s fraud due to a stolen account number and you report it within 60 days, you are not responsible for any fraudulent charges.
(It’s slightly different if your physical credit or debit card is lost or stolen. In that case, you could be held responsible for the first $50 in charges, as long as you report the loss or theft promptly.)
• Card denial: If you try to use your plastic and the transaction is denied, it could be because of fraud. If that happens, don’t delay in contacting your card issuer to find out what’s wrong.
• Guard your cards: Avoid letting your credit card out of your sight. Choose ATMs in well-lighted, very public spaces, such as bank lobbies.
When using an ATM machine, look for suspicious attachments or unusual wear/tear.
Shield your screen when typing in your PIN number. If you feel someone is too close or watching you, walk away and find an ATM machine somewhere else.
• Keep a list: Have a list — in a safe spot — of all your cards, the account numbers and expiration dates, and each company’s 24-hour reporting line, in case of fraud or a stolen/lost card.Claudia Buck writes for The Sacramento Bee.