The massive security breach at Target, which involved the theft of data from 40 million customers' credit and debit card purchases, raises a new riddle for consumers: If you were one of the data theft victims, should you get a replacement debit card?
Over the weekend, J.P. Morgan Chase, the nation's largest commercial bank, answered that question for its own affected customers when it sent email notification that it will be replacing all compromised Chase debit and Liquid prepaid cards over the coming weeks.
Other big banks, however, have not done the same. So what if your debit card was issued by one of them?
"If a consumer knew they used their debit card at Target during that time frame, I would definitely go ahead and ask for a replacement card," says Steve Robb, an executive at ControlScan, an Atlanta-based payments security firm.
We agree. Debit cards are tied to your checking account, which is your core money management tool. Although fraudulent charges to a credit card can be easily fixed and dealt with, unauthorized withdrawal of funds from your checking account could set off a cascade of bounced checks—for rent or mortgage, utilities, and credit card payments. That, in turn, could trigger bounced-check and late-payment fees.
Monitoring your checking account for fraudulent charges may not be enough, either. A crook with your debit card information can patiently wait weeks or months to steal from your account—after you've long forgotten about the threat—and you might miss a fraudulent charge that blends in with many others.
Surprisingly, no other banks have announced a similar replacement program as yet.
"If we believe the account is at risk for fraud, we will notify a customer and reissue the card," Bank of America told Consumer Reports in an email statement, which suggests that the Target breach doesn't necessarily put all affected cards at risk.
"We reissue cards as appropriate when we believe the customer's account information may have been compromised and may be at risk," said Emily Collins, a Citibank spokeswoman, also via email.
Debit and credit card fraud are only two of myriad rip-offs. Learn about other big schemes to beware of in our report, "Protect yourself from the latest scams."
Chase also set limits on debit transactions, which have since been relaxed some. Now, customers can withdraw up to $250 per day in ATM cash and make up to $1,000 worth of in-store purchases daily using their compromised cards. (That's up from $100 ATM and $300 in-store.) If you need more money, you must visit a Chase branch to get it from a human teller, with proper identification—an ironic personal-banking throwback in today's go-go digital world.
The automatic replacement and limits policies don't apply to Chase credit cards. However, credit, debit, and Liquid prepaid card holders do have zero liability for unauthorized charges reported to the bank.
All affected consumers should also take several other steps to protect their identity, including filing a fraud alert and placing a security freeze on their credit reports at all three national credit bureaus (Equifax, Experian and TransUnion) and monitoring their accounts for fraud daily, via their online or mobile banking apps.
Also today, Consumers Union, the policy and advocacy arm of Consumer Reports, called on the Consumer Financial Protection Bureau to investigate the Target security breach and look at ways to minimize the impact on consumers.
—Jeff Blyskal
Consumer Reports has no relationship with any advertisers or sponsors on this website. Copyright © 2007-2013 Consumers Union of U.S.