Stacking your cards
If it hasn’t happened already, there’s a pretty good chance one or more cards in your wallet will be compromised.
Card fraud affected 7.5 million Americans in 2012 (the latest data available), with total card fraud loss reaching about $8 billion, according to Javelin Strategy & Research. ACI Worldwide and Aite Group found in their 2012 report that 42 percent of U.S. residents had directly experienced fraud over the previous five years. That doesn’t include the 40 million credit and debit card accounts that were accessed during Target’s massive breach in December.
All cards in your payments arsenal are undoubtedly at risk, but are certain cards more vulnerable to fraud and/or data breaches than others? There are a lot of factors to consider when stacking payment methods against each other.
The dangers of debit cards
© MIKE BLAKE/Reuters/Corbis
Certain card categories can be considered more vulnerable, thanks to differences in the laws that govern them. Using a debit card is riskier than using a credit card because a customer could wind up paying more out of pocket when a debit card is compromised.
A debit card “connects directly to your bank account,” says John Sileo, data security expert and author of the “Identity Theft Recovery Guide.” “When it’s emptied, the cash is gone” until the bank puts it back. Banks have 45 days to investigate the fraudulent charges, but after 10 days, they have to issue a provisional credit of the missing funds.
Not only that, but under Regulation E of the Electronic Fund Transfer Act, debit card holders can be liable for $50 if they fail to report fraudulent charges within two days and up to $500 if they fail to report within 60 days. After 60 days, they could wind up paying for all unauthorized charges, says Rick Fischer, senior partner at Morrison & Foerster LLP.
At the end of the day you could wind up waiting two weeks for the funds to be reimbursed. This lag time could prove problematic if bills are due, or if while waiting for reimbursement, you rack up overdraft fees.
Beware the mag stripe
From a technological standpoint, any card with a traditional magnetic stripe is more vulnerable to fraud since it’s all too easy to counterfeit. (And, yes, in all likelihood, this currently includes most of the cards in your wallet.)
“It’s very, very old technology,” says Jason Oxman, CEO of the Electronic Transactions Association. “A magnetic stripe is the same technology used in cassette tapes.”
Information is embedded in the form of characters — letters and numbers — that go across the stripe’s tracks. Typically, this information includes your name, your account number, the account’s expiration date and a security code called the card verification value, or CVV. This security code never changes, so once a hacker obtains the stripe’s data, he or she has all the information needed to create a counterfeit card, Oxman says.
Hackers typically obtain the information through skimmers, which can be placed over ATMs or payment terminals. This practice is more common in the U.S. than you may think. According to a 2013 Nilson Report, the U.S. is the only region in the world where counterfeit card fraud has grown consistently. U.S. issuer losses due to counterfeiting accounted for 26.5 percent of global fraud losses in 2012.
“It’s more common than lost or stolen cards or online fraud,” Oxman says.
The perks of EMV
Unlike risky magnetic stripes, tiny microprocessor chips in an EMV — or Europay, MasterCard and Visa — card “generate a new security code every time you use the card,” Oxman says. These chips are “impossible to counterfeit,” he adds, since a hacker doesn’t know what code they are going to generate in the future.
There are two types of EMV chip cards: chip-and-signature and chip-and-PIN. The chip-and-PIN version is considered the more secure of the two, since it requires a personal identification code to verify a transaction. “The PIN is an extra layer,” Oxman says.
Some U.S. issuers have added chips to their credit cards so customers won’t have problems making payments when they travel overseas. But don’t let the chip’s mere presence fool you.
“Until we get magnetic stripes off the back of the cards, they’re going to be highly vulnerable to theft,” Sileo says.
Retailers and financial institutions in the U.S. are currently migrating to an EMV system, and come October 2015, liability will shift to whichever party is sporting outdated technology. Eventually you won’t be able to complete a transaction without an EMV card. Of course, even a chip won’t eradicate fraud completely.
“(A) chip doesn’t do anything to stop fraud online, because we don’t have chip card readers in our houses,” Oxman says.
Does the issuer matter?
Given their zero-liability policies, the cards in your wallet that are branded by the major networks — Visa, MasterCard, American Express and Discover — are likely to provide more protections than cards with smaller networks.
“Hackers go after big databases over smaller databases,” Sileo says, so, yes, they’re more likely to target a large financial institution over a small one. “But the opposite side of that is smaller-to-midsize banks have less security,” he says.
While it can be hard to tap an issuer as the most vulnerable, Javelin Strategy & Research conducts a study evaluating the 24 largest issuers relating to fraud prevention, detection and resolution. In 2013, Bank of America was awarded best in class; USAA was awarded best in prevention; and Wells Fargo was awarded best in detection. Associated Bank and SunTrust tied for best in resolution.
“Bank of America consistently improves their fraud prevention and security capabilities in order to address the most current trends,” says Al Pascual, senior analyst of fraud and security with Javelin Strategy & Research.
Two-way alerts, where a consumer is notified of suspicious activity and prompted for a confirmation, along with customer-defined controls pre-emptively setting transaction limits, are “immensely powerful and timely capabilities,” Pascual says. So, if your bank offers these alerts or services, it’s a good sign.
Unfortunately, all the card security in the world doesn’t guarantee your payment method — and your personal information — won’t be compromised.
“Consumers can never be certain that merchants or other businesses that accept cards are completely secure,” Pascual says. “It’s much like Russian roulette in that regard.” As such, customers should still take steps to protect themselves, no matter what cards are in their wallet.
“Pay attention to your statements,” says Robert Siciliano, identity theft expert at BestIDTheftCompanys.com. At a minimum, he suggests reviewing paper statements every month and online statements weekly.
You can also monitor your credit report if you think financial and/or personal information was compromised. And sign up for the aforementioned alerts from your issuer so you can spot suspicious charges as soon as they are made.
“Any time there is a significant charge made, I get an email,” Siciliano says. “Any card-not-present transaction, I get a text. You can do that with most of your credit cards.”
If you do discover your card was lost, stolen or otherwise breached, call your issuer and have the card replaced as soon as possible to minimize the hassle of disputing unauthorized charges.