The security breach at JPMorgan Chase, which compromised the names, addresses, phone numbers, and email addresses of 76 million households and 7 million small businesses, remains something of a mystery, and that means consumers should take precautions even though the nation's largest bank has said it has seen no signs of fraudulent activity.
For example, Chase said "there is no evidence that account information...was compromised," not account numbers, passwords, user IDs, dates of birth, or Social Security numbers. However, a subsequent New York Times report said that the cyberattackers had deep access to 90 Chase computer servers from June to July.
Because burglars don't normally leave your cash and credit cards on your kitchen table and instead steal your address book, security experts are suspicious that something bigger is afoot, even though they only know what they read in the Times, including a follow-up report that said nine other unnamed banks were similarly infiltrated.
"Did we get the full story from Chase? I don’t think so," says Jeff Williams, chief technology officer with Contrast Security, a California-based vendor of security monitoring technology.
"I think they're still scrambling to find what's the extent of the problem," says Barry Thompson, managing partner of Thompson Consulting Group, which provides risk assessment and advisory services to financial institutions.
A spokesperson from Chase was not immediately available for comment. And the bank's disclosures to consumers have been carefully worded. "Here's what we know to date," is what the bank says on its home page. Its update says, "There is no evidence" that account numbers, passwords, user IDs, dates of birth, or Social Security numbers were compromised.
Thanks to federal regulations and consumer protections, account holders are not liable for fraud losses, if they detect and report them to the bank promptly.
Without complete information, what should you do to protect yourself? Assume that there's more to guard against than you've been told, and take reasonable extra precautions.
1. Start with our advice from only last week, to hold down the fort from the breach of 1,000 other retailers hit by the same malware used against Home Depot–but not yet known–according to estimates by the U.S. Department of Homeland Security and the Secret Service.
2. Immediately change your Chase Mobile and online banking username and password. Chase says "We don't believe that's necessary," but that's ridiculous. Passwords should be changed regularly, and after a breach is a great time to do it. We recommend you also change your Chase online and mobile account username while you're at it. Use strong passwords that are harder for hackers to crack.
Data security breaches are a fact of life, so guarding your own personally identifying information, financial data, and privacy is an everyday chore. Learn how to do it with our Internet security guide.
3. Monitor your Chase (and other bank) accounts online for fraud activity now and into the future. We still recommend online and mobile banking, because it allows you to watch your account in real time from almost anywhere. Yes, it's now clear that Internet banking is not impervious to hacking, but "the convenience you get from banking digitally greatly supersedes any security risk," says Al Pascual, head of fraud and security research at Javelin Strategy and Research, a California-based financial services industry consulting firm. As part of your monitoring, watch out for changes to your debit card PIN.
4. Be suspicious of emails and phone calls from fraudsters who may masquerade as Chase. As we've previously reported, 22.5 percent of consumers who received notice of a security breach subsequently became victims of identity theft, according to a Javelin survey of 5,000 consumers. That's almost eight times the 2.9 percent ID fraud rate for consumers who hadn't received a breach notice.
If the Chase hackers only got your name, address, email, and phone number, they don't have enough to commit financial fraud, so they will likely send you official-looking e-mails or call on the phone posing as Chase customer service to try to trick you into giving up the missing pieces, including your mother's maiden name, account username and password, date of birth, and Social Security number. Never give out any of that personal financial information online or over the phone when a stranger initiates contact with you, and learn to identify these so-called "phishing" attempts by following our advice.
These messages can look especially authentic in the case of this breach, because the hackers also stole information about which lines of business you have with JPMorgan Chase, so they can refer to your checking, mortgage, private banking, credit card or other account when attempting to convince you that the fraud is genuine.
Never click on any links in an email or respond to pop-up windows that might suddenly open up requesting username and password. If you think the message is legitimate, independently find a Chase customer service phone number from your own research and call that, or visit your nearest branch in person.
If you're offered free credit monitoring or identity theft protection services by Chase or anyone else because of the Chase breach, do not click on any links or sign up. Chase is not offering these services, and such a deal could be a phishing attempt to get you to give up your Social Security number and other information.
5. Use Chase account alerts. Daily monitoring can be tedious, so automate some of the chore with account alerts that will send an email or text message to your cell phone when certain potentially fraudulent activities occur. On checking, for example, you can set alerts to be triggered if your balance falls below a certain amount, an outgoing wire transfer occurs, a new payee has been added to online bill pay, and an ATM withdrawal over a set amount happens.
Chase credit card alerts can set off alarm bells if an international charge is authorized, your available credit falls below what you expect, or a single charge to your card exceeds a set threshold amount.
6. If you find fraud, report it immediately. Chase and other financial institutions that lose your personal and financial data or give your money or credit to crooks will typically not hold you liable for the fraud losses, if you promptly report the theft. But there is also the hassle factor. How long will you have to get by with a drained bank account? By law, banks have 10 days to straighten out your accounts and give you your money back, but most do so almost immediately, says Pascual. So get the clock running as soon as you discover a fraud.
—Jeff Blyskal (@JeffBlyskal on Twitter)
Copyright © 2005-2014 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.