Active and Passive Monitoring are Critical in Your Defense Against Credit Card Fraud and Identity Theft
I normally write about organizational security, but this is as good a time as any to be selfish and talk about us consumers. After all, it is the holiday season, and credit card use is up. People are out more often, using their cards in public, and online shopping is expected to rise again. So, do credit cards give us pause?
Identity theft. Credit card fraud.
It seems, these days, like we should not be talking about “if” we are a victim of credit card fraud as much as “when.” A personal scanner costs less than $100. An attacker can attach a scanner to a smartphone and begin using the card number before the victim even leaves their table at the restaurant. RFID scanners are in the wild. If you have a credit card with an RFID chip, an attacker can simply walk by you and potentially scan your credit card information right out of your purse or wallet, and you will never know. Online stores are attacked, along with banks or clearing houses, and credit card information is stolen. It almost seems like fake scanners are everywhere, and you pretty much have to check every time you buy gas to try to make sure that there is not any extra gear hanging on the pump. Locally, we even had a scanner with a built-in cell phone, so the attacker could get card information from their scanner remotely.
So, what do we do about it? Well, you could just never use your card, right? But that kind of defeats the purpose of actually having one. So, instead, let’s think of this as a holistic security issue, and consider what we would do if we were a company.
For this example, my critical systems are easy. Right now, I am worried about how my credit card data is being used, so my critical systems include anything related to the way I use my cards, thus, mostly my wallet. Online purchases suggest that perhaps I should include those supporting systems as “critical” since they will hold my credit card and transaction information.
Standard Security Controls
I do certain things to make sure I have at least some control over my credit cards. If my card is out, my wallet is in my hand. I always put my cards in my wallet in the exact same order so I can more easily tell if a card is missing. These are simply controls, because not everything has to be complicated. If I have the option, I request that online sites not store my card information – I would rather enter it every time. All of these things are the basic controls that follow the rules, or policies, by which I manage my own systems. Since I do online purchases I have a requisite set of controls related to virus scanners, anti-malware software, firewalls, and other such related controls to help protect me.
Up front, there are a couple of obvious things you may be able to do to help limit your exposure. For instance, I have one credit card that I use for all online purchases. If I see a mail order or “card present” type purchase on the statement for that card, I know it is fraudulent. If I see any online purchase on any of my other statements, I know those are fraudulent. This is not great magic; I am just using intelligence about my own use of the system. I understand my security baseline, so I can immediately recognize deviations.
As an obvious passive monitoring solution, I can check my credit card statements at the end of the month. Realistically, it only takes a couple of minutes to read through my charges and see if everything makes sense. Most months there are one or two charges that make me pause, but I usually figure them out easily. Another less passive control is that I can periodically log onto my credit card account and check my statement online. I can also phone in and check recent transactions, and if I am using mobile banking, my card provider may support a text message query of my latest transactions. All of these are relatively passive because they will let me check my existing statement for some activity that happened at some point.
If I want better intelligence about what is happening with my credit cards, I can also use more active monitoring. If I were an organization, I would think about monitoring logs and events on at least my critical systems. I would build a baseline of expected activity, and watch for anomalous behavior.
Chances are that your credit cards will let you do the same thing. Check your online card settings. Look under profile or security settings, and find “alerts.” If activity on your card triggers one of these alerts, you will be notified. Most cards think of these in essentially the same manner. Depending on the exact card brand, you will have a variety of alerts available. You may be able to set an alert that is delivered via email, text message, or voice message. Your cards will likely be able to alert on such activities as:
1. Balance transfer has been received
2. Balance reaches $XXX
3. Available credit is less than $XXX
4. More than $XXX on a single charge
5. More than $XXX in a billing period
6. Any cash withdrawal
7. Online or phone transaction (card not present)
8. Any international charge
9. Online, phone, or mail charge
10. Gas station charge
11. Password reset online
12. Email address change online
13. Mailing address change online
Many card companies also have some form of “anomalous behavior detection.” This is active monitoring that can get you alerted, but you don’t really have control over the alert mechanism, other than, perhaps, defining how you actually get the alert. Card companies are tight-lipped about what kind of behavior they detect, and that also varies greatly by card company. Therefore, it is an additional control that potentially helps reduce your exposure.
One of my card companies used to allow me to set a spending limit by transaction, and they would actually have a customer support person call my cell phone if an attempted charge exceeded my predefined limit. I made use of that a couple of times, while standing at the checkout line on a large purchase, and personally, I thought having the ability to review and approve before the purchase was very cool. You may notice that all of these alerts are on activity that has already happened, but if there is any saving grace here it is that you can get these alerts immediately, as the event is taking place.
Not every financial institution supports every alert. If you simply think about the type of information in the list, you should be able to see the value in any of those alerts. Think of this, though, as any monitoring solution: if monitoring reports on an alert or event, you need to be able to manage the event. The worst thing you can do is simply ignore the alert, so it is up to you to define those alerts that you will act upon. If you are just going to ignore the “available credit is less than $1000,” then don’t alert on it.
Monitoring Information Management
If I have five credit cards, it would probably not be the best solution to turn on all of these alerts for all of my cards. There is such a thing as “information overload.” Information management is probably the single biggest issue with any monitoring solution. How do you alert on the important items but leave other information available so that you can use it as you need to?
To that extent, monitoring on a key event or two, then retaining the ability to query for additional information is probably the best compromise. In the context of your credit card use, figure out what your tolerances are for each card, and make sure you know how to get details on your latest transactions. For instance, I may not need to alert for “all online purchases” for my “online only” card. But, at the same time, for my card that is only “card present” charges, I probably want that text message that says someone just used your card online.
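The per-card baseline and tolerances described above, written out as detection logic in an added example (not from the original article): each card gets its own expected channels and single-charge limit, and only deviations raise an alert. The card names, limits, home country and sample transactions are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    card: str
    channel: str   # "card_present", "online", "phone", "mail" or "cash"
    amount: Decimal
    country: str

@dataclass(frozen=True)
class CardPolicy:
    allowed_channels: frozenset   # the baseline: how this card is normally used
    single_charge_limit: Decimal  # tolerance for "more than $XXX on a single charge"
    home_country: str = "US"      # assumed home country for the example

# Constructed policies: one card kept for online purchases, one for in-person use.
POLICIES = {
    "online-only": CardPolicy(frozenset({"online"}), Decimal("300")),
    "wallet": CardPolicy(frozenset({"card_present"}), Decimal("500")),
}

def evaluate(txn, policies=POLICIES):
    """Return alert reasons for one transaction; an empty list means in baseline."""
    policy = policies.get(txn.card)
    if policy is None:
        return ["no policy defined for card"]
    reasons = []
    if txn.channel not in policy.allowed_channels:
        reasons.append(f"unexpected channel: {txn.channel}")
    if txn.amount > policy.single_charge_limit:
        reasons.append(f"single charge over {policy.single_charge_limit}")
    if txn.country != policy.home_country:
        reasons.append(f"international charge: {txn.country}")
    return reasons

def triage(txns, policies=POLICIES):
    """Keep only deviations, so routine charges stay queryable but do not alert."""
    return [(t, r) for t in txns if (r := evaluate(t, policies))]

# Constructed sample transactions (not real data).
SAMPLE = [
    Txn("online-only", "online", Decimal("42.10"), "US"),
    Txn("online-only", "card_present", Decimal("61.00"), "US"),
    Txn("wallet", "online", Decimal("19.99"), "US"),
    Txn("wallet", "card_present", Decimal("820.00"), "FR"),
    Txn("wallet", "cash", Decimal("200.00"), "US"),
]
```

Calling triage(SAMPLE) returns four of the five transactions; the routine online purchase on the online-only card stays silent.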
Overall, we can try to minimize our exposure, but even the best of us still get hit. Sometimes it is not as much what you do to protect yourself up front as it is how you react to an attack. This is true for personal credit cards as well as cyber attacks on businesses.