Slashdot Mirror
Ask Slashdot: How Do You Keep Your Credit Card Secure?
It's easy to pontificate about the best security practices -- but the real test is what we do with our own money. Long-time Slashdot reader Keybounce writes:
So, like most of you, I recently got a new credit card with a chip in it. I was not worried about that -- I know the chips are harder to copy and counterfeit. But I recently discovered that the card is also a radio card -- swiping it near the screen caused an message to show up on the reader. In this case, it told me to use the chip reader instead, but this means it has an active radio signal, and could be "hacked" -- stolen by someone with the right device.
How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?
At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PIN numbers altogether and now validate with only an electronic signature). Is the answer to just use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?
So leave your own answer in the the comments. How are you keeping your own credit card secure?
How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?
At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PIN numbers altogether and now validate with only an electronic signature). Is the answer to just use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?
So leave your own answer in the the comments. How are you keeping your own credit card secure?
I could care less. If I see fraudulent transactions I call AmEx and I get a replacement card next morning. No need for me to go out of my way to keep a card that provides access to someone else's money secure.
I don't bother. The number of attacks in the wild is still essentially zero, and I'm indemnified against all loss. It might be inconvenient, but it's not a loss. So it's not worth my time and trouble guarding against.
I might worry about it if I were to go to the Olympics or something else with lots of international tourists, the best ones to skim, but for regular everyday use, the chance of you being skimmed rounds to zero, and if it does happen, you are blameless.
Learn to love Alaska
The 16-digit system is ridiculous. If you're going to use your card online, or in restaurants, etc. your card number is quasi-public.
Two of my cards have an option which sends email and/or SMS and/or app-notifications upon every transaction, accepted or denied.
I caught a bogus attempted charge last month - this saved a lot of exposure & aggravation. It also informed me last week when my personal activity caused my card to be suspended ( several international charges, different countries in the same hour). CapitalOne, Discover, & Chase offer this, and I assume some other competitors do so as well.
Honestly, the best you can do is to use a system (like Apple Pay) that uses a device specific PAN for your transactions.
Or you could use a PIN, with is how chip+pin was designed to be used, and how it is used in other countries that have far less CC fraud than America.
Bus passes, tickets or tokens have always worked just fine for me. Buy them at the lottery counter or the drug store. There certainly is no need for credit card processing on the bus. Like the driver has time to manage that. They don't sell tickets or passes on our buses here, exact change, pass or tickets only. They're bus drivers, not cashiers.
If a restaurant will only take credit cards. that's their loss. I won't eat there, and they'll be paying higher transaction fees than if they took cash or debit.
There simply is no need for credit cards. The liability is just too high a risk. Not to mention that the interest rates are usury.
(P.S. when I say cash, I also mean bank/debit card with "tap-to-pay" disabled on the account, you'll need to make solid electrical connection with the gold contacts on my bank card to perform any transaction, and you'll also require my 8 digit pin.)
Sheesh. Apparently you omitted the part where you hire an armed security force and an assistant who carries your cash in a briefcase handcuffed to his wrist.
No way I would live that way. Keep most of your money in an account separate from the one you pay stuff out of day to day. That should do it.
Better known as 318230.
Yeah, you're a paranoid fuckwit. Bank with a non-abusive company and don't be a dumbass.
If you're using a bank, you're using an institution that is probably trying to fuck you. Don't do that. Pick a local credit union instead. Better service, better rates, less ass-fucking. My wife and I both push a monthly amount to a joint account which is tied to our bills and debit cards. I noticed fraud on that account recently. Went to the credit union at lunch, told them that I didn't know what card it was on, they figured it out, (mine) put the money back, shredded the card, printed me a new one, and I walked out of there 15 minutes later.
Their online banking is the shit. We do our banking through their portal most of the time. And that includes their free, scheduled, repeating if necessary bill payments where they format a check with your account number on it and mail it out. And do electronic transfers with some companies. "Only use checks" lol, how quaint. We have our payees set up in the web portal. Log in, click "Utilities", enter the amount, click send. Done. Check is in the mail the next morning. Same with mortgage, student loans, cell phone, etc.
I used to use big banks, but they spammed me, fucked me, and generally treated me like shit. I moved to a local friendly place, and they treat me like a king. It's amazing that you recommend using fucking Walmart and pre-paid cards and cash. Those can be lost and stolen. And if they are, you're SOL. And pre-paid cards have overhead.
If you have any questions, let me know
If anyone does, it's going to be why you aren't taking your meds. The fuck is wrong with you? How did your world get so broken?
Velociraptor = Distiraptor / Timeraptor
Then why are you trying to explain how they work?
A responsible credit card user pays their bills at the end of the month and doesn't rack up interest of fees. And, no, they do not raise the fees to the vendor, in fact they have recently lowered them since they have had their ass reamed in lawsuits for overcharging.
Yes, VISA, etc charges a small fee for transactions, they make a (sometimes too healthy) profit, but fraud protection is one of the major FEATURES of using a credit card. Go pay cash to a shady person for something and then try to get your money back later when you got screwed. Use a credit card? If it was the vendor's fault you will get your money back.
I wouldn't even fret over it at all, and indeed those little sleeves are a total waste of money.
Current credit card laws limit your liability for fraudulent transactions to $50. But that's not all: Every bank that isn't shitty takes that a step further by making you liable for nothing at all. Really, I haven't even seen a credit card offer that has a non-zero liability clause. I'm sure they exist, but you'd have to have downright awful credit to have one of them as your only option.
That said, a much bigger risk (indeed by far the biggest risk) of getting your credit card information stolen is when you use it to buy something on the internet and the merchant's PCI database is compromised. This has happened numerous times to me, by the way, and you know what it has cost me in my entire lifetime? Not a single red cent.
Typically it goes like this: My bank calls me and notifies me that somebody all the way on the other side of the country in a state that I've never been to tried to buy something expensive on my card within minutes of me buying chips from a vending machine. Obviously something wrong there, so they call me and list the most recent 5 or so transactions and ask me if I made any of them. If the answer is yes, then there's no problem. If the answer is no, they deactivate my card and send me a new one, and have me fill out a form telling them which transactions showed up on my bill that are ones I didn't make. I just tell them which ones aren't mine, and they simply remove them from my statement.
That's it, no problems. The only inconvenience is that I'm out of a credit card for a few days, but that's ok because in addition to my mastercard that I use practically everywhere, I also have an Amex card that I occasionally use for its occasional incentives, and I can continue using it until my new mastercard arrives in the mail.
No need to waste money on a sleeve, and no need to have to pull it in and out of the sleeve when I need to use it.
If you cannot afford to buy something with cash, then you can do without it.
There have been serious suggestions here in Norway to forbid cash payments for various things. This includes buying tickets from bus drivers, paying at restaurants and for purchases above some threshold (think 2000 USD and such).
The bus drivers don't want to have cash because of robberies, the tax administration wants to make it harder for restaurant owners to cheat, and the police wants to make it harder to launder money.
We're not there yet, but I'd say it's coming soon.
A card-only system is the perfect surveillance solution. Not only does it reveal everything that you've purchased and from whom, but the time and location as well.
Presidents Putin and Erdogan recommend them!
The moment the cashless society is a fact you will regret that you didn't fight it.
"Trump!!", the new Godwin.
You MUST read your statements because any VISA retailer, anywhere in the world, can tell VISA "Oh, this 16 digit card was used in my store, and I want $100" and they will just add that to your statement and bill you unless you protest. VISA does not give a shit whether there is even the slightest evidence the charge is legitimate _unless_ you say you didn't do it.
Credit Cards have two separate processes. Authorization is the first, it's the one with chips and PINs, and CVVs and checking your address matches, and a typical retailer wants nothing to do with you unless they can successfully complete Authorization. This step exists _purely_ for the retailer to obtain proof you authorized the transaction, the VISA network doesn't need it, doesn't care about it, unless you dispute.
Settlement is the second step, it has no security whatsoever, it's purely on the word of the acquirer and it's the step where your money is taken. All they need to provide are the card numbers and the amounts they want to get paid. If there's Authorization but no Settlement, you don't pay a penny in the end. But if there's Settlement but no Authorization, your money is GONE unless you say "Hey! I never agreed to pay that".
For a huge fraction of transactions nobody has any actual proof. Even if it's a legit transaction where you presented your card, often they screwed up and threw away the proof, or they typed in the wrong amount and then later "fixed" it and billed you a different amount. And because Settlement has no security, they get their money anyway. UNLESS you say you didn't agree to pay, and then VISA sighs and says "Hey, where's the proof?" and the retailer says "Oh, whoops, we don't have it" and you pay NOTHING.
So, that's the only thing you need to know about Credit Cards, READ every statement, DISPUTE anything you're concerned about.
Do you really think that the banks would have added a feature that makes fraud as easy as pointing an antenna at people walking past? Where are the crime waves of people draining accounts with concealed card readers?
Why yes, I do. It has been demonstrated numerous times, and is easy to reproduce on your own with inexpensive equipment. The specs are public (have you read them? I have.) Even EMV chips send your card information in plaintext - any encryption needs to be added by the terminal. You may not have read much about it as RFID cards are still uncommon in the US, but that is changing. The specs for this and EMV are more than a decade old and were designed for the banks' convenience, not your protection.
US banks have shown a singular unwillingness to invest in technology that helps their customers. In the US they fall back on "zero liability" terms that mostly shield customers from direct financial losses but then pass on the cost of billions of dollars of fraud to all consumers and merchants.