Even Cybersecurity Guys Lose the Battle from Time to Time

By: Jerry Horton, Technology Director

Financial fraud and identity theft are like the Hydra of ancient myth: if you cut off one head, two grow in its place. Target, Home Depot, and even Equifax have had breaches which exposed millions of customers to financial fraud. Having made purchases from both Target and Home Depot during the time of the exposures, I had to deal with the inconvenience of contacting my banks and card companies to disable my cards and get new ones issued. Even though folks nationwide experienced financial fraud as a result of these breaches, the total effect was relatively limited, given the scope of the breaches. Both the forthrightness of the companies involved, and national media coverage of the breaches helped to keep the damages low, as well as ensuring those affected had ample opportunity to react. As alarming as the large, well-publicized events can be, they unfortunately do not give a complete picture of the full threat facing the consumer and can even lull people into believing that such things happen ‘somewhere else, but not in our small town’.

Unless you are from the Northeast Kansas region, this story probably didn’t show up on your radar. In the small town of Wamego, Kan., folks, including your friendly cybersecurity-geek author, were going about the business of their daily lives, purchasing goods and services from local merchants using debit and credit cards as they normally do. Suddenly, these good citizens, including me, woke up to discover transactions on their accounts had occurred in faraway cities – transactions they did not make or authorize, in cities they were not in. As this case is still under investigation by multiple law enforcement agencies, I am going to avoid divulging much detail about the breach or method of attack, but suffice it to say many people in several local communities were adversely affected. Regardless of the amounts of money stolen, those victimized have been left feeling violated and far less trusting of our neighbors. Allow me to express my gratitude and admiration for the law enforcement agents working with me and the others. These public servants have been sympathetic, patient, and diligent in their collection of evidence and pursuit of the criminals. Well done!

As stated earlier, I cannot reveal significant detail about this incident, but I can offer advice to protect yourself and how to respond to such event.

  • Check your account statements at least once a week.
    •  While this may sound overly paranoid, there are several reasons to make frequent account reviews part of your routine. By law, the quicker you report an improper or unauthorized transaction on debit or credit card accounts, the less money you are required to forfeit. Credit cards are regulated in part under the Fair Credit Billing Act (FCBA) and cap the consumer’s liability to $50. Debit cards, on the other hand, are subject to the Electronic Fund Transfer Act (EFTA) have a matrix of liability:
If You Report: Maximum Loss:
Prior to unauthorized charges are made $0
Within 2 business days after you learn of the loss or theft $50
More than 2 business days after you learn of the loss or theft, but less than 60 calendar days after your statement was sent to you $500
More than 60 calendar days after your statement was sent to you The entire amount of the transaction, plus any transaction fees that might be due

Site: (Federal Trade Commission - Lost or Stolen Credit, ATM, and Debit Cards)

  • Keep your transaction limit on cards as low as you can. This is essential for a few reasons:
    • Debit and ATM cards are directly connected to your bank account, sort of like a plastic version of a check, but much faster. Once a transaction is made, that change happens immediately to your account.
    • If your card and PIN number have both been compromised, it may not trigger alerts because the transactions appear to be legitimate. The burden of proof will rest on you and those funds may or may not be available to you until the matter is resolved.
    • While your liability may be legally limited for a lost or stolen card, the answer isn’t as clear when both card and PIN number have been compromised. You may be liable for the entire amount if you have insufficient proof.
  • Use the chip on your cards whenever possible. Credit and debit cards have used magnetic stripes on the back of the card for years which is well-known and easy to compromise.
    • Skimmers are a physical hacking device placed on card readers specifically to read and steal the data encoded in a magnetic stripe.
    • A magnetic stripe card can be easily duplicated once the data has been captured.
    • Chips on the cards are encrypted; the magnetic stripe is not.
    • The data in the chip on the cards changes constantly, making them extremely difficult to skim and nearly impossible to duplicate.
  • As silly and outdated as it may seem, keep your receipts! (P.S. There’s an app for that. More to come in a future blog.) Physical or electronically reproducible copies will help you:
    • Quickly and easily reconcile your accounts.
    • Provide evidence of locations, dates, and transaction history.
    • Stay compliant with best accounting practices and the law (if the expenses are for a business).
  • Notify authorities immediately!
    • If you find a skimmer on a gas pump or other card reader, contact the police and stay on-site until they arrive. If you find unauthorized transactions on an account, notify the card issuer(s) and contact law enforcement, both in the jurisdiction where you live and where the unauthorized transaction took place.

In an electronic, digitally connected world, it is inevitable you will be a victim at some point. Make sure you have developed good habits for using credit or debit cards, minimized your exposure, and kept a good paper trail.

And to the deputy who is assigned to my case, I owe you a cup of coffee…or two!