Online Shopping, Credit Card Fraud, Identity Theft, and You

creditcard316088Many years ago, my family and I were having lunch at the Wolf Pack brewpub near the Grisly Discovery Center in West Yellowstone, MT. All three are located outside of Yellowstone National Park.

At the time, Wolf Pack was located in a small stand-alone building near the Discovery Center. On that afternoon, there seemed to be one employee who was the host, waiter, cook, brewer, and probably everything else. He approached our table, and, in a thick Eastern European accent, asked if I worked in computers. Apparently, I have “that look.” I answered yes, and then he asked why a hacker had targeted him and infected his computer, stealing his credit card information. As touching as the story and the man’s angst were, I tried to reassure him that it was nothing personal. His information was a commodity on the black market. I explained that he had two protections: using a credit card (rather than a debit card) and monitoring his account. I’ll tell you more about those in a moment.

Let’s fast forward to just before Christmas 2014. On December 18, security researcher Brian Krebs disclosed that Target stores had experienced a massive data breach. The next day, Target confirmed that forty million credit and debit card names and numbers had been stolen. That included the Card Verification Value, or CVV, numbers. Those CVVs are supposed to prove that you have actual possession of the card when you make the transaction. In other words, short of ATM Personal Identification Numbers (PINs), the hackers had everything they needed to exploit the stolen credit card numbers. In the interest of fairness, Target has not officially stated that the CVVs were stolen, only the encrypted PINs. However, CNN reported that the credit card numbers are already in use and the encrypted PINs were retrieved. Since then, the magnitude of the attack has increased. Hackers stole an additional seventy million people’s Personally Identifiable Information (PII), possibly from store loyalty programs, and the data breach has expanded to include Neiman Marcus and Michael’s stores.

To protect yourself, use a credit card for your purchases. Federal laws have imposed much stronger fraud protection measures on credit cards, and there are almost no protections on debit cards. For example, the Fair Credit Billing Act and related legislation limit your credit card fraud liability to $50. That’s still a lot of money, but debit and ATM cards have higher liabilities—up to $500 if you report the fraud more than two days (but up to 60 days) and the entire amount (or more) after 60 days. The Electronic Funds Transfer Act protection also depends on how long you wait to report the loss on your debit or ATM card.

Banks, credit card companies, and other card issuers have resolution processes. They also have automated fraud prevention systems. Unfortunately, in the case of the Target data breach, part of the process was to lower credit authorization limits. JPMorgan Chase did just that in response to the theft of the credit cards. After all, there’s no better time than right before the Christmas holiday to restrict people’s spending, right?

In addition to the automated fraud prevention systems that all credit card issuers and member banking institutions have, they also have complaint resolution mechanisms.

Besides the fraud protections, there are other reasons to get and use credit cards. These include possible extended warranties and enhanced protections for returning merchandise (defective or not). Other credit cards offer benefits such as free insurance or waiving international transaction fees. Credit cards also make it much easier to rent cars and check into hotels. Benefits vary from issuer to issuer and card product to card product.

The moral of the story is that debit cards have fewer fraud limits, and it can take a long time to get your money back, if you get it at all. I speak from experience because, several years ago, someone skimmed my debit card number and charged hotel rooms in Accra, the capital of Ghana. I got my money back, but it took almost two weeks after I discovered the fraud.

Like many, I’m credit-averse. But, to take advantage of the fraud protections they provide, I use my credit card and pay it off rapidly, never carrying a balance and certainly never extending past the due date.

The second piece of advice from the Federal Trade Commission is to check your credit card activity online and to do it regularly. Also, check your monthly statements. Remember, if you don’t report a fraud within 60 days, you may be liable for the whole amount or more.

This practice has helped me, even without financial fraud. Last autumn, I purchased an item in a store, but the clerk told me that the transaction didn’t go through. Luckily, I use my credit card company’s app on my phone. When I checked, I saw that the transaction had completed even though the clerk told me it failed. I could have left the store with a charge and no product or multiple charges if we tried again. So, I second the FTC’s advice.

Here are a few more recommendations:

  • If you shopped at Target during the period of the break-in, you can call them to check if your card was one of the ones compromised. Target is offering protections to affected customers such as free credit monitoring, but scammers are also forging email messages to try to piggyback on the data breach. To take advantage of this additional compensation, go to Target’s website directly, rather than clicking on links in email.
  • Check your statements, either on paper, electronically, or the list of transactions on your cards. Do not wait. Do it now.
  • If you find fraudulent transactions, report them to your credit card company. Do not wait. Do it now.
  • Save your debit cards for places where you can’t use a credit card, such as some warehouse stores.
  • If you eschew credit cards, consider a prepaid card that acts like a credit card. Beware that many prepaid cards are really debit cards in disguise.

Related Courses
Cybersecurity Foundations
Certified Ethical Hacker v8
Security+ Prep Course
Cyber Security Compliance & Mobility Course (CSCMC)