Banks had enough trouble with 40 million debit and credit cards being hacked in the Target (TGT) security breach, but the larger threat could come from secondary scams that are now targeting the 70 million consumers who had their information stolen in that same time frame.
Lenders working with customers or experiencing suspicious activity — whether mortgage-related or not — should be on heightened alert since scammers can use this information in many deceptive ways.
That letter in your mailbox with a fake Target logo, asking for your social security number so they can contact your bank? Fraud. The email from the credit bureau that just needs your bank account number to clear everything up? Scam.
"The biggest threat comes from the perpetrators using that database information to get the last two keys for identity theft — your social security number and birth date," said William Kresse, director of the Center for the Study of Fraud and Corruption at St. Xavier University. "These bad actors will contact people under a pretext that they are Target or a credit bureau and just need to confirm information."
Consumers who mistakenly give that information then have credit cards and loans taken out under their names, potentially cratering their credit for years to come and making it harder for them to qualify for loans — including mortgage loans — in the future.
This threat can also come from an endless supply of “copy cats” Kresse said, who weren’t involved with the original breach but who will exploit the publicity to target consumers in mass emails. Clicking on a link in these emails will often result in downloading a virus that can give thieves access to personal information.
According to Kresse, black market sites on the Internet have seen a 10 to 20 fold increase in the number of credit card numbers offered since the breach, and he expects the number to just keep rising. Part of the problem is the sheer size of numbers we’re dealing with. Even if only 1% of 70 million people give thieves the information they are fishing for, that’s still 700,000 people.
All of this means the banks end up paying over and over again — first to make whole the consumers whose credit or debit card information was stolen directly from Target, then for the wave of fraudulent credit cards and loans that are never going to be paid back, and finally when they have to sort out bad credit risks from true hacking victims.
"It will be a major headache for credit bureaus and those who rely on those credit reports to sift all of that out," Kresse said.
And the problem is likely to keep growing. Neiman Marcus recently reported a security breach, and Kresse said there are likely two or three other retailers hit at the same time who have not announced yet. Banks having to deal with another major retail security breach is a matter of when, not if.
"Target has an excellent security system, which just shows how sophisticated this breach was, if they got Target’s information," Kresse said."If you’ve gone to the trouble of building a virus as sophisticated as this was, you’re not going to just leave it on the shelf. The question is, who’s next?"