Credit Card Breaches
Credit Card Breaches have been headline news over the last couple of years as some big name companies have had their networks compromised. These large data breaches often leads to credit card fraud affecting the individual card owners. Given the sheer volume of credit cards that are compromised when a retailer is hacked and its data compromised, there’s a high probability that your credit card will be used for fraudulent transactions one day. In September 2014, Home Depot revealed that 56 million credit cards have been compromised in a four month breach. Target had 40 million cards stolen in their breach. A vendor managing online payments for various photo sites including CVS and Costco was recently compromised. I learned about this one when I went online to Costco Photo Services only to find out that Online photo service was shut down until the compromise was fixed.
I was just at a convention this week where there was a discussion on cybersecurity. The speaker asked how many people in the audience have had a credit card or bank card compromised. Not surprisingly, it looked like 60% of the folks raised their hands. And I was one of the people raising my hand because one of my credit cards was recently compromised last week.
I went to the local grocery store to purchase groceries and my VISA credit card was denied. Luckily I had a backup American Express Card with me and was able to complete my purchase. When I went home I checked my home answering machine and sure enough I had a message from my credit card company indicating that I had to contact them because the fraud department had flagged a few charges as possibly being fraudulent. I logged online to my credit card website and noticed a strange charge for $5.97 which was re credited back to my account. I initially thought this was just a minor mistake since the amount was small and it was re credited to my account. But I called the credit card company and they informed me that this was a tactic that thieves use to determine if the credit card was still valid. Then they asked about a charge for over $700 to an online auto parts store which I did not make or authorize. This confirmed that my credit card had been compromised and the credit card company issued me a new credit card.
Now this is a minor inconvenience since 1) I have a few automatic payments that I set up with credit card that I now have to update with those companies, and 2) I could recite my credit card number and expiration date by memory since this has been my card number for quite a few years. So now I will have to pull out the new credit card if I ever make purchases online with it until I am able to commit it to memory. I also had to update my automatic payments charged to the credit card, as one had actually been declined and a received a letter in the mail stating so. But I am happy the credit card company fraud department was able to catch these fraudulent charges early and suspend my card until I was able to contact them or else the damage could have been worse.
Now the big question is how was my card compromised in the first place? For one, this is the credit card that I use for all my online purchases. Therefore, it could have been easily compromised by various means from companies that I have purchased stuff from. This card could have also been compromised at the various retailers that I used this credit card at. But I am usually vigilant on protecting my credit card information when using it at local merchants. Therefore, I suspect that my card most likely was compromised online.
New technology is being deployed by credit card companies which will require consumers to carry a new kind of card with embedded computer chips. Retailers across the U.S. will have to upgrade payment terminals to accept payment with these new cards. An October deadline to switch to chip embedded cards is in place. This comes at a heavy price tag, estimated to be $8.65 billion, to implement this new embedded chip technology. But in reality this will only address a narrow range of security issues, which is counterfeit cards. Counterfeit cards account for approximately 37 percent of credit card fraud.
Stolen or lost cards are another segment of credit card fraud. The switch to a requirement requiring personal identification numbers (PINs) with new credit cards is not being implemented by banks at this time. This would have rendered stolen or lost cards virtually useless when making in person purchases. The reason it’s not being implemented is because of the cost and complexity for implementing a PIN management system to the card issuers.
Chips technology already exists in Europe and has been used for nearly 20 years and banks usually require PINs. The thing is this data is unprotected when it is entered in the payment terminal, when it is transmitted through the processor, and when it is stored in a retailer’s information system. Thus, if the retailers are hacked, even these cards will be compromised. Chip technology wouldn’t protect against online purchases either.
Once these chip enabled cards are implemented, analysts predict credit card fraud at retailers will fall but online fraud will most likely rise, as has happened in other countries. Therefore we need to all be more vigilant with protecting our credit card information online and minimize the risk of substantial loss if our credit cards are compromised. Unfortunately, we can only do so much on our end to protect our credit cards while entering the credit card data online. The online retailers are mostly asked to protect the information on their servers once we give it to them. And as we see from the constant news stories about online retailers being hacked, many are not doing such a good job at protecting our data.
Therefore it is up to the credit card holder to try to minimize the effect of a credit card breach if it ever happens. The following are our recommended tips for protecting yourself from having your credit card compromised and minimizing the damage that can be done if it is comprommised:
- Check your credit card charges weekly online to verify that there hasn’t been any charges to you credit.
- If you can, use only one credit card for online purchases. Therefore, if the credit card you only use online is compromised, you will know for a fact that it was either compromised on one of the websites you purchased stuff from or you entered the credit card number on a compromised computer or network.
- As I have mentioned in previous blog post on password security, make sure you have complicated passwords for your credit card accounts.
- Be wary of shoulder surfers trying to take a picture of your credit card. Always keep you credit card number private and protected while out and about. Treat your credit card just like its cash or a check.
- Do not save credit card on websites for future purchases. Therefore if that website is compromised, they won’t have your credit card information stored on their servers.
- Go Paperless so that there is no risk of someone being able to steal your credit card statements in the mail.
- Don’t log in to your online credit card account from a public wifi.
- Make sure your computer has a firewall installed and keep your browser software and anti-virus program updated.
- When purchasing things online, make sure any internet purchases are secure with encryption to protect your account information. Look for a lock symbol on the lower right hand corner of your web browser, or shows “https:/..” in the address bar for the website. This ensures that only your merchant can view the credit card data that is transmitted.
- Do not give out your card number over the phone unless you initiated the call.
- Cancel and cut up unused credit and other cards. If you receive a replacement card, destroy your old card.
- Always log off from any website after a purchase transaction is made with your credit or debit card. If you cannot log off, shut down your browser to prevent unauthorized access to your account information.
- Sign the signature panel on the back of your card as soon as you get it.
- Never answer an email that asks for your account number or personal information—even if it looks like it’s from your bank or a reputable company or organization. Do not send your card number through email, as it is typically not secure.
- Store paper statements and other documents with sensitive information securely—and shred prior to disposal. Keep your receipts and check them against your billing statements.
- Don’t just toss receipts and duplicates—shred the ones you don’t need and securely file the rest.
- Periodically check to ensure your bank or credit card issuer has your current phone number and email address on file so you can be contacted quickly if necessary.
- If your credit card issuer offers email or mobile alerts about unusual activity, sign up to receive them.
- If you lose your credit card or suspect fraudulent activity, contact your bank or credit card issuer right away. Your credit card issuer can block your card and account number so no one else can use them, and then give you a new card and account number
Remember, speed is critical when your credit card is compromised. According to U.S. law, once you notify your issuer that your card was lost or stolen, the most you’ll have to pay is $50—and many issuers waive that as long as you notify them promptly.
Even though I followed good credit card security and all of the tips I mentioned above, my credit card was still compromised. This shows that sometimes no matter how much we try to live a cyber secured lifestyle, sometimes things are out of our hands no matter what we do. The key is to have a plan to minimize the affect of a compromise on your everyday life.
What other steps have you used to protect your credit card from compromise?