Last month, I was in McAllen, Texas for a client. Three other road warriors and I were enjoying a cold beverage and a brief respite from the scorching rays of the sun when the topic of payments came up. One of my new friends spoke up and stated that they were shopping for a gift for their mother-in-law, but would never use their credit card online (only a prepaid). Another chimed in and said that they use their debit and credit cards all over the place (including fuel pumps) without giving a second thought to security. My third acquaintance looked me in the eye and said “David, you’re in security right? Why don’t you write something about safe payment practices? That would actually be useful!” So here it is, David’s guide to safer payments at home and out and about!
First off, I want to differentiate between credit and debit cards. Debit cards are inherently riskier to use because they link directly to your bank account. Credit cards, on the other hand, often offer more consumer protections in the form of insulation against unauthorized charges (i.e., a stolen card that is fraudulently used).
The following are a few statistics from Verizon’s 2012 Data Breach Investigations Report:
- 48% of breaches across all organizations involved payment card information.
- 42% of breaches across all organizations involved authentication credentials (i.e., usernames and passwords).
So it should be pretty obvious that our financial information, specifically payment card information, is of particular interest to criminals. While I do not believe in fear mongering, I do think that understanding the reality of the payment world we operate in and learning to practice safe payments is wise and healthy for our bank accounts.
At some time in your life you have probably pulled up to a fuel station and thought “those pumps look rather old”. Many older PIN entry devices (PEDs, used for entering a PIN for debit card transactions) do not meet current security standards and are highly vulnerable to various attacks, including card skimming. With this in mind, my personal stance is to only use credit cards at a fuel pump. You should always be mindful of your surroundings and on the lookout for odd-looking card readers, but if your credit card number is skimmed at a fuel pump, it is far easier to catch the fraud and recover (often with little effort on the consumer’s part). However, if you use your debit card at a fuel pump and the number is skimmed, the thief can simply cycle through possible PINs looking for the correct one. This might seem difficult with 10^4 (10,000) possible PINs, but many consumers select from a small set of common number sequences, which shrinks the search space considerably. If the thief finds your PIN, they can now use your debit card to make authorized, albeit fraudulent, withdrawals directly from your bank account.
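To make the "common number sequences" point concrete, here is an added example (not code from the original post) that flags structurally weak 4-digit PINs and counts how much of the 10^4 space such patterns cover. The pattern rules (identical digits, consecutive runs, repeated pairs, birth-year-like values and MMDD dates) are my own illustrative choices, not a published list.

```python
import re
from typing import List

# Added example: structural weak-PIN check. The rules below are illustrative
# assumptions about "common number sequences", not a published dataset.


def weak_pin_reasons(pin: str) -> List[str]:
    """Return the reasons a 4-digit PIN is considered weak; empty list means it passes."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["not exactly four digits"]
    reasons: List[str] = []
    digits = [int(c) for c in pin]

    # 1111, 2222, ...: a single repeated digit
    if len(set(digits)) == 1:
        reasons.append("all digits identical")

    # 1234, 6789, 9876, ...: every step is +1 or every step is -1
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        reasons.append("consecutive ascending/descending sequence")

    # 1212, 4747, ...: the same two-digit pair twice
    if pin[:2] == pin[2:]:
        reasons.append("repeated two-digit pair")

    # 1900-2030: easily guessed from a birth date or other personal year
    if 1900 <= int(pin) <= 2030:
        reasons.append("looks like a birth year")

    # MMDD: month 01-12 followed by day 01-31 (e.g. 0704, 1225)
    mm, dd = int(pin[:2]), int(pin[2:])
    if 1 <= mm <= 12 and 1 <= dd <= 31:
        reasons.append("looks like a MMDD date")

    return reasons


def count_weak_pins() -> int:
    """Number of PINs in 0000-9999 that trip at least one rule above."""
    return sum(1 for n in range(10_000) if weak_pin_reasons(f"{n:04d}"))


if __name__ == "__main__":
    weak = count_weak_pins()
    print(f"{weak} of 10000 PINs ({weak / 100:.1f}%) match a common pattern")
    for sample in ("1234", "1111", "1985", "0704", "8361"):
        print(sample, weak_pin_reasons(sample) or "ok")
```

The point for the consumer is the inverse of the thief's: a PIN that trips none of these rules forces a guesser back toward the full 10,000-value space instead of the few hundred values these patterns cover.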
Skimming attacks are not limited to fuel pumps, and it is always a good idea to inspect an ATM prior to any transaction. Outdoor markets, strip malls, and similar locations have been common targets for ATM fraud. In one attack, the thieves bring in a “hacked” ATM and place it next to genuine ATMs. Consumers walk up, try to withdraw money, and receive an error. They then use the next ATM and withdraw money successfully, since that ATM is genuine; however, the fraudulent ATM has already captured their card number and PIN. After several hours or at the end of the day, the thieves retrieve their ATM and harvest the card numbers and PINs. With that in mind, a general best practice is to only use ATMs within a bank branch or inside a retail location that is monitored.
When I travel, I often find myself in need of local currency. I avoid using the random ATM located outside of a building and will instead use an ATM inside my hotel, a local bank, or inside security at the airport. For example, I am writing this article from my hotel in Satu Mare, Romania. When I arrived yesterday, I needed local currency (Lei) to pay for my taxi. My taxi driver was kind enough to take me to one of the national banks so that I could go inside and withdraw enough currency for the next few days. I also carefully monitor my account activity during and after any business trip to ensure that I recognize every purchase. Generally, it is best to use a credit card when traveling. My personal reasons include easier transaction tracking, better security, and not needing to carry a lot of cash with me. It is important to note that many credit card companies will deny your transaction if you are out of the country and do not travel much. I would recommend notifying your credit card company whenever you plan on being out of the country so that you can ensure access to your credit line.
I would be remiss not to discuss online payments. I love the convenience that online shopping provides. Since I travel a lot, I often complete most of my Christmas shopping using Amazon.com. Once again, I recommend using a credit card (not a debit card) when processing any payment online. There are services such as PayPal that allow you to load funds onto a card and then complete purchases online. This can limit your risk, and there are several further steps you can take to practice safe online payments and reduce your exposure.
When shopping online, I recommend typing in the URL of the website you would like to purchase from. Phishing emails can look incredibly legitimate, and when in doubt, it is safest to open a new browser instance and manually type the website’s URL. Generally, you should only make purchases from reputable online merchants that must comply with the security standards enforced by the card payment brands (such as PCI DSS). This alone does not guarantee security, but when purchasing from a PCI DSS compliant online merchant, your risk should be greatly reduced. When completing online purchases, I recommend reviewing the website for the following:
- Padlock icon next to the URL (click on it to verify that the site is using SSL or TLS)
- Check the URL to ensure that the website is the merchant you intend to purchase from
I generally don’t make purchases from untrusted or unsecured Wi-Fi hotspots (even at cafes), as they can be prime locations for man-in-the-middle attacks.
What happens if you think your card number has been stolen? It can happen even if you practice safe payments and it is important to know what to do. Here are a few steps to take if you suspect your card has been compromised:
- Note any suspicious transactions
- Call your card issuer (i.e., your bank) and notify them of the suspicious activity
- Request that the current account be frozen and request a new account
- Monitor other accounts for suspicious activity
It doesn’t take much effort to practice safe payments. Learning situational awareness and using the above recommendations will help you enjoy the convenience of card payments while reducing your exposure as a target for payment card fraud. Protect your debit card like you would protect your checkbook. When in doubt, use cash or get that credit card out!
