|
|
Chapter 3 |
T.J. Maxx’s data breach that exposed the payment information of thousands of customers in 2007 resulted in $150 million in fraud losses, and much of it was pulled directly from customers’ bank accounts. Although credit card users got their accounts straightened out and new cards were in the mail within a few days, the case created major problems for debit card holders, who waited an average of two to three months to get reimbursed.51
Credit Cards
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit or debit card to obtain fraudulent funds in a transaction. Credit card fraud is an adjunct to identity theft and is a real problem around the world, but the legal selling of credit card information by banks and other financial institutions is just as alarming.
While some identity thieves focus on getting your credit cards and maxing them out before you even realize they’re missing, an increasing number are using one piece of information about you—often a credit card number—in order to steal your entire identity. Though many folks worry about keeping their credit card information secure when shopping online, the top methods that identity thieves use to steal personal data are still low-tech, according to Justin Yurek, president of ID Watchdog, an identity theft-monitoring firm. “Watch your personal documents, be careful to whom you give out your data over the phone, and be careful of mail theft,” he says. 52
Credit Card Fraud
Most people have more than one credit card, and having a half dozen is not uncommon. After all, all the major retailers entice you to sign up for their store credit cards by giving you 10-20 percent off the first purchase and the promise that you will receive “special” offers from them during the year. Many credit cards offer one-time bonuses of airline miles, special treatment as a “preferred customer” or no-interest for a period of time—all of which are hard to resist.
Provisions in the Gramm-Leach-Biley Act of 1999, also called the Federal Services Modernization Act, require every financial institution to annually notify all customers, in writing, of that organization’s privacy policy. The purpose of the privacy provision of this act is to curtail the ability of third parties to obtain nonpublic personal information regarding individuals who purchase financial products like credit cards and/or services from financial institutions.
But how many of us read the fine print when we sign up for credit cards? I know I didn’t, and until I started researching privacy policies for this book, I would typically take the privacy policy when it came in the mail, and pitch it into the wastebasket. Who wants to take the time to read pages of legal terms about privacy? There are laws against giving out our social security number or other sensitive information, aren’t there? Look at this notice and decide for yourself.
The types of personal information we collect and share depend on the product or service you have with us. This information can include:
- Social security number and income
- Account balances and credit history
- Account transactions and credit card or other debt
Who sent this notice? Not a government agency, but Capital One when I applied for a Best Buy credit card. Lured by the promise of 10 percent off an expensive television, I thought, “What the heck? I’ll get their credit card and then pay it off right away and probably never use it again.” Little did I know how Capital One was going to share my personal information, nor how little I could do to limit that sharing. Also in the notice was the chilling statement that they would begin sharing my data in 30 days, and even if I was no longer their customer, they could continue to share my information. Here are some ways they could share my data and what they said I could do—or not do—to stop them:53
|
Type of Information Sharing by Capital One for Best Buy |
Can I limit sharing? |
|
Credit bureaus |
NO |
|
Legal investigations |
NO |
|
Offer products and services to you |
NO |
|
Share with affiliates information about your experiences |
NO |
|
Information about your creditworthiness |
YES |
|
Joint marketing with other financial companies |
NO |
|
For our affiliates to market to you |
YES |
|
For our nonaffiliates to market to you |
YES |
Financial institutions aren’t the only ones sharing our information. Here are some excerpts from Verizon’s Privacy Policy, which covers what they call CPNI (Customer Proprietary Network Information):54
We will share CPNI among our affiliates and parent companies and their subsidiaries so that they may market communications-related products and services to you and for making mobile ads you see more relevant. Although we will not identify you personally, we will use consumer information about your use of VERIZON products and services such as addresses of websites you visit when using our wireless service. Using certain consumer information (such as your demographics, device type and language preference) and the postal address we have for you, we will determine if you fit into an audience an advertiser is trying to reach. For example, a local restaurant may want to advertise only to people who live within 50 miles; and we might help deliver that ad on a website without sharing information that identifies you personally.55
Okay, I guess that explains why I keep getting offers for pre-approved credit cards and from Groupon, Travelzoo and others for discounts to restaurants.
If you receive applications for “pre-approved” credit cards in the mail but discard them without tearing up the enclosed materials, criminals may retrieve them and try to activate the cards for their use without your knowledge. (Some credit card companies, when sending credit cards, have adopted security measures that allow a card recipient to activate the card only from his or her home telephone number, but this is not yet a universal practice.) Also, if your mail is delivered to a place where others have ready access to it, criminals may simply intercept and redirect your mail to another location.
With enough identifying information about an individual, a criminal can take over that individual’s identity to conduct a wide range of crimes: for example, false applications for loans and credit cards, fraudulent withdrawals from bank accounts, fraudulent use of telephone calling cards, or obtaining other goods or privileges which the criminal might be denied if he were to use his real name. If the criminal takes steps to ensure that bills for the falsely obtained credit cards, or bank statements showing the unauthorized withdrawals are sent to an address other than the victim’s, the victim may not become aware of what is happening until the criminal has already inflicted substantial damage on the victim’s assets, credit, and reputation.56
Debit Cards
Using a debit card seems like a great idea for the simple reason that you won’t have the clerk at the local gas station ask for your phone number, driver’s license, or other private information before he will accept your personal check, and you don’t have to feel self-conscious at the grocery store when five people with full shopping baskets are glaring at you for holding up the line while you fumble for your checkbook. However, by using your debit card frequently, you may be giving crooks a direct line to your bank account.
Debit cards might look the same as credit cards, but they have a big difference. With a credit card you can look at your statement and decline any false charges and not pay the bill. With a debit card, the money is drawn directly from your checking account with no intermediary such as your credit card company. You don’t have the same account monitoring as credit cards because transactions are processed through a different network, which only relies on your transaction history with that specific bank, not the entire Visa or Master Card system. And even though there are consumer protection laws that protect you from liability, it can be weeks before the money is restored to your account. In the meantime, you do not have your funds to pay bills or draw upon for cash.
Using your debit card for online transactions is very risky because the card information is susceptible to being stolen at so many points. The consumer could have malware on their computer, so it could be at their end that the data is compromised. It could be an online attack where somebody is eavesdropping on their communications via the wireless network or at the other end when that data goes into the merchant’s database. Aside from the potential for hacking at many different points in a transaction, a fundamental problem with using debit cards online is that it’s impossible to know who is handling your information.
Restaurants have two problem areas with card transactions, first because it is easy for the server to steal your information when he takes your card to another location to process it, and second it is also easy to leave your card behind when he brings it back. Usually the card is laid on the table in a small binder, and if you are talking or not paying attention, you could walk away without your card. In Europe, they have addressed this by requiring, by law, that credit cards never leave the owner’s sight. They process restaurant transactions at the table.
Even take-out restaurants can present a problem. Using debit cards to order delivery can be risky because pizza and other take-out restaurants like to keep customer payment information on file to speed up order taking. That may make future orders more convenient, but small businesses rarely take the steps necessary to safeguard payment information. Do you really want the kid who works the register to have your debit or credit card information?
Experts recommend checking your accounts every few days, so using as few cards as possible makes sense since the more cards you carry, the more you have to check. Also, the more cards you have, the greater the chance of forgetting to retrieve it after a transaction.
Many people I know could not live without their ATM. They use it almost every day and seem to have the notion that carrying a debit card is safer than having cash in their wallets. Plus, the ATM allows them to deposit checks and retrieve their account balance 24 hours a day, 7 days a week. The problem is that identity thieves work 24/7 too, and have found ways to skim the information from your card. Skimming is the practice of capturing a bank customer’s card information by running it through a machine that reads the card’s magnetic strip. Those machines are often placed over the real card slots at ATMs and other card terminals. The keypads may show no sign of manipulation because the “bugging” device is on the inside of the keypad. Typically, these types of devices still transmit customer data to the bank, but they also capture personal information from the card and the card holder’s PIN number.
Outdoor ATMs are among the most dangerous places to use a debit card because outdoor ATMs present a perfect opportunity for thieves to skim users’ debit cards. You are much safer using an ATM inside a retail outlet or in other high-trafficked, well-lit place. Any transaction you do outdoors at an open ATM is going to expose you to higher risk because a thief has the ability to add skimming devices to it, position cameras on it, or position themselves in a way where they could watch it.57
What Can You Do?
Frank Abagnale, a security expert with PrivacyGuard, offers these tips:58
- Review your credit and debit card accounts frequently so you can spot suspicious activity right away.
- Do not trust keypads if they don’t look quite right. Tampering by inexperienced criminals can sometimes be obvious. Make certain the keypad is firmly attached to the counter or console.
- Protect your PIN by covering the keypad with your hand and do not use ATMs where you know there is a security camera positioned behind you.
Privacy concerns are providing the impetus for credit card companies to provide higher-security cards. The revelations about the National Security Agency spying, the many recent data breaches, high-profile data losses and the realization that data brokers are collecting huge amounts of data have heightened privacy concerns. The public does not believe that business or the government adequately protect consumer data.
To counteract those perceptions, Visa, MasterCard and other large credit card companies are mandating that credit card issuers must embed EMV chips, by October 2015 or they will be held responsible for the cost of any fraudulent in-person transactions due to counterfeit or stolen credit cards.
EMV stands for Europay, MasterCard and Visa and is the new global standards for credit cards. EMV chips have microprocessors embedded in them and are said to make counterfeiting cards virtually impossible. Most banks will be issuing credit cards with EMV chips before the coming liability shift in October 2015.
Businesses such as restaurants, where a server or clerk usually handles the card, will have to update procedures, retrain staff and validate their new approach with their payment processor. In addition, organizations may need to expand their wireless network to accommodate portable card readers.59 This shift will cost businesses some extra money but the public will be better protected from credit card fraud.