New credit cards being mailed out “live” raises security concerns

Walter B. McKenzie_digital vision_GettyImages

You know the drill. When a new credit card arrives in the mail, you have to activate it before you use it. That means calling the number or visiting the website on the sticker and then entering the account number and other verification information.

But some consumers are reporting that they’ve received live, sticker-less cards in the mail; these pre-activated cards are usable straight out of the envelope. One of our employees received the Chase Sapphire Reserve pre-activated, for example.

We reached out to issuers to learn about their policies – and to identity-theft experts to see how worried you should be about a live card landing in your mailbox.

Why pre-activated cards could be a security concern

If you can use the card straight out of the envelope no questions asked, so can a thief. And mail theft is a risk, especially in certain parts of the country, says Robert Siciliano, personal security and ID theft expert and CEO of IDTheftSecurity.com.

“That scenario [of pre-activated cards being mailed out] is alarming, due to the fact it doesn’t require the cardholder at any point to verify they actually received it,” Siciliano says. “Which would allow a criminal who steals your mail to go out and max out the card with little effort.”

But how would a thief know you’re about to receive a new card? They don’t have to, says identity theft expert Steve Weisman, founder of Scamicide.com and professor at Bentley University. They’re already out there, rooting through your mail. Imagine their joy if they find a pre-activated card.

“The identity thieves are looking for card statements and bank statements, all kinds of stuff,” Weisman says. “Then they open the mailbox, and it’s like Christmas morning.”

Why issuers may send out pre-activated cards

Given the risk that they’re funding a mail-thief’s shopping spree, you may wonder why banks send out ready-to-use cards.

It’s likely the result of cost-risk analysis, Siciliano says. The bank wants its cardholders to be able to use its cards with little effort, both to please the customer and because it makes money off of every transaction via interchange fees. If you can’t recall the last four digits of your Social Security number, simply don’t want to spend a couple minutes activating your new card, or encounter technical failures during the activation process, you might reach for another card to purchase those expensive plane tickets you’ve been meaning to buy.

“Some algorithm somewhere figured out [sending out pre-activated cards] is the most effective way,” Siciliano says. “They’ve made it as easy as possible for a consumer who’s as clueless as possible to go ahead and make charges without further authentication.”

But convenience shouldn’t outweigh security, both Siciliano and Weisman say.

“It’s a wonderful convenience for people too lazy to pick up the phone and it’s a real convenience for identity thieves,” Weisman says.

Issuers’ policies

We reached out to most of the major U.S. issuers and asked about their policies regarding pre-activated cards.

Bank of America, Discover and Wells Fargo wrote back and told us they never send out pre-activated cards. Chase didn’t indicate whether or not they send out pre-activated cards, but a spokeswoman emphasized that if a pre-activated card were to be used by a thief (or someone who accidentally got the cardholder’s mail), the cardholder would not be responsible for those charges. “We would immediately remove [the charges] and run them through our fraud group for verification,” she said.

Indeed, consumers have protection against fraudulent charges, thanks to laws and most major banks’ voluntary policies. The law (the Fair Credit Billing Act, in this case) caps a consumer’s liability at $50 in unauthorized charges made before the consumer reports the card theft to the bank. On top of that, most major banks generally offer what’s called zero-liability protection, which holds the consumer responsible for nothing, even if the fraudulent charges were made before the consumer reported the theft.

What’s the big deal if you get refunded anyway?

Zero-liability protection does not mean zero questions asked. The bank may immediately reverse the charges you reported, but that reversal is not necessarily permanent. The bank is doing its own investigation to determine if a thief really made the charges. It might want you to file a police report, which you might not want to do if, say, it was a family member who took your pre-activated card out of the mailbox. Waiting too long to report fraudulent charges may also complicate your case, Siciliano says, even if the reason it took you so long was because you thought the card hadn’t even arrived yet.

“With fraud, consumers have to understand they are guilty until proven innocent,” Siciliano says. “In the end, it is up to the consumer to refute those unauthorized transactions.”

Even if the charges are expeditiously resolved and the bank sides with you, you’ve spent time sorting out the issue and waiting for the new card to come in the mail. That’s more time wasted than the bank tried to save you by sending out a pre-activated card, Weisman points out.

“What you have is unnecessary inconvenience,” Weisman says. “At the absolute best, you have to report it and explain those charges and answer to them.”

And all that money the bank refunded you? It comes out of everyone’s pocket indirectly, Weisman says.

“When the banks say the consumer has no risk here because they won’t be held liable, it’s disingenuous because, ultimately, identity theft gets passed on to us in the form of greater costs and fees,” Weisman says.

How to protect yourself

One solution is a locking mailbox, which can be purchased for $50 to $100, Siciliano says. The postal carrier can deposit the mail in a slot, but a key is needed to retrieve the mail.

Another solution is immediate vigilance. As soon as you see the “You’ve been approved!” email from the bank, go to its website and set up online banking. Get the bank’s app, too. Then sign up for every security alert available to you.

“Sign up for alerts on transactions proactively,” Siciliano says. “That will keep you in tune with regards to card activity.”

 
Comments

I also received a live Sapphire Reserve. It arrived via overnight delivery and was just left on my door step. Luckily I got it first!