Monday, October 2, 2017

Seven steps to minimize your risk of financial identity fraud



This is one of a few Security for Real People blog posts routinely updated once or twice a year, to offer up-to-date advice to consumers and small businesses as threats evolve over time. The recent Equifax breach has put most Americans at a higher risk of identity fraud and is a good reason for an update.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than it was a few years ago, but it still remains a hot topic. Sonic, Sabre, Target, The Home Depot, Sears/Kmart, Dairy Queen, Wendy's, Cici's Pizza, Goodwill: the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story in late 2016, researchers at the UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit code on the back. Visa's payment network will block repeated attempts to guess the expiration and security code coming from a single merchant - but does not detect guessing attempts spread out across many merchants.

The result is, by automatically and systematically generating different versions of security data for a card number, and trying the different combinations across thousands of merchant websites, a malicious hacker can successfully guess the correct combination of account number, expiration date, and security code in just a few seconds.

So what can you do to take credit card fraud off the top of your list of worries?


First, don't do this:


Pictures of credit cards posted to social media

Don't post pictures of your credit or debit card on social media! You might be surprised how often someone posts a selfie showing off their first debit card, or their new credit card. Often they are jokes with canceled cards - but some of the posts are real.

Even partially-redacted credit card numbers might reveal more than you intend. Lesley Carhart (affectionately known to Twitter fans as @hacks4pancakes) created a fantastic infographic explaining how a credit card image with incomplete information can still provide an attacker with enough data to fill in the missing pieces.

As a side note, don't post pictures of airline tickets or event passes: most contain a barcode or unique ticket number. In a worst-case scenario, the barcode may contain significant personal information. In a slightly less bad scenario, if a crook prints out a picture of your ticket and gets to the gate before you, guess who gets left out?


Put a Fraud Alert or a Security Freeze on your credit report


Most of my readers are aware enough to not post pictures of payment cards on social media, so let's move on to the more useful advice.

The consumer information stolen from Equifax is the same information often used to confirm your identity when opening new debt accounts (credit cards, store cards, car loans, etc.). While resolving fraud on an existing account is fairly straightforward, resolving fraudulent accounts - especially accounts you may not even know exist - is a much bigger challenge. And unfortunately, that is a very real concern with this breach.

A Fraud Alert is free, and is reasonably effective at minimizing the damage caused by identity theft. A Fraud Alert tells potential creditors that they should take additional steps to verify your identity before issuing you credit. Often, this means the creditor will call you - at the phone number listed in your credit report (not a number provided by a fraudster) - to ensure you are in fact the one requesting a new credit account.

Note that you do not have to be the victim of identity theft to put an alert on your credit report. Under US law, if you even suspect you may be a victim (in other words, if you are living and breathing), you have the right to place an Initial Security Alert (sometimes called an Initial Fraud Alert) on your credit report, free of charge.

An Initial Security Alert is good for 90 days, so must be renewed every 3 months. If you know you have been the victim of identity theft, and have a police report to document the event, you can instead request an Extended Fraud Alert, which would be good for 7 years. An Extended Fraud Alert requires sending an affidavit referencing the police report number, along with a copy of a government-issued identification card (passport, drivers' license, military ID card) and a copy of a current utility bill, to any one bureau. That bureau will notify the others.

Each bureau also offers a longer 12-month Active Duty Alert for servicemen and women deployed in the US Military. Again, you only have to notify one bureau, and that bureau will notify the others.

The caveat is, a fraud alert merely tells creditors they should take extra steps to verify your identity. So far as I know, there is no legal requirement that they do so. A creditor may still elect to issue credit, knowing full well it could be extending credit to an impostor.

A more permanent solution is a Security Freeze (sometimes called a Credit Freeze). Where a fraud alert tells would-be creditors to take extra steps to verify your identity before issuing credit, a security freeze makes it impossible for a creditor to retrieve your credit report. The downside is, a credit freeze may cost you a nominal fee. This fee varies from state to state; in Texas, it costs $10 per credit bureau to place a freeze - and another $10 per bureau to lift the freeze (the fee may be waived in certain cases).

There is a bill in Congress to watch though: in response to the Equifax breach, several Senators introduced a bill that would require the credit bureaus to allow consumers to freeze and unfreeze their credit, at will, and at no cost. If this bill passes, it would eliminate the only reason I can think of for not keeping one's credit file permanently frozen, only thawed for specific credit issuance transactions.

A very important side note: the credit bureaus do not want you to freeze your credit, because credit issuance is their bread and butter. Each has introduced deceptively-named and deceptively-advertised features that allow you to "lock" your credit account. A "lock" is NOT the same thing as a freeze. Whereas a freeze is defined by the US Federal Trade Commission and restricts access to a well-defined set of exceptions, a lock is an arbitrary feature defined by the credit bureau that still allows the bureau to sell your information under whatever terms it defines for the lock service.

Whether you choose a Fraud Alert or a Security Freeze, the following links take you to each of the credit bureaus. Keep in mind that you only need to request a Fraud Alert at one bureau - each bureau will share fraud alerts with the others. A Security Freeze on the other hand must be requested at each bureau.



Save debit / ATM cards for the bank


In the United States, credit cards carry significant consumer protections, and your cash is separated from the transaction. The Fair Credit Billing Act limits your liability for credit cards to $50 if you report fraudulent use promptly (and further, limits it to $0 if you report the card stolen before it is used fraudulently).

Most banks now guarantee $0 liability for fraudulent use. Since it is in their interest to prevent fraudulent use in the first place, many banks have sophisticated pattern-tracking systems that detect your typical patterns and will alert if something seems out of the ordinary. If you generally use your card at merchants in Miami, and a charge is recorded in Memphis (or Madrid), there's a good chance the bank will flag that as suspicious and either call you, or require the merchant to verify your identity.

The liability law for debit or ATM cards is considerably different. The Electronic Fund Transfer Act limits your liability to $0 if you report the card or number stolen before it is used, and to $50 if you report fraudulent use within 2 days after you learn of the theft. However, after two days your maximum loss increases to $500 - and if not reported within 60 days, you are on the hook for the entire loss.

In addition to the liability laws, there is the practical matter of whose money is missing. With credit card fraud, none of your money has been stolen - it's merely a charge to the bank until your monthly bill arrives. With ATM or debit card fraud, the theft is straight out of your bank account, which can be a real pain if you have a mortgage payment or other bill come due before it is resolved.

The security risks of debit cards simply outweigh the benefits, in my educated opinion.

Now another side note: I sometimes see recommendations to black out the signature stripe on the back of the card, or to write "SEE ID" in place of a signature. That's a myth: merchants are under no obligation to ask for your ID - and some merchants (the US Post Office, for example) will refuse a credit card that is not properly signed.


Take advantage of the alerts offered by your bank


Most banks offer some sort of alerts you can set up, whether via email, text message, or to a mobile app. The specific alerts offered vary from bank to bank, but some common variations include:

  • Any international charge
  • Any purchase marked as "Card Not Present." These are purchases where a physical card was not swiped or inserted into a kiosk - typically online or phone purchases.
  • Any transaction over a certain dollar amount
  • A gas station charge
  • Any activity that the bank deems unusual based on your usual habits

The alerts that make sense for you might not be the same as what makes sense for me, but take a look at your bank's online center and see what is available. Generally you will see a link that says something like "manage account alerts" either directly on the start page, or on an account management tab.

By taking advantage of these alerts, I have had cases where my bank alerted me to a charge I did not recognize, and by reporting it as fraudulent the transaction was blocked even before the merchant shipped the product. Credit fraud nirvana: I'm out nothing, the bank is out nothing, the merchant is out nothing, and the criminal gets nothing!
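To make the alert types above concrete, here is an added example (not code from this blog or from any bank) of a small rule engine that evaluates those alert categories against constructed sample transactions, including the Miami-versus-Memphis location heuristic mentioned earlier. The transaction fields, thresholds and preference names are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    """One card transaction (constructed fields, not a real bank feed)."""
    txn_id: str
    amount: float            # US dollars
    country: str             # two-letter country code of the merchant
    city: str
    merchant_category: str   # e.g. "grocery", "gas_station"
    card_present: bool       # False for online / phone purchases

# Assumed alert preferences, modelled on the alert types banks commonly offer.
PREFS = {
    "home_country": "US",
    "usual_cities": {"Miami"},        # where this cardholder normally shops
    "amount_threshold": 200.0,        # "any transaction over a certain amount"
    "alert_on_gas": True,
    "alert_on_card_not_present": True,
}

def alerts_for(txn, prefs=PREFS):
    """Return the list of alert reasons a single transaction triggers."""
    reasons = []
    if txn.country != prefs["home_country"]:
        reasons.append("international")
    if prefs["alert_on_card_not_present"] and not txn.card_present:
        reasons.append("card_not_present")
    if txn.amount > prefs["amount_threshold"]:
        reasons.append("over_threshold")
    if prefs["alert_on_gas"] and txn.merchant_category == "gas_station":
        reasons.append("gas_station")
    # "Unusual" heuristic: an in-person swipe far from the usual cities.
    if txn.card_present and txn.city not in prefs["usual_cities"]:
        reasons.append("unusual_location")
    return reasons

def triage(txns, prefs=PREFS):
    """Map each transaction id that fires at least one alert to its reasons."""
    return {t.txn_id: r for t in txns if (r := alerts_for(t, prefs))}

# Constructed sample activity: one normal purchase and three that should alert.
SAMPLE = [
    Txn("t1", 42.10, "US", "Miami", "grocery", True),
    Txn("t2", 55.00, "US", "Memphis", "grocery", True),
    Txn("t3", 349.99, "US", "Miami", "electronics", False),
    Txn("t4", 30.00, "ES", "Madrid", "gas_station", True),
]

if __name__ == "__main__":
    for tid, why in triage(SAMPLE).items():
        print(tid, ", ".join(why))
```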


Separate recurring bills from in-store purchases


The first few times I had a payment card number stolen, it was a real pain going through my automated payments and updating the card number. I have perhaps a dozen automatic payments set up, and I had to update each and every one with the new credit card number. However, I've never had a card stolen through one of these recurring payments. It's always been through retail purchases.

Consider using one credit card for recurring bills (utilities, trash service -- things that are paid every month and that don't involve providing payment info for each transaction), and a different card for in-store or online purchases. If a card is compromised in a store, it's easy to throw it away and get a new one from the bank, completely eliminating the hassle of updating every recurring payee.


Take care of your passwords


Use strong and unique passwords for your online accounts, and when possible enable multi-factor authentication - authentication that requires both a password and a separate factor (often an app on your phone, or a single-use code sent via text message).

Never use the same password for more than one important account: a favorite trick of scammers is to steal a password from one account, then try it out everywhere else that you might do business.

Strong passwords that are unique for every account are a pain to remember - so don't try to remember them. Use a password manager program that remembers the passwords for you.

Let the password manager make up unique and random passwords too - the human mind is far too predictable when it comes to creating passwords.


Review your credit report every four months


Under US law, you are entitled to review your credit report from each credit bureau, free of charge, once per year. The various bureaus generally have similar information about you although on occasion an account or credit inquiry will show up on one and not another. Reviewing your credit report gives you a chance to notice fraudulent accounts a scammer might have opened. It may also reveal accounts you thought were closed, but which the merchant has kept open.

Since the information the bureaus collect overlaps, you can stagger them - review Experian in January, Trans Union in May, and Equifax in September for example.

There are lots of fake sites trying to make a buck off of a free report (or worse, steal your identity). The safe location to request your credit report is:



*Note: lesser-known credit bureau Innovis does not participate in the above website, but by law must still provide you with a free credit report once a year if you request one. The direct link to request your credit report from Innovis is https://www.innovis.com/creditReport/index

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen


Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.