Not so. Not yet, anyway. In fact, according to one fraud-fighting company, there’s little sign of an increase of fraudulent charges among Target breach victims. What gives?
There’s a difference between having your account number compromised and actually being hit with credit card fraud. One often leads to the other, but not always. At least, not right away.
BillGuard is a third-party service that lets consumers register their credit cards, then uses software to scan bills for fraud. Mick Weinstein, vice president of marketing at BillGuard, says 32,000 BillGuard customers were among those whose account info was stolen in the Target card heist — meaning they used their cards at the retailer during the nearly three-week stretch when hackers were siphoning off the card numbers.
Among those 32,000 accounts, about 2% were hit with fraud by the end of last week, Weinstein said — almost exactly the same fraud rate as a control sample of BillGuard customers who weren’t Target victims.
That suggests there isn’t widespread fraud hitting Target victims, at least for now. Of course, there have been anecdotal reports of fraud against Target victims; and only bank security officials really know what’s going on. But it seems a fraud outbreak hasn’t occurred. Why?
One possible explanation is that bank and retailer back-end fraud systems are dialed so high that most of the attempted fraudulent transactions are being foiled, and consumers are blissfully unaware of that. However, selective rejection of transactions is very tricky, and criminals are pretty good at masking fraud to look like routine consumer transactions.
Another explanation is that banks have canceled or replaced many impacted cards, making them useless for fraud. However, banks are using a mixture of strategies to help exposed customers, so there certainly haven’t been across-the-board cancellations.
That makes sense: Reissuing cards is a hassle, and costs the banks real money. So many banks are taking a wait-and-see approach.
But so are the criminals.
Hackers know their cache of stolen cards is under the fraud spotlight right now. There’s no mystery around the compromised account numbers — by now, every fraud-screening program has them loaded onto some kind of watch list. So bad guys with the “good” numbers likely plan to wait out the heightened attention.
“This was a very high profile breach, so the thieves — or those to whom they sell accounts in bulk — see more value in biding their time and waiting for card owner victims to lower their fraud sensitivity guard,” Weinstein said.
Credit card hackers routinely sit on stolen account numbers for months — or even a year or two — before attempting fraud. Eventually, banks’ and retailers’ focus on the Target cards will wane, as will the paranoia that consumers feel in the wake of the hack announcement. After all, there will be other credit card heists, and other incidents that require attention. Criminals with millions of stolen account numbers can afford to wait.
What does that mean for you? Now is no time to declare victory or end vigilance. Use your bank’s website to scan for unexpected charges at least once a week for the next several months. It only takes a few moments. And don’t forget — another common credit card hacker technique is to sneak small charges, often under $10, past banks and consumers. Hitting 10,000 cards with a $10 fraud is easier than hitting 10 cards with a $10,000 fraud. Your bank could very well miss such low-dollar fraud, and if you miss it, too, you’ll pay for it.
(Ed. Note: A sudden drop in your credit scores can be a sign of identity theft. To monitor your credit scores in the long term, you can use a free tool like the Credit Report Card to check two of your credit scores each month.)