By Mitch Lipka
Dec. 19 (Reuters) - If you think yours was one of the 40 million credit or debit cards involved in a data breach at Target, security experts recommend a policy of watching and waiting: Watch the account you used at the retailer on a daily basis, and wait, because there's no telling when it will be tapped by thieves.
With the information that was obtained in the data breach between Nov. 27 and Dec. 15 - cardholder names, card numbers and the three-digit security codes - crooks can make online transactions or manufacture duplicate cards.
"This could be something that hits your card months from now, so you need to continue to be vigilant," says Yaron Samid, chief executive officer of BillGuard, a company that offers a free service monitoring credit and debit cards for unusual activity.
Don't look for crazy, big-ticket charges, Samid says.
Sophisticated hackers are more likely to make small purchases, sometimes aimed at checking the viability of an account.
"These folks are not going to put a $10,000 charge on one card," Samid says. "They're going to put a $1 charge on 10,000 cards."
Small charges are less likely to be noticed and disputed, he says, and a single charge - even if it's for just 99 cents - enables the crooks to resell the stolen information at a premium, according to Samid.
A validated stolen card number is worth more than an untested one, he says.
CREDIT VS DEBIT
If you used a credit card at Target, you have more protection than if you used a debit card. That's because consumers are protected from the fraudulent use of a credit card. You still have to report the fraud to your card issuer.
A fraudulent charge is typically credited back to the consumer's account after a fraud report is made. The card issuer then investigates the complaint and, unless the charge is found to be valid, the credit will be made permanent.
With a debit card transaction, money immediately comes from the consumer's bank account. After a fraud report is filed with the bank, it is in the bank's hands when - or if - that money is returned.
Either way, if a fraudulent charge is spotted, consumers should get a new card.
But experts say it's better to err on the side of caution, and - at least for debit card holders - get a new card now.
"I do see this as a very severe breach. Take it very seriously," says Mark McCurley, senior information security adviser for Scottsdale, Arizona-based IDT911 Consulting, a company that does data breach prevention and post-breach analysis.
McCurley says he used his debit card at a Target store during the period the numbers were stolen. He requested a new debit card and PIN number.
"That's how seriously I'm taking the matter," he says.
At a minimum, change your PIN number, experts advise. If the thieves have captured your PIN, you can prevent them from getting a cash-back during a transaction or using your card at an ATM machine, McCurley says.
Molly Snyder, a spokeswoman for Target, says there is no indication at this point that PINs were collected by the thieves.
Target is getting out the word to potential victims through the media and on its website, Snyder says. Consumers who have the store's credit card or have an email address on file have been or will be notified directly, Snyder says.
Customers with questions about the breach are asked to call 866-852-8680.
At this point, credit monitoring is not being offered to potential victims. Additional information will be posted to Target.com, Snyder says.
A notice to the retailer's customers is posted on the company's site, with information about putting a security freeze on credit reports, and other post-breach basics.
"If you shopped in a U.S. store during that time period, we encourage you to watch your accounts." Target has addressed the problem, she says, and assures consumers that future transactions will be protected.
Robert Siciliano, online security expert for Internet security company McAfee Inc., says consumers shouldn't have to get identity theft monitoring or freeze their credit in this case.
"It didn't affect the users' Social Security number," Siciliano says. "This is plain and simple a credit card breach. Bad guys use (Social Security numbers) to open up a new credit card. In this case, they don't have to. They already have the best data they can to turn into cash."
Beyond checking on account activity and obtaining new credit cards, consumers should be on the lookout for scammers trying to take advantage of the data breach.
"Be wary of any communications from people claiming to be your bank," warns Lee Weiner, senior vice president of products and engineering for the Boston-based software security firm Rapid7.
"Incidents like this provide a great opportunity for other criminals to launch 'piggyback' attacks," Weiner adds. Scammers can contact you through a call or email claiming to be your card issuer, and then get you to give them your banking information, online security credentials, or visit a malicious website.
If you are contacted by what appears to be your bank or other financial service company, do not click on links, and certainly do not provide the information requested by phone or email. Contact your bank, for instance, using the number on the back of your card, Weiner says, or by going directly to the bank's website.
Piggyback crimes are claiming more victims.
Just last week, Javelin Strategy & Research released a report that found the number of people notified after a data breach that they were victimized by fraud rose by 340 percent between 2010 and 2012.