Friday, October 10, 2014

Another day, another breach

It seems like almost every week another business is in the news for having their payment network compromised and leaking customer information, often in the form of payment card data. Target, Home Depot, Jimmy Johns, Goodwill Industries, JP Morgan Chase, KMart/Sears, the list goes on. Today, Dairy Queen was (formally) added to the list.

I say formally, because Dairy Queen was strongly suspected to be on that list as of late August, but only now made a public statement confirming the fact. This incident hits a little closer to home because my hometown Dairy Queen is on the list of those compromised.

In fairness to DQ, their franchise model makes it extraordinarily difficult for the corporate office to know whether and how many franchisees might be affected. Unlike a Target or Home Depot, each restaurant is owned by a local franchise, each of which may have its own payment processor. If an individual franchise were hacked, the corporate office has no established requirement that the franchisee report such case. Perhaps as a business contemplating expanding through franchising, this should be a lesson learned: write into the contract a requirement that franchisees report confirmed or suspected Personally Identifying Information (PII) breaches to the corporate office within a defined time.

What can you as a consumer do? You can't control how a business uses your information - which has been a repeated theme the past few years. You can chose whom to do business with, but until a breach actually happens, you have no real way of knowing how strong their security practices are.

You can however take a few steps to make your life easier:
  • Save debit / ATM cards for the bank. Yes, I know small businesses don't like this advice - payment processors typically charge more to run a credit card than a debit card, but as a consumer you're the one that chooses how to pay. For purchases, credit cards have inherent consumer protections, and your cash is separated from the transaction. In the US, the Fair Credit Billing Act limits your liability for credit cards to $50 if you report fraudulent use promptly (and further, limits it to $0 if you report the card stolen before it is used fraudulently).

    Most banks now guarantee $0 liability for fraudulent use - hence it is in their interest to prevent fraudulent use in the first place. Many banks have sophisticated pattern-tracking systems that detect your typical patterns and will alert if something seems out of the ordinary. If you generally use your card at merchants in Miami, and a charge is recorded in Omaha (or Cambodia), there's a good chance the bank will flag that as suspicious and either call you, or require the merchant to verify your identity.


    The liability law
    for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report fraudulent use within 2 days after you learn of the theft. However, after two days your maximum loss increases to $500 - and if not reported within 60 days, you are on the hook for the entire loss.

    Of course, if you use cash, there is nothing to steal (electronically) in the first place.
  • Separate recurring bills from in-store purchases. Consider using one credit card for recurring bills (utilities, trash service -- things that are paid every month and that don't involve providing payment info for each transaction), and a different card for on-demand transactions. For me, the only real trouble of having a credit card number stolen is, I have perhaps a dozen automatic payments set up, and I have to update each and every one with the new credit card number. I've never known one of these to be compromised, so using a credit card dedicated to these automated payments saves me the hassle altogether. If a card is compromised in a store, it's easy to throw it away and get a new one from the bank, completely eliminating the hassle of updating every recurring payee.
  • Use strong password for your online accounts, and when possible enable two-factor authentication. Strong passwords are long (ideally, a phrase rather than just one word); include a mixture of upper case, lower case, numbers, and special symbols; and are never, ever, shared between accounts that matter. Make sure you aren't the source of the breach.
  • Strong passwords that are unique for every account are a pain to remember - so don't try to remember them. Use a password manager program that remembers the passwords for you.
  • Put a fraud alert on your credit report - and renew it every 90 days. This doesn't help with fraud on existing accounts, but if (as is the case with JP Morgan Chase) the theft was of identifying information instead of account numbers, at least that info cannot be used to open a new credit account in your name.