Preventing Identity Theft and Credit Card Fraud?
carefulCredit asks: "I just checked my AMEX balance, and found around $13k in fraudulent charges. Fortunately, AMEX makes it relatively easy to get a new card and the charges revoked, but this is the second time I've had this type of problem. It's clear to me that the steps I've taken to prevent fraud are inadequate. (reduced number of cards, restricted availability of some funds, increased vigilance in not allowing CC slips to display the full card #, etc). What measures have any of you taken, or can you suggest, to help put a lid on this problem and to help prevent repeats?"
It seems to me that the weakest link in an e-commerce transaction today (or perhaps always) is the company itself. It's doubtful that somebody is intercepting SSLv3 or TLSv1 128-bit communications, but if the company is storing this data in a MySQL db with no firewall, no password, et cetera, you may as well be posting your account info in your Slashdot sig.
The problem is that there's really no way for you to determine this beforehand. If you portscan www.store.com or whatever it is you might end up in some trouble, depending how much of an ass the sysadmin is.
Another risk factor for which you're totally unable to account is the employees at the company. You have no idea whether or not Joe Schmoe that's reading your order is honest or dishonest. Maybe he's a disgruntled employee and is sending himself all of the customers' account info to later blackmail the company.
Like I said, there's really nothing you can do to determine this stuff in advance. Of course, everything I've said here assumes that your CC info was stolen from an e-commerce store, which may or may not be the case. But similar problems exist for brick-and-mortar stores -- if they toss their copy of the receipt right into the trash or have a disgruntled employee, you're at just as much risk, and have just as little chance of knowing so beforehand.
rooooar
- check your credit report 1x per year. This may be free in the state you live in. This is vital, and the most worthwhile thing you can do.
- keep control of all credit card receipts
- shred any promotional mailings you get for credit cards, or, better
- call the relevant credit agencies and have a lifetime "promotional block" put on your file so you won't be sent them
- keep control of your SSN. Don't give it to anyone who doesn't need it for employment or credit purposes. If someone is being a jackass, simply use "078-05-1120", which was a sample number printed on cards throughout the 40s. If you're in school, ensure they don't print it all over creation.
- If you're really paranoid, you can tell the credit agencies to put your file on a "fraud watch". This will tell any lender who pulls your file to verify your identity much more closely. Unfortunately, this burdens you.
Experian: 1-866-200-6020 http://www.experian.com
Equifax: 1-800-685-1111 http://www.equifax.com
Transunion: 1-800-888-4213 http://www.transunion.com
Global opt-out (promotional block): 1-888-5OPTOUT (888-567-8688)
I can attest to the fact that manual theft in the real world is still alive and well. I recently had to replace a card that was only two months old because of fraudulent use.
In the months I was using that card I used it online once to pay my wireless phone bill. I also used it many times in restaurants, shops, and a hotel. I never lost the card and I still have my copy of the receipt for everything I charged on it. The fraud was in the form of people making long-distance calls using obscure phone companies with my card. I assume that someone got my cc number and expiration date and that these companies allowed them to make phone calls with that information.
Based on where the card was used I assume that someone working at one of the businesses I patronized stole my credit card number. With the current US system of a simple name, number, and date being enough information to use a credit card there isn't much that can be done to prevent this kind of theft. The use of PIN codes would help, but the entire US credit card system would have to be overhauled (new cards, new card readers, lots and lots of consumer education) at massive cost. I'm sure that we will move to a more secure system at some point in the future, but I'm guessing that the cost of the current levels of fraud to the credit card companies may not be high enough to make investing in a new system a high priority.
joe
I had some serious problems with American Express a couple years ago. In late 1999, I applied online for one of their then-new Blue cards, and my first bill included over $12K in balance transfers from accounts that weren't mine.
AMEX dutifully blew off about seven months of phone calls and letters (complete with photocopies of the entire paper trail) from me, trying to get this rectified. I have never in my life encountered more rude, hostile, and unhelpful CSRs. They were actively attempting to thwart me at every turn, and when they finally forced me to do my own legwork and look into the accounts the balances had come from, I found they had lied to me quite often as well.
For all that lethargy, though, AMEX was mighty quick to release the 'trademark infringement' hounds when a web site at amexblew.com was created to relate my experience to others (The story that was there will become a part of my personal site in the very near future, if it was online right now I'd link to it).
I was preparing to sue them in anticipation of my credit being screwed when I finally managed to get this resolved in July of 2000 in the most bizarre way possible... an AMEX employee read my posts on another anti-AMEX web site, contacted me, and took care of almost everything. AMEX still insisted I pay a little under $40 that I absolutely did not owe, so I did. In pennies. Mailed to their CEO, with my pulverized card and a nasty, nasty letter.
To this day, I still don't know how those balance transfers managed to find their way into my brand-new account at the moment of its creation. You would think that if it had been just a really stupid data-entry mistake on their part, they'd own up to it and apologize for it-- but AMEX representatives said they would only disclose what happened if they were subpoenaed, which leads me to believe there were some internal monkeyshines going on.
Do yourself a favor and cancel your AMEX cards now, if you like having good credit.
~Philly
Please, do a little research before you use a debit card or check card, for any purchases! While federal U.S. law limits your liability for fraudulent credit card purchases to $50, there is no legal limit for fraudulent use of your debit/check card. If you keep more than $50 in your checking account, you stand to lose a lot more than with a credit card. Also, if you have overdraft protection for your debit/check card, the perpetrator can not only wipe out your account but also put you into deep debt. Check with your bank about exactly what your liability is before using a debit/check card for any purchases.
And since I'm posting anonymously only because I'm too lazy to create an account: linux1@williamrice.com
whenever possible. When I realized that by simply including your picture on your credit cards almost 100% of in-person theft could be eliminated, and yet Visa and Mastercard had not mandated them, I came to the conclusion that they were not serious about stopping theft. The cost per card can't be more than $2 max, and probably more like 50 cents to add a small picture, yet it is not mandatory. There would still be online and telephone fraud, but those are easier to catch.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Please, do a little research before you use a debit card or check card, for any purchases! While federal U.S. law limits your liability for fraudulent credit card purchases to $50, there is no legal limit for fraudulent use of your debit/check card.
Please do a little research of your own--the Electronic Funds Transfer Act limits consumer liability for ATM, debit, or check cards to 1) $50 if the card is lost or stolen and reported as such within 2 days; 2) $500 if the card is lost or stolen and reported as such within 60 days; 3) $500 for fraudulent purchases if they are reported within 60 days.
Moreover, Mastercard and Visa both limit check-card losses to the same $50 max as credit cards as a matter of corporate policy.
HR 445 is a bill in Congress to limit liability to $50 in all cases of fraud; it's been tabled since 1999 as far as I know.
Sumner
rage, rage against the dying of the light