Blog article
See all stories »

Protecting Your Credit Cards From Identity Theft

Credit card fraud comes in two different flavors: account takeover and new account fraud. Account takeover occurs when the identity thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or perhaps you simply hand it over when paying at a store or restaurant. Technically, account takeover is the most prevalent form of identity theft. I’ve always viewed it as simple credit card fraud, rather than “identity theft” in its truest sense.

New account fraud, as it relates to credit cards, occurs when someone gains access to your personal identifying information, including your name, address and, most importantly, your Social Security number. With this data, a thief can open a new account and have the card sent to a different address. This is true identity theft. Once the identity thief receives the new card, he or she maxes it out and doesn’t pay the bill. Over time, the creditors track down the victim, blame him or her for the unpaid bills, and demand the owed funds. New account fraud destroys the victim’s credit and is a mess to clean up.

Victims of account takeover are likely to discover the fraud in numerous ways. They may notice suspicious charges on a credit card statement, or the credit card company may notice charges that seem unusual in the context of the victim’s established spending habits. Credit card companies have anomaly detection software that monitors credit card transactions for red flags. For example, if you hand your credit card to a gas station attendant in Boston at noon, and then a card present purchase is made from a tiny village in Romania one hour later, a red flag is raised. Common sense says you can’t possibly get from Boston to Romania in one hour. The software knows this.

Victims of account takeover only wind up paying the fraudulent charges if they don’t detect and report the crime within 60 days. A 6o day window covers two billing cycles, which should be enough for most account-conscious consumers who keep an eye on their spending. During that time, you are covered by a “zero liability policy,” which was invented by credit card companies to reduce fears of online fraud. Under this policy, the cardholder may be responsible for up to $50.00 in charges, but most banks extend the coverage to charges under $50.00. After 60 days, though, you are out of luck. So pay attention to your statements. As long as you do, account takeover should not hurt you financially.

But new account fraud is another story entirely - one that can and will hurt you if you don’t protect yourself. You may not be held financially responsible for the charges themselves, but you will pay in time, and time is money. In some cases you may pay lawyers or private investigators, or you may need to take time off from work, depending on how dire your credit situation becomes. Identity theft victims have been denied credit due to the unpaid debts in their names, and have missed opportunities to purchase homes as a result.

Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each. You


Robert Siciliano Identity Theft Speaker discussing identity theft hackers


Comments: (5)

A Finextra member
A Finextra member 02 July, 2009, 11:06Be the first to give this comment the thumbs up 0 likes

There is another way to protect credit ratings and identity - but the Governments around the world won't go for it.  If CRAs were made to work on the basis that the credit and ID data they held was the subject's, not theirs, and that, whenever anything happens that requires a change to their rating, they must contact the subject via a channel separate from the incoming change (e.g. where someone asks for a new account/credit), then the subject is in far more control and it would be more difficult for new account fraud to happen.

Of course, it would drive up the costs of credit, and it would make instant credit more difficult or impossible to function, but even that has a plus point in making it that bit more difficult for the consumer to get into a mess of their own accord.

I don't see why I should pay a CRA to get updates on my credit rating - it' should be up to them to prove that any changes made were valid, by having to check with me first.

This is unlikely to see the light of day unless there is a swell of opinion, which would need to be mobilised...  This is a pity.

Robert Siciliano
Robert Siciliano - - Boston 02 July, 2009, 12:23Be the first to give this comment the thumbs up 0 likes

Roger, 1000% correct.

A Finextra member
A Finextra member 03 July, 2009, 09:53Be the first to give this comment the thumbs up 0 likes

"New account fraud, as it relates to credit cards, occurs when someone gains access to your personal identifying information, including your name, address and, most importantly, your Social Security number. With this data, a thief can open a new account and have the card sent to a different address."

If this is all that's needed to open a fraudulent account of credit card, then there is something seriously wrong with the system. If the customer's identity is not reliably verified in the process, customers should not be held responsible for any account activities.

BTW, I found out the perfect way to eliminate credit card fraud on a consumer level: destroy the magnetic stripe of the card. After doing so, the card cannot be copied, and purchases can only be done via chip&pin. Vendors who lack C&P teminals must enter the card data manually to the terminal, which acts as a security measure as well.

For cash withdrawals where the ATM does not have C&P, use a separate debit card that is linked to a separate account where you only carry a small balance for the withdrawals.

A Finextra member
A Finextra member 04 July, 2009, 04:58Be the first to give this comment the thumbs up 0 likes

Id Theft Prevention, Fraud Alerts...  hhmmm...  Lifelock charges U.S. consumers, $10 per month for annual credit reports and for putting fraud alerts. Lifelock reports to have approximately 980,000 customers. 

In 2008, ID Security Firm Lifelock was sued by a couple of its customers for misleading, deceptive practices.

"The lawsuit alleges that LifeLock is engaged in the "concealment, suppression, and omission of material facts" about its service. The company allegedly fails to make clear that it charges subscribers for an annual credit report that's available to them for free when placing a fraud alert."

""LifeLock does not necessarily protect its subscribers' identities as advertised," the lawsuit claims. "Indeed, the statements by LifeLock's CEO regarding the ability of LifeLock to protect his own identity are deceptive because his identity was stolen while he was a customer and is, upon information and belief, presently being misappropriated by at least 20 identity thieves."

Lifelock was also sued by Experian. Judge ruled for Experian. See Finextra's news item about this : "Judge backs Experian over LifeLock's unfair business practices". Experian states that the placing of hundreds of thousands of alerts is costing Experian millions of dollars a year. 

The judge agreed and granted the Experian motion, stating: "Under the clear terms of the legislative history, any request for a fraud alert "must" be made by "an individual," and not by a company like LifeLock."

But the real story is that Experian although it allows a consumers to put his own fraud alerts for free (for 3 months) and see his own credit report, that it also then sells several other services such as triple alerts credit monitoring, identity theft protection, etc. 

What this says is that giving consumers the ability to monitor and control their IDs (social security numbers, card numbers, bank accounts, driver license, etc.) is something that consumers would pay for. This is great news for banks that are looking for something new that they can offer to their customers.

A Finextra member
A Finextra member 04 July, 2009, 05:06Be the first to give this comment the thumbs up 0 likes

Oh by the way, this is to Kalle of Nordea - You can also just close your card account. This way, you will not get dedrauded even if someone gets your card number, exp date and CVV.

Zapping your magnetic stripe is easy. Just use one of those fun magnetic items that you slap onto your refrigerator, pass your magnetic stripe over one and voila, your magnetic stripe is dead. Yes, like kalle you can do this if you have no plans to leave Finland or go to a country that only accepts magnetic stripes and signatures (and there still are many countries that accept only magnetic stripes and signatures).

Now hiring