Here's a scary piece from Yahoo titled Secrets of a Former Credit Card Thief. I'll share some highlights from this interview with a convicted credit card and ID thief/expert. Let's start with this one:
I always recommend against [debit cards]. With debit cards, it's your real money in your bank account you're playing with. So if someone gets your debit card information and uses it, your cash is gone until you fill out a lot of paperwork and persuade the bank to give it back to you. Credit cards are much better at protecting you against fraud. And if you're worried about debt, you can always pay them off every month.
Another reason (in addition to the rewards) to use credit cards over debit cards. It's bad enough for a thief to have access to your credit (where you're protected to a $50 hit at most) -- just imagine if he could tap into your checking account. I bet the bank will give you a huge run-around to try and get your money back.
You've probably heard this before, but the most important thing really is to watch your accounts. And I don't mean just checking your statement once a month. If you're only checking your statement once a month, someone can start using your card at the beginning of the billing cycle, and they can do a lot of damage before you catch it. You're talking thousands of dollars, and it will be a lot harder to catch them and dispute it. I use Mint.com, which is a free aggregation service that allows you to put all your accounts on there and monitor everything at once. I check that every day. It's also a good idea to check your credit report at least twice a year to make sure no one has stolen your identity.
I need to be more vigilant about this. I check my accounts probably once a month and our credit reports once a year.
A more recent issue is the free wireless offered all over the place. If you're using an open Wi-Fi connection, you should pretty much have the expectation that there is no security.
Starbucks? Panera? And on and on...
All financial services companies have two-factor authentication. So you typically have to put in a password plus something else. A lot of banks use questions, but that can actually give you a false sense of security because you can find out a lot of information about people online. So maybe this is extreme, but for those questions, I make up stuff. I don't put in my real information. For example, a common question is: "What city were you married in?" Well, I'm not married, but I'll answer that question so there's no way anyone could possibly know the answer. I try to make sure at least one of the questions has a made-up answer.
I found the "fake answer" suggestion interesting. Then again, how do you remember all the fake answers you give around various websites?
ATM skimming is the big thing right now because it's cash, and cash is king. Basically, that's where someone puts a card reader on the ATM machine, captures your PIN, then goes and drains your bank account. The skimmer device goes over the card slot, and it's designed to look like part of the ATM. Some of the equipment now is very good and it's hard to tell the difference between that and a real machine. So what you need to do is try to use the same ATM every time, and watch out for anything on the machine that looks out of the ordinary, especially something stuck on the front where you put your card in. Generally, I like to use ATM machines at banks rather than convenience stores or a bar or club. There have been incidents where thieves installed their own ATM machines in places with skimmers inside them. That's much less likely to happen at a bank.
"Thieves installed their own ATM machines in places with skimmers inside them?" Really? The creativity of these criminals is simply amazing (in a bad way.) What's next, will they be opening their own banks?
Personally, I haven't used an ATM in years. We used to go to the bank to get cash, but now that our soccer referee jobs pay in cash, we never need to visit the bank. In addition, we have a lot of $1 gold coins too.
The biggest thing [the banks] could do is get away from using magnetic stripes. They aren't that secure and anyone can get a magnetic stripe reader (a skimmer) for $5 to $10. The smart chips that are widely used in Europe and internationally are much more secure and harder to hack. They offer near 100 percent protection against fraud, at least from a skimming point of view, and they also require a PIN. But the credit card companies have done the math. They think people will use their credit cards less often if they had to put in a PIN. It might eliminate a lot of the fraud, but there would be less card use and they would end up losing money. So they're actually doing just the opposite, moving to a system where you can just have your credit card in your pocket -- you don't even have to swipe it to use it. The problem is, that's very unsecure. Anyone with equipment can sit out in their car and pick that up.
I saw a video where a guy was walking up and swiping card info from people's cards that were INSIDE THEIR POCKETS. The cards had frequency chips that allowed him to simply brush by the person and get the data. Scary.
A few other tips:
- Stick to buying from sites you know.
- Be wary. If an email looks fishy, it probably is.
- American Express is a bit harder to hack because retailers often require more info to use it -- and not all the info is on the magnetic stripe.
- Use cash (by the commenters -- though they do admit that cash can be lost/stolen and never recovered).
Ugh. If it's not one thing, it's another...
For bank secret questions I like to use places and people from science fiction. That way it cannot be easily answered by gaining info about me (like say childhood best friend could) and it will survive a dictionary hack.
For example, I might choose as a secret question, "Where was your honeymoon?" and I might give the answer as El-Adrel. To any Trekkie, the answer is easily memorable. Another way to make that even more secure is to misspell it purposefully.
Posted by: Michael Goode | March 03, 2011 at 11:36 AM
> All financial services companies have two-factor authentication.
> So you typically have to put in a password plus something else.
> A lot of banks use questions ...
This is not two factor authentication. The factors involved are something you HAVE (e.g. hardware token), something you KNOW (e.g. password or question/answer) or something you ARE (e.g. biometrics). Something you KNOW plus something else you KNOW is still single factor.
Reference: http://en.wikipedia.org/wiki/Two-factor_authentication
Posted by: Dave | March 03, 2011 at 11:45 AM
Even if you're using open WiFi with no security, there will still be security between your computer and the secure website you're communicating with. Saying that there is "no security" is not really accurate. Any kind of financial website, plus most e-mail sites now, will be using secure connections. Nobody will be able to steal your CC number or passwords just by wireless sniffing.
Posted by: tlm | March 03, 2011 at 11:56 AM
"Thieves installed their own ATM machines in places with skimmers inside them?"
It is not a new thing; it has been used in many countries.
For the security questions, even though you trick the answers a little bit, how many answers can you remember for so many different websites? So you end up using almost the same tricky answers, which is not that secure from a security standpoint.
With all the advanced technologies today, we may get more convenience but also less security and privacy. What I'm doing is using the CC carefully and checking my accounts every day, so I can take action ASAP if needed.
Posted by: jbhk | March 03, 2011 at 12:04 PM
I use Amex almost exclusively and I have not had the experience that retailers ask for more info when I use my Amex vs MC/Visa.
Posted by: Jclimber | March 03, 2011 at 12:42 PM
I had my debit card swiped like that at a gas station in DC once. Two days later BoA shuts down my credit card while I am in flight from San Diego back to DC. Card worked in one airport, landed, card shut off. BoA stopped $3000 in charges after the first $700 hit my account and had been stolen. Their fraud dept had left me a VM while flying and we verified that while in flight, I could not have been buying a TV in NYC. The money was replaced next day.
Since then, I moved over to a rewards card, and have not had any further issues.
Posted by: Brandon | March 03, 2011 at 12:54 PM
If a thief wants to get your credit card information they can sadly obtain it using the techniques you describe above. I purchased some items from Amazon using my Visa debit card and our credit union called me. I didn't answer it but did call them back and they wanted to verify the purchases were legit. This caught me off guard as we purchase quite a few things from Amazon but I think since they saw several charges from Amazon it drew a red flag and they called us, that was great. Every time I go into our credit union they swipe my debit card and also ask a security question to verify that I am the actual owner of the bank account. Again, I like that. I have not used an ATM machine in several years as I can get cash from a teller or at the grocery store using my ATM card with PIN.
Posted by: IPA @ investmentpropertyasset.com | March 03, 2011 at 01:37 PM
* Tim - The "secure connection" you spoke of is SSL encryption, which has now been broken. You are right there is not NO security, but it is not really a secure connection any more.
* Anyone used the hard shell wallets advertised on TV that supposedly block RFID readers from accessing your credit card?
* Rumor is that the new iPhone 5 coming out in a few months can replace your credit cards; a scanner is held up to the screen, and it charges to your credit card.
* I've never been hacked or skimmed, but have had low-tech fraud (the old carbon copy) where charges went to the account.
Posted by: CoolMouseLuke | March 03, 2011 at 01:52 PM
@Michael G: This is an awesome idea. I'm going to have some fun with my id questions now...
Posted by: Jeff | March 03, 2011 at 02:02 PM
History is replete with each side overcoming the advantage that each has at one time or another. Yes, even with the chip cards, there are now 'readers' which use RF to query and download the information on the chip when one is in close proximity to the chip. Use of a shell to cover the card and protect it from unwanted RF advances is of more importance nowadays.
I am not a fan of the 'touch and go' technology for exactly the reason of ease of use for a criminal as well as yourself.
As always, it pays to be vigilant.
Posted by: Deserat | March 03, 2011 at 02:02 PM
I've known all this for a long time. It's why I *never* carry a debit card around, and almost never use one. The rare few times I do use one, it's at the bank's inside ATM only, to withdraw cash (and I go to the bank, and come right back home).
I guess that's one of the great things about being a pessimist. You already are suspicious of everything, so you take a lot of safety measures, LOL. :)
Posted by: BD | March 03, 2011 at 02:09 PM
@BD - if you only use your debit card for cash you should have an ATM/cash card instead of the debit card. That way if it's hacked it can only be used at an ATM instead of anywhere else.
Posted by: Jclimber | March 03, 2011 at 02:16 PM
Re: credit reports - what works for me has been to set up an Outlook reminder every 4 months, with a link to annualcreditreport.com (the ONLY website that allows you to actually check your credit report for free) in the body. The subject line is "EQUIFAX" (April 1), "EXPERIAN" (Aug 1) and "TRANS UNION" (Dec 1). That way I am checking regularly without having to pay for the privilege.
Posted by: Holly | March 03, 2011 at 03:09 PM
For the "security questions", just treat them like a secondary password. "Where were you married?" "Xq~1fnj03M" "What is the name of your childhood best friend?" "Xq~1fnj03M" "What is your mother's maiden name?" "Xq~1fnj03M"
And, of course, never log in over unencrypted wireless, EVER.
Posted by: LotharBot | March 03, 2011 at 07:03 PM
@Jclimber : Do banks even offer those any more? I know when I joined my bank here (a small local bank only in this area), they didn't offer a choice. The only card that withdraws cash that they offered (other than a credit card) was a debit card.
Posted by: BD | March 03, 2011 at 11:41 PM
"Then again, how do you remember all the fake answers you give around various websites?"
I don't know how others do it, but I have created a small encrypted file using the freeware program TrueCrypt. When I want access to ANY of my passwords or security information I can't remember, I just open that file (using the only password that I actually MUST remember) and there are all my passwords, login IDs, and nonsensical ID verification questions and answers. (Plus some 'real' ones I recorded from back before I started using nonsensical ones)
I second those above who use fictional (even science fictional) answers. I've told websites my first job was as an attache for the Obsidian Order, and another that I got married in Thunderia. Hard to remember unless you record it, and of course the record must be kept very secure, and you've got to keep backups.
(In case anyone is wondering, those security answers are for 'dead' accounts, for instance, a bank I haven't used in about 5 years)
Posted by: MattJ | March 04, 2011 at 08:43 AM
@BD: I guess it depends on your bank. I've had an atm-only card from my credit union for over ten years but I don't know about other banks.
Posted by: Jclimber | March 04, 2011 at 03:16 PM
My bank texts me my bank balance every morning. When my debit card was stolen and used to rack up $400 in Xbox charges one night (and I don't own an Xbox!) I knew it within hours. I contacted my bank and they provisionally refunded the money within 2 hours. The money was permanently credited in less than 3 biz days.
If your bank doesn't offer that level of service ... find a new bank.
Posted by: KH | March 09, 2011 at 01:29 PM
I find it easy to remember "fake" answers by using not quite true answers. Like if you were married at a church on Charleston Ave and they ask what city you were married in, don't say the actual city, say Charleston. It's easy to remember because it's "True" and associated with the question, but it's not the city listed on your marriage certificate.
Mostly, I try to avoid using any answer that's documented anywhere. If it's written down, there's the potential that they can find it. So I might use my pet's nickname that only I use instead of the actual name for instance. Works pretty well, and is fairly easy to remember.
Posted by: Slinky | March 25, 2011 at 01:04 PM