If you’re part of my generation, you might have had to convince your parents or grandparents at some point that using their credit card online is safe. “It doesn’t feel safe,” they say, but you tell them that’s the way everyone shops all the time, and their credit card information is totally safe.
But you’re wrong. Credit card numbers do get stolen, and credit card fraud does happen, both online and offline. But how does it happen? How does a thief get your card number? Why don’t verification systems prevent these problems? And what can you do to keep your own cards safe? Let’s take a look at credit card fraud and find out how you can protect yourself.
Obviously, the first thing that needs to happen for credit card fraud to take place is someone else getting your credit card number. There are a number of ways to accomplish this, and they range from the very basic to the more technologically complex.
Phishing, for example, is an old strategy that only requires a thief to be a smooth talker. They’ll get in touch with you via phone, email, post, or some other way, usually posing as someone from your credit card issuer, and talk you into giving them your credit card information. It sounds like something you’d be able to spot right away, but some phishers are really good at what they do—this is very similar to the tactic that was used in the British phone hacking scandal a couple years ago.
Another way in which thieves could come to have your 16-digit credit card number is through online data breaches like those suffered by Target, Home Depot, the PlayStation Network, and a whole list of others in recent years. The numbers stolen from those sites often end up in “carding” shops, where people go to buy stolen credit card numbers for use online. According to Brian Krebs, the card numbers sold on Rescator, one of the biggest card-buying sites, go for a median price of about $27 per card. This makes it easy for thieves to buy hundreds of cards at a time, potentially including yours.
It’s not always a merchant or a bank that’s compromised, though; sometimes it’s your own computer. If a hacker manages to get a keylogger or another type of malware installed on your computer, they could easily nab your credit card information when you use it for online shopping. Because most people don’t do enough to protect their computers from malware, this is a serious threat.
Your card itself can also be the target for card thieves. With the increase in contactless payment credit cards, radio frequency identification (RFID) scanners have become a more popular method to steal credit card information; all a thief needs to do is get a scanning device within close range of your card, and they’ll have all the information they need.
This same strategy can be used if your phone uses near-field communication (NFC) to communicate with points of sale to share your credit card information—Apple Pay, Google Wallet, Visa PayWave, and similar apps use this technology when you pay with them. If an NFC reader is compromised or tampered with, it could be giving your credit card information to a criminal.
A similar method called “skimming” requires a thief to have a physical scanner that reads the information from your credit card. These devices are surprisingly easy to get (you can get a basic reader for $13 on Amazon), and thieves can be rather creative in using them to tamper with ATMs, card readers at businesses, and other places where your card is swiped on a regular basis. ATM fraud is surprisingly common; check out Dan Price’s awesome article on ATM fraud to see just how much of it happens every day.
And, of course, there’s the most time-tested, old-fashioned way: just stealing the card. A forgotten wallet or purse, a dropped card, an unlocked car door, or any number of things can make your card easy for a thief to grab. Sometimes they’ll just write down your information—the number of waiters caught writing down card numbers while running customers’ cards is larger than you might expect.
Of course, once a thief has your credit card, the hardest part is done. Now all they need to do is use it (or sell it). Banks want you to think that your credit card transactions are very secure, but a quick trip to the store makes it clear that anyone with your card could use it wherever they want. I live in the US, where not all cards have EMV chips yet, and I haven’t had my signature checked against my card or driver’s license in a long time.
Contactless payments with cards don’t require PINs or signatures, so they’re perfect for credit card thieves (even though the limits for contactless payments are rather small, they add up quickly). Online payments don’t require PINs or signatures either, so going on an Amazon shopping spree with a stolen card is remarkably easy.
And, as I mentioned, these card numbers can be sold online. Rescator is one of many sites that sell this information—most of these sites are on the dark web, where all sorts of identifying information can be bought, but some are easy to get to from any browser. By staying hidden, using servers based in other countries, and making it difficult for law enforcement to look for patterns in stolen cards, these sites stay untouchable.
As you can see from the list above, there are a lot of different ways that fraudsters can obtain and use your credit card information—it might seem like it’s impossible to protect yourself. But by following a few simple guidelines, you can significantly decrease the chances that you’ll fall victim to credit card fraud.
First, don’t share your card information over the phone or in an email. Most credit card companies, banks, and stores won’t ask for your credit card information via email, so an email asking for this information should be a clear sign that you’re being scammed. If you need to share your information over the phone, be sure that no one is around to overhear you.
Second, pay attention to online security news; if a retailer or a bank that might have your credit card information gets hacked, call your bank, tell them what happened, and ask for a new card. You could wait to see if you get any suspicious charges on your account before alerting your bank, but it’s up to you whether or not you want to take that chance before starting the process.
Third, if your card is RFID-equipped, consider getting an RFID-blocking wallet so your card is protected while it’s in your pocket. By blocking RFID signals, the wallet prevents any device from reading the information on your card until you take it out to use it.
Fourth, be on the lookout for any card-scanning device that looks like it’s been tampered with. ATMs, pay-at-the-pump gas stations, small stores and restaurants, and many other places can be targeted by skimmers. If something looks suspicious, use another method to pay. Make cash withdrawals from within your bank, pay at the counter when you buy gas, and don’t let your card out of your sight.
Finally, make sure to monitor your credit card statements, bank statements, and credit reports on a regular basis. The earlier you catch a potentially fraudulent transaction, the better the chances that you’ll be able to prevent further trouble. You can get a credit report free every year from annualcreditreport.com, but you should make sure to check your online accounts much more frequently than that to see if anything suspicious is going on.
Now that you know how credit card fraud happens and what you can do to protect yourself, we want to hear your stories of credit card fraud. Have you ever had a card stolen? Do you know how the thief got the information? What tipped you off to the fact that your card had been compromised? And what did you do about it? Share your stories below so we can all learn from them!