Wednesday, December 7, 2016

Six steps to block credit card fraud

Credit Card Fraud spelled out using Scrabble tiles

Just over a year ago, I put together a simple guide to dodging financial fraud; it quickly became one of the most popular posts on this site. Given some recent cyber events, now seems like a good time for an updated version.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than two years ago, but it remains a hot topic. Target, The Home Depot, Sears, Dairy Queen, Wendy's, Cici's Pizza, Goodwill, Trump Hotels, Hyatt, Hilton - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story this week, researchers at the UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit code on the back. Visa's payment network will block repeated attempts to guess the expiration date and security code coming from a single merchant - but it does not detect guessing attempts spread out across many merchants.

The result: by systematically generating candidate expiration dates and security codes for a card number, and spreading the attempts across thousands of merchant websites, an attacker can land on the correct combination of account number, expiration date, and security code in just a few seconds.
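As an added illustration (not from the original post, and not Visa's actual detection logic), the following Python sketch shows the kind of card-level velocity check that would make this pattern visible: instead of counting failed authorizations per merchant, it counts declines per card number across all merchants in a sliding time window. The log lines, merchant ids, masked card numbers, window length and decline threshold are all constructed assumptions.

```python
"""Card-level velocity check for distributed guessing of expiry / security code.

Added example, not from the original post. Authorization attempts are
aggregated per card number across *all* merchants, so guessing that is
spread over many merchants (each one seeing only a few failures) still
shows up. The log format and every value below are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window length (assumed value)
MAX_DECLINES = 5                # declines per card per window before alerting (assumed)

# Constructed authorization log, sorted by time. Card numbers are masked.
# Card 4111...: five declines in three seconds from five different merchants,
#               then a success - the pattern described in the post.
# Card 5555...: one mistyped code, then a success - a normal cardholder.
# Card 4000...: five declines across merchants, but two minutes apart.
SAMPLE_LOG = """\
2016-12-07T10:00:00 merchant=shop-001 card=4111********1111 result=DECLINED_CVV
2016-12-07T10:00:01 merchant=shop-002 card=4111********1111 result=DECLINED_EXPIRY
2016-12-07T10:00:01 merchant=shop-003 card=4111********1111 result=DECLINED_CVV
2016-12-07T10:00:02 merchant=shop-004 card=4111********1111 result=DECLINED_CVV
2016-12-07T10:00:03 merchant=shop-005 card=4111********1111 result=DECLINED_EXPIRY
2016-12-07T10:00:03 merchant=shop-006 card=4111********1111 result=APPROVED
2016-12-07T10:05:00 merchant=shop-001 card=5555********4444 result=DECLINED_CVV
2016-12-07T10:05:09 merchant=shop-001 card=5555********4444 result=APPROVED
2016-12-07T11:00:00 merchant=shop-002 card=4000********0002 result=DECLINED_CVV
2016-12-07T11:02:00 merchant=shop-003 card=4000********0002 result=DECLINED_CVV
2016-12-07T11:04:00 merchant=shop-004 card=4000********0002 result=DECLINED_CVV
2016-12-07T11:06:00 merchant=shop-005 card=4000********0002 result=DECLINED_CVV
2016-12-07T11:08:00 merchant=shop-006 card=4000********0002 result=DECLINED_CVV
"""


def parse_auth_line(line):
    """Parse one 'timestamp key=value ...' line; return None for malformed input."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"merchant", "card", "result"} <= fields.keys():
        return None
    return {"ts": ts, **fields}


def detect_distributed_guessing(log_text, window=WINDOW, max_declines=MAX_DECLINES):
    """Return {card: summary} for every card whose declines, counted across
    all merchants, reach max_declines inside one sliding window.

    Assumes the log is in time order (as an authorization stream would be).
    """
    recent = defaultdict(deque)  # card -> deque of (timestamp, merchant) declines
    alerted = {}
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None or not ev["result"].startswith("DECLINED"):
            continue
        q = recent[ev["card"]]
        q.append((ev["ts"], ev["merchant"]))
        # Drop declines that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= max_declines and ev["card"] not in alerted:
            alerted[ev["card"]] = {
                "declines": len(q),
                "merchants": len({m for _, m in q}),
                "first": q[0][0],
                "last": ev["ts"],
            }
    return alerted


if __name__ == "__main__":
    for card, info in detect_distributed_guessing(SAMPLE_LOG).items():
        print(f"{card}: {info['declines']} declines across "
              f"{info['merchants']} merchants between {info['first']} and {info['last']}")
```

With the default 60-second window the first card is flagged at its fifth decline, which came from five different merchants, while the third card's declines, two minutes apart, age out before the count reaches five; passing `window=WINDOW * 10` flags that card too. The window and threshold are the tuning knobs: a longer window catches slower guessing but raises the chance of flagging a cardholder who genuinely mistypes a code. In a payment network the alert would block the next authorization for that card rather than only being reported.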

So what can you do to take credit card fraud off the top of your list of worries?


Don't do this:



Don't post pictures of your credit or debit card on social media! You might be surprised how often someone posts a selfie showing off their first debit card, or their new credit card. Often they are jokes with canceled cards - but some of the posts are real.

As a side note, don't post pictures of airline tickets or event passes: most contain a barcode or unique ticket number. In a worst-case scenario, the barcode may contain significant personal information. In a slightly less bad scenario, if a crook prints out a picture of your ticket and gets to the gate before you, guess who gets left out?


Save debit / ATM cards for the bank


In the United States, credit cards carry significant consumer protections, and your cash is separated from the transaction. The Fair Credit Billing Act limits your liability for credit cards to $50 if you report fraudulent use promptly (and further, limits it to $0 if you report the card stolen before it is used fraudulently).

Most banks now guarantee $0 liability for fraudulent use. Since it is in their interest to prevent fraudulent use in the first place, many banks have sophisticated pattern-tracking systems that detect your typical patterns and will alert if something seems out of the ordinary. If you generally use your card at merchants in Miami, and a charge is recorded in Memphis (or Madrid), there's a good chance the bank will flag that as suspicious and either call you, or require the merchant to verify your identity.

The liability law for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report fraudulent use within 2 days after you learn of the theft. However, after two days your maximum loss increases to $500 - and if not reported within 60 days, you are on the hook for the entire loss.

In addition to the liability laws, there is the practical matter of whose money is missing. With credit card fraud, none of your money has been stolen - it's merely a charge to the bank until your monthly bill arrives. With ATM or debit card fraud, the theft is straight out of your bank account, which can be a real pain if you have a mortgage payment or other bill come due before it is resolved.

The security risks of debit cards simply outweigh the benefits, in my educated opinion.

Now another side note: I sometimes see recommendations to black out the signature stripe on the back of the card, or to write "SEE ID" in place of a signature. That's a myth: merchants are under no obligation to ask for your ID - and some merchants (the US Post Office, for example) will refuse a credit card that is not properly signed.


Take advantage of the alerts offered by your bank


Most banks offer some sort of alerts you can set up, whether via email, text message, or to a mobile app. The specific alerts offered vary from bank to bank, but some common variations include:
  1. Any international charge
  2. Any purchase marked as "Card Not Present." These are purchases where a physical card was not swiped or inserted into a kiosk - typically online or phone purchases.
  3. Any transaction over a certain dollar amount
  4. A gas station charge
  5. Any activity that the bank deems unusual based on your usual habits

The alerts that make sense for you might not be the same as what makes sense for me, but take a look at your bank's online center and see what is available. Generally you will see a link that says something like "manage account alerts" either directly on the start page, or on an account management tab.
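To make the alert categories above concrete, here is an added Python example (not from the original post, and not any bank's real system). It builds a small spending profile from a cardholder's past transactions, then checks each new transaction against the fixed rules in the list and against that profile, which is where the "Miami vs. Memphis" style of alert comes from. The merchant category codes for fuel are real; the transactions, thresholds and home country are constructed assumptions.

```python
"""Transaction alert rules of the kind listed in the post.

Added example, not the post's or any bank's code. All transactions are
constructed sample data; thresholds and the home country are assumed.
"""
from dataclasses import dataclass
from statistics import median

# 5541 (service stations) and 5542 (automated fuel dispensers) are real
# merchant category codes; the rest of these constants are assumed values.
FUEL_MCCS = {"5541", "5542"}
HOME_COUNTRY = "US"
AMOUNT_THRESHOLD = 500.00       # "any transaction over a certain dollar amount"
UNUSUAL_AMOUNT_FACTOR = 3.0     # multiple of the typical purchase that counts as unusual


@dataclass(frozen=True)
class Transaction:
    amount: float
    country: str        # merchant country, ISO 3166 alpha-2
    city: str
    mcc: str            # merchant category code
    card_present: bool  # False for online / phone purchases ("Card Not Present")


def build_profile(history):
    """Summarise where and how much the cardholder usually spends."""
    return {
        "cities": {t.city for t in history},
        "countries": {t.country for t in history},
        "typical_amount": median(t.amount for t in history),
    }


def evaluate_alerts(txn, profile):
    """Return the alert categories a transaction triggers (empty list = no alert)."""
    alerts = []
    if txn.country != HOME_COUNTRY:
        alerts.append("international")
    if not txn.card_present:
        alerts.append("card_not_present")
    if txn.amount > AMOUNT_THRESHOLD:
        alerts.append("large_amount")
    if txn.mcc in FUEL_MCCS:
        alerts.append("gas_station")
    # "Unusual based on your habits": a city never seen before, or an amount
    # several times the cardholder's typical purchase.
    if txn.city not in profile["cities"]:
        alerts.append("unusual_location")
    if txn.amount > UNUSUAL_AMOUNT_FACTOR * profile["typical_amount"]:
        alerts.append("unusual_amount")
    return alerts


# Constructed history: a cardholder who shops in Miami (median purchase $42.10).
HISTORY = [
    Transaction(42.10, "US", "Miami", "5411", True),    # grocery store
    Transaction(18.75, "US", "Miami", "5812", True),    # restaurant
    Transaction(61.30, "US", "Miami", "5411", True),
    Transaction(35.00, "US", "Miami", "5812", True),
    Transaction(120.00, "US", "Miami", "5651", True),   # clothing store
]
PROFILE = build_profile(HISTORY)

# Constructed new transactions: a routine purchase, a fuel stop in Memphis,
# and an online purchase from a Madrid merchant.
ROUTINE = Transaction(55.00, "US", "Miami", "5411", True)
MEMPHIS_FUEL = Transaction(40.00, "US", "Memphis", "5541", True)
MADRID_ONLINE = Transaction(650.00, "ES", "Madrid", "5651", False)

if __name__ == "__main__":
    for t in (ROUTINE, MEMPHIS_FUEL, MADRID_ONLINE):
        print(f"{t.city:8} ${t.amount:>7.2f} -> {evaluate_alerts(t, PROFILE) or 'no alert'}")
```

The routine Miami purchase raises nothing; the Memphis fuel stop trips both the gas-station rule and the unusual-location check; the Madrid online purchase trips every category at once. A real bank would let you switch each category on or off, which is exactly the "manage account alerts" page the post points at.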


Separate recurring bills from in-store purchases


The first few times I had a payment card number stolen, it was a real pain going through my automated payments and updating the card number. I have perhaps a dozen automatic payments set up, and I had to update each and every one with the new credit card number. However, I've never had a card stolen through one of these recurring payments. It's always been through retail purchases.

Consider using one credit card for recurring bills (utilities, trash service -- things that are paid every month and that don't involve providing payment info for each transaction), and a different card for in-store or online purchases. If a card is compromised in a store, it's easy to throw it away and get a new one from the bank, completely eliminating the hassle of updating every recurring payee.


Take care of your passwords


Use a strong, unique password for each of your online accounts, and when possible enable two-factor authentication: authentication that requires both a password and a separate factor (often an app on your phone, or a single-use code sent via text message).

Never use the same password for more than one important account: a favorite trick of scammers is to steal a password from one account, then try it out everywhere else that you might do business.

Strong passwords that are unique for every account are a pain to remember - so don't try to remember them. Use a password manager program that remembers the passwords for you.

Let the password manager make up unique and random passwords too - the human mind is far too predictable when it comes to creating passwords.


Put a Fraud Alert or a Security Freeze on your credit report


A Fraud Alert is free, and is highly effective at minimizing the damage caused by identity theft. A Fraud Alert tells potential creditors that they must take additional steps to verify your identity before issuing you credit. Often, this means the creditor will call you - at the phone number listed in your credit report (not a number provided by a fraudster) - to ensure you are in fact the one requesting a new credit account.

Note that you do not have to be the victim of identity theft to put an alert on your credit report. Under US law, if you even suspect you may be a victim (in other words, if you are living and breathing), you have the right to place an Initial Security Alert (sometimes called an Initial Fraud Alert) on your credit report, free of charge.

An Initial Security Alert is good for 90 days, so must be renewed every 3 months. If you know you have been the victim of identity theft, and have a police report to document the event, you can instead request an Extended Fraud Alert, which would be good for 7 years. An Extended Fraud Alert requires sending an affidavit referencing the police report number, along with a copy of a government-issued identification card (passport, drivers' license, military ID card) and a copy of a current utility bill, to any one bureau. That bureau will notify the others.

Each bureau also offers a longer 12-month Active Duty Alert for servicemen and women deployed in the US Military. Again, you only have to notify one bureau, and that bureau will notify the others.

A more permanent solution is a Security Freeze (sometimes called a Credit Freeze). Where a fraud alert tells would-be creditors to take extra steps to verify your identity before issuing credit, a security freeze makes it impossible for a creditor to retrieve your credit report. The downside is, a credit freeze may cost you a nominal fee. This fee varies from state to state; in Texas, it costs $10 per credit bureau to place a freeze - and another $10 per bureau to lift the freeze (the fee may be waived in certain cases).

Whether you choose a Fraud Alert or a Security Freeze, the following links take you to each of the credit bureaus. Keep in mind that you only need to request a Fraud Alert at one bureau - each bureau will share fraud alerts with the others. A Security Freeze on the other hand must be requested at each bureau.


Bonus tip: review your credit report every four months


I know I labeled this post as 6 steps, but here's a bonus tip: under US law, you are entitled to review your credit report from each credit bureau, free of charge, once per year. The various bureaus generally have similar information about you, although on occasion an account or credit inquiry will show up on one and not another.

Since the information the bureaus collect overlaps, you can stagger them - review Experian in January, Trans Union in May, and Equifax in September for example.

There are lots of fake sites trying to make a buck off of a free report (or worse, steal your identity). The safe location to request your credit report is:


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen


Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.