By now we've read the details of the Target breach. Attackers got away with home, email and credit card information from 70 million people (Source). How many people is that in the big scheme of things? According to a U.S. Census Bureau report from 2012, it's close to every single living person in the states of California (38.05 million), Texas (26.06 million) and Washington (6.897 million).
In fact, the Target breach has impacted one of my close colleagues, who explained to me the safety precautions taken by his credit card company. It should be noted that to date he has not received any acknowledgment from Target that anything bad may have happened with his information.
With regards to the chain of events that his bank took, he received two emails. The first detailed all of the steps he should take to protect himself.
The second email informed him that, like it or not, a new card was on its way. A few days later his new card arrived in the mail.
While the bank communicated to my colleague the steps that were being taken to issue him a new card, it should be noted that the communication vessel was email. And as we learned from our October 30 blog titled, "Trick or Treat: Can You Identify a Phishing Email?" we know that emails can be easily spoofed.
In a perfect world, readers of this blog would have a flawless understanding of phishing emails and would be able identify one if it appeared in their inbox. Unfortunately, we don't live in a perfect world. And what we discovered in that test is that even those who identified themselves as "experts" in security couldn't identify all of the phishing email samples in the test.
Considering that the attackers got not only credit card data AND email addresses, victims have to prepare for possible a second stage attack, where they receive a realistic phishing email from attackers that looks like it's coming from their bank and asking them for additional personal information. The email could include a bogus 800 number, and the email could ask the recipient to confirm receipt of the credit card and/or to verify that the card was, in fact, working properly. During this call the victim could be asked for the card's new number, expiration date and security code on the back to "verify" the card. Additional security information could be asked as well, such as social security number and mother maiden name.
We called Chase, spoke with a customer service representative and asked what users can do to prevent being scammed by a phishing email attack, and she said, "If the customer has any question about the legitimacy of an email from Chase, immediately call the 800 number on the back of the card and speak with a Chase representative." In addition, the representative reiterated, that when they're verifying a new credit card, they usually just ask for the last four digits of the card. Rarely do they ask for the entire card number. What's more, she said they refrain from asking for the three digit security code on the back of the card.
To compound matters, these attackers got people's home addresses. So, while a victim may have thwarted phishing email scams coming their way, they should to also be aware of physical letter scams that may be coming to their house in the coming days. Again, like email phishing, it's important not to let your guard down just because it's a seemingly trustworthy physical piece of paper and not an email. Be mindful of what the letter asks you to do. And like the email scam advice above, if you have any questions or suspicions about the letter you received, call the 800 number on the back of the card, not the 800 number or email address that's printed on the document.