Will data breaches scare away consumers?
Earlier this month, Home Depot confirmed that hackers had broken into its in-store payments system and stolen the credit card numbers of as many as 60 million customers – potentially the biggest breach of a retailer’s computers. Will this latest in a long line of such breaches finally scare consumers into changing their shopping habits and credit card use?
Last year’s breach at Target (TGT) provides an early indication that shoppers may now be more inclined to shy away from retailers who have lost their trust. Ordinarily after such breaches, sales have fallen but soon rebounded. In 2007, for example, the parent company of TJ Maxx, the TJX Companies (TJX), suffered a massive data breach involving 90 million card accounts. Customers didn’t care – sales were barely affected in the quarter when the breach occurred and rose 9% in the following quarter. But the fall off at Target persists. In August, the company reported second-quarter earnings of $234 million, compared with earnings of $611 million in the same period last year – a drop of 62%. And customer transactions fell 1.3% compared with the same period last year.
But avoiding Home Depot (HD) or Target, as some customers appear to be doing, won’t protect you from breaches at other companies in the future. Data theft is big business in many parts of the world, and large-scale breaches will undoubtedly continue. With the rise of the “internet of things,” there are more points of entry for thieves than ever – Gartner estimates that the number of nodes may grow to 26 billion by 2020.
The real question is whether the disenchantment with retailers who compromise customer information will translate into a change in the way consumers use their credit cards. It’s too early to say, but the main alternatives to credit cards aren’t particularly safe either, and have their own drawbacks.
Credit monitoring. In the wake of data breaches, the victimized companies often provide their customers with identity protection services like free credit monitoring, typically for a year. Home Depot announced such a program shortly after they discovered their recent breach. But monitoring services only detect fraudulent activity on your account after it has occurred, and they do little to block that activity. Further, they are simply one more place from which your data can be stolen. Last year, for example, the three biggest U.S. credit-reporting companies – Experian, Equifax and TransUnion – acknowledged that hackers had gained access to users’ information, even posting online the credit reports of famous people, including Michelle Obama, former FBI director Robert Mueller, Ashton Kutcher, Beyoncé and Paris Hilton.
Reverting to cash. This solution trades the risk of credit card fraud for the risks of loss and theft. And it’s inconvenient – for large purchases you must plan ahead, then go to your bank and withdraw the money you need.
Doing nothing. In some ways, this is the most attractive solution. Since the card issuer indemnifies users against losses, why worry? If fraudulent activity occurs on your credit card, the bank will make you whole. But this ignores the danger to your debit card, which can be used directly to drain your bank account even if, as in the Home Depot case, no PIN numbers have been compromised. With just a few pieces of easily found information like your Social Security number and date of birth, thieves can change your PIN number, create a counterfeit card, and use it to make debit purchases and directly withdraw money from your account.
By far the better solution is a combination of doing nothing about your credit cards and zealously protecting your debit card. Never use it as a charge card, anywhere. And don’t use it to debit, either – not for groceries, not for gas, not for anything. Use it only as an ATM card at your bank. Charge everything to your regular credit card – and start racking up the air miles or other bonus points.
The objection to charging everything? Many people fear running up large credit card debt, with its high interest rates. But with today’s online tools, you can pay off your credit card weekly. You will not only be regularly monitoring your statements for signs of fraud, but you will also get better control of your spending when you see precisely where the money goes every week. That is a far more effective and practical restraint on spending than the wishful thinking of a budget.
Be vigilant also about retailers and banks pushing more liability onto consumers. But until they do, you can confidently return to Home Depot and Target – why needlessly forgo the good value that both are known for? As one information security professional, who practices the solution proposed here, recently said to me about Home Depot, “I can’t wait for the inevitable sale to lure customers back – there are some things I really need.”
Glenn Kapetansky is Chief Security Officer for Trexin Consulting a management and technology consulting firm specializing in the application of advanced technologies.