Consumers Not Powerless in the Face of Credit Card Fraud

by Ron Lieber, New York Times

creditcard_databreach_ccWhen you think about the security of your credit and debit cards, consider the facts on the ground.

Industry representatives readily admit that thieves are often one step ahead of them and that data breaches are a fact of life. One bank went rogue and publicly called out MasterCard and Bank of America for not sharing information and for failing to stem card fraud fast enough in Chicago taxicabs.

Now a for-profit college, sensing opportunity, has found its own angle. Monroe College is currently pitching a minor in cybersecurity. Its ad on New York City subways features a woman in a white coat holding a card that intersects with beams of light. Perhaps she’ll invent a way to solve the payments industry’s problems.

Until then, you have to help yourself. Most card companies already have custom alerts and other features that not enough consumers use. Then there’s something that all cards should have but most don’t — an on/off switch accessible from a mobile app that could keep most fraud from happening. Finally, there are the microchip cards that most of the rest of the civilized world uses but that barely exist in the United States so far.

Let’s take them in order.

Alerts and Other Tools

Whether you’re using a debit or credit card, there are all sorts of ways to limit the damage a thief might do, or at least get a quick warning that one is on the loose.

Capital One offers a typical list: Customers can turn on text or email alerts that will arrive when their balance goes above or below an amount that the customer sets, when a charge occurs above or below a certain amount, when any charge occurs at all, or if a transaction doesn’t go through because there isn’t enough money in the checking account.

Citibank can ping you if you’re within a set distance from your credit limit. Chase will text you if its systems detect an unusual charge and let you reject it on the spot. When I logged into American Express’s website recently, I found that I could get an alert whenever someone gets a cash advance using the card (something I never do).

There is no reason not to set at least a few alerts, even if they may only warn you about theft after it has occurred. Some banks, like Bank of America and Citibank, will generate a one-time-use card number for online shopping. That way, you can cross sketchy websites (or sketchy employees at legitimate sites) off your list of things to worry about. Other institutions, like Capital One, don’t offer this service because so few people end up using it.

Committed debit card users may want to consider the two-account approach that a reader mentioned in the online comments about last week’s column. The strategy here is to use one checking account for everyday spending with a debit card and a separate checking account for recurring payments. Destroy the debit card for the second account, and you won’t have to worry about a thief stealing the card, draining the account and causing your mortgage or other payments to come up short.

The On/Off Switch

If everyone turned their debit or credit cards on before each charge and then off again before returning the plastic to the wallet, it would be a lot harder for thieves to do their work.

This technology actually exists. A company called Malauzai Software built an on/off switch after one of its bank customers sought a solution to the amount of time its representatives were spending on the phone with people whose debit cards had gone missing. It wanted the customers to be able to turn the cards off temporarily via their mobile banking app until they found them again or declared them lost and asked for a replacement.

Malauzai obliged, but it soon discovered that fraud-wary customers were turning the cards on and off before and after every charge. “The fraud prevention thing was gravy on top of the mashed potatoes,” said Robb Gaynor, Malauzai’s co-founder and chief product officer. “It was unexpected.”

Now 70 to 80 institutions, all smaller banks or credit unions, have adopted Malauzai’s on/off switch. Capital One has built its own for debit cards, as have USAA and Simple, which was acquired by BBVA last month. Of customers who are active on mobile banking apps and patronize a bank that uses Malauzai’s switch, 3 to 5 percent of them flip it at least once each month. Recurring charges for things like mobile phone bills get a code that allows them to go through even when a customer has turned the card off. A company called TSYS has its own new on/off offering for banks that can geo-fence transactions, keeping any from going through unless they’re relatively close to a user’s mobile phone.

Ellen Richey, Visa’s chief legal officer, expressed a bit of skepticism about the on/off switch. The right malware could muck it up, and users may forget that their cards are off and get annoyed at the cash register when things aren’t working. “One thing we have found is that consumers are remarkably impatient with anything that gets between them and making a payment,” she said.

Perhaps, but why not let consumers decide whether they mind that friction? So far, Chase, American Express, Citibank and Bank of America have no plans to do so. If enough of you demand it, however, perhaps they’ll see the light. This is what happened with the now ubiquitous tool that lets you deposit checks by taking a picture of them with your phone and zapping them to the bank.

Chip Cards

The United States is such a fraud-friendly country in part because we still use old-fashioned magnetic stripes on the back of our cards. This makes it relatively easy for thieves to make counterfeit ones.

At long last, retailers and banks and the companies that process their payments are preparing to begin to possibly get their acts together on this front. Over the next 18 months, more debit and credit card issuers will issue plastic with a microchip inside that will transmit a unique code each time you use it in person. Presumably, thieves won’t be able to counterfeit that sort of thing easily, at least for a while.

Then, on Oct. 1, 2015, assuming there aren’t any extensions, most retailers that don’t have terminals to read the chip cards yet will be responsible for certain types of fraud if it occurs. If retailers do have the terminals but a bank hasn’t gotten around to giving a consumer a chip-enabled card, the bank will pay for the fraud as a penalty for lagging the retailers. It’s an elaborate game of chicken, fitting for an industry where the major players spent years embroiled in a lawsuit.

Most people will be dipping these new cards in the terminals instead of swiping them, and some banks may eventually make you enter a PIN instead of signing for a purchase. As long as you don’t lose your card or have the actual plastic stolen, the sort of fraud that went on with Target should be a lot harder to pull off.

That said, the thieves will then immediately migrate online, since many people will still be typing numbers into websites the old-fashioned way for the foreseeable future. There, the bad guys will find a more welcoming environment, at least until everyone involved with card payments agrees on a technology to thwart the scofflaws there, too. A process called tokenization may become the security standard, or perhaps you’ll be inputting codes you receive via text message, similar to the way you might be now if you have activated two-step verification for Gmail.

Ms. Richey of Visa says she believes that the various industry players will be quick to act online as well. After all, if they do nothing, the rate of online fraud may rise at the same rate that in-person card fraud falls thanks to all those microchips. “It’s so compelling that it will fuel the merchant and bank players’ willingness to proceed,” she said. “Otherwise, they won’t get the benefit of the investments they’ve made in chip cards.”

That’s a lot of ifs, in an industry that has waited an awfully long time to fix its fraud problems while inconveniencing millions of customers. Let’s hope it happens as they say it will. Until it does, set some alerts and pester your bank to give you all of the technological options that ought to be available right now.