Whether your plastic expired, or your issuer replaced it due to a data breach, you’ve now got a defunct debit or credit card – and a new one on the way in the mail. The prevailing wisdom says to cut up your old card and scatter the remains to the ends of the earth. But why? Depending on the circumstances, the new card could have a different expiration date, card security code and possibly account number. So, if you can no longer use the card, how could a thief?
The short version: A thief might not be able to pluck a card from the trash and go straight to the mall. But it’s the first piece of a puzzle that, when assembled, can allow a thief to buy things online and in-store.
Expired cards vs. cards replaced for other reasons
How much useful information is on a tossed card depends on the circumstances that led to its replacement. According to Vanderhoof, policies vary by issuer, but, with an expired card, the issuer will likely issue a card that bears the same account number but a new expiration date and card security code.
When it comes to cards replaced due to theft or fraud, you can generally expect the account number on the front to be different. Things can vary if, for example, you requested a replacement due to a misplaced card (rather than a stolen one), Siciliano says. In that case, the issuer might mail you a card with the same account number on the front, but a different security code and new expiration date, just as if the card expired.
Incomplete information may not stop thieves
Whatever the circumstances, your old card will have some outdated information on it. But that won’t thwart the most determined thieves.
If a thief takes an expired card straight to the store, they may be out of luck.
“The store would know it’s expired based on the information on the magnetic stripe,” Siciliano says. “The magnetic stripe handles the card data. Upon swiping, the point-of-sale software would determine that it’s an expired card, and the transaction wouldn’t go through.”
Still, a thief might be able to get around this by cloning the magnetic stripe (even cards with EMV smart chips still have magnetic stripes in the U.S.) and creating a new card – or a bunch of new cards – with a new expiration date. Vanderhoof points out that new expiration date will often share the same month as the old one, so thief would simply have to add a few years onto it and make a lucky guess.
And thieves might not need that much luck.
“All they need to do, really, is clone a dozen cards with a dozen different expiration dates, and as long as one of them is valid, it’ll work,” Siciliano says. “And the expiration date doesn’t necessarily even have to match. It just has to not be expired.”
Even if the thief gets your expiration date, online transactions present another security hurdle for thieves – the card security code (aka the CVV, CSC or CV2). Not all online retailers require this code, however, Siciliano says. And if the thief really wants to make purchases from one that does, there’s a way to get that information: phishing. If a thief has already been rifling through your trash, they could have your phone number or email address. The card gives them the name of your bank, which they can then impersonate when they contact you. They can then phish for the other information they still need to make online transactions or clone your card – such as the card security code or the card number if that’s changed.
“The idea would be to socially engineer the cardholder,” Siciliano says. “They can pretend they’re an entity you know you can trust, such as your bank or credit card company. Once they complete the puzzle, they can clone the card. And now they have a full-blown version of your credit or debit card.”
Prevention and protection
Both Vanderhoof and Siciliano recommend completely destroying an old credit or debit card. Siciliano recommends a cross-cut shredder.
“But even then, you don’t necessarily want to throw all of it into the same bin,” he says. “Put some in one trash bin and the rest in another trash bin. People can put puzzles together.”
The next layer of defense is being wise to phishing scams. If you get an email or phone call that seems to be from your bank presenting some of your card information and prompting you to respond with more card-related information, be suspicious, Siciliano says. In communications with your bank, you might be asked identity-verification and knowledge-based questions (such as previous address or mother’s maiden name), “but they’re not going to ask for your CV code, they’re not going to ask for your expiration date,” Siciliano says. “Any incoming call, any incoming email, you are not to give out that data.”
The best tactic when someone claiming to be from your bank contacts you, Siciliano says, is to simply hang up or ignore the number provided in the email, and instead dial the number printed on the back of your card.
If you’ve thrown away an intact card and think you may have fallen victim to phishing, reporting your concerns to the card issuer is probably prudent, but vigilance is your final layer of protection. Use online or mobile banking to check your account every day and comb the transaction history for anything suspicious. It can also be helpful to set up text notifications with your various accounts every time there a transaction is made, immediately alerting you to any unauthorized activity.
“People are checking their Facebook accounts 10 times a day,” Siciliano says. “You can check your mobile banking once, right?”
If you become aware of anything suspicious, even if it involves a tiny, inconsequential charge, immediately contact your issuer – whether you’re refunded or on the hook for a certain amount depends on the type of transaction, whether it was made with a debit or credit card, how long ago it was made as well as on the issuer’s own policies (Read up on your protections here).