When you’re bidding on eBay for the perfect pair of vintage 1950s heels, ordering bulk diapers from Amazon or sending in your final car payment on BB&T’s website, chances are you trust these and similar merchants with your financial information. Online checkout makes it easy to buy goods or make payments with a few simple clicks, and you don’t even have to enter your password if you’ve set up your browser to remember you. Unfortunately, data theft is at an all-time high. By making online financial transactions easier, companies are making it even easier for hackers to get in, steal your information and get out before you even realize what’s happening.
In 2014, there were 1,540 data breaches around the world, an increase of 46 percent over the previous year. More than a billion data records were compromised, and 12 percent of data breaches happened in the financial industry. You might assume that user error and negligence accounted for most of these cases, but sadly, that’s not the case. More than half of all breaches were caused by malicious outsiders, with an additional 15 percent coming from malicious insiders.
We depend on financial institutions to keep us safe from security breaches and hackers, but the truth is that consumers should bear some responsibility for keeping data secure. Today’s society makes it almost necessary to transmit personal financial data online, but there are ways to reduce your risk of theft and mitigate the effects of a breach. With most card fraud committed in the U.S., it’s time to take a hard look at what’s driving financial breaches and what we can do to stop the numbers from rising.
The High Cost of Stolen Financial Data
Credit card fraud is popular because cybercriminals can steal card info without being present. In 2014, 45 percent of card fraud was committed online, and issuers had to pay nearly $13 per card in replacement costs. With nearly 32 million people affected by card fraud that same year, the numbers add up quickly. Yet as costly as the face value of the loss is to issuers and consumers alike, there are hidden costs to stolen financial data. What do hackers do with the financial information that they steal? Once your card gets stolen – or your bank account hacked – what happens to the data?
In 2012, CIO.com surveyed security experts on data breaches and found that “[p]ersonal information is the currency of the underground economy.” Hackers use data, including financial details and personally identifying information, to make big bucks on the virtual black market.
How much cyber criminals can get for different types of records depends on the long-term value of the record. The fresher the find, the more it will garner on the market. Credit card numbers are surprisingly low on the totem pole, fetching less than $1 per record. Medical records generate 10 times as much. Email accounts are only worth a few cents to some buyers. But even at a few cents per email, black hatters can generate hundreds of thousands of dollars from a simple phishing scam. Plus, there are lots of other things that a cyber criminal can do with your personal information, including:
- File phony tax returns
- Buy or rent a house, or refinance your home
- File for bankruptcy
- Garner a criminal record in your name
- Steal and collect government benefits
- Empty your bank account
- Buy a car and open credit cards in your name
Most victims won’t realize what’s going on until it’s been happening for days or even weeks. And while there are safeguards in place to protect financial data, such as the funds in your bank account, cybercriminals know this and will act quickly to cause as much damage as possible before you notice.
Once your credit card gets stolen, it will be listed on a black market website in a batch with other stolen cards. The more info a criminal has to sell with it, the higher its value will be. Your address, full name and phone number are good additions, but more important – and most valuable – are your shopping habits. If a criminal knows how you usually spend your money, then she’s likely to make a few test purchases with the card to verify its usefulness. The card issuer will think it’s you. After so many trips to Old Navy, an extra charge here and there will seem like no big deal. And unless you’re monitoring your credit card statement each month, you probably won’t think too much about it either.
Hackers are smart and calculating, and they know how to game the system. Before you know it, your card could be sold to other cyber criminals, who in turn will use the card to buy high-ticket items to resell. In 2014, a report by the RAND Corporation’s National Security and Research Division found that hacking has become more profitable than illegal drug trading. One of the biggest problems, though, is that consumers don’t think of a credit card breach as anything more than a nuisance. Too often, a person who misplaces his card simply calls up the issuer and gets a replacement, not thinking about the potential ramifications if the card falls into the wrong hands. Consumer complacency is driving financial data breaches.
How Hackers Get In
There are several methods for stealing your financial information. In fact, data solutions company Acuant offers a list of 101 ways that your identity can be stolen and used against you. Still, all of these schemes boil down to four basic techniques:
- Hacking: Most hacking happens to businesses because the reward is better than what you can get from the average personal computer. Hackers implement a number of techniques to enter a computer system, mine for data and steal what they determine to be valuable. While businesses are usually primary targets, you can get hacked as an individual. Hackers don’t discriminate when infiltrating a network.
- Middleman attacks: Sophisticated criminals can make you think that you’re visiting a trusted site only to have your information recorded and sent to a third-party cybercriminal home base. By creating fake websites and managing both ends of the transaction, criminals act as middlemen, and neither entity is any the wiser until it’s too late.
- Spoofing: Similar to a middleman attack, spoofing involves creating fake websites and emails to lure people into divulging critical data, such as credit card numbers or login info.
- Phishing: Phishing is the most common form of online data theft. Data thieves will email, text or call you under the guise of a trusted entity, like your bank, claiming that they need personally identifiable information from you in order to resolve a dispute, update your records, verify your account or achieve some similar made-up purpose. Many people fall for phishing scams because they seem like legitimate requests.
Dedicated criminals don’t have to wait for you to give them information. Unfortunately, there are a variety of ways in which a cyber criminal can steal your financial data without a phishing scam or fake website. Credit card data in particular is easy to swipe for even newbie criminals.
Skimming devices, modified card readers and malware can glean user information quickly and unobtrusively. Skimming occurs most notably in restaurants and gas stations. Anyone who takes your card out of sight, such as a server, can skim your card’s information using a handheld device. At gas stations and checkout lines, criminals can install skimmers or modified card readers to swipe customer information, unbeknownst to employees. Malware, the name given to software that harms or infiltrates a computer, can be installed remotely and used to track and store personal data.
What to Do If You’re Hacked
Who’s responsible for the damage if your financial information gets compromised? Let’s say a hacker drains your bank account. What then? Fortunately, the instances of people having their entire accounts cleaned out are rare. Hackers usually target businesses and the super-wealthy, but there are times when your accounts can be breached, either by novice hackers looking to make a quick buck or by negligence on the part of your financial institution.
You have some legal protections when it comes to bank accounts. According to Bankrate.com, federal law entitles you to get your money back within 60 days of the reported incident as long as you meet the necessary requirements. These include notifying the bank as soon as you see the error on your statement, keeping a non-business account and doing your best to maintain appropriate security protocols beforehand. In other words, as long as you make every effort to keep your information safe, you should be able to recoup the financial loss for personal accounts.
Despite these protections, you’ll still have to jump through a few hoops to recover from a financial breach. It’s not as easy as it seems to have the money refunded to your account, and for many people, even the loss of a few hundred dollars could be the difference between an on-time and missed mortgage payment. If you’re the victim of a financial data breach and your account has been compromised, then keep the following in mind:
- Once you discover the incident, notify the institution within two business days. If you do, then you’ll only have to cover the cost of the transaction or $50, whichever is less.
- If you wait until the two-day limit has passed, you could pay up to $500.
- Past 60 days, you may be responsible for all fraudulent charges against your account.
Banks have rules that they must abide by as well:
- Once you report an incident to your institution, the bank has 10 days to investigate as long as the account has been open for longer than 30 days.
- More recent accounts justify a 20-day investigation.
- After the investigation is complete, the bank has to notify you of its findings within three business days.
- If a bank needs more time to investigate, then they have to refund all disputed transactions to your account less the $50 charge while they continue investigating.
- For established, domestic accounts, banks have to resolve disputes within 45 days. Exceptions include debit card point-of-sale charges, foreign transactions and accounts younger than 30 days.
There are additional steps you can take if your financial data gets stolen, but you should know that the process is often painful, slow, time-consuming and frustrating. You’ll need to contact all relevant parties, meticulously scan your credit report, file reports with the Federal Trade Commission and local law enforcement if applicable, and dispute any fraudulent charges. Hackers generally get away with their crimes, leaving their victims to sort through the aftermath alone.
Closing the Door to Cyber Criminals
If you’ve been a victim of financial data theft, then you know that recovering from an attack can be practically and emotionally difficult. When it comes to data breaches, a good preventive strategy from your card issuer or financial institution is critical to ensuring that you don’t experience long-term financial hardship or total identity theft. As a consumer, you can also take a proactive approach in dealing with financial theft. It’s easy to ignore suspicious emails or illegitimate video links, but you may be taken in by something as basic as a phishing scam or a hack into your smartphone while you’re on the coffee shop’s public Wi-Fi.
Sites like Scambusters.org help people avoid getting taken in by posting current scams that are circulating the Internet, and most companies will alert their customers if they’ve been breached. However, there are still precautions that you should take to avoid becoming a victim of financial data breaches, some of which start with paper evidence:
- Simplify your wallet. Keep your social security card locked in a safety deposit box or safe, and never carry it with you when you’re out and about. Limit what you carry to what you need for the occasion, and keep it on you at all times.
- Monitor your mail. If you need to mail in payments, skip your mailbox and head straight to the post office. Pick up mail promptly when it arrives. If you receive a lot of credit card offers, consider opting out of the pre-screened service. Fewer credit card offers make it harder for thieves to apply on your behalf.
- Avoid having checks mailed to you. If you still use checks, go to your bank to pick them up when possible. No matter how secure an envelope is, it’s still too easy for a thief to steal.
- Shred documents with personal info. Not only should you shred obvious documents like credit card statements and bank info, but you should take care of prescription information, health records and other personally identifiable info before throwing it out. Even better, don’t throw away similar items using the same trash bag. Splitting up shredded documents makes it harder to steal.
- Ask questions. Some organizations really do need to know your social security number, but always ask before giving it out. A legitimate company won’t mind telling you why they need it, and you should know how they plan to use the information and what they do to keep it safe.
Online, take extra steps to reduce financial theft. Don’t store passwords in an accessible computer file. Memorize your PINs, and create strong, random passwords that can’t be guessed based on your personal information. An online password manager may help you to create and maintain those random passwords that you just can’t remember. Cyber insurance, traditionally used by companies to offset financial losses following a data breach, may be beneficial for individuals as well. Other simple but effective ways to avoid becoming a victim include limiting your online spending accounts, keeping social media private, avoiding public Wi-Fi and checking out as a “guest” when you’re shopping online.