Preventing Identity Theft and Credit Card Fraud? 73
carefulCredit asks: "I just checked my AMEX balance, and found around $13k in fraudulent charges. Fortunately, AMEX makes it relatively easy to get a new card and the charges revoked, but this is the second time I've had this type of problem. It's clear to me that the steps I've taken to prevent fraud are inadaquate. (reduced number of cards, restricted availability of some funds, increased vigilence in not allowing CC slips to display the full card #, etc). What measures have any of you taken, or can you suggest, to help put a lid on this problem and to help prevent repeats?"
Receipts (Score:2)
So, make sure you know what happens to your receipts - don't just throw them away, make sure they're destroyed. And hassle retailers that still print the full card details on those bits of paper. A lot of companies are beginning to work out how dumb it is, but POS hardware turnover is slow, and a lot of stores are still reckless with your personal information.
Re:Receipts (Score:2, Informative)
Re:Receipts (Score:1)
i personally went to the extreme measure of having horrible credit, so potential identity theft is usually stopped when the thief realizes they wouldn't be able to get a card in my name.
My supermaket POS credit card experiance (Score:2)
heh
I had a part time job in a supermarket here in the UK. You wouldn't belive the number of customers that would leave thair shopping recipt and credit card recipts in the shopping trollys [ US'ians --> shopping cart] once they had packed up thair shopping.
Chasing after the customers and giving them thair recipt expaining why this was a bad thing just got you a black look. (One fuckwit even thought I was having a go at him for littering the shopping trolly with his credit card recipt!)
The reason most supermarkets now dont print all the didgits of the card number is because people were collecting CC recipts from shopping trollys and from around the car parks after closing time. Most other retailers (to my knowlage) havent yet followed suit.
Paper Shredder (Score:1)
Re:Paper Shredder (Score:1)
Re:Paper Shredder (Score:1)
While you will likely be made whole by Visa/MasterCard, a debit card is a direct link to your checking account. This means that your actual money will be fraudulently taken from your account, and it could take you a while to get it back (as in, "how the hell do I pay my rent now?!"). Much different than a credit account, where the worst that can happen is you'll have to refuse to pay and have a blight on your credit report.
Re:Paper Shredder (Score:2)
To whom are you giving your account info? (Score:3, Interesting)
The problem is that there's really no way for you to determine this beforehand. If you portscan www.store.com or whatever it is you might end up in some trouble, depending how much of an ass the sysadmin is.
Another risk factor for which you're totally unable to account is the employees at the company. You have no idea whether or not Joe Schmoe that's reading your order is honest or dishonest. Maybe he's a disgruntled employee and is sending himself all of the customers' account info to later blackmail the company.
Like I said, there's really nothing you can do to determine this stuff in advance. Of course, everything I've said here assumes that your CC info was stolen from an e-commerce store, which may or may not be the case. But similar problems exist for brick-and-mortar stores -- if they toss their copy of the receipt right into the trash or have a disgruntled employee, you're at just as much risk, and have just as little chance of knowing so beforehand.
Re:To whom are you giving your account info? (Score:1)
Another thing was they kept the recipts in two boxes behind the counter, and they always had the credit card number which no numbers blinked out, if I was a dishonest lad I could of been in cuba.
Re:To whom are you giving your account info? (Score:1)
A company you don't do business with might run a credit check on you and get account information.
I've read reports about car dealerships where dishonest employees kept browsing credit records until they found people with great credit ratings, then pulled an identity theft.
Those reports must have been incorrect because car dealers hire only honest people...
Re:To whom are you giving your account info? (Score:2)
Re:To whom are you giving your account info? (Score:2)
Beware of ATMS the have something like "Type you PIN number three times if your card gets stuck" and ATM machines with a second number pad on top of the actual number pad (these one usually work similar to the credit card hack).
As far as credit cards, I always make sure I can see a store clerk scanning the card. 99% of the stores have it in plain view, so there is no reason to "go under the counter to swipe the card". I also only keep a couple credit cards and I keep the credit limit low. I avoid AMEX.
I also don't shop online. There is no 100% safe way to shop online, and it is harder to return items (or complain about service quality) with e-merchants.
Don't buy online. (Score:1)
Re:Don't buy online. (Score:1)
Re:Don't buy online. (Score:2)
The problem with online trading is simple:
All transactions (of any sort, and since time began) are based on trust - "I trust that what you're giving me is worth what I'm giving you in exchange"; "I trust that the money you're paying with isn't forged"; "I trust that you won't write down my card number and buy stuff with it yourself."
Unfortunately, over the internet it becomes much harder to know who to trust, and much easier for crooked individuals to make themselves appear trustworthy.
In addition, current credit cards have only one (very weak) barrier against unauthorised use - the signature - and this is bypassed in online trading. In short, once someone has your name and card number, they can buy anything online, especially if the things they're buying don't need to be delivered (some stores will check the delivery address, but not everyone does this).
The bottom line is that as long as you trust the person or company you're dealing with, no problem. But are you sure they really are trustworthy? As I said already, this applies in all arenas of trade, but the lack of personal contact makes it much harder to judge.
Re:Don't buy online. (Score:2)
Do you eat in resturants? Read George Orwell's Down and Out in Paris and London for a description of the amount of trust you are putting in the kitchen. If you want something more recent, I could tell you some stories about when I worked at the grocery store. Maybe better not.
Personal anecdotes are not a substitute for statistics, but I have not observed a greater percentage of bad transactions on-line compated to in person.
sPh
Re:Don't buy online. (Score:2)
Sites that I trust (big vendors with reputable histories) get my real credit card number, so that I can buy things instantly from them, but that's only a select few. All of the rest get single-use numbers that are no good for any transactions but that one. Both Visa and Discover support this technology - Visa's version is ShopSafe [mbnashopsafe.com], while Discover's is Discover Deskshop [discovercard.com], both of which are free tools.
Although I buy things frequently, my buying patterns have so far never resulted in my cc info being compromised, and I hope to keep it that way. The biggest scare I ever got was when Egghead admitted to having had cc's stolen, if anyone remembers that story [ecommercetimes.com]. But mine must not have been one of the ones that they got.
Re:Don't buy online. (Score:1, Interesting)
I had my AMEX card number stolen (not the physical card) in Decemeber. I hadn't bought anything online with that card at all.
As a previous poster mentioned, the credit card slips you get at a brick-and-mortar place has everything you need...most don't even mark out the card # like XXXX XXXX XXXX 3450, they put the whole thing there. And that's how mine was stolen, a busboy picked it up off the table after I left the restaurant.
Most thieves are low tech and dumb; they lack the technical prowess it would take to knock over even bad computer security.
Know how the busboy got caught? He made long distance calls billed back to my card #. These calls were from St. Louis (where I live) to his friend in New Jersey. The dolt actually made the calls FROM HIS OWN HOUSE! Oh, and he put a singles ad in the local free paper (with his phone #) and stayed at a really nice hotel ($400/night) downtown on New Years Eve (video camera at the front desk got him too).
Why doesn't AMEX make it harder? I can understand that it doesn't make business sense to spend more to solve it (like implementing biometrics) than they actually lose through fraud. But I don't understand why they don't require merchants to mask out the card # and other sensitive info on the credit card slips. I now just mark it out with a pen before I leave the restaurant. Getting my card replaced didn't cost me any $$$ but it was a pain in my ass (because I also had to deal with ATT's fraud department directly; they suck!) that I don't wish to have the experience again.
And, for the love of God, why can't waiters/cashier's actually look at the signature on the back of the card and compare it to what I write? I watch how often this happens now, and it has happened exactly once (out of probably 50-0 transactions) since January.
Re:Don't buy online. (Score:2, Informative)
IIRC, this topic came up a few months ago. California consumer protection laws require merchants to shield all but the last 4 digits. Dont know what other states (if any) mandates this. I do know that a lot of merchants already do this on their own, often out of a desire to protect their customers, but others are national chains with stores in CA.
You could send a letter of complaint to the restaurant you were at when the busboy got your CCN, telling them about your experience and recommending a system that hides the first 12 digits. Find out if your state has a law like CA's, and if so, mention that. If it turns out there is a law, consider pressing charges for negligence of that law, or inform the state if you dont want to go through with a suit and let them handle it. You might be surprised how they handle it given that $13k was put at stake here.
Re:Don't buy online. (Score:2, Interesting)
i used to work as a cashier and i know that every time amex or another of the cc companies tried to force ID checking or something like that, there was always a large percentage of customers who would complain that they didn't have to show ID at the other stores, why should they show it at this one?
I've even been guilty of it myself everytime i gave my cc to my girlfriend to buy something at the corner store and she wasn't asked for ID, i'd wonder how much i could get taken for if my wallet got lost and i didn't realize it. but then when i go shopping at that same store i used to work at they now require that i actually pull out my driver's license to show it to them, and i get annoyed at the inconvenience of it all..
Re:Don't buy online. (Score:1)
At Walmart, though - I go buy a couple bags of water softener salt, and my card and signature get scrutinized so closely I wondered if I was wearing an orange 'Department of Corrections' outfit...
Re:Don't buy online. (Score:2)
Shaun
Credit card security model is inherently flawed (Score:2)
This, of course, is completely ridiculous. I should be able to authorize a transaction without implicitly trust the other party until the credit card expires.
It seems that right now the system works "well enough" that the credit card companies are quite content to sit on their laurels and deal with fraud when it occurs, rather than trying to prevent it.
And why can't I specify something like "when I'm billed by a certain service provider, mail me the amount and authorize the payment automatically unless less than 28 days have passed since the last one or the amount is over $75"? Let's turn the rainforests into billions of paper bills and envelopes.
One word for you. (Score:2)
CASH!
Don't buy from a shady or grey-market vendor (Score:2)
For online purchases, use one-time cc numbers -- American Express and most Mastercard/Visa banks allow you to do this.
Single-Use Card Numbers? (Score:1)
Doesn't help very much with meatspace transactions, but for that just make sure you get all your receipts and stay away from shady businesses.
A laundry list (Score:5, Informative)
- keep control of all credit card receipts
- shred any promotional mailings you get for credit cards, or, better
- call the relevant credit agencies and have a lifetime "promotional block" put on your file so you won't be sent them
- keep control of your SSN. Don't give it to anyone who doesn't need it for employment or credit purposes. If someone is being a jackass, simply use "078-05-1120", which was a sample number printed on cards throughout the 40s. If you're in school, ensure they don't print it all over creation. - If you're really paranoid, you can tell the credit agencies to put your file on a "fraud watch". This will tell any lender who pulls your flie to verify your identity much more closely. Unfortunately, this burdens you.
Experian: 1-866-200-6020 http://www.experian.com
Equifax: 1-800-685-1111 http://www.equifax.com
Transunion: 1-800-888-4213 http://www.transunion.com
Global opt-out (promotional block): 1-888-5OPTOUT (888-567-8688)
Re:A laundry list (Score:2)
how it may be happening - skimming (Score:2)
The problem is ALL the details for the CC are on the mag stripe. Until we can make sure that smart card readers are available everywhere (including computer keyboards for on-line stuff) you'll always be able to snarf to details and make a duplicate card.
Also check your statements carefully everytime you have one. Then you'll spot any misuse ASAP and be able to report it.
Just my 2 pence worth
Re:how it may be happening - skimming (Score:3, Interesting)
In the months I was using that card I used it online once to pay my wireless phone bill. I also used it many times in restaurants, shops, and a hotel. I never lost the card and I still have my copy of the receipt for everything I charged on it. The fraud was in the form of people making long-distance calls using obscure phone companies with my card. I assume that someone got my cc number and expiration date and that these companies allowed them to make phone calls with that information.
Based on where the card was used I assume that someone working at one of the businesses I patronized stole my credit card number. With the current US system of a simple name, number, and date being enough information to use a credit card there isn't much that can be done to prevent this kind of theft. The use of PIN codes would help, but the entire US credit card system would have to be overhauled (new cards, new card readers, lots and lots of consumer education) at massive cost. I'm sure that we will move to a more secure system at some point in the future, but I'm guessing that the cost of the current levels of fraud to the credit card companies may not be high enough to make investing in a new system a high priority.
joe
Re:how it may be happening - skimming (Score:1)
Re:how it may be happening - skimming (Score:1)
The reason credit card companies are not worried about providing a more secure system is that they don't stand to loose anything if someone uses a fraudulent card... the cost is borne by the merchants and the consumers.
The same caution goes for the electronic fund transfers (sometimes initiated by a merchant "scanning" your check now)! These aren't checks anymore, and you are not afforded the same protections.
Read the disclosures from your bank... when it comes to electronic transfers, you don't have ANY real protection... think before lighting up the debit cards and electronic bill payments!
Re:how it may be happening - skimming (Score:1)
Another Reference (Score:2, Informative)
Good luck!
Cut your losses... (Score:2, Interesting)
The worst anyone can do to your check card number is overdraw your bank account. If you only transfer in money as you need it, they can't buy anything at all.
If you really need to spend money you don't have, plan ahead and get a small loan. Credit cards are a huge risk to your financial situation, and you don't have complete control of how merchants handle your credit card information.
Re:Cut your losses... (Score:2, Interesting)
Please read the fine print on using a check aka debit card vs a credit card to make sure you are covered for any fruad.
Local news did a story on people using check cards when buying gas. Even is is the purchase was for $20 they will place a hold charge of $50-$100 on the account to make sure the money is there so they will get paid. With a credit card, they can only tag the card for $1 to make sure it is a legit card.
Re:Cut your losses... (Score:2, Interesting)
Plus, you've put yourself through a lot of hassle trying to straighten out a huge mess. The point about using a debit card is that you're not losing much to begin with, so you can absorb the loss and remember to keep the balance lower next time. If you lost 200 dollars from your checking account, how does that compare to hours spent on the phone and writing letters, and possibly still ending up with thousands in losses?
And what is the problem with check cards and gas...just because your local news did a story on it doesn't mean the gas stations are doing something wrong. People's checking balances might be zero or less. If you authorize the card, someone pumps their gas, and then the balance is not enough to pay, what happens? I've only seen this at a few gas stations anyway, and they have this information posted on the pumps. The charge is there only while pumping the gas, and then it's corrected when you quit pumping. With credit cards, they don't have to take those precautions because most people don't try to use a maxed-out card to buy gas with.
Re:Using Check Card for Online Purchases (Score:3, Informative)
And since I'm posting anonymously only because I'm too lazy to create an account: linux1@williamrice.com
Re:Using Check Card for Online Purchases (Score:2, Interesting)
It would be like keeping all your money in your wallet, and then walking down a dark city street on the bad side of town.
Re:Using Check Card for Online Purchases (Score:1)
Re:Using Check Card for Online Purchases (Score:3, Informative)
Please do a little research of your own--the Electronic Funds Transfer Act limits consumer liability for ATM, debit, or check cards to 1) $50 if the card is lost or stolen and reported as such within 2 days; 2) $500 if the card is lost or stolen and reported as such within 60 days; 3) $500 for fraudulent purchases if they are reported within 60 days.
Moreover, Mastercard and Visa both limit check-card losses to the same $50 max as credit cards as a matter of corporate policy.
HR 445 is a bill in congress to limit liability to $50 in all cases of fraud; it's been tabled since 1999 as far as I know.
Sumner
Re:Using Check Card for Online Purchases (Score:1)
Re:Using Check Card for Online Purchases (Score:2)
The EFTA is federal law. See, in particular, the U.S. Code Title 15, Chapter 41, Subchapter VI, Section 1693g, "Consumer liability". and the rest of 15.41.VI.
In the U.S., "regions" or states can't override it, it applies everywhere and limits debit/check card liability as stated (for all cards, Visa/Mastercard or not).
The Visa/Mastercard policy obviously only applies to cards affiliated with those institutions.
Sumner
Note: "THAT" checking account (Score:2)
If your bank wants to charge you for an account, get another bank.
Virtual account numbers (Score:2)
Basically, you have an app with a secure connection, and everytime you want to use your card you can generate a one-time number. You can set a limit on it too. Even if the merchant's security sucks, no one can use that number again.
Having had to replace my cards after that Egghead fiasco a while back, this gives me at least a little more peace of mind.
What about when it's an inside job? (Score:3, Interesting)
AMEX dutifully blew off about seven months of phone calls and letters (complete with photocopies of the entire paper trail) from me, trying to get this rectified. I have never in my life encountered more rude, hostile, and unhelpful CSRs. They were actively attempting to thwart me at every turn, and when they finally forced me to do my own legwork and look into the accounts the balances had come from, I found they had lied to me quite often as well.
For all that lethargy, though, AMEX was mighty quick to release the 'trademark infringement' hounds when a web site at amexblew.com was created to relate my experience to others (The story that was there will become a part of my personal site in the very near future, if it was online right now I'd link to it).
I was preparing to sue them in anticipation of my credit being screwed when I finally managed to get this resolved in July of 2000 in the most bizarre way possible... an AMEX employee read my posts on another anti-AMEX web site, contacted me, and took care of almost everything. AMEX still insisted I pay a little under $40 that I absolutely did not owe, so I did. In pennies. Mailed to their CEO, with my pulverized card and a nasty, nasty letter.
To this day, I still don't know how those balance transfers managed to find their way into my brand-new account at the moment of its creation. You would think that if it had been just a really stupid data-entry mistake on their part, they'd own up to it and apologize for it-- but AMEX representatives said they would only disclose what happened if they were subpoenaed, which leads me to believe there were some internal monkeyshines going on.
Do yourself a favor and cancel your AMEX cards now, if you like having good credit.
~Philly
Re:What about when it's an inside job? (Score:1)
Last year, I was traveling across the country paying for all my gas with my amex. I didn't bother to call AMEX before i left so they called me on the road (they have my cell number) to make sure that I did in fact still have my card.
Sorry you had problems, but in my experience AMEX has been the best.
Re:What about when it's an inside job? (Score:1)
You rock.
Re:What about when it's an inside job? (Score:1)
however i work retail, and had i been the ceo when i received your mail i would send it right back being an equal ass. the penny is not legal tender.
Re:What about when it's an inside job? (Score:2)
The penny is legal tender. You are not required to accept legal tender, but if you don't state up front you won't, you are going to have a hard time justifying your position.
sPh
Re:What about when it's an inside job? (Score:2)
Furthermore, if they sent back my pennies, I would have then paid with a check written on a pair of underwear that were worn daily for one week, specifically for the purpose of getting them funky. And yes, it is possible to write a check on pretty much anything [bankrate.com], before you dispute that, too.
It is generally not wise to *really* piss me off, and AMEX did it in spades... first by screwing up my account in a way that could have damaged my credit, then by providing very poor customer service, and then by threatening legal action over my website without the apparent thought, "Gee, how did we anger this person so much that he went to the trouble to make this whole website to complain about us? Maybe we should talk to him and try to rectify the situation." No, they just did the typical, uncaring-huge-company routine and pointed the lawyers at me. My understanding that "these things happen" was gone by about the second month of trying to get them to straighten everything out.
~Philly
Re:What about when it's an inside job? (Score:1)
the more of an ass you are the shittier the treatment you'll get.
Re:What about when it's an inside job? (Score:2)
Use cash... (Score:1)
An answer to credit card fraud (Score:1)
I remember reading a while back, probably on Slashdot, that AMEX was experimenting with providing one-use credit card numbers to its customers for use on internet purchases, etc. I forget exactly the details of how all this would work.
I think something like this would be awesome to stop fraud. If the number is only valid for one transaction and then you get a new one, then the number sitting around waiting to be sponged off the internet by unscrupulous sorts wouldn't be of any use by they time they got their paws on it. Your transaction would have been completed and your real account information would be safe.
Drop credit cards (Score:3, Insightful)
Re:Drop credit cards (Score:2)
Of course, this was the US. I know that in the UK at one point they had a policy where if you caught someone using a card fraudulently you got a reward, and there some people are pretty strict about checking.
In the US, "Opt Out" for all financial accounts (Score:2)
I figure if I am receiving fewer offers, my information is going fewer places, and therefore can be abused in fewer places as well.
Not a huge gain, but at least it helps reduce the exposure a bit.
sPh
Looks like discover does it as well. (Score:1)
I haven't used it yet, but it looks like a pretty good deal. One time numbers, and it even fills them in for you. Now if only my Discover card was everywhere I wanted to be.
CC nubmers on statements (Score:2)
The other issuer smartly uses an account number that is different from the CC#, and the CC# appears nowhere on the statement. Any transactions using the account number must be confirmed with a password which only I and my bank know.
Why can't ALL credit card companies do this?