Who’s Got Your Number?

Do you go over your credit card statements to check every transaction? If not, you’re a prime target for credit card scammers. They could have your card number right now, charging up a storm. Unfortunately, you’re not alone.

Experian reports that 400,000 incidents of credit card fraud were reported to the Federal Trade Commission in 2020. That’s up 44% from 2019. Credit card fraud is also the number one type of identity theft, with over 271,000 reports. In 2020 alone, we’re looking at almost 700,000 incidents, and that’s only the people who reported them.

What is Credit Card Fraud?

Credit card fraud is when someone else gains access to your credit card information and uses it to make purchases in your name. It’s a form of identity theft because the user is misrepresenting themselves. They are assuming your identity to use your money without your knowledge or consent.

Here are a few common ways credit card scammers get your card numbers:

  1. Spyware apps

These apps are cheap and creepy. They run around 30 bucks and all that’s needed is the phone number you want to listen in on. Scammers buy the app and download it on their own phones. They enter the target’s phone number into the app and they’ve got you. They don’t need access to your phone or even proximity. Some of the apps capture text messages, GPS locations, even keystrokes. Another one gives them access to an iPhone’s iCloud data. Just stop and think about how much information they could get from that.

  2. Skimmers

Skimming devices are small electronic devices that illegally grab information off the strip on the back of your card. The data on the strip includes the credit card number, security code, and expiration date. They are often found on gas pumps or those standalone ATMs in convenience stores. They’re also used at ticket kiosks and at personal sales like flea markets or estate sales. Skimmers fit over the original swiper and can be hard to spot. When scammers retrieve the device, they hit the mother lode. They have information on every credit or debit card that was used since installation.

Cards with chips were intended to stop this type of theft, but technology marches on. A device called a shimmer is a tiny chip that’s inserted into the slot for your card. If a skimmer is easy to overlook, a shimmer is impossible to spot. It breaches the chip card’s security, grabs the data, and turns it into a metallic strip.

  3. Low Tech Theft

If you get paper statements from your cards, they can be grabbed from your mailbox or your trash. Older people in particular like paper. While everyone focuses on high tech, low tech is still easy and effective. Mailboxes are typically out on the street. A passenger in a car could grab financial statements in under a minute. Then there’s the trash. Anything you put out in your trash is free rein. If you don’t shred financial documents before you toss them, snagging them is simple.

  4. Data Breaches

Between January and April of 2020, over 8 billion credit card records were exposed. EIGHT BILLION! The idea that monitoring credit reports is somehow going to protect people seems inadequate. It gets worse for victims. Experian reports 31% of them will be victimized again through identity theft.

Identity theft is credit card fraud on steroids. Data breaches don’t just expose credit card numbers. Hackers steal addresses, social security numbers, and all kinds of proprietary information. Thieves take all that data and put it to use. They open up new accounts and change your mailing address. They can update the contact info on your accounts and even get an ID with your name and their picture and address.

Credit card fraud has limits on victims’ financial liability. Once it turns into identity theft, those protections vanish.

  5. A Merchant Hack

Good companies can get hacked. If you’re a customer, your credit card information gets hacked right along with them. To name just a few, T-Mobile, Nintendo, Macy’s, and Marriott Hotels were hacked. Customer data was stolen in each case. It’s normally the card providers (Visa, MasterCard, and others) that get a list of compromised cards. They send the list to the cardholders’ various banks. The company that was hacked has a legal requirement to alert customers of the breach within 72 hours.


How to Protect Your Credit Cards

The truth is there’s only so much you can do if you use credit or debit cards. Always carry some cash. If you pay cash when you shop or get gas (especially gas), you can avoid skimmers and shimmers. If a store gets breached, there are no records to steal. Never use a card at some pop-up stand or flea market. Always get cash ahead of time.

This won’t help you at the Marriott and other hotels that require a credit card for a reservation. The internet is the catalyst for much of the credit card fraud and identity theft. There can be multiple companies involved in a transaction. If there is a breach, your information is collateral damage.

How a Breach Works

Let’s look at a breach of the travel industry that happened in November 2020.

Company 1: Prestige Software owns the Cloud Hospitality channel management system. The system integrates room availability across sites like hotels.com, booking.com, and Expedia. When a room is booked on one site, availability on the others is updated.

Company 2: Amazon Web Services (AWS) hosts Cloud Hospitality’s data. There was a misconfiguration on the server that exposed over 10,000,000 files from travelers around the world. Neither Prestige nor AWS discovered the vulnerability.

Company 3: Website Planet is a cybersecurity team that analyses sites for security threats. They weren’t hired by Prestige or Amazon. They simply found the code that exposed the database. Website Planet contacted AWS and they fixed the problem the next day.

Companies 4++: Every client of Cloud Hospitality and their customers were breached. That includes reservations made on almost every major booking website and online travel agent. The data included credit card numbers, names, addresses, and phone numbers of millions of people.

Companies 5++: Credit card companies are alerted to the breach of customer cards. They engage banks or financial institutions that reach out to their customers.

Companies 6++: The three big credit reporting companies have to be alerted to prevent fraud and identity theft.

Back to Company 1: It’s unclear who, how, when (or if?) the 10 M+ customers were alerted to the breach. Prestige clients, i.e., booking sites, are not responsible. Prestige Cloud Hospitality is 100% accountable. The company is located in Spain. They face serious consequences under GDPR data regulations. Prestige violated PCI Data Security Standards. They could lose the ability to accept credit card payments. It’s a mess.

Currently, there’s no indication that the exposed data was stolen or mirrored. There’s also no record of travelers whose data was exposed being informed of the breach. There were credit card records from seven years back.

What could you do to protect yourself from something like that? Absolutely nothing.

Some Companies Never Learn

We mentioned a breach at the Marriott earlier. It was in May 2020 and involved the records of over 5.2 million guests. What we didn’t say was that it was their second cybersecurity attack in two years. The first was in 2018 and exposed records of 339 million guests.

As of September 2020, over 200 vulnerabilities, 18 of them critical, appear in their system. Marriott is one of the largest hotel chains in the world. However hard hit they were by the pandemic, this is inexcusable.


What Can We Do?

One of the smartest moves you can make is to monitor your accounts. If you can’t prevent a breach, you can minimize the damage. Set up alerts on your cards. Talk with your credit card company to see what’s available. You can also hire an identity theft protection service.

Don’t pay at the pump with a credit or debit card. If you don’t have cash, go inside and pay. It’s harder to install a skimmer or shimmer at the front counter. Pay attention to your environment. The simplest way of stealing your credit card information is by actually stealing your card.

Do not use a standalone ATM stuck in some convenience store. Period. If you need cash, buy something with your debit card and get cashback. If they don’t have cashback, ask how to find the nearest place that does.

Secure any credit card or mobile banking apps on your phone. Over 70 million smartphones are lost or stolen every year. Only 7% are recovered. First, make sure the apps don’t automatically log you in. Second, a screen lock isn’t enough. A good thief can grab a phone when it’s unlocked or break a password in a matter of minutes. Just FYI, Chinese hackers claim they can break a fingerprint lock in under 20 minutes.

The easiest way for hackers to get credit card information is when you give it to them. It shouldn’t need to be said, but don’t give people a credit card number over the phone. It is so unbelievably easy to spoof a phone number. You have no idea who’s on the other end of the line. The IRS regularly puts out information on phone scams where callers are threatened with arrest if they don’t make a payment. For the record, the IRS doesn’t randomly call people about overdue tax bills.

Phishing still catches a ton of people. Phishing emails take one of two tacks: 1) scare you, or 2) entice you. In case 1, you may get a notice claiming to be from your credit card company. There is some worrisome message and a link. If you click the link, you end up at a fake site that looks almost like the real one. It tells you to enter your card information and voila – mission accomplished.

Case 2 is a honey pot. You’ve won a sweepstake or you have unclaimed money from something. You click the link and you go to a professional-looking website. You have to put in your credit card info to register for an account. And that’s it. End of story, nothing happens after that. During COVID, thousands of cash-strapped people were scammed.

If you do not see a small padlock on the side of a website, it does not have a valid security certificate. Granted, modern browsers have gotten better at identifying sites that aren’t secure. But they don’t always block them. Sometimes they just replace the padlock with an exclamation mark in a triangle. Please pay attention.

Do not make assumptions about an unknown vendor by the look of their website. A domain costs under $12 and a decent-looking website can be tossed together in a couple of hours. Scammers set up websites that accept “donations.” They choose high-profile emotional issues: sick children, political stands, funeral expenses. Sometimes they won’t even charge your card, just grab the information they need to use it. The same goes for Facebook and other social media platforms.

If You Think Your Card is Compromised

Don’t wait for confirmation. If your card is lost or you think your information has been stolen, act immediately.

  • Alert your credit card company ASAP.
  • Change your PIN and password.
  • Freeze your credit to keep thieves from opening up accounts in your name.
  • Set up transaction alerts based on location or the amount of purchase.
  • Report any suspicion of identity theft to the Federal Trade Commission.

Credit card fraud is no joke. Identity theft is worse. At least you can stop a criminal from profiting from his or her crime.
