The massive security breach at Target, which involved the theft of data from 40 million customers' credit- and debit-card purchases, raises a new question for consumers: If you were one of the data-theft victims, should you get a replacement debit card?
Over the weekend, JPMorgan Chase, the nation's largest commercial bank, answered that question for its own customers when it sent email notification that it would be replacing all compromised Chase debit and Liquid prepaid cards in the coming weeks.
Other big banks, however, have not done the same. So what if your debit card was issued by one of them?
"If a consumer knew they used their debit card at Target during that time frame, I would definitely go ahead and ask for a replacement card," says Steve Robb, an executive at ControlScan, an Atlanta-based payments security firm.
We agree. Debit cards are tied to your checking account, which is your core money-management tool. Although fraudulent charges to a credit card can be easily fixed, unauthorized withdrawal of funds from your checking account could set off a cascade of bounced checks—for rent or mortgage, utilities, and credit-card payments. That, in turn, could trigger bounced-check and late-payment fees.
Monitoring your checking account for fraudulent charges may not be enough, either. A crook with your debit-card information can patiently wait weeks or months to steal from your account—after you've long forgotten about the threat—and you might miss a fraudulent charge that blends in with many others.
No other banks have announced a similar replacement program yet.
"If we believe the account is at risk for fraud, we will notify a customer and reissue the card," Bank of America told Consumer Reports in an email statement, which suggests that the Target breach doesn't necessarily put all affected cards at risk.
"We reissue cards as appropriate when we believe the customer's account information may have been compromised and may be at risk," said Emily Collins, a Citibank spokeswoman, also via email.
Debit- and credit-card fraud are only two of many rip-offs. Learn about other big schemes to beware of in "Protect Yourself from the Latest Scams."
Chase also set limits on debit transactions, which have since been relaxed some. Now, customers can withdraw up to $250 per day at ATMs and make up to $1,000 worth of in-stores purchases daily using their compromised cards. (That's up from $100 at ATMs and $300 for in-store purchases.) If you need more money, you must go to a Chase branch and get it from a teller, with proper identification—a throwback to the pre-digital world.
The policies on automatic replacements and limits don't apply to Chase credit cards. However, credit, debit, and Liquid prepaid cardholders do have zero liability for unauthorized charges reported to the bank.
All consumers with cards that may have been compromised should also take several other steps to protect their identity, including filing a fraud alert, placing a security freeze on their credit reports at all three national credit bureaus (Equifax, Experian and TransUnion), and monitoring their accounts for fraud daily via online or mobile-banking apps.
Consumers Union, the policy and advocacy arm of Consumer Reports, has called on the Consumer Financial Protection Bureau to investigate the Target security breach and look at ways to minimize the impact on consumers.
Consumer Reports has no relationship with any advertisers or sponsors on this website. Copyright © 2007-2013 Consumers Union of U.S.
- Banking & Budgeting
- JPMorgan Chase