What can you do if your credit card information is stolen because some third-party company got hacked?
It's an important question to ask, especially given how frequently credit card data breaches make headlines. The latest: In August, Citi and Bank of America reportedly closed some customers' credit and debit card accounts, respectively, because of data security failures involving retailers. This was just a few months after Citi announced that its database had been hacked, giving thieves access to thousands of Citi cardholder's records and leading to nearly $3 million in losses.
A June report issued by Javelin Strategy & Research scored 23 credit card issuers on their ability to protect customers from identity theft. The top five: Bank of America, Discover, U.S. Bank, USAA and Capital One. The three lowest scores belonged to: State Farm Bank, which had the lowest score of the group; Associated Bank and SunTrust.
The report notes that in 2010, identity theft losses totaled $37 billion. That number will keep growing. "Card-not-present fraud is now higher than card-present fraud," says Philip Blank, managing director, security, risk and fraud for Pleasanton, Calif.-based Javelin.
Credit card holders shouldn't feel powerless if their information gets hacked. "Consumers have shown they want to play an active role in their own protection," Blank says. Indeed, experts outline nine steps consumers can, and should, take to protect themselves now and in the event of a future breach.
1. Make sure there's really been a breach. "When you get the scary communication, make sure it's legitimate," says Steven Weisman, a Boston-based attorney and author of "The Truth About Avoiding Scams." "People get phony security notifications and that can turn into identity theft," he says. His advice: Don't trust email, the U.S. mail or even a phone call. Call your bank yourself to confirm a breach.
2. Find out exactly what information was stolen. "There's a big difference between a credit card and checking account," says Jeremy Miller, director of operations for Kroll's Fraud Solutions, a division of Kroll Inc., a Nashville-based security company. With a credit card account, consumers are responsible (in most states) for only $50 of unauthorized charges. However, most banks will forgive that, particularly if the breach is their fault. "But a checking account is different -- you might get your account cleaned out," Miller says.
3. Find out what your bank will do. In late June, thieves breached CitiGroup's database, accessing 360,000 records and stealing a total of $2.7 million from 3,600 credit card holders. The bank agreed to compensate the cardholders. Other banks may offer a free credit monitoring service that alerts customers about activity over a certain dollar amount. Use them, advises Ed Bellis, CEO of HoneyApps, a Chicago-based data security firm. "The best thing consumers can do is have alerts and triggers on their credit card and bank statements," he says. Such alerts will tip you off to fraudulent activity before it spins into major trouble. Keep in mind that the free alert offer will expire; find out when so you don't end up paying an automatic monthly fee.
4. Cancel your cards. If the bank didn't do so automatically after the breach, do it yourself. Cancel your credit cards and debit cards that were issued by the institution that suffered the breach. Be sure to notify companies that have your card on file for automatic monthly fees, say for website hosting or a newspaper subscription, that your card was cancelled.
5. Reset your passwords, and make them challenging. Weisman says that "123456" and "password" are the most common passwords: Easy for good guys to remember, easy for bad guys to steal with. Avoid choosing easily findable information, such as your birthday or street address. Choose something more obscure, and make the password a mix of letters and numbers. For extra security, create a different password for each account. Just make sure to write them down and store them in a safe place, such as a home lockbox.
6. Monitor credit card statements closely. Bellis says thieves love to test the viability of accounts with a small purchase, say a 99-cent iTunes download. Review every statement -- each purchase, each charge -- to make sure you or a household member with access to your card made that purchase. If you see an unauthorized charge, report it to the card issuer immediately.
7. Pull your credit reports. Federal law requires the three main credit bureaus -- TransUnion, Equifax and Experian -- to give you a free credit report if your account information has been stolen. Review each report carefully for errors or fraudulent activity; if you find any, go to the reporting institution and fix them. If there's a chance your Social Security number has been stolen, put a security freeze on your files. At minimum, issue a fraud alert, suggests Sheila Adkins, spokeswoman for the Council of Better Business Bureaus, Arlington, Va.
8. Beware of email asking for personal, financial or account information. "Legitimate companies you rely on for your online shopping, financial needs and college tests will not request this information -- they already have it," Adkins says. If you want to communicate with an online company, find its website and use that website's contact information.
9. Tighten up your own security. This won't keep your data safe if someone hacks into some other company's database, but it's a smart move anyway. Update your home computer's security. Don't click on links sent by strangers; such links can contain invisible malware that will monitor your computers' keystrokes and thus steal passwords. If you bank online, dedicate a browser to online banking, and use it for nothing else. "You have to have data and information discipline," says Daniel Mohan, president and chief operating officer of ID Watchdog, a Denver-based data monitoring, detection and resolution firm.
"Information sits out there in those databases," Mohan warns. "Hackers know it and keep digging for gold."