Cyberattacks on the rise

Credit card and debit card numbers have turned into commodities among modern-day thieves

The Sacramento BeeJune 29, 2013 

  • Protect yourself

    • Check your statements: “Unfortunately, consumers’ hands are tied and cannot truly protect their credit card information,” said Robert Siciliano, a Boston-based security expert for McAfee. His best advice: Be diligent about regularly checking your credit card and banking statements for phony charges.

    If you do online bill-paying, you can check your credit card or bank statements weekly, even daily. If you’re not online, be sure to check your monthly statement when it arrives in the mail.

    “I recommend doing so online,” Siciliano said. “Mobile phone apps offered by your credit card companies make it even easier.”

    • Report fraud fast: If you spot a suspicious charge or something you don’t recognize, report it immediately to your card issuer. There’s a phone number listed on your bill.

    Even if it’s a small amount, say $2 or such, flag it. Cyberthieves are known to “test drive” a stolen card number by running small charges to see whether anyone notices.

    Generally, if it’s fraud because of a stolen account number and you report it within 60 days, you are not responsible for any fraudulent charges.

    It’s slightly different if your physical credit or debit card is lost or stolen. In that case, you could be held responsible for the first $50 in charges as long as you report the loss or theft promptly.

    • Card denial: If you try to use your plastic and the transaction is denied, it could be because of fraud. If that happens, don’t delay in contacting your card issuer to find out what’s wrong.

    • Guard your cards: Avoid letting your credit card out of your sight. Choose ATMs in well-lighted, very public spaces, such as bank lobbies. When using an ATM, look for suspicious attachments or unusual wear and tear. Shield your screen when typing in your PIN. If you feel someone is too close or watching you, walk away and find an ATM somewhere else.

    • Keep a list: Have a list – in a safe spot – of all your cards, the account numbers and expiration dates, and each company’s 24-hour reporting line, in case of fraud or a stolen/lost card.

    • Track credit history: It’s also smart to keep track of your credit reports just to be sure no one is fraudulently opening accounts in your name. By federal law, every consumer is entitled to one free copy every year from each of the three credit reporting bureaus: Experian, Equifax and TransUnion. You can order your credit reports directly by phone (877-322-8228) or online from

    • “Think before you click”: By disclosing account information on bogus websites or responding to urgent appeals in emails or on social media, we can be vulnerable, said Brian Burch, vice president of consumer and small business marketing with computer security firm Symantec.

    “It’s essential that people learn to spot the telltale signs of social engineering tricks,” he said, such as undue pressure or a false sense of urgency (“Reply now!”), an offer that appears too good to be true, and bogus “officialese” intended to make something look authentic.

    Consumers should avoid pirated software and “marginal websites,” particularly those with adult content. Do not install unsolicited plug-ins if prompted to do so, even on legitimate websites. Links in emails and social media messages should always be viewed skeptically, even if sent from someone you know.

    By Claudia Buck

It’s a sad fact of modern American consumer life: Every time we swipe a piece of plastic at a gas station, grocery store or anywhere else, we’re vulnerable to virtual pickpockets.

Increasingly, credit and debit card numbers have become commodities sold by cyberthieves who harvest them from banks, businesses, restaurants and retailers.

“The sophistication of these attacks is unprecedented,” said G. Mark Hardy, president of National Security, a Tampa, Fla.-based cybersecurity consulting firm.

Last year, targeted attacks on businesses jumped 42 percent, according to security software firm Symantec. Attacks spiked 31 percent among companies with fewer than 250 employees.

In recent years, restaurants, grocery stores and even the city of Sacramento, Calif., have had their computer systems hacked or compromised.

It’s part of a shift from mass attacks by computer viruses, worms and other cyberthreats to more pinpointed, targeted infiltrations, online security experts say. The attackers, often located overseas, “find this method more effective because it allows them to fly under the radar and avoid drawing widespread attention to their malware,” said Brian Burch, vice president of consumer and small business marketing at Symantec.

Small businesses are frequently targeted because they often lack adequate security practices, Burch said. Additionally, because small firms often partner with bigger organizations, cybercriminals “sometimes use them to gain access to a larger company.”

Typically, thieves who steal the data from retailers and other targets aren’t the ones who use it to rack up fraudulent charges. “There’s an underground ecosystem for the sale, transfer, purchase and exchange of stolen credit card and debit card information,” Hardy said.

Pat Hoschler of Granite Bay, Calif., got a call June 3 from her credit union telling her of suspicious charges on her debit card.

“It gives me the creeps to think someone might be using my name and (debit) card information,” Hoschler said. “I worry about it. I may not use my debit card anymore.”

Investigations, arrests and convictions of cybercriminals are continual. Earlier this month, federal prosecutors in New Jersey announced charges against eight members of an alleged international ring that hacked into the computers of major financial institutions and the U.S. military payroll service, attempting to steal at least $15 million from customer accounts.

In April, a Russian cybercrook was sentenced in Washington to more than seven years in federal prison for trafficking in stolen credit and debit cards. When arrested, he was in possession of more than 2.5 million stolen credit and debit card numbers, according to the FBI.

The PCI guidelines

Retailers that process credit card transactions must follow the industry’s safe-practices guidelines, the Payment Card Industry Data Security Standards. The PCI guidelines require retailers who accept credit and debit cards to maintain computer network firewalls, use tough passwords and take other precautions. Retailers who don’t comply face fines of as much as $100,000 per month, and can be held financially responsible for fraud investigations and victim compensation.

Unfortunately, Hardy said, retailers can do all the right things but still get attacked.

“It’s like wearing your seat belt, putting your kid in a car seat and having air bags in your car,” Hardy said. “You can still be hit by someone driving through a red light.”

Under PCI standards, retailers cannot hold onto a card’s PIN, the three-digit security code, or sensitive information stored in a card’s magnetic stripe. In any card transaction, the company’s software must automatically delete that information.

Companies can, however, keep a cardholder’s name, account number and expiration date, such as when they ask your permission to retain the information for automatic payments, subscriptions and the like.

While the PCI standards are considered a good starting point, additional layers of software and computer security precautions are available, computer security experts say. Among them:

• Change default passwords so they’re not easy to guess.

• Restrict the use of PCs involved in processing card transactions so that employees surfing the Web don’t unwittingly pick up computer viruses.

• Train cashiers to look for plastic devices stuck into card readers to steal information.

Consultants like Hardy will conduct “penetration testing,” in which they deliberately break into a business’s computer network to pinpoint weaknesses.

Small businesses “need to come to grips with the fact that they could lose a lot more than just data,” said Robert Siciliano, online security expert for McAfee. “Their reputations are at stake, and their customers will lose confidence in their abilities to provide a safe haven for their data.”

Cybertheft can take many forms, such as card readers physically attached to ATMs to “skim” account numbers, or more sophisticated thievery that invades a computer network and gobbles up vast amounts of data.

The ‘watering-hole’ attack

In 2012, computer security experts identified a new type of widespread targeting, the “watering-hole” attack. In that scenario, cybercriminals seek to invade a group or organization by noting the kind of websites the victim frequently visits. When a weakness is detected in one of those sites, it’s injected with malware or spyware, which then infects the entire group.

According to Symantec, one watering-hole attack last year infected 500 organizations in a single day.

For consumers, the best precaution is simple: Routinely check your monthly credit card and bank statements for suspicious charges.

“All that consumers can do is to pay close attention to their statements weekly and (dispute) unauthorized charges ASAP, within 60 days as federal law” requires, Siciliano said. If the charges are because of fraud and are reported promptly, consumers are not held liable.

Ultimately, there’s one surefire defense: Cancel your card, and ask your bank to issue a new one.

“In this situation,” Hardy said, “that’s probably the easiest, cheapest action an individual consumer can take.”

News & Observer is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service