One in three victims of Target card breach could face fraud

A survey released by Javelin Research shows a sharp increase in 2013 in the number of data breach victims seeing fraud

One in three data breach victims in 2013 later experienced fraud, according to a survey released Wednesday, a sharp increase that doesn't bode well for millions of Target shoppers.

That's up from one in four in 2012, according to Javelin Research, which polled 5,634 U.S. adults over three weeks last October about financial fraud incidents.

[ Also on InfoWorld: Target hackers have more data than they can sell. | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]

"The correlation between a fraud victim and a breach victim gets stronger every year," said Al Pascual, senior analyst for security risk and fraud, who co-authored the report.

Target said on Dec. 19 up to 40 million credit and debit cards may have been compromised between Nov. 27 and Dec. 15, the busiest shopping period of the year. It later said malicious software was installed on its point-of-sale devices, which harvested unencrypted payment card details.

Neiman Marcus disclosed in January it was affected by the same kind of hacking, while two other companies, the arts and crafts chain Michaels and the hotel management company White Lodging Services, are also investigating suspected breaches.

Target later said 70 million other personal records were also stolen. Pascual said those details are less likely to result in fraud because cybercriminals are intensely focused these days on payment card details, which are easier to monetize.

Banks and card issuers replace cards used fraudulently. For stolen cards that have not been fraudulently used, they frequently opt not to reissue cards since it is expensive and is inconvenient for their customers.

The glut of stolen card details on underground marketplaces has likely caused a large drop in so-called "new account fraud," where criminals amass a person's personal information in order to open financial accounts. New account fraud fell from $10 billion in 2012 to just $3 billion 2013, Javelin said.

Although the financial industry has improved checks around creating new accounts, the "less rosy explanation of fraudsters' abandonment of new-account fraud is that it is simply becoming too easy to make a buck by misusing and taking over existing accounts," the report said.

The cost of fraud caused by criminals abusing payment cards and other accounts, such as checking, savings and loan accounts, jumped by 36 percent to $16 billion, up from $11 billion in 2012, Javelin said. About 5 percent of U.S. consumers were affected in 2013.

"For only a few dollars, criminals can purchase card numbers or other account credentials," the report said. "The misuse of existing account credentials is a less onerous process than opening a new account in many cases."

Pascual said people using payment cards are always on the defense.

"When it comes to figuring out whether or not you are going to be a victim of a data breach, it's a crap shoot," he said. "If you monitor your accounts, you are in a better position. There are so many breaches. You can't expect your bank to replace your card every time it happens."

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Copyright © 2014 IDG Communications, Inc.