Hey, did you hear about the Target breach?

As people tuned into the morning news, anchors around the country opened with a solemn look and the proclamation that they were about to reveal a story of significant national interest: the retailer Target experienced a data breach.

For morning news, this is a trifecta: a connection to Black Friday and holiday shopping, "hacking," and a recognizable household name. This is the sort of thing that generates interest!

Maybe.

For most, this is a story to skip. Another day, another breach, another generic story about another complex, confusing attack, followed by the same generic and somewhat confusing guidance.

Like the stories and headlines themselves, the call to action rapidly fades into the background noise of life.

Don't believe me?

Walk around and ask a few people if they've heard the news about Target (don't mention the breach). Most likely they have, and they'll recall a headline about the Target breach. Or that Target decided to boycott Beyonce's latest album.

Probe further, though, and the awareness doesn't reveal much in terms of specifics. After all, people are focused on winding down work and starting their vacations. They have shopping to finish, presents to wrap, houses to clean, parties to attend, and trips to take or guests to host.

This lack of understanding isn't, in itself, surprising or problematic. It's not an indictment of people. It's just an optional exercise to reframe the challenge we need to overcome if we want to make a difference.

It raises the question: does the Target breach matter?

Target was breached. So what?

Here's the reality: it's another breach. People are essentially immune to breaches. They don't care about the details.

In the security community, Brian Krebs broke the story yesterday [link].
Shortly after, the parade of security folks posting it on Twitter and Facebook started.

Some even added comments along the lines of, "if you shopped at Target, check your accounts." I even read one person suggesting that people should *cancel* their credit cards. That's bad advice.

But the real challenge is that these brief attempts to inform people link to industry views and technical discussions that don't read well to people without our background, passion, and interest. Linking people to the sites we glean our information from does them no service.

To provide value, focus on the relationships. Offer a service to the people in our lives. That means we need to first consider the impact, and then offer specific, actionable advice that people can use.

Considering the impact of the Target breach

Any time a breach rises to the level of national headlines, we have a few basic opportunities to provide value:

- analyze the situation and, in the case of the Target breach, assure people that commerce is okay (I don't think they need much assurance)
- provide appropriate context and guidance to help them better understand what happened, with realistic potential impacts
- help them take actionable steps, if appropriate, to protect themselves from payment card fraud or, in some cases, identity theft

Sort out what we know

Based on reporting and the official statement issued about the Target breach [link], the initial assessment is 40 million affected accounts.

This passage is interesting:

"We have determined that the information involved in this incident included customer name, credit or debit card number, and the card's expiration date and CVV (the three-digit security code)."

To get more insight into the significance of the Target breach and suggestions on how to handle it, I spoke with Branden Williams.
Branden literally wrote the book on PCI [Link] and has been involved at the leading edge of these issues for nearly a decade. Currently the EVP of Strategy at Sysnet Global Solutions, he wrote an excellent commentary on the Target breach this morning [Link].

Williams noted that the Target breach is reported as affecting the retail stores only, and does not currently appear to affect online transactions.

That likely means the data encoded on the magnetic stripe on the back of the cards. What's interesting, then, is that this is not the printed 3-digit code on the back of the card as the official statement suggests. The stripe carries its own verification value (commonly called CVV1), which is never printed on the card; the printed code (CVV2) is not encoded on the stripe, which is exactly why online merchants ask you to type it in. Williams pointed out it's nothing to worry about; it is likely an oversight and a misuse of somewhat confusing terms, a result of the pressure and timing to issue a statement.

Assess what we don't know, and avoid speculation

This is a fresh, fast-moving story. The challenge for security professionals is to avoid the temptation of speculation and wait for actual information.

"Be careful of what speculation you engage in or consume," cautioned Williams. "The people who are engaged and know what actually happened are unable to speak about it. And those folks take that responsibility seriously."

Preparing to provide value: timing is everything

As we race to the end of the year, people have less time and attention than normal. To make a difference means we need to spend a little extra time to think about how to explain this to parents, grandparents, siblings, and other family members.

The way to provide value is to translate the technical into understanding:

- Gather the known context and give people a general sense of what happened and whether they should care
- Share relevant experiences and stories to help connect actions to impact.
Pull back the curtain on what really happens, the potential impacts, and what people should specifically be concerned about
- Distill to three or fewer actionable steps; ideally, provide steps that people can incorporate into their normal routines (outlined below)

In the case of the Target breach, the fact that the attack appears to have been on the magnetic stripe data itself is interesting.

According to Williams, this signals that the biggest risk is that thieves duplicate the card using the captured magnetic stripe data and use the clone at a physical point of sale.

He pointed out that savvy criminals often sit on the information for up to a year to allow attention and vigilance to die down. This is similar to the concept outlined in the value of identity black market story [link].

Provide value: offer the minimum viable steps for the Target breach and beyond

Because of the hype, it's a good time to think about it. It's the right time to talk about it. Because of the season, people have even less interest and a shorter attention span.

These are the minimum steps I'll be advising my family on:

1. Check their accounts

The common advice is to encourage people to "check their accounts" and review statements. The reality is that with online banking, this takes roughly 1-2 minutes a day. Even better, some banks now offer automated alerts and daily emails with a record of spending.

This should be easy.

Yet I see few people who do this or sign up for these services. Perhaps it's because the advice never explains what to look for.

What people should look for:

Look for charges they didn't make, especially if they are small amounts ($10 or less), from vendors they don't know, and from locations they haven't recently traveled to.

Branden Williams offers additional advice for reviews in light of the Target breach.
He suggests thinking about places where a thief could use a physical card and is less likely to be challenged, asked for identification, or caught on camera.

Williams offers these common categories to scan for in your account history:

- Pre-paid calling cards or long-distance cards, from a telephone shop or carrier, sometimes overseas
- Gift cards, especially in small amounts of $5, $10, or $20; he notes that if these succeed, the thieves quickly escalate the purchases and max out the card
- Gas stations, usually $1-$2 transactions; this is used to test whether the card is active before they embark on their spending spree

What to do when it doesn't make sense

If you see something that doesn't make sense, cut and paste the name of the merchant into a search engine, like Google, to see what comes up and where they might be located. Keep in mind that the business may be legitimate and is simply being used by the thieves.

If it doesn't seem right, call your bank and ask them to help you figure it out. Often, it's because a company you made a purchase from bills under a different name. Sometimes, however, it's the pre-attack test to check whether your account is valid. The bank is trained to help you here.

Here's the good news: anti-fraud systems and techniques are improving, often to the point of annoyance (since they are sometimes a bit too aggressive), which further reduces the risk for the consumer (and for us).

For the most part, the banks will detect and alert you to the fraud before you'll see it on your account.

2. Check on the liability for their credit and debit cards

Williams pointed out that it's important for consumers to understand the liability they carry on their credit and debit cards. Understanding the difference helps guide which cards to use for which transactions.

For US consumers, federal law caps credit card liability for unauthorized charges at $50, and the major card networks' zero-liability policies bring it to zero in practice.

Debit cards are a bit different. Some banks honor zero liability, others have up to a $50 limit, and under the federal rules that $50 cap only holds if the loss is reported within two business days of discovering it; wait longer and the cap rises sharply. Report promptly.
But that limited liability doesn't necessarily mean they won't be inconvenienced.

If someone accesses and cleans out your debit/checking account, it can be quite a shock, especially during a holiday weekend. Consumers tend to get their money back, but it often takes 24 hours or longer. A long 24 hours.

Sometimes breaches like this foster a call to cancel credit cards and return to cash. While that works for some, Williams explains, "If you get mugged and someone steals your cash, you don't get your cash back. Because of the reduced liability of payment cards, it's still the safest and easiest way to buy goods."

If concerned about the need to replace cards, work with the bank to determine if or when you need a new card issued. Sometimes, in place of issuing a new card, they may encourage you to visit a branch and reset your PIN.

3. If they don't already get their free credit reports, this is a good time to sign up.

They can go to the federally authorized AnnualCreditReport.com [link].

Here's the added value: point out that individuals are entitled to one free credit report PER agency PER year. There are three agencies, so only request ONE now, then the next four months from now, and the third in eight months. Set reminders.

Similar to reviewing bank statements, the purpose of requesting credit reports is to scan the information for surprises. Look for unexpected accounts, incorrect information, and anything else that seems out of place. Credit bureaus have different requirements and ways of handling errors, and each can be consulted for further information.

The time to act is today

That's it. Three steps. Total initial investment is probably 15-20 minutes, but it can easily be spread out over today, tomorrow, and the next day.

Ideally, this has the potential to help cultivate new habits that take only minutes on a regular basis.
In my house, we check banking statements as a matter of routine; more often when I travel.

Right now, take a few minutes to prepare, and then properly advise people on how to proceed (or share this article with them; they can even send me questions and I'll help with answers).

Actively reach out to people if you believe they need to act; give them a reason, and explain the three steps and why they matter.

Don't forget to include yourself in the process. Lead the change we need to see. It'll make handling the next breach just a bit easier.
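The statement-review heuristics from step 1 (small charges from unknown vendors or unfamiliar places, the $1-$2 gas station test charge, small gift cards, pre-paid calling cards, and the probe-then-escalate pattern Williams describes), turned into a script as an added example. This is not code from the original post or from Williams' commentary. The known-merchant list, the recent-location list, the merchant descriptor keywords and the statement lines are all constructed for illustration; in practice the first two come from the reader's own memory and calendar, and anything the script flags still gets the treatment the post recommends: search the merchant name, then call the bank.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Transaction:
    date: str       # ISO date as printed on the statement
    merchant: str   # descriptor as it appears on the statement
    amount: float   # USD
    location: str   # city/state or country shown on the statement


# What the card holder already recognises. Both sets are constructed for this
# example; a real reviewer fills them from memory and recent travel.
KNOWN_MERCHANTS = {"TARGET", "SAFEWAY", "NETFLIX"}
RECENT_LOCATIONS = {"Portland OR", "Seattle WA", "ONLINE"}

# Assumed descriptor keywords for the three categories Williams lists.
GAS_KEYWORDS = ("GAS", "FUEL", "PETRO", "SHELL", "CHEVRON")
GIFT_CARD_KEYWORDS = ("GIFT CARD", "GIFTCARD", "EGIFT")
CALLING_CARD_KEYWORDS = ("CALLING", "PREPAID", "LONG DIST", "PHONECARD")


def review(tx: Transaction) -> List[str]:
    """Reasons this line deserves a second look; an empty list means it looks routine."""
    desc = tx.merchant.upper()
    reasons: List[str] = []
    known = any(m in desc for m in KNOWN_MERCHANTS)
    if any(k in desc for k in GAS_KEYWORDS) and tx.amount <= 2.00:
        reasons.append("gas station micro-charge ($1-$2): classic card-is-live test")
    if any(k in desc for k in GIFT_CARD_KEYWORDS) and tx.amount in (5.00, 10.00, 20.00):
        reasons.append("small gift card purchase: probe before escalating")
    if any(k in desc for k in CALLING_CARD_KEYWORDS):
        reasons.append("pre-paid calling / long-distance card")
    if not known and tx.amount <= 10.00:
        reasons.append("small charge from an unknown vendor")
    if tx.location not in RECENT_LOCATIONS:
        reasons.append(f"location not recently visited: {tx.location}")
    return reasons


def escalations(txs: List[Transaction], probe_max: float = 20.0, big_min: float = 100.0) -> List[str]:
    """Merchant descriptors where a small probe was followed (same day or later) by a large charge."""
    by_merchant: Dict[str, List[Transaction]] = {}
    for tx in sorted(txs, key=lambda t: t.date):
        by_merchant.setdefault(tx.merchant.upper(), []).append(tx)
    hits: List[str] = []
    for desc, seq in by_merchant.items():
        first_probe = next((t.date for t in seq if t.amount <= probe_max), None)
        if first_probe is not None and any(
            t.amount >= big_min and t.date >= first_probe for t in seq
        ):
            hits.append(desc)
    return hits


def review_statement(txs: List[Transaction]) -> Dict[int, List[str]]:
    """Map statement line index -> reasons, for every line that merits a call to the bank."""
    flagged: Dict[int, List[str]] = {}
    escalated = set(escalations(txs))
    for i, tx in enumerate(txs):
        reasons = review(tx)
        if tx.merchant.upper() in escalated:
            reasons.append("part of a probe-then-escalate pattern at this merchant")
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed statement lines for a card holder who lives in Portland and shops in Seattle.
STATEMENT = [
    Transaction("2013-12-18", "TARGET T-1234 PORTLAND", 84.12, "Portland OR"),
    Transaction("2013-12-19", "NETFLIX.COM", 7.99, "ONLINE"),
    Transaction("2013-12-20", "CHEVRON 0092", 1.00, "Reno NV"),
    Transaction("2013-12-20", "VANILLA GIFT CARD", 10.00, "Reno NV"),
    Transaction("2013-12-21", "VANILLA GIFT CARD", 250.00, "Reno NV"),
    Transaction("2013-12-21", "GLOBALTEL PREPAID CALLING", 25.00, "Lagos NG"),
    Transaction("2013-12-22", "SAFEWAY 1120 SEATTLE", 52.30, "Seattle WA"),
]

if __name__ == "__main__":
    for i, reasons in review_statement(STATEMENT).items():
        tx = STATEMENT[i]
        print(f"{tx.date} {tx.merchant:<28} ${tx.amount:>8.2f}  <- " + "; ".join(reasons))
```

Run as-is, the script leaves the Target, Netflix and Safeway lines alone and flags the Reno and Lagos lines: the $1.00 Chevron charge as a card-is-live test, the $10 gift card as a probe, the $250 gift card as the escalation that followed it, and the pre-paid calling card. The known-merchant check is what keeps a legitimate small recurring charge (Netflix) off the list; the escalation check is what catches the large charge even though, taken alone, it only fails the location test.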