Don’t give Target your Social Security number «
After announcing the massive credit-card breach, Target /quotes/zigman/253872/delayed/quotes/nls/tgt TGT -0.94% warned customers against giving out their Social Security number, driver’s license number and other personal details to fraudsters trying to profit from confusion and anxiety over the news. But what if Target itself wants your social security number?
On Wednesday, one Target customer received a call from the Target fraud-detection department about a suspicious $1,200 transaction on his store credit card. But Michael Baxter, from Sommerville, Mass., says he was surprised by the depth of confidential information the company asked him to fork over — and wondered if it was a scam. Target emailed him a fraud-investigation questionnaire requesting information such as his Social Security number, driver’s license number, phone number, credit card number, address and even his children’s names. “I told them they were insane to be expecting this information,” he told CBS News in Boston .
Click to Play Target hackers wrote malware partly in RussianThe holiday data breach at Target appeared to be part of a broad and highly sophisticated hacking campaign against multiple retailers. Danny Yadron reports. Photo: Getty Images.
Target later said the disclosure wasn’t necessary. “Our policy is to investigate all fraud claims even if the form is not filled out, and filling out the form is not a requirement,” it said in a statement. “However, if we don’t have the form filled out, it makes our investigation more difficult.”
Some consumer advocates disagree. “With all due respect to Target, I’m not sure how it makes their job more difficult,” says John Ulzheimer, a credit expert at CreditSesame.com, a firm that provides online credit and debt analysis to consumers. Companies should never ask for a full social security number or driver’s license, they should confirm your card number, zip code and one or two security questions. To set up a store card in the first place, Target should have all that information on file already, Ulzheimer says, and asking customers for that information is merely a time-saving shortcut.
“The Target form was total overkill,” says Adam Levin, co-founder of online security company Identity Theft 911. “When a consumer is a victim of identity theft or fraud, the last thing you do is pressure them to give you more information.” To be sure, Target’s credit-card agreement requires customers to “ comply with the procedures ” it may require for its investigation. But other forms, like this Navy Federal Credit Union affidavit of fraud, doesn’t ask for the consumer’s social security number, Levin says.
Reuters Assume every call is a phishing scam, experts says. Consumers should never give out personal details over the telephone, even if the caller seems to represent Target or the email appears to be from a Target email address. “Consumers need to be careful whenever they are contacted by an unsolicited caller,” says Linda Sherry, director of national priorities at Consumer Action. Hang up and call the number on your card. Target itself warns against “phishing” scams — calls, emails or text messages that appear to offer protection, but are actually trying to get more personal information from customers.
Bottom line: “Don’t share any information with organizations that they don’t absolutely require,” says Chester Wisniewski, senior security adviser at Sophos, an online security consultancy. There is no federal legislation governing what information a consumer can withhold in the event of a data breach and it typically depends on the agreement signed. In the meantime, Wisniewski says, “trust no one.” A supermarket or coffee shop wants your birth date and zip code for their frequent shopper card? Choose Jan. 1. and 90210, Wisniewski suggests. “Thousands of security experts were born on Jan. 1,” he says.