Safely Using Credit Cards - NOT Just for the Holidays

Credit Card Security Tips: How to Keep Your Credit Card Secure While Shopping Online and In Person

With all of the news in the past year about big breaches and credit card compromises, are you worried about your credit cards? I am. As a matter of fact, four of my credit cards have been replaced in the past three months.

I had a friend tell me that they are shopping with cash this holiday season. Is that the answer?

Probably not, especially if you are shopping online.

So, what do you do?

Cash vs. Credit vs. Debit

First of all, I’m going to put it right out front. I think credit cards are better than cash, and better than a debit card. If I have a problem with my purchase, I can stop the credit card payment. If I have paid with cash, I am out of luck. And, I know at least one of my credit cards includes extended warranties for any electronics purchase.

Now, debit cards. They work somewhat like credit cards, but the funds are taken directly out of your account instead of going through the credit process. That is good in one way, since it helps ensure you know exactly where your finances stand: if the money is not in your account, you will not be able to buy. But debit cards are not without their own version of risk.

According to the Fair Credit Billing Act (FCBA), you are never responsible for false charges of more than $50 on your credit card. Never. And, many (most) banks and card companies make that $0, at least for false charges which are reported in a timely manner. And, yes, if the bank is waiving the fee, they get to define “timely” but you usually have a couple days.

If someone uses your debit card, your responsibility is often the first $50 like a credit card. But, if you report the false charge more than two business days late, your responsibility could jump to $500. And if you are more than 60 calendar days behind, you are on your own. Some debit card issuers will work with you on these limits, but, the money is still gone from your account and the dispute process has to complete before any funds are re-deposited. How quickly that can happen depends on the issuer, but I have seen stories of that going on for months. If you make that same dispute with a credit card, the funds STAY in your account and you don’t have to pay anything unless your dispute fails.

You report                                             Your Responsibility
Credit card fraud                                      Maximum of $50
Debit card fraud within 2 days                         Maximum of $50
Debit card fraud more than 2 days, but less than 60    Maximum of $500
Debit card fraud more than 60 calendar days            No limit

Account Protection

Your credit card comes with an online account. That online account is your friend. And your enemy. Your enemy if that information, like your username and password, gets leaked. So don’t let that happen. Here are some general online account rules to live by:

• Use a username you remember, but NOT your email address if you can avoid it.

• Use a complex password. Even if you have to write it down and store it in a notebook you keep in a drawer in your kitchen. A password like “for20N7yers” (four score and seven years) is ALWAYS better than a password like “asdfGHJK123”. Always. (Did I say “always?”)

• Change your password once in a while. Figure out a frequency which makes sense for you, but just do it. Even once a year is better than “never.”

• NEVER use the same password on two different accounts. For that matter, don’t even use the same construction on two different accounts. So, if your password on your BANKA card is “banka355CliveStreet” would it be smart to make your password for your BANKC card “bankc355CliveStreet?” (Not that your street address is a great password.)

• You know that computer you use to log onto your account? Make sure it has a major market anti-virus solution installed. And some anti-malware software. And update them both regularly – as often as they allow. And run automatic scans at least weekly. And periodically run a manual scan. And check the scan settings to make sure it is actually scanning the main system drive. Strong account credentials are worth much less if the computer you are logging on from is infected with malware.

• As a general rule, avoid public Wi-Fi. Don’t log on to your bank from public places like coffee shops and airports. As much as you might be tempted, just don’t. Use a network which is more controlled, like the one in your home. If you need to use public Wi-Fi, be sure to use a trusted VPN solution.

• Avoid using public computers like ones in a library or in a hotel business center. And avoid using other computers you don’t own, like your friend’s. You really have no idea what kind of security they have.

• Make sure you are using the most current version of whatever your favorite browser is. For the sake of your personal interest, you may want to know that both Safari and Explorer are pretty routinely measured as MORE secure than either Chrome or Firefox. Just sayin’.

There are also a couple little tricks which you can use to improve your account security.

• Don’t use your real mother’s maiden name. Or better yet, include a DIFFERENT “mother’s maiden name” on every account which asks for one (Make sure you track which one you use, even if you have to write it down. Remember that little notebook you have in your kitchen drawer?). For that matter, if you have options besides “mother’s maiden name,” use them. And always remember – NONE of your answers have to actually be true. It’s not like the credit card police are going to come looking for you if you lie and say that evil Mr. Johnson was your favorite teacher.

• Change your own information when you can. Use your middle name on one account. Omit it on another. Use only your middle initial on another account. And - heh, heh, heh - use a different middle initial on yet another account. If I get a fraud email to Jon-Luis Heimerl, or Jon-Louis Heimerl, or Jon L Heimerl, I know EXACTLY which account each came from.

Beyond that, most credit card companies have security settings and options which can also help you.

• Register a good email with your online account. Again, you don’t have to use the same email for every account. I recently got a “FRAUD ALERT” email sent to my yahoo.com email address. But, it came from a credit card with which I have never registered my yahoo account. That fact alone let me immediately discount it as a phishing email.

• Register a cell phone number with your online account. You should make sure this one is accurate everywhere so that you get the alerts the card company sends you. Some card companies will call you if they see activity on your account that deviates from your normal spending patterns. You want to get that call.

• Use the “account alerts” available on your card. They won’t always be called “account alerts,” but somewhere within your account settings or options you can look for something related, like “security alerts,” and you will find them. You want to look for settings like the following, and TURN THEM ON! Just read the options below and you should be able to see how having these notifications can be helpful in controlling fraudulent activity, especially items a-g. Select options to get text messages and/or emails if your credit card company sees any of these conditions (not every card will support all of these options, but these are typical):

a. Spend Tracking – Notify you when more than $X is spent during a billing period, where you get to define X. For instance, if the total of transactions during the billing period reaches $1000, you will get an alert.

b. Irregular Account Activity – Notify you when a transaction looks questionable based on your account history. For instance, if you have always used your card “in store,” and suddenly your account shows large, online purchases from China, you get an alert.

c. Card Not Present – Notify you when any transaction is attempted via phone or online. For instance, if someone tries to buy airline tickets online with your card, you will get an alert, regardless of the value of those tickets.

d. Cash Withdrawal – Notify you when someone tries to take a cash advance on your card.

e. Foreign Transactions – Notify you when someone tries to use your card number in a different country or currency.

f. Large Purchases – Notify you when someone tries to make a purchase of more than $X, where you get to define X.

g. Changed Personal Information – Notify you when someone changes your phone number or mailing address on your account. It might be handy to know if your mailing address is suddenly in a Houston suburb…

To me, the best news here is that these are ACTIVE alerts which happen pretty much in real time. If you are sitting in your office working, and you get a “Large Purchase” text message, you know that someone is up to no good, right now.
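To show why these alerts fire so quickly, here is an added illustration (not code from the article or from any card issuer) of the transaction-based alert rules above applied to a constructed list of charges. The transaction fields, the $1000 spend limit and the $500 large-purchase threshold are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data and thresholds; this is an illustration of the
# alert types described above, not any issuer's real alert engine.

@dataclass
class Transaction:
    amount: float           # charge amount in dollars
    channel: str            # "in_store", "online" or "phone"
    country: str            # country where the charge was made
    kind: str = "purchase"  # "purchase" or "cash_advance"

def evaluate_alerts(txns: List[Transaction], home_country: str = "US",
                    spend_limit: float = 1000.0,
                    large_purchase: float = 500.0) -> List[Tuple[int, str]]:
    """Return (transaction index, alert name) pairs in processing order.

    Every rule is checked per transaction as it arrives, which is why the
    cardholder hears about a bad charge while it is happening, not at
    statement time.  Spend Tracking fires once per billing period, the
    first time the running total passes the cardholder's limit.
    """
    alerts: List[Tuple[int, str]] = []
    running_total = 0.0
    spend_alert_sent = False
    for i, t in enumerate(txns):
        running_total += t.amount
        if t.kind == "cash_advance":
            alerts.append((i, "Cash Withdrawal"))
        if t.channel in ("online", "phone"):   # card not physically swiped
            alerts.append((i, "Card Not Present"))
        if t.country != home_country:
            alerts.append((i, "Foreign Transactions"))
        if t.amount > large_purchase:
            alerts.append((i, "Large Purchases"))
        if running_total > spend_limit and not spend_alert_sent:
            alerts.append((i, "Spend Tracking"))
            spend_alert_sent = True
    return alerts

# Constructed billing-period activity: one normal in-store charge, then a
# large online airline purchase, a cash advance, and an online charge abroad.
SAMPLE = [
    Transaction(42.10, "in_store", "US"),
    Transaction(650.00, "online", "US"),
    Transaction(200.00, "in_store", "US", "cash_advance"),
    Transaction(180.00, "online", "CN"),
]

if __name__ == "__main__":
    for idx, name in evaluate_alerts(SAMPLE):
        print(f"transaction {idx}: {name} alert")
```

Only the first, unremarkable charge passes silently; each of the other three would have produced a text or email the moment it was authorized.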

Account Passphrase?

For those who really care, call your credit card company and ask them if you have the option to put a passphrase on your account. This is a separate password used just for access through customer service and has absolutely nothing to do with the password with which you log on. That way, if anyone calls in to try to access your account, before anyone at the card’s customer service center can even access your account, they have to ask “and what is your account password?” If the caller does not have the password, the call is essentially over. This reduces the chance that a caller will be able to do things like change your billing or notification details, or raise your credit limit on a compromised account.

But, also be mindful that you should never actually give your passphrase to someone who calls you, claiming to be from your card company. Figure out how to call them back if it appears justified.

Fraud Alerts are Awesome!

The credit reporting agencies (Equifax, TransUnion and Experian) will allow you to put a “fraud alert” on your credit report. This means if someone tries to apply for new credit in your name (like via identity theft) that application is put under greater scrutiny to help ensure that it is actually you who is applying for the credit.

If you are worried that any of your account information will be stolen and used to steal your identity, put a fraud alert on your credit report. The process is free, and can be done online at any of the three credit reporting agencies. The only real catch here is that a fraud alert typically lasts 90 days, so if you want to retain the protection, you will have to go apply every 90 days. This is actually a service which some of the identity theft protection companies do for you – you just pay them a fee to re-apply for a free service on your behalf. A calendar reminder for the 1st day of every third month is cheaper.

A fraud alert will not stop anyone from stealing your card number or your other personal information, but it can make it much harder for the thief to actually do anything with that information which will actually hurt your credit.

Spend Wisely

Since we want to actually USE our credit cards, and the use of our cards potentially exposes our account information, we have a problem. The reality is that if we don’t use our credit cards they are not doing us much good. So we shop.

Is it possible to use credit cards to shop while minimizing your exposure?

Absolutely. Using your credit card safely is all about managing risk. You can shrink your risk by doing things like the following when you shop:

Shop at reputable online sites. If you want a computer, a TV or a new tablet, you are much better shopping at a large, well-known, reputable dealer than you are shopping at someplace like “Bobsonlinediscountshoppingwarehouse”. You MIGHT find an incredible deal, but the chances are probably greater that the deal really IS too good to be true.

Control your search results. There is nothing wrong with searching for a good deal. Just be cautious about the search results. Though the search engines are doing a much better job of filtering this than previously, malicious people regularly seed search results with hostile sites, just waiting for you to come and visit. Once you check out your results, please feel free to navigate to the retailer’s main site and find your item instead of following a link.

Don’t follow links. If you get an email from a retailer, and it includes a link to a wonderful deal that is exactly what you were looking for, you will be tempted to click the link to purchase. Stop that now! Go to the retailer’s main site by entering their URL in your browser, or use a page you already have bookmarked in your “favorites.” Using a juicy link is a great way for a phishing attack to get your account information, or even compromise your computer, which you really don’t want.

If you can, pick one credit card, and use that one card for ALL online purchases. Don’t use your other cards for ANY online purchases. Then, if you see an online purchase on any of your other card statements, you automatically know it is fraudulent.

When you shop online, check for a secure connection before entering any account or credit card information. Check for the lock or the “https:” in the URL, and if you can’t log on securely go shop somewhere else. And, DON’T enter your card information in an email form. I got one of these the other day. Just don’t do it.

When you shop online, deselect the option to “save your card number for future purchases” if you can. If the retailer is not storing your card they can’t lose it in a breach can they? Yes, it is less convenient to enter your card information every time you go to that same site. And that can be so frustrating. But that is seriously a first world problem. Put it more simply – the fewer people who know your credit card number the better. Period.

When you are buying in the store, scan your own card when you can. If you have to hand your card over, keep an eye on it. Don't be distracted by your surroundings. Make sure the card does not disappear underneath the counter to reduce the chances that the clerk can scan their own copy of the card in a surreptitious card reader.

When scanning your card, check out the scanner. Look for a reader which does not look right. Either it looks too big, or is a different color, or looks like it could be loose. Card skimmers are small, but they will add bulk to a real scanner. They are sometimes not easy to detect, but if you don’t look, you will never see one.

If the cashier asks, you can decline to provide your phone number or zip code for the credit card transaction. That information is most often used for loyalty programs and tracking purchases, and is not generally required for purchases. For that matter, in California it is actually illegal for a retailer to ask for your zip code with most credit card purchases. Some purchases use zip codes to help identify fraudulent transactions, but these are mostly “cashierless” payment mechanisms like gasoline pumps.

Keep all your receipts. If you buy online, print your receipt or dump all your confirmation emails into a “shopping” folder so you can check them later.

Keep an Eye on Your Stuff!

You’ve been careful. You found your deals and did your paranoid shopping. You used your one online card and bought from Amazon. You were careful with your plastic, and you kept all your receipts. But you know you are not done, right?

You have to be checking your statements. Use strong credit card kung-fu and check every line item on every credit card statement. The bad guys regularly use small “test” charges to see if a card is real, so yes, EVERY amount. And monthly may not be often enough. Especially now. And by “now” I don’t mean for the holiday shopping time, I mean in modern times. Set a calendar reminder and check your credit card statements in the middle of the month – halfway between statements. Or better yet, weekly. But, it is more important to pick an interval at which you will actually do it. Online, you can check your entire statement, and recent transactions. Dig those receipts back out and make sure that you have no unexplained charges.

If you see a fraudulent charge, report it immediately. Call the customer service number on the back of your card, and follow up with email or paper mail as requested. Don’t be afraid to admit you made a mistake if you accidentally report a valid charge, but don’t hesitate to report a bad charge.

Don’t Call Me, I’ll Call You

Be aware of incoming emails about your credit card accounts. You will get genuine emails from your credit card companies. You will probably get many more phishing emails. In any event, follow these rules for dealing with contact from your credit card company:

Never follow a link in a received email. If your credit card company needs you to log in, you can do it at the link you have bookmarked for them, or from their main operating site.

Never call a “customer service” phone number in a received email. Your credit card has a customer service phone number printed on it for a reason. Use the number on your card.

If you get a phone call from “your credit card company,” you should automatically be suspicious. Don’t get a phone number to call back. Ask them for a reference number and call the customer service phone number on the back of your credit card. If they are calling to verify a charge, think carefully about what information you are being asked to provide. Do not be afraid to tell them you will call back, even if it slows down the transaction.

Finally

Credit card security really is easier than it sounds. Some of this stuff is easy once you are set up. Some of it is habit. But everything above will improve the security of your credit card and associated personal information.

Now, go SHOPPING!

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.