As many as 40 million Target customers had their credit and debit card information ripped off by thieves over 19 days this holiday shopping season, including the Black Friday weekend. While thieves will only use a small percentage of the black magnetic strip data taken from those cards, it's still a smart idea for shoppers take precautions immediately if they think their information could be in danger, experts say.
Here's what you should do if you think you might be a victim.
Should I cancel my credit or debit card and get a new number?
The safest answer is yes. While banks are monitoring all the stolen cards carefully, and under federal regulations and company policy you will be able to get your money back or zap unauthorized charges, fighting them can be a hassle.
"If it was my debit card, I would probably cancel it," said Avivah Litan, a fraud analyst at technology research company Gartner. "I don't like anyone going into my bank account." Even temporary fraudulent charges on a debit account can lead to unexpected fees and bounced checks, requiring even more work to untangle.
What is stored on the cards' black magnetic strip that thieves can use?
The little black strip on the back of every credit card has almost everything needed to run up charges on your account. That includes name, credit or debit card number, and expiration date. Home addresses are not stored on cards. "CVV2" codes, the three or four digit security code on the back of cards, were not stolen, but a different code, called a "CVV," was.
Could this lead to identity theft? How can I protect myself?
Conceivably, yes, though not right away and the odds are longer. Data thieves can resell their plunder on the global black market. It can be recombined with other public and stolen data to piece together parts of your identity to open up credit cards, cellphones and even take out a home loan in your name.
For maximum protection, you can contact one of the three credit reporting agencies and put a security freeze on your credit report. That means no one can access your credit information without your prior written authorization. It can also mean a hold-up for you when trying to apply for a job, mortgage, or if you like to get a discount by opening an in-store credit card. A less drastic approach is a fraud alert, which will let the agencies know to give requests for your credit report information more scrutiny without outright stopping it. That also can lead to some delays.
How can I contact the credit reporting agencies?
There are three of them. Contact Equifax.com or (800) 525-6285 , experian.com or (888) 397-3742, and transunion.com or (800) 680-7289.
How can I get a free copy of my credit report?
You can get one free copy from each of the credit reporting agencies once a year at annualcreditreport.com. Some folks like to request their report from just one agency every four months, cycling through the agencies to stretch out the monitoring.
When should I check my card for suspicious charges? Every week? Every month?
"I would monitor my statement very carefully," said Litan. Check now, then at least once a month. Even if the numbers aren't used right away, the numbers can get resold through private online forums and chatrooms. Fraud might not show up until months from now.
That doesn't mean your credit card is a ticking bomb. "It's not like you're going to eat the fraud; the bank is going to reverse the fraud right away," said Litan. Cards in these types of breaches also go on a "gray list" and get extra scrutiny when charges comes through.
"They've got pretty good fraud detection systems," said Litan. "As the consumer, it's just very inconvenient and awful."
What should I do to protect myself going forward?
Keep an eye on all your statements. If you swipe your debit card at checkout, always make sure to do it as "credit" rather than "debit." Though no reports indicate PINs were stolen during this breach, if they were, a thief could clone your debit card onto a new piece of plastic and turn your bank account into his own personal piggy bank from any ATM in the world.
What are the chances my card will get used by a thief?
"They steal a lot more of these cards than they can use," said Litan. She estimated that on average, about 5 percent get used by the thieves. With a breach this size, that's still up to 2 million cards.
Is it safer to shop online next time?
Snoops can also target your computer with keystroke loggers, lure you to phishing sites, or intercept transactions. The only way to absolutely avoid credit card or debit theft is to pay in cash, in person. But carrying around a wad of holiday shopping cash carries its own risks, of course.
Is it safe to shop at Target?
Target says the issue was "identified and resolved."
Who is responsible? Banks? Credit card companies? The store?
Under the "Payment Card Industry Data Security Standard" or "PCI compliance," stores are ultimately responsible for implementing fraud safeguards, and paying for the fraudulent charges when they fail.
The breach does include Target REDcard holders. Those customers who spot suspicious charges should contact Target. Target's phone line and website are jammed right now, however, so you'll have to wait until it dies down and they add more capacity.
All Target's approximately 1,800 stores were affected.
There's no good answer there. If you need to use your card over the holidays, instead of canceling, you can opt to monitor your statements for suspicious charges, and then cancel after the new year.
PIN numbers were not reported as being stolen in the breach. But the risk is your data can get resold and repackaged with other identifying data. Vigilance is the only safeguard.
Contact Ben Popken via ben.popken@nbcuni.com, @bpopken, or benpopkenwrites.com.
Ben will be answering consumers' questions about the Target data breach at 2:30 p.m. ET on the @NBCNews Twitter account.