Ask Slashdot: How Do You Keep Your Credit Card Secure?

It's easy to pontificate about the best security practices -- but the real test is what we do with our own money. Long-time Slashdot reader Keybounce writes: So, like most of you, I recently got a new credit card with a chip in it. I was not worried about that -- I know the chips are harder to copy and counterfeit. But I recently discovered that the card is also a radio card -- swiping it near the screen caused an message to show up on the reader. In this case, it told me to use the chip reader instead, but this means it has an active radio signal, and could be "hacked" -- stolen by someone with the right device.

How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?
At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PIN numbers altogether and now validate with only an electronic signature). Is the answer to just use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?

So leave your own answer in the the comments. How are you keeping your own credit card secure?

Don't care, not my card, card issuer's problems.

I could care less. If I see fraudulent transactions I call AmEx and I get a replacement card next morning. No need for me to go out of my way to keep a card that provides access to someone else's money secure.

Re:Easy

[Lord+Crc]

If you cannot afford to buy something with cash, then you can do without it.

There have been serious suggestions here in Norway to forbid cash payments for various things. This includes buying tickets from bus drivers, paying at restaurants and for purchases above some threshold (think 2000 USD and such).

The bus drivers don't want to have cash because of robberies, the tax administration wants to make it harder for restaurant owners to cheat, and the police wants to make it harder to launder money.

We're not there yet, but I'd say it's coming soon.

Re:Don't care, not my card, card issuer's problems

[ShanghaiBill]

I am not liable for fraudulent charges.

Sometimes you are. I was fraudulently charged $19/month for several months by Travelocity. I disputed the charges through Bank of America, and BOA told me that Travelocity was their "marketing partner" so the fraudulent transactions could not be reversed. I cancelled the credit card, closed all my BOA accounts, and switched to Wells Fargo (the only other bank within bicycle distance of my house). I also never again used Travelocity for anything. I periodically go into the local BOA branch and steal their ink pens.

Re:I don't

[ShanghaiBill]

Don't they kick you out when the transaction is denied?

If you are paying $2000 in Mexico, you are going to the wrong strip clubs. Try walking more than 1 block from the border.

Re:Shielding, jamming

[ArmoredDragon]

I wouldn't even fret over it at all, and indeed those little sleeves are a total waste of money.

Current credit card laws limit your liability for fraudulent transactions to $50. But that's not all: Every bank that isn't shitty takes that a step further by making you liable for nothing at all. Really, I haven't even seen a credit card offer that has a non-zero liability clause. I'm sure they exist, but you'd have to have downright awful credit to have one of them as your only option.

That said, a much bigger risk (indeed by far the biggest risk) of getting your credit card information stolen is when you use it to buy something on the internet and the merchant's PCI database is compromised. This has happened numerous times to me, by the way, and you know what it has cost me in my entire lifetime? Not a single red cent.

Typically it goes like this: My bank calls me and notifies me that somebody all the way on the other side of the country in a state that I've never been to tried to buy something expensive on my card within minutes of me buying chips from a vending machine. Obviously something wrong there, so they call me and list the most recent 5 or so transactions and ask me if I made any of them. If the answer is yes, then there's no problem. If the answer is no, they deactivate my card and send me a new one, and have me fill out a form telling them which transactions showed up on my bill that are ones I didn't make. I just tell them which ones aren't mine, and they simply remove them from my statement.

That's it, no problems. The only inconvenience is that I'm out of a credit card for a few days, but that's ok because in addition to my mastercard that I use practically everywhere, I also have an Amex card that I occasionally use for its occasional incentives, and I can continue using it until my new mastercard arrives in the mail.

No need to waste money on a sleeve, and no need to have to pull it in and out of the sleeve when I need to use it.

Re: Easy

[slashrio]

The moment the cashless society is a fact you will regret that you didn't fight it.

My card leaks visible spectrum radio signal also!

[vortex2.71]

I recently found out that my card was leaking radio waves in the visible spectrum! This is really nefarious because the radio waves do not actually originate from the card itself. When a store, hacker, or other third party sends radio waves in the visible spectrum towards my credit card, the card returns the signal back to a wide range of locations with the user's name, the credit card number, and even the cvv code on the back!

The worst part is that there are even visible spectrum enhancers on the market, which turn the radio signal, which is usually only decipherable at 2-3 ft, into a signal that can be deciphered from 30-100 ft. I can't even believe that these things are legal, or that the card returns these radio waves in the visible spectrum!

The world is going to hell in a handbag!

Re:Turn it off

It doesn't include the CVV2 that will be requested even by very low risk online retailers. You might be thinking, "But this field right here is labelled CVV" and it is, but there are like four CVVs for a modern card, and that's the wrong one. The one you need online is CVV2, which is the one written on the back of the card but not stored on the card itself.

This happened because cards _used_ to have just one CVV, baked into the magstripe, so you could tell you had a "real" magstripe read, not one based on just reading the digits off the card, but if people got the CVV elsewhere they'd fake that out. So the "fix" was to have a different value for CVV in each place, and check you got the right one. So there's a CVV for EMV chip transactions, a CVV for the magstripe and one written on the card for online.