Your credit or debit card is safely tucked into your wallet (or sock drawer), and yet somehow, a thief managed to buy a stereo system with it. So, how can someone use your card when it never left your possession? We asked a couple of security experts how it’s done – and how to protect yourself.
Ways your card information gets swiped
The thief who used your card may not have had your physical card in hand. But he didn’t need it – in many cases, all thieves need is your card information to make transactions online or to clone a copy of your card. Ways card data gets stolen include:
1. A waiter took down your card info
You swear your card has never left your sight. But did you give your card to a waiter to pay for dinner? Hand over your card to someone at the drive-through window? In the few minutes or seconds your card was out of your hands, someone may have lifted your card data.
“It’s easy enough for them to write down the card number, and there are devices they can swipe the card through that will copy all the information on the magnetic stripe,” says Robert Siciliano, identity theft expert with BestIDTheftCompanies.com.
2. The retailer got hacked
If you store your card information on a retailer’s website for faster future transactions and that retailer gets hacked, your card information could fall into the hands of thieves.
You’re not completely protected if you avoid shopping online, either – remember the Target breach of 2013?
“You can say, ‘OK I’m never shopping online,’ but you’re still not safe,” says Christopher Budd, global threat communications manager with Trend Micro. “With Target, for instance, and the Hilton data breach, we know that people are putting malware on card readers and payment terminals.”
3. You ran your card through a skimmer
Thieves can install skimmers (small contraptions disguised to look like card readers) on fuel pumps and other unattended payment terminals. The unsuspecting customer runs the card through, and all the information gets lifted off and stored for thieves’ card-cloning pleasure.
Intrepid thieves have even targeted bank and credit union ATMs, Budd points out, citing the recent example of skimmers being installed on a Navy Federal Credit Union ATM just outside of Seattle.
“It’s not like you’re using the ATM at some sketchy 7-Eleven,” he says. “You’re in the lobby of the credit union.”
The thief has some of your information and uses it to gain your trust and scam other information (like your card data) out of you. It’s called social engineering, and these scams come in various forms, Siciliano says, including emails and phone calls.
“They might be posing as the IRS, a government agency, a retailer, a bank or a charity,” Siciliano says.
Even in the digital age, with great strides being made in cyber security, “calling people still works,” says Budd.
Budd says he got a call a couple of months ago with an automated message, supposedly from his credit union, claiming that his card had been compromised and instructing him to “press 1” to provide information about his account.
“It wasn’t really them,” he says. “If I’d pressed ‘1,’ I’d have been connected to what amounts to a criminal call center.”
5. Malware on your device
Any of your devices connected to the Internet (phones are just as vulnerable as PCs, Siciliano emphasizes) are vulnerable to malware designed to lurk in the background and collect information you type in.
“If your device is infected with malware, anything you do on your device, any site you visit and user names or passwords you type in, any email you send or receive, that data can be recorded,” Siciliano says. “So you plug in your credit card number into a site, and now they’ve got that.”
As for how your device got infected, maybe you downloaded an attachment in an email. Or, perhaps you picked it up while browsing a website thanks to your operating system or browser not being updated to the latest version with the latest security patches.
“That [malicious] software got on your computer somehow, and one of the main vectors these days is the tried and true, much-beloved Windows XP,” Budd says.
Will EMV keep you safer?
One of the latest developments in card security in the U.S. is the implementation of EMV chip technology. In some ways, this technology may decrease the chance that a thief can use your card data.
For example, the chip encrypts data in such a way that it’s practically useless if hackers compromise a retailer’s systems. Chipped cards are also harder to skim and clone.
However, many retailers’ card readers haven’t been upgraded to read chips, meaning cards are still being issued with the more-vulnerable magnetic stripes, which are still being swiped at terminals across the country.
“The full transformation from magnetic stripe cards to full-blown chip where nobody swipes is probably five years away,” Siciliano says.
And then there are online transactions. EMV technology works only against fraud in a card-present environment, not a card-not-present (i.e., online) environment. In countries that implemented EMV, online card fraud rose – to the tune of 79 percent in the U.K. in the years immediately following its EMV rollout.
“Hackers are like ants,” Budd says. “Move the cake, and the ants don’t just call it a day and go home, they follow the cake.”
How to protect yourself
Aside from cutting up your cards and sticking to cash, you can protect your card data by taking the following steps:
- Update: Make sure your PCs, phones and tablets (and all the browsers and apps you use on them) are up to date with the latest antivirus protection.
“Anything you do online transactions with, you want it to be up to date, with the latest version of the operating system and the latest version of all the apps,” Budd says.
- Be wary of unsolicited emails and phone calls asking for card information: Some fraudulent calls and emails can be quite convincing, but protecting yourself from phishing scams is simple. Rather than clicking on a link in an email or cooperating with instructions in a phone call, immediately disengage and contact your bank via the number on the back of your card.
“Never give critical personal information on any line of communication that you haven’t initiated yourself with what you know to be a valid method of contact for your financial institution,” Budd says.
- Check your paper statements: Comb them for suspicious charges and contact your bank if you spot any. It will re-issue your card with a different number, so thieves can’t keep running up charges. Checking online statements works too, but Budd points out that banking malware discovered in Europe can even alter the way your statement displays in your browser to hide fraudulent transactions.
- Consider real-time credit monitoring: If you’re not checking up on a card in your sock drawer, you may never know that a thief has maxed it out – unless you’re monitoring your credit reports for delinquencies. Various services will do this for you and alert you to anomalies.
“It’s not going to prevent something bad from happening,” Budd says. “But at least you know something bad has happened, so you can react quickly.”
Even if you take all the above precautions, if you use your card at all, there’s no surefire way to prevent your information from getting stolen.
“Yes, you can install antivirus software,” Siciliano says. “Yes, you can update your operating system with the critical security patches. Yes, you can be aware of phishing scams and not respond to them. But the reality is, you’re still going to plug your card number into a website. You’re still going to hand it over at a restaurant. Every time you take it out, there’s a possibility it’ll be compromised.”