Slashdot Mirror
Preventing Identity Theft and Credit Card Fraud?
carefulCredit asks: "I just checked my AMEX balance, and found around $13k in fraudulent charges. Fortunately, AMEX makes it relatively easy to get a new card and the charges revoked, but this is the second time I've had this type of problem. It's clear to me that the steps I've taken to prevent fraud are inadaquate. (reduced number of cards, restricted availability of some funds, increased vigilence in not allowing CC slips to display the full card #, etc). What measures have any of you taken, or can you suggest, to help put a lid on this problem and to help prevent repeats?"
A big problem that's had very little attention (at least here in the UK) is the habit of POS hardware manufacturers to print all the credit card data on the receipts produced by a transaction. Have a look in your wallet for a receipt from a card transaction - there's a good chance that it's got your full card number, your name, the expiry date - everything needed to make a transaction using that card account.
So, make sure you know what happens to your receipts - don't just throw them away, make sure they're destroyed. And hassle retailers that still print the full card details on those bits of paper. A lot of companies are beginning to work out how dumb it is, but POS hardware turnover is slow, and a lot of stores are still reckless with your personal information.
It seems to me that the weakest link in an e-commerce transaction today (or perhaps always) is the company itself. It's doubtful that somebody is intercepting SSLv3 or TLSv1 128-bit communications, but if the company is storing this data in a MySQL db with no firewall, no password, et cetera, you may as well be posting your account info in you Slashdot sig.
The problem is that there's really no way for you to determine this beforehand. If you portscan www.store.com or whatever it is you might end up in some trouble, depending how much of an ass the sysadmin is.
Another risk factor for which you're totally unable to account is the employees at the company. You have no idea whether or not Joe Schmoe that's reading your order is honest or dishonest. Maybe he's a disgruntled employee and is sending himself all of the customers' account info to later blackmail the company.
Like I said, there's really nothing you can do to determine this stuff in advance. Of course, everything I've said here assumes that your CC info was stolen from an e-commerce store, which may or may not be the case. But similar problems exist for brick-and-mortar stores -- if they toss their copy of the receipt right into the trash or have a disgruntled employee, you're at just as much risk, and have just as little chance of knowing so beforehand.
rooooar
Let's see: the world is divided into two groups: those who have my credit card details and can help themselves to as much of my money as they want, and those who don't.
This, of course, is completely ridiculous. I should be able to authorize a transaction without implicitly trust the other party until the credit card expires.
It seems that right now the system works "well enough" that the credit card companies are quite content to sit on their laurels and deal with fraud when it occurs, rather than trying to prevent it.
And why can't I specify something like "when I'm billed by a certain service provider, mail me the amount and authorize the payment automatically unless less than 28 days have passed since the last one or the amount is over $75"? Let's turn the rainforests into billions of paper bills and envelopes.
CASH!
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
It's probaly the same place using your card. Make sure to file a complaint with your local police department and stop shopping at porn sites or shady vendors.
For online purchases, use one-time cc numbers -- American Express and most Mastercard/Visa banks allow you to do this.
Conformity is the jailer of freedom and enemy of growth. -JFK
- check your credit report 1x per year. This may be free in the state you live in. This is vital, and the most worthwhile thing you can do.
- keep control of all credit card receipts
- shred any promotional mailings you get for credit cards, or, better
- call the relevant credit agencies and have a lifetime "promotional block" put on your file so you won't be sent them
- keep control of your SSN. Don't give it to anyone who doesn't need it for employment or credit purposes. If someone is being a jackass, simply use "078-05-1120", which was a sample number printed on cards throughout the 40s. If you're in school, ensure they don't print it all over creation. - If you're really paranoid, you can tell the credit agencies to put your file on a "fraud watch". This will tell any lender who pulls your flie to verify your identity much more closely. Unfortunately, this burdens you.
Experian: 1-866-200-6020 http://www.experian.com
Equifax: 1-800-685-1111 http://www.equifax.com
Transunion: 1-800-888-4213 http://www.transunion.com
Global opt-out (promotional block): 1-888-5OPTOUT (888-567-8688)
While I won't go as far as the other person who replied to this post, you are indeed somewhat misguided. Although not buying online is perhaps the only 100% solution, akin to abstinence for some people, the use of single-card credit card numbers has made me feel significantly safer about purchasing items online, which I do often.
Sites that I trust (big vendors with reputable histories) get my real credit card number, so that I can buy things instantly from them, but that's only a select few. All of the rest get single-use numbers that are no good for any transactions but that one. Both Visa and Discover support this technology - Visa's version is ShopSafe, while Discover's is Discover Deskshop, both of which are free tools.
Although I buy things frequently, my buying patterns have so far never resulted in my cc info being compromised, and I hope to keep it that way. The biggest scare I ever got was when Egghead admitted to having had cc's stolen, if anyone remembers that story. But mine must not have been one of the ones that they got.
Please subscribe to see the more insightful version of th
Thanks for the stinging reply. :-/
The problem with online trading is simple:
All transactions (of any sort, and since time began) are based on trust - "I trust that what you're giving me is worth what I'm giving you in exchange"; "I trust that the money you're paying with isn't forged"; "I trust that you won't write down my card number and buy stuff with it yourself."
Unfortunately, over the internet it becomes much harder to know who to trust, and much easier for crooked individuals to make themselves appear trustworthy.
In addition, current credit cards have only one (very weak) barrier against unauthorised use - the signature - and this is bypassed in online trading. In short, once someone has your name and card number, they can buy anything online, especially if the things they're buying don't need to be delivered (some stores will check the delivery address, but not everyone does this).
The bottom line is that as long as you trust the person or company you're dealing with, no problem. But are you sure they really are trustworthy? As I said already, this applies in all arenas of trade, but the lack of personal contact makes it much harder to judge.
(Spudley Strikes Again!)
But I don't understand why they don't require merchants to mask out the card # and other sensitive info on the credit card slips.
IIRC, this topic came up a few months ago. California consumer protection laws require merchants to shield all but the last 4 digits. Dont know what other states (if any) mandates this. I do know that a lot of merchants already do this on their own, often out of a desire to protect their customers, but others are national chains with stores in CA.
You could send a letter of complaint to the restaurant you were at when the busboy got your CCN, telling them about your experience and recommending a system that hides the first 12 digits. Find out if your state has a law like CA's, and if so, mention that. If it turns out there is a law, consider pressing charges for negligence of that law, or inform the state if you dont want to go through with a suit and let them handle it. You might be surprised how they handle it given that $13k was put at stake here.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
IMHO CC fraud is still happening as its always done, manually. Ie you give you card to pay for something and a tellor then swipes the card on the till and also his small collector under the desk. They then sell on the details...
The problem is ALL the details for the CC are on the mag stripe. Until we can make sure that smart card readers are available everywhere (including computer keyboards for on-line stuff) you'll always be able to snarf to details and make a duplicate card.
Also check your statements carefully everytime you have one. Then you'll spot any misuse ASAP and be able to report it.
Just my 2 pence worth
Why doesn't AMEX make it harder?
i used to work as a cashier and i know that every time amex or another of the cc companies tried to force ID checking or something like that, there was always a large percentage of customers who would complain that they didn't have to show ID at the other stores, why should they show it at this one?
I've even been guilty of it myself everytime i gave my cc to my girlfriend to buy something at the corner store and she wasn't asked for ID, i'd wonder how much i could get taken for if my wallet got lost and i didn't realize it. but then when i go shopping at that same store i used to work at they now require that i actually pull out my driver's license to show it to them, and i get annoyed at the inconvenience of it all..
Free Webmail
Good luck!
I'm not sure what the secret to success is, but the secret to failure lies in trying to please everyone -Bill Cosby
...don't use a credit card. I use a check card for all online purchases, which means that all anyone can get is what I have in that checking account. You may have a huge amount of difficulty proving that you didn't make those charges, and you could be saddled with $10,000 of debt and years of bad credit, even bankruptcy.
The worst anyone can do to your check card number is overdraw your bank account. If you only transfer in money as you need it, they can't buy anything at all.
If you really need to spend money you don't have, plan ahead and get a small loan. Credit cards are a huge risk to your financial situation, and you don't have complete control of how merchants handle your credit card information.
...
Citibank offers virtual account numbers. Don't know if it works under WINE.
Basically, you have an app with a secure connection, and everytime you want to use your card you can generate a one-time number. You can set a limit on it too. Even if the merchant's security sucks, no one can use that number again.
Having had to replace my cards after that Egghead fiasco a while back, this gives me at least a little more peace of mind.
I had some serious problems with American Express a couple years ago. In late 1999, I applied online for one of their then-new Blue cards, and my first bill included over $12K in balance transfers from accounts that weren't mine.
AMEX dutifully blew off about seven months of phone calls and letters (complete with photocopies of the entire paper trail) from me, trying to get this rectified. I have never in my life encountered more rude, hostile, and unhelpful CSRs. They were actively attempting to thwart me at every turn, and when they finally forced me to do my own legwork and look into the accounts the balances had come from, I found they had lied to me quite often as well.
For all that lethargy, though, AMEX was mighty quick to release the 'trademark infringement' hounds when a web site at amexblew.com was created to relate my experience to others (The story that was there will become a part of my personal site in the very near future, if it was online right now I'd link to it).
I was preparing to sue them in anticipation of my credit being screwed when I finally managed to get this resolved in July of 2000 in the most bizarre way possible... an AMEX employee read my posts on another anti-AMEX web site, contacted me, and took care of almost everything. AMEX still insisted I pay a little under $40 that I absolutely did not owe, so I did. In pennies. Mailed to their CEO, with my pulverized card and a nasty, nasty letter.
To this day, I still don't know how those balance transfers managed to find their way into my brand-new account at the moment of its creation. You would think that if it had been just a really stupid data-entry mistake on their part, they'd own up to it and apologize for it-- but AMEX representatives said they would only disclose what happened if they were subpoenaed, which leads me to believe there were some internal monkeyshines going on.
Do yourself a favor and cancel your AMEX cards now, if you like having good credit.
~Philly
heh
I had a part time job in a supermarket here in the UK. You wouldn't belive the number of customers that would leave thair shopping recipt and credit card recipts in the shopping trollys [ US'ians --> shopping cart] once they had packed up thair shopping.
Chasing after the customers and giving them thair recipt expaining why this was a bad thing just got you a black look. (One fuckwit even thought I was having a go at him for littering the shopping trolly with his credit card recipt!)
The reason most supermarkets now dont print all the didgits of the card number is because people were collecting CC recipts from shopping trollys and from around the car parks after closing time. Most other retailers (to my knowlage) havent yet followed suit.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Please, do a little research before you use a debit card or check card, for any purchases! While federal U.S. law limits your liability for fraudulent credit card purchases to $50, there is no legal limit for fraudulent use of your debit/check card. If you keep more than $50 in your checking account, you stand to lose a lot more than with a credit card. Also, if you have overdraft protection for your debit/check card, the perpetrator can not only wipe out your account but also put you into deep debt. Check with your bank about exactly what your liability is before using a debit/check card for any purchases.
And since I'm posting anonymously only because I'm too lazy to create an account: linux1@williamrice.com
Exactly why you have a checking account set up for this purpose, with no overdraft protection. No one should be stupid enough to keep their life savings in a checking account, anyway.
It would be like keeping all your money in your wallet, and then walking down a dark city street on the bad side of town.
...
Do you eat in resturants? Read George Orwell's Down and Out in Paris and London for a description of the amount of trust you are putting in the kitchen. If you want something more recent, I could tell you some stories about when I worked at the grocery store. Maybe better not.
Personal anecdotes are not a substitute for statistics, but I have not observed a greater percentage of bad transactions on-line compated to in person.
sPh
whenever possible. When I realized that by simply including your picture on your credit cards almost 100% of in person theft could be eliminated, and yet visa and mastercard had not mandated them I came to the conclusion that they were not serious about stopping theft. The cost per card can't be more than $2 max, and probably more like 50 cents to add a small picture, yet it is not mandatory. There would still be online and telephone fraud, but those are easier to catch.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
If your bank wants to charge you for an account, get another bank.
fencepost
just a little off
Please, do a little research before you use a debit card or check card, for any purchases! While federal U.S. law limits your liability for fraudulent credit card purchases to $50, there is no legal limit for fraudulent use of your debit/check card.
Please do a little research of your own--the Electronic Funds Transfer Act limits consumer liability for ATM, debit, or check cards to 1) $50 if the card is lost or stolen and reported as such within 2 days; 2) $500 if the card is lost or stolen and reported as such within 60 days; 3) $500 for fraudulent purchases if they are reported within 60 days.
Moreover, Mastercard and Visa both limit check-card losses to the same $50 max as credit cards as a matter of corporate policy.
HR 445 is a bill in congress to limit liability to $50 in all cases of fraud; it's been tabled since 1999 as far as I know.
Sumner
rage, rage against the dying of the light
I figure if I am receiving fewer offers, my information is going fewer places, and therefore can be abused in fewer places as well.
Not a huge gain, but at least it helps reduce the exposure a bit.
sPh
That's a ridiculous suggestion. I've purchased hundreds of products and services online over the past few years and I've only had a single instance of fraud (someone got my number and racked up over $600 in charges from Victoria's Secret of all places). Considering the number of times I've given out various credit card numbers online, versus a single incident of fraud, I'd say that avoiding online shopping is going seriously overboard.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Two of my credit card issuers include the credit card number as the account number on my statement. They also want me to write the account number (that is, the credit card number) on my check. So when Vinny comes and rifles thru the mail, not only does he get the CC#, he gets my bank account along with it.
The other issuer smartly uses an account number that is different from the CC#, and the CC# appears nowhere on the statement. Any transactions using the account number must be confirmed with a password which only I and my bank know.
Why can't ALL credit card companies do this?
Give me my freedom, and I'll take care of my own security, thank you.
check YOUR sources first. Mastercard and Visa may cover that but a LOT of financial institutions issue cards of their own that are not affiliated with V/MC. and some regions/states do not allow for limitations on losses.
The EFTA is federal law. See, in particular, the U.S. Code Title 15, Chapter 41, Subchapter VI, Section 1693g, "Consumer liability". and the rest of 15.41.VI.
In the U.S., "regions" or states can't override it, it applies everywhere and limits debit/check card liability as stated (for all cards, Visa/Mastercard or not).
The Visa/Mastercard policy obviously only applies to cards affiliated with those institutions.
Sumner
rage, rage against the dying of the light
Just set up a checking account with a debit card and keep the balance near zero, only transferring funds into it when you're getting ready to use it.
I see even classic Slashdot is now pretty much unusable on dial up anymore.