If you are one of Zappos.com's estimated 24 million customers, you will be getting an official notification that some of your personal data has been compromised in last weekend's massive cyber attack.
A security expert at Indiana University (IU) says you should take it very seriously. But the threat is not that credit card information will be stolen.
"Credit cards are covered by a federal law that limits consumer liability in the case of fraud up to $50, and card issuers universally waive even that small amount," said Fred H. Cate, a professor at the IU law school. "Compromised credit card data is not the major area for concern."
Sensitive information
Instead, according to Cate, who also serves as director of the IU Center for Applied Cybersecurity Research, the data that were reportedly accessed in the Zappos breach -- customer names, addresses, phone numbers, email addresses and encrypted passwords, in addition to the last four digits of customer credit card numbers -- pose the greatest risk to affected individuals. That risk falls into three categories.
First, he says, it sets up Zappos.com customers for phishing scams.
"Think about it," Cate said. "If you get an email from a company that includes your correct name and contact information and refers to the last four digits of your credit card number, wouldn't you think it is real?"
Cate says it's not clear how customers will be able to distinguish real messages from fraudulent emails claiming to come from Zappos itself.
Second, this is exactly the information necessary to locate other data about individuals in public and commercial records.
"If I have your name, address and phone number, in many states I can get your property tax records, marriage license and other publicly available information," Cate said. "With that additional information a criminal is in an even better position to commit frauds in your name or to access password-protected sites by using the extra information to answer password-reset questions."
Third, since the information included emails and encrypted passwords, this poses a serious risk to other online accounts held by affected customers of Zappos.
"Almost all consumers reuse passwords, and email addresses often serve as default account names for online sites, so depending upon the quality of encryption being used by Zappos, it is entirely possible that the perpetrators will have access to a wide range of online accounts," Cate said.
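The point Cate makes depends on how the breached passwords were stored. The article does not say what scheme Zappos used, so the following is an added illustration (not Zappos's code or anything described on the page) of the two ends of the spectrum: a single fast, unsalted hash, versus a per-user salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 via the standard library). The customer emails and passwords are constructed sample values. The iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample credentials for illustration only. Two of the three
# customers reuse the same password, as the quote above says most people do.
SAMPLE_USERS = {
    "alice@example.com": "Summer2011!",
    "bob@example.com": "Summer2011!",
    "carol@example.com": "c0rrect-horse-battery",
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: one fast, unsalted hash per password.

    Every customer with the same password gets an identical record, so a
    stolen table reveals who reuses passwords, and a single recognised or
    cracked hash unlocks every account that shares it.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Stronger scheme: per-user random salt plus a slow derivation.

    Identical passwords produce unrelated records, and each guess costs
    the attacker PBKDF2_ITERATIONS hash computations per account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Store the parameters beside the digest so they can be upgraded later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, record: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_accounts_with_shared_record(records: Dict[str, str]) -> int:
    """Number of accounts whose stored record is identical to another account's.

    Non-zero means password reuse is visible to anyone holding the dump;
    with per-user salts the result is always zero.
    """
    seen: Dict[str, int] = {}
    for rec in records.values():
        seen[rec] = seen.get(rec, 0) + 1
    return sum(n for n in seen.values() if n > 1)


def build_tables() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Store the sample users under both schemes and return both tables."""
    weak = {email: store_unsalted_md5(pw) for email, pw in SAMPLE_USERS.items()}
    strong = {email: store_salted_pbkdf2(pw) for email, pw in SAMPLE_USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("accounts with a shared record, unsalted MD5:", count_accounts_with_shared_record(weak))
    print("accounts with a shared record, salted PBKDF2:", count_accounts_with_shared_record(strong))
    print("verify alice:", verify_salted_pbkdf2("Summer2011!", strong["alice@example.com"]))
```

Run stand-alone, the unsalted table shows two accounts sharing one record while the salted table shows none, which is exactly the difference Cate alludes to with "the quality of encryption": the weak table hands an attacker the reuse map for free, while the salted, stretched table forces a separate slow search per customer.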
What to do
Fortunately, most major breaches do not result in extensive fraud. In addition, there are practical steps consumers can take to protect themselves. If you are a Zappos.com customer, here's what Cate says you should do:
- Change passwords on all accounts that use the same password as your Zappos.com account.
- Use unique passwords on all accounts.
- Monitor account, credit card and bank statements carefully.
- Be very careful about responding to any email that appears to be from a company and requires your action. When in doubt, look up the company's number and call it directly.
Paulette Delor Green (Fri, 20 Jan 2012 23:59:24 +0000): Just got an email from 6pm.com that my information was compromised... Must be part of Zappos, or is this a scam email? I don't remember having an account with them and I never had an account with Zappos.
Lori Shehee (Sat, 21 Jan 2012 00:33:29 +0000): I received an e-mail from Lifelock - because we are members - warning that Zappos info had all been compromised (hacked). I've never been a Zappos customer so I did not pay attention to the specifics, but the threat is real. I would think that if Zappos is a subsidiary or the parent company of another company you have done business with, that may be the reason you were alerted?
Siri Stein (Sat, 21 Jan 2012 18:05:59 +0000): Scary thought