Back in ye olden days — say, a decade ago — many holiday shoppers worried about using credit cards to buy gifts online. They feared their information would end up in the hands of computer hackers.
Turns out, walking into a store and swiping a credit card can be plenty risky, too.
"There aren't good statistics measuring which one is a greater risk," said Greg Brown, chief technology officer for McAfee, a computer security company. But either option — shopping in real life or online — can let bad guys into your wallet, as Target shoppers learned Thursday.
If you shop through a shady website, "your risk goes up, just as it would if you bought merchandise off the back of a truck," Brown said. "You have to be diligent" about who sees your credit card, he said.
But that's what is so disturbing about the revelation that Target, with nearly 1,800 U.S. stores, suffered a huge theft. The company said that between Nov. 27 and Dec. 15, information from 40 million card accounts may have been stolen. The data loss involved customers' names, credit and debit card numbers, expiration dates and three-digit security codes imprinted on the cards. Target said it's working with law enforcement and financial institutions, and has "identified and resolved the issue."
The theft involved cards used to make purchases inside the stores, where lights twinkle and Christmas carols play, not through the company's website.
That freaks out many customers who thought they could make themselves safe, just by refraining from flashing cash or throwing card information out on the Internet.
"I don't carry cash with me because I'm a senior citizen," said Betty Singletary-Flythe, who was at a Target store in Washington, D.C., on Thursday. To shop, she likes to pull out her plastic in person.
The Target news shook her confidence. "I want to feel secure when I'm shopping, and this frightens me," she said of the Target announcement.
Target's statement acknowledged only that there had been an "unauthorized access to payment card data." It did not explain exactly what happened, but the exposed account information can be used to create fake cards.
The breach involves all sorts of cards, not just the Target-branded ones.
The company says anyone who sees suspicious charges on account statements should contact their credit card company and call Target at 866-852-8680. If you suspect identity theft, you also can report it to law enforcement and the Federal Trade Commission.
Brown says legitimate retailers and the card issuers typically don't hold card holders responsible for illicit purchases made by others. Still, even if you don't have to pay for false purchases, identity thieves can cause problems that take lots of effort to undo.
The timing of this security breach is terrible for Target. Coming up is the last weekend before Christmas, a time when shoppers want to feel good about heading to the store with a wallet full of plastic.
Target says the problem — whatever it was — has been fixed. And the company certainly isn't alone in having customers question its security. A similar-sized data breach hit TJX Cos., which operates T.J. Maxx and Marshalls stores, in 2005. Sony got hit with a huge hack attack in 2011.
In fact, stolen-data stories have gotten common enough that some shoppers take it in stride.
"To be honest, I'm not that worried about it," said Brendan Smith, another Target shopper in Washington. "Maybe I should be, but I figure my credit card's got fraud protection, so I imagine they'll take care of it if somehow if it gets in the wrong hands."
McAfee's Brown says Smith's view is common now because most shoppers don't really want to change how they do business with merchants. "People have got to buy their gifts," so they will go shopping anyway this weekend, he predicted. "Cash is not king anymore. People like the convenience of cards."
NPR Intern Rachel Quester contributed to this story.