Tuesday, September 15, 2015

Financial fraud - a prevention guide

Five steps to dramatically limit the risk and consequences of financial fraud.
Credit card fraud is a perpetual worry in the modern age. Who among us has never had to replace a card because the number had been stolen? Target, The Home Depot, Sears, Dairy Queen - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

Ah, but just because a crime is common doesn't mean it must be a reason to worry. 

I'd like to start with a story - a real-life case of fraud that I experienced very recently. I'll explain how I noticed it and how I resolved it. In fact, it took me longer to write this post than it did to resolve the case of fraud. The rest of this post will explain a few basic things I do to ensure financial fraud is not something I worry about - things that you can do too.

I sync transactions from my various banks and credit card issuers to my personal finance software a few times a week. By doing so, I typically know of every charge, deposit, withdrawal, or other transaction within a few days of it occurring. Last week I noticed an unexpected $85 charge to StubHub.com, a reasonably well-known business that facilitates trading event tickets (concerts, sporting events, etc.). 

As far as I can remember, I've never done business with StubHub. Their business simply doesn't intersect with my family's current entertainment interests. I know I haven't bought anything through them recently. So ... red flags are going up.

A brief call to StubHub made things a bit stranger. The company had no record of any purchases by me (not unexpected) or using my credit card (unexpected). On a side note, I chose to give my credit card number to a person in StubHub's fraud and security team so they could do a reverse lookup. It was a calculated risk, but one I felt was minimal as I already suspected the account compromised and thus would be getting a new number very shortly.

So having done my homework, a quick call to my card issuer was all that was necessary to cancel the charge, get the bank to start their own investigation into the fraudulent use, and have them issue a new card with a new number. Total cost to me: about ten minutes and $0.

Security journalist Steve Ragan related a similar experience this week. In his case, the fraudulent transactions were small-dollar charges in a city a thousand miles from his location, very likely "test" charges to verify a stolen card number is valid before making a more substantial purchase. Steve discovered the fraud because his bank emailed him an alert - an alert he had signed up for. Similar to my case, a short call to his bank was all he needed to do to have the charges reversed and cancel the card.

So what can you do to take credit card fraud off the top of your list of worries?


Save debit / ATM cards for the bank


I agree with just about everything Dave Ramsey says in the way of financial advice, but he is dead wrong when he says there is no positive side to credit card use. There is a substantial benefit to (responsibly) using credit cards. It's just in a different form than he is looking for.

Small businesses don't like this advice - payment processors typically charge more to run a credit card than a debit card - but as a consumer you're the one who chooses how to pay. In the United States, credit cards carry significant consumer protections, and your cash is separated from the transaction. The Fair Credit Billing Act caps your liability for unauthorized credit card charges at $50, and at $0 if you report the card lost or stolen before it is used fraudulently.

Most banks now go further and guarantee $0 liability for fraudulent use. Since it is in their interest to prevent fraudulent use in the first place, many banks run pattern-tracking systems that learn your typical spending habits and alert when something seems out of the ordinary. If you generally use your card at merchants in Miami, and a charge is recorded in Memphis (or Madrid), there's a good chance the bank will flag that as suspicious and either call you or require the merchant to verify your identity.

The liability law for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report the loss within 2 business days after you learn of it. After two business days your maximum loss increases to $500 - and for fraudulent transactions not reported within 60 days of the bank sending you the statement that shows them, you are on the hook for the entire loss.

In addition to the liability laws, there is the practical matter of whose money is missing. With credit card fraud, none of your money has been stolen - it's merely a charge to the bank until your monthly bill arrives. With ATM or debit card fraud, the theft is straight out of your bank account, which can be a real pain if you have a mortgage payment or other bill come due before it is resolved.

The security risks of debit cards simply outweigh the benefits, in my educated opinion.

As an aside, Brian Krebs is in the middle of a fantastic series on high-tech ATM heists in Mexico. His investigation uncovered ATMs in which skimmers (devices to copy the card number and PIN) are placed inside the ATM and the crooks retrieve the information wirelessly. Brian's research suggests that when you must use an ATM, ATMs inside a bank's own property are likely safer than freestanding ATMs such as those at airports, hotels/resorts, and shopping centers.


Take advantage of the alerts offered by your bank


Most banks offer some sort of alerts you can set up, whether via email, text message, or to a mobile app. The specific alerts offered vary from bank to bank, but some common variations include:
  1. Any international charge
  2. Any purchase marked as "Card Not Present." These are purchases where a physical card was not swiped or inserted into a payment terminal - typically online or phone purchases.
  3. Any transaction over a certain dollar amount
  4. A gas station charge
  5. Any activity that the bank deems unusual based on your usual habits

The alerts that make sense for you might not be the same as what makes sense for me, but take a look at your bank's online center and see what is available. Generally you will see a link that says something like "manage account alerts" either directly on the start page, or on an account management tab.
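To make the list above concrete, here is a toy version of those five alert rules, plus a sixth for the small-dollar "test charge" pattern described in Steve Ragan's case, run over a handful of constructed transactions. This is an added illustration for this post, not any bank's actual detection logic; the thresholds, the "usual city" list, the merchant category codes, and every sample transaction (including the StubHub one) are assumptions made up for the example.

```python
"""Toy card-alert rules of the kind banks offer, run over constructed
transactions. Added illustration; not any bank's real logic. Thresholds,
usual-city list, MCC values and sample data are all assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    when: datetime
    merchant: str
    city: str
    country: str
    amount: float       # US dollars
    card_present: bool  # False for online / phone purchases ("Card Not Present")
    mcc: str            # merchant category code (assumed values; 5541/5542 = gas)


HOME_COUNTRY = "US"
USUAL_CITIES = {"Miami"}            # assumption: where this cardholder normally shops
LARGE_AMOUNT = 200.00               # assumption: "over a certain dollar amount"
GAS_STATION_MCCS = {"5541", "5542"}
PROBE_MAX_AMOUNT = 5.00             # assumption: size of a thief's "test" charge
PROBE_WINDOW = timedelta(minutes=30)


def alerts_for(txn: Txn) -> list[str]:
    """Per-transaction rules 1-5 from the list above; returns the ones that fire."""
    fired = []
    if txn.country != HOME_COUNTRY:
        fired.append("international")
    if not txn.card_present:
        fired.append("card-not-present")
    if txn.amount > LARGE_AMOUNT:
        fired.append("large-amount")
    if txn.mcc in GAS_STATION_MCCS:
        fired.append("gas-station")
    if txn.country == HOME_COUNTRY and txn.city not in USUAL_CITIES:
        fired.append("unusual-location")    # the Miami-vs-Memphis case
    return fired


def probe_charges(history: list[Txn]) -> list[Txn]:
    """Flag runs of two or more small charges inside PROBE_WINDOW: the
    'test charge' pattern used to confirm a stolen number still works."""
    small = sorted((t for t in history if t.amount <= PROBE_MAX_AMOUNT),
                   key=lambda t: t.when)
    flagged: set[int] = set()
    for i in range(len(small) - 1):
        if small[i + 1].when - small[i].when <= PROBE_WINDOW:
            flagged.update((i, i + 1))
    return [small[i] for i in sorted(flagged)]


def run_alerts(history: list[Txn]) -> list[list[str]]:
    """One list of alert names per transaction, in input order."""
    probes = set(probe_charges(history))
    return [alerts_for(t) + (["probe-charges"] if t in probes else [])
            for t in history]


# Constructed sample history: normal Miami spending, then an online ticket
# charge, two tiny probes and a big purchase far away, and a foreign charge.
T0 = datetime(2015, 9, 8, 12, 0)
SAMPLE = [
    Txn(T0, "Grocery", "Miami", "US", 63.12, True, "5411"),
    Txn(T0 + timedelta(hours=1), "Gas", "Miami", "US", 41.00, True, "5541"),
    Txn(T0 + timedelta(days=1), "StubHub.com", "San Francisco", "US", 85.00, False, "7922"),
    Txn(T0 + timedelta(days=2), "Kiosk", "Memphis", "US", 1.00, True, "5999"),
    Txn(T0 + timedelta(days=2, minutes=12), "Kiosk", "Memphis", "US", 2.50, True, "5999"),
    Txn(T0 + timedelta(days=2, hours=3), "Electronics", "Memphis", "US", 899.99, True, "5732"),
    Txn(T0 + timedelta(days=3), "Cafe", "Madrid", "ES", 9.40, True, "5812"),
]

if __name__ == "__main__":
    for t, fired in zip(SAMPLE, run_alerts(SAMPLE)):
        print(f"{t.when:%Y-%m-%d %H:%M}  {t.merchant:<12} {t.city:<14} "
              f"${t.amount:>7.2f}  {', '.join(fired) or '-'}")
```

Note what each rule catches in the sample: the legitimate Miami gas purchase trips the gas-station rule (which is why that alert is noisy for many people), the StubHub charge trips both card-not-present and unusual-location, the two $1-$2.50 Memphis charges twelve minutes apart trip the probe rule before the $899.99 purchase that follows them, and the Madrid charge trips only the international rule. Which of these you actually want to receive is exactly the per-person choice the paragraph above describes.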


Separate recurring bills from in-store purchases


The first few times I had a payment card number stolen, it was a real pain going through my automated payments and updating the card number. I have perhaps a dozen automatic payments set up, and I had to update each and every one with the new credit card number. However, I've never had a card stolen through one of these recurring payments. It's always been through retail purchases (Home Depot, Target, Dairy Queen, the list could go on).

Consider using one credit card for recurring bills (utilities, trash service -- things that are paid every month and that don't involve providing payment info for each transaction), and a different card for in-store or online purchases. If a card is compromised in a store, it's easy to throw it away and get a new one from the bank, completely eliminating the hassle of updating every recurring payee.


Take care of your passwords


Use strong and unique passwords for your online accounts, and when possible enable two-factor authentication - authentication that requires both a password and a separate factor (often an app on your phone, or a single-use code sent via text message).

Never use the same password for more than one important account: a favorite trick of scammers (known as credential stuffing) is to steal a password from one account, then try it out everywhere else that you might do business.

Strong passwords that are unique for every account are a pain to remember - so don't try to remember them. Use a password manager program that remembers the passwords for you.

Let the password manager make up unique and random passwords too - the human mind is far too predictable when it comes to creating passwords.


Put a Fraud Alert on your credit report


A Fraud Alert is free, and is highly effective at minimizing the damage caused by identity theft. A Fraud Alert tells potential creditors that they must take additional steps to verify your identity before issuing you credit. Often, this means the creditor will call you - at the phone number listed in your credit report (not a number provided by a fraudster) - to ensure you are in fact the one requesting a new credit account.

Note that you do not have to be the victim of identity theft to put an alert on your credit report. Under US law, if you even suspect you may be a victim (in other words, if you are living and breathing), you have the right to place an alert on your credit report. 

Keep in mind that a Fraud Alert is good for 90 days, so it must be renewed every 3 months. If you know you have been the victim of identity theft, and have a police report to document the event, you can instead request an Extended Fraud Alert, which is good for 7 years.


Update September 16: A day after I wrote this, Australian blogger and security expert Troy Hunt wrote a post entitled Relax, it's only your credit card! The near-zero impact of online fraud on consumers. As he says, "When credit cards are compromised, it's the merchants and the banks who pay the price. They've had to sort this all out, get the cash back and someone is inevitably attempting to chase down the fraudster. It's a zero-sum game for us, a mere inconvenience of no financial consequence." For all the headlines credit card fraud generates, with a little prevention the effect on us as consumers is little more than an occasional inconvenience.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.